booth 0.0.1

data/lib/booth/userland/sessions/transitions/show/enter_webauth.rb

@@ -0,0 +1,56 @@
+module Booth
+  module Userland
+    module Sessions
+      module Transitions
+        module Show
+          class EnterWebauth
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              !params[:webauth]
+            end
+
+            def call
+              if sudo.webauth?
+                if session_id_param
+                  debug { 'Having webauth sudo, revoking the desired session...' }
+                  return ::Booth::Sessions::Revoke.call credential_id: authentication.credential_id,
+                                                        session_id: session_id_param
+                else
+                  debug { 'Having webauth sudo, revoking all other sessions...' }
+                  return ::Booth::Sessions::RevokeAllOthers.call credential_id: authentication.credential_id,
+                                                                 surviving_session_id: authentication.session_id
+                end
+              end
+
+              if session_id_param
+                Tron.failure :need_sudo_to_show_session,
+                             step: :enter_webauth_to_show,
+                             session_id: session_id_param
+              else
+                Tron.failure :need_sudo_to_show_all_other_sessions,
+                             step: :enter_webauth_to_show_all_others
+              end
+            end
+
+            private
+
+            def session_id_param
+              # If params[:id] is a UUID, then it's an ID for a `Booth::Models::Session` in the DB.
+              # If params[:id] is something else, then it's just a WebAuth Ceremony argument.
+              ::Booth::Syntaxes::Uuid.call(params[:id], raise_if_invalid: false).uuid
+            end
+
+            def authentication
+              request.authentication
+            end
+
+            def sudo
+              request.sudo
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/create.rb

@@ -0,0 +1,83 @@
+module Booth
+  module Userland
+    module Webauths
+      class Create
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_post!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Webauths::Guards::Manageable.call(credential:) { return _1 }
+          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_ensure_authenticator
+            .on_success { do_require_editable_authentictor }
+            .on_success { do_transition }
+        end
+
+        private
+
+        def do_ensure_authenticator
+          return Tron.success :authenticator_exists if storage.authenticator
+
+          # TODO: test that one credential cannot have multiple deviceless authenticators
+          authenticator = credential.authenticators.find_or_initialize_by(device_id: nil)
+          authenticator.generate_webauth_id
+
+          webauth = ::Booth::Webauth::OptionsForCreate.call(
+            webauthn_id: authenticator.generate_webauth_id,
+            username: credential.username,
+            requires_user_verification: enforce_user_verification?
+          )
+
+          authenticator.challenge = webauth.challenge
+
+          if authenticator.save
+            storage.authenticator_id = authenticator.id
+            return Tron.success :authenticator_created if storage.authenticator
+          end
+
+          Tron.failure :authenticator_creation_failed
+        end
+
+        def do_require_editable_authentictor
+          if %i[register choose_nickname confirm].include?(storage.authenticator.step)
+            return Tron.success :authenticator_is_editable
+          end
+
+          Tron.failure :authenticator_already_completed
+        end
+
+        def transitions
+          [
+            ::Booth::Userland::Webauths::Transitions::Create::AuthenticationInitiation,
+            ::Booth::Userland::Webauths::Transitions::Create::AuthenticationVerification,
+            ::Booth::Userland::Webauths::Transitions::Create::ChooseNickname,
+            ::Booth::Userland::Webauths::Transitions::Create::RegistrationInitiation,
+            ::Booth::Userland::Webauths::Transitions::Create::RegistrationVerification,
+            ::Booth::Userland::Webauths::Transitions::Create::Reset,
+          ]
+        end
+
+        # When switching from with-password login to passwordless,
+        # we need to enable a way to add user-verifiable webauth tokens,
+        # even though we are currently not passwordless. That's what the param is for.
+        def enforce_user_verification?
+          ::Booth::Webauth::DemandUserVerification.call(
+            credential:,
+            force: request.params[:enforce_user_verification].present?
+          )
+        end
+
+        def storage
+          request.storage.webauth
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/destroy.rb

@@ -0,0 +1,60 @@
+module Booth
+  module Userland
+    module Webauths
+      class Destroy
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_delete!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Webauths::Guards::Manageable.call(credential:) { return _1 }
+          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_require_eligible_credential
+            .on_success { do_find_authenticator }
+            .on_success { do_destroy_authenticator }
+            .on_success { do_update_credential }
+        end
+
+        private
+
+        def do_require_eligible_credential
+          return Tron.success :can_remove_webauth if ::Booth::Credentials::Modes::WebauthRemovable.call(credential)
+
+          Tron.failure :credential_not_webauth_removable, public_message: I18n.t('booth.webauth_irremovable')
+        end
+
+        def do_find_authenticator
+          @authenticator = credential.authenticators.find_by(id: params[:id])
+          return Tron.success :found_authenticator if @authenticator
+
+          Tron.failure :authenticator_not_found, public_message: I18n.t('booth.authenticator_not_found')
+        end
+
+        def do_destroy_authenticator
+          return Tron.success :authenticator_removed if @authenticator.destroy
+
+          Tron.failure :could_not_remove_authenticator, public_message: I18n.t('booth.authenticator_removal_failed')
+        end
+
+        def do_update_credential
+          if credential.authenticators.present?
+            return Tron.success(:some_authenticator_removed, public_message: I18n.t('booth.some_authenticator_removed'))
+          end
+
+          if credential.mode_username_and_password!
+            return Tron.success :webauth_removed, public_message: I18n.t('booth.webauth_removed')
+          end
+
+          raise "Could not switch Credential #{credential.id} to `username_and_password`: #{credential.errors.to_a}"
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/guards/manageable.rb

@@ -0,0 +1,21 @@
+module Booth
+  module Userland
+    module Webauths
+      module Guards
+        class Manageable
+          include ::Booth::Logging
+          include ::Booth::MethodObject
+
+          option :credential
+
+          def call
+            return if ::Booth::Credentials::Modes::WebauthManageable.call(credential)
+
+            debug { 'Webauth is not relevant to this credential' }
+            yield Tron.failure :webauth_not_configurable, public_message: I18n.t('booth.webauth_unavailable')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/guards/sudo.rb

@@ -0,0 +1,22 @@
+module Booth
+  module Userland
+    module Webauths
+      module Guards
+        class Sudo
+          include ::Booth::MethodObject
+
+          option :request
+          option :credential
+
+          def call
+            return if credential.mode_first_time?
+            return if credential.mode_username_and_password?
+            return if credential.mode_username_password_and_otp?
+
+            request.sudo.guard_with_webauth { yield _1 }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/index.rb

@@ -0,0 +1,43 @@
+module Booth
+  module Userland
+    module Webauths
+      class Index
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Webauths::Guards::Manageable.call(credential:) { return _1 }
+          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_index
+        end
+
+        private
+
+        def do_index
+          request.storage.webauth.reset if params[:reset]
+
+          Tron.success :current_webauth, step: :index,
+                                         authenticators: authenticator_structs
+        end
+
+        def authenticator_structs
+          credential.authenticators.registered_scope.map do |authenticator|
+            ::Booth::ToStruct.call(
+              authenticator.attributes
+                           .symbolize_keys
+                           .slice(:id, :confirmed_at, :nickname, :supports_user_verification)
+            )
+          end
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/new.rb

@@ -0,0 +1,70 @@
+module Booth
+  module Userland
+    module Webauths
+      class New
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_get!
+          request.must_be_html!
+          request.must_be_logged_in!
+
+          ::Booth::Userland::Webauths::Guards::Manageable.call(credential:) { return _1 }
+
+          # This check must come before the Sudo requirement.
+          if authenticator&.confirmed?
+            return Tron.success :completed, step: :completed,
+                                            nickname: authenticator&.nickname,
+                                            should_add_more_authenticators: should_add_more_authenticators?
+          end
+
+          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return _1 }
+
+          do_new
+        end
+
+        private
+
+        def do_new
+          debug { "WebAuthn Authenticator registration in step #{step}" }
+          # debug { authenticator.inspect }
+
+          Tron.success :add_webauth, step:,
+                                     nickname: authenticator&.nickname,
+                                     enforce_user_verification: enforce_user_verification?
+        end
+
+        def step
+          return :register unless authenticator
+
+          authenticator.step
+        end
+
+        def should_add_more_authenticators?
+          return true if credential.authenticators.registered_scope.count < 2
+          return false unless request.authentication.mode == :username_and_webauth
+
+          credential.authenticators.registered_scope.supports_user_verification_scope.count < 2
+        end
+
+        # When switching from with-password login to passwordless,
+        # we need to enable a way to add user-verifiable webauth tokens,
+        # even though we are currently not passwordless. That's what the param is for.
+        def enforce_user_verification?
+          ::Booth::Webauth::DemandUserVerification.call(
+            credential:,
+            force: params[:enforce_user_verification].present?
+          )
+        end
+
+        def authenticator
+          request.storage.webauth.authenticator
+        end
+
+        def credential
+          @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/sudo.rb

@@ -0,0 +1,25 @@
+module Booth
+  module Userland
+    module Webauths
+      class Sudo
+        include ::Booth::Concerns::Action
+
+        def call
+          request.must_be_post!
+          request.must_be_logged_in!
+
+          do_transition
+        end
+
+        private
+
+        def transitions
+          [
+            ::Booth::Userland::Webauths::Transitions::Sudo::AuthenticationInitiation,
+            ::Booth::Userland::Webauths::Transitions::Sudo::AuthenticationVerification,
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/transitions/create/authentication_initiation.rb

@@ -0,0 +1,52 @@
+module Booth
+  module Userland
+    module Webauths
+      module Transitions
+        module Create
+          class AuthenticationInitiation
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params.key?(:test) && !params&.key?(:webauth)
+            end
+
+            def call
+              do_challenge
+            end
+
+            private
+
+            def do_challenge
+              webauth = ::Booth::Webauth::OptionsForGet.call(
+                allowed_device_ids: authenticator.device_id,
+                requires_user_verification: enforce_user_verification?
+              )
+
+              debug { "Remembering test challenge #{webauth.challenge.inspect}" }
+
+              if authenticator.update challenge: webauth.challenge
+                Tron.success :test_challenge_created, public_json: webauth.as_json, http_status: :created
+              else
+                Tron.failure :storing_test_challenge_failed
+              end
+            end
+
+            def authenticator
+              request.storage.webauth.authenticator
+            end
+
+            def credential
+              @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+            end
+
+            # I.e. modes `first_time` and `username_and_webauth`.
+            # TODO: Also when force-adding an authenticator for removing a password.
+            def enforce_user_verification?
+              !credential.passworded?
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/transitions/create/authentication_verification.rb

@@ -0,0 +1,64 @@
+module Booth
+  module Userland
+    module Webauths
+      module Transitions
+        module Create
+          class AuthenticationVerification
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params.key?(:test) && params[:webauth].key?(:rawId)
+            end
+
+            def call
+              request.must_be_json!
+
+              do_verify_response
+                .on_success { do_persist_confirmation }
+            end
+
+            private
+
+            def do_verify_response
+              debug { 'Verifying challenge...' }
+              # TODO: Replate with ::Booth::Webauth::AuthenticationVerification
+              webauth.verify(authenticator.challenge,
+                             public_key: authenticator.public_key,
+                             sign_count: authenticator.sign_count)
+
+              Tron.success :challenge_response_correct
+            rescue WebAuthn::Error => e
+              debug { "Webauth Handshake failed: #{e.message}" }
+              Tron.failure :invalid_challenge_response
+            end
+
+            def do_persist_confirmation
+              confirmation = ::Booth::Authenticators::Confirm.call(authenticator:,
+                                                                   sign_count: webauth.sign_count)
+
+              if confirmation.success?
+                return Tron.success(:webauth_authentication_verification_successful, public_json: {},
+                                                                                     http_status: :created)
+              end
+
+              Tron.failure :storing_response_failed, public_json: {},
+                                                     http_status: :bad_request
+            end
+
+            def webauth
+              @webauth ||= ::WebAuthn::Credential.from_get(webauth_params)
+            end
+
+            def webauth_params
+              params.require(:webauth).permit!
+            end
+
+            def authenticator
+              request.storage.webauth.authenticator
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/transitions/create/choose_nickname.rb

@@ -0,0 +1,50 @@
+module Booth
+  module Userland
+    module Webauths
+      module Transitions
+        module Create
+          class ChooseNickname
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params.dig(:webauth, :nickname)
+            end
+
+            def call
+              do_check_blank_nickname
+                .on_success { do_update_authenticator }
+            end
+
+            private
+
+            def do_check_blank_nickname
+              return Tron.success :nickname_is_present if nickname_param.present?
+
+              debug { 'The nickname was blank' }
+              Tron.failure :nickname_is_blank, public_message: I18n.t('booth.blank_nickname')
+            end
+
+            def do_update_authenticator
+              if authenticator.update nickname: nickname_param
+                debug { 'The nickname successfully changed' }
+                Tron.success :nickname_saved
+              else
+                public_message = authenticator.errors.to_a.to_sentence
+                debug { "The nickname could not be updated: #{public_message}" }
+                Tron.failure :nickname_failed, public_message:
+              end
+            end
+
+            def nickname_param
+              params.require(:webauth).permit(:nickname)[:nickname]
+            end
+
+            def authenticator
+              request.storage.webauth.authenticator
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/transitions/create/registration_initiation.rb

@@ -0,0 +1,61 @@
+module Booth
+  module Userland
+    module Webauths
+      module Transitions
+        module Create
+          class RegistrationInitiation
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params&.key?(:register) && !params&.key?(:webauth)
+            end
+
+            def call
+              do_require_authenticator
+                .on_success { do_challenge }
+            end
+
+            private
+
+            def do_require_authenticator
+              return Tron.success :authenticator_waiting_for_registration if storage.authenticator.step == :register
+
+              Tron.failure :authenticator_not_registerable
+            end
+
+            def do_challenge
+              debug { "Remembering registration challenge #{webauth.challenge.inspect}" }
+
+              if storage.authenticator.update challenge: webauth.challenge,
+                                              supports_user_verification: enforce_user_verification?
+                return Tron.success :registration_challenge_created, public_json: webauth.as_json,
+                                                                     http_status: :created
+              end
+
+              Tron.failure :storing_registration_challenge_failed
+            end
+
+            def webauth
+              @webauth ||= ::Booth::Webauth::OptionsForCreate.call(
+                webauthn_id: storage.authenticator.webauthn_id,
+                username: storage.authenticator.credential.username,
+                requires_user_verification: enforce_user_verification?
+              )
+            end
+
+            def enforce_user_verification?
+              ::Booth::Webauth::DemandUserVerification.call(
+                credential: storage.authenticator.credential,
+                force: request.params[:enforce_user_verification].present?
+              )
+            end
+
+            def storage
+              request.storage.webauth
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/transitions/create/registration_verification.rb

@@ -0,0 +1,68 @@
+module Booth
+  module Userland
+    module Webauths
+      module Transitions
+        module Create
+          class RegistrationVerification
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params&.key?(:register) && params[:webauth]&.key?(:rawId)
+            end
+
+            def call
+              do_verify_response
+                .on_success { do_persist_keys }
+            end
+
+            private
+
+            def do_verify_response
+              debug { "Verifying challenge #{authenticator.challenge.inspect}" }
+              # TODO: Replate with ::Booth::Webauth::RegistrationVerification (?)
+              webauth.verify(authenticator.challenge)
+
+              Tron.success :challenge_response_correct
+            rescue WebAuthn::Error => e
+              debug { "Webauth Handshake failed: #{e.message}" }
+              Tron.failure :invalid_challenge_response
+            end
+
+            def do_persist_keys
+              debug { "Persisting authenticator information, the sign count is now at #{webauth.sign_count}..." }
+              if authenticator.update(device_id: ::Base64.strict_encode64(webauth.raw_id),
+                                      public_key: webauth.public_key,
+                                      sign_count: webauth.sign_count)
+
+                return Tron.success :challenge_accepted, public_json: {}, http_status: :created
+              end
+
+              Tron.failure :storing_response_failed
+            end
+
+            def webauth
+              @webauth ||= ::WebAuthn::Credential.from_create(webauth_params)
+            end
+
+            def webauth_params
+              params.require(:webauth).permit!
+            end
+
+            # def credential
+            #   @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+            # end
+
+            def mode_after_update
+              @mode_after_update ||= ::Booth::Webauth::ModeAfterAdd.call(credential:,
+                                                                         authenticator:)
+            end
+
+            def authenticator
+              request.storage.webauth.authenticator
+            end
+          end
+        end
+      end
+    end
+  end
+end