booth 0.0.1

data/lib/booth/userland/webauths/transitions/create/reset.rb

@@ -0,0 +1,36 @@
+module Booth
+  module Userland
+    module Webauths
+      module Transitions
+        module Create
+          class Reset
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params.key?(:reset)
+            end
+
+            def call
+              do_destroy_authenticator
+            end
+
+            private
+
+            def do_destroy_authenticator
+              if storage.authenticator.destroy
+                storage.authenticator_id = nil
+                return Tron.success :draft_authenticator_removed
+              end
+
+              Tron.failure :webauth_reset_failed
+            end
+
+            def storage
+              request.storage.webauth
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/transitions/new/step.rb

@@ -0,0 +1,23 @@
+# module Booth
+#   module Userland
+#     module Webauths
+#       module New
+#         class Step
+#           include ::Booth::MethodObject
+
+#           param :authenticator
+
+#           def call
+#             return :register if authenticator.device_id.blank? ||
+#                                 authenticator.public_key.blank? ||
+#                                 authenticator.sign_count.blank?
+#             return :choose_nickname if authenticator.nickname.blank?
+#             return :confirm if authenticator.confirmed_at.blank?
+
+#             :completed
+#           end
+#         end
+#       end
+#     end
+#   end
+# end

data/lib/booth/userland/webauths/transitions/sudo/authentication_initiation.rb

@@ -0,0 +1,47 @@
+module Booth
+  module Userland
+    module Webauths
+      module Transitions
+        module Sudo
+          class AuthenticationInitiation
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              !params&.key?(:webauth)
+            end
+
+            def call
+              do_challenge
+            end
+
+            private
+
+            def do_challenge
+              webauth = ::Booth::Webauth::OptionsForGet.call(
+                allowed_device_ids: credential.registered_authenticator_ids,
+                requires_user_verification: enforce_user_verification?
+              )
+
+              debug { "Remembering sudo challenge #{webauth.challenge.inspect}" }
+
+              request.sudo.webauthn_challenge = webauth.challenge
+              Tron.success :test_challenge_created, public_json: webauth.as_json,
+                                                    http_status: :created
+            end
+
+            def credential
+              @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
+            end
+
+            def enforce_user_verification?
+              ::Booth::Webauth::DemandUserVerification.call(
+                credential:,
+                force: params[:enforce_user_verification].present?
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland/webauths/transitions/sudo/authentication_verification.rb

@@ -0,0 +1,34 @@
+module Booth
+  module Userland
+    module Webauths
+      module Transitions
+        module Sudo
+          class AuthenticationVerification
+            include ::Booth::Concerns::Transition
+
+            def self.applicable?(params:)
+              params.dig(:webauth, :rawId)
+            end
+
+            def call
+              request.must_be_post!
+              request.must_be_json!
+
+              do_verify_response
+            end
+
+            private
+
+            def do_verify_response
+              ::Booth::Webauth::AuthenticationVerification.call(
+                request:,
+                credential_id: request.authentication.credential_id,
+                challenge: request.sudo.webauthn_challenge
+              )
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/userland.rb

@@ -0,0 +1,192 @@
+module Booth
+  module Userland
+    def self.routes(...)
+      ::Booth::Routes::Userland.call(...)
+    end
+
+    # -------------
+    # Login Actions
+    # -------------
+
+    def self.new_login(...)
+      ::Booth::Userland::Logins::New.call(...)
+    end
+
+    def self.create_login(...)
+      ::Booth::Userland::Logins::Create.call(...)
+    end
+
+    def self.destroy_login(...)
+      ::Booth::Userland::Logins::Destroy.call(...)
+    end
+
+    # ------------------
+    # Onboarding Actions
+    # ------------------
+
+    def self.show_onboarding(...)
+      ::Booth::Userland::Onboardings::Show.call(...)
+    end
+
+    def self.update_onboarding(...)
+      ::Booth::Userland::Onboardings::Update.call(...)
+    end
+
+    # Otp Actions
+
+    def self.show_otp(...)
+      ::Booth::Userland::Otps::Show.call(...)
+    end
+
+    def self.sudo_otp(...)
+      ::Booth::Userland::Otps::Sudo.call(...)
+    end
+
+    def self.edit_otp(...)
+      ::Booth::Userland::Otps::Edit.call(...)
+    end
+
+    def self.update_otp(...)
+      ::Booth::Userland::Otps::Update.call(...)
+    end
+
+    def self.destroy_otp(...)
+      ::Booth::Userland::Otps::Destroy.call(...)
+    end
+
+    # Password Actions
+
+    def self.show_password(...)
+      ::Booth::Userland::Passwords::Show.call(...)
+    end
+
+    def self.sudo_password(...)
+      ::Booth::Userland::Passwords::Sudo.call(...)
+    end
+
+    def self.edit_password(...)
+      ::Booth::Userland::Passwords::Edit.call(...)
+    end
+
+    def self.update_password(...)
+      ::Booth::Userland::Passwords::Update.call(...)
+    end
+
+    # GET `remove` is paired with POST `destroy``.
+    def self.remove_password(...)
+      ::Booth::Userland::Passwords::Remove.call(...)
+    end
+
+    def self.destroy_password(...)
+      ::Booth::Userland::Passwords::Destroy.call(...)
+    end
+
+    # Webauth Actions
+
+    def self.index_webauth(...)
+      ::Booth::Userland::Webauths::Index.call(...)
+    end
+
+    def self.sudo_webauth(...)
+      ::Booth::Userland::Webauths::Sudo.call(...)
+    end
+
+    def self.new_webauth(...)
+      ::Booth::Userland::Webauths::New.call(...)
+    end
+
+    def self.create_webauth(...)
+      ::Booth::Userland::Webauths::Create.call(...)
+    end
+
+    def self.destroy_webauth(...)
+      ::Booth::Userland::Webauths::Destroy.call(...)
+    end
+
+    # Webauth Helpers
+
+    # def self.should_add_more_authenticators?(...)
+    #   ::Booth::Userland::Webauths::ShouldAddMoreAuthenticators.call(...)
+    # end
+
+    # def self.only_one_passwordless_authenticator?(...)
+    #   index_webauth(...).authenticators.select(&:supports_user_verification?).size == 1
+    # end
+
+    # Personal Contest Actions
+
+    def self.show_personal_contest(...)
+      ::Booth::Userland::PersonalContests::Show.call(...)
+    end
+
+    def self.update_personal_contest(...)
+      ::Booth::Userland::PersonalContests::Update.call(...)
+    end
+
+    # Password Reset Actions
+
+    def self.new_password_reset(...)
+      ::Booth::Userland::PasswordResets::New.call(...)
+    end
+
+    def self.create_password_reset(...)
+      ::Booth::Userland::PasswordResets::Create.call(...)
+    end
+
+    def self.show_password_reset(...)
+      ::Booth::Userland::PasswordResets::Show.call(...)
+    end
+
+    def self.update_password_reset(...)
+      ::Booth::Userland::PasswordResets::Update.call(...)
+    end
+
+    # Recovery Actions
+
+    def self.new_recovery(...)
+      ::Booth::Userland::Recoveries::New.call(...)
+    end
+
+    def self.create_recovery(...)
+      ::Booth::Userland::Recoveries::Create.call(...)
+    end
+
+    # Registration Actions
+
+    def self.new_registration(...)
+      ::Booth::Userland::Registrations::New.call(...)
+    end
+
+    def self.create_registration(...)
+      ::Booth::Userland::Registrations::Create.call(...)
+    end
+
+    # Session Actions
+
+    def self.index_sessions(...)
+      ::Booth::Userland::Sessions::Index.call(...)
+    end
+
+    def self.other_sessions?(...)
+      index_sessions(...).reject(&:is_current).any?
+    end
+
+    def self.show_session(...)
+      ::Booth::Userland::Sessions::Show.call(...)
+    end
+
+    def self.destroy_session(...)
+      ::Booth::Userland::Sessions::DestroyOneOrOther.call(...)
+    end
+
+    def self.destroy_all_other_sessions(...)
+      ::Booth::Userland::Sessions::DestroyOneOrOther.call(...)
+    end
+
+    # General Helpers
+
+    def self.extract_flash_messages(...)
+      ::Booth::Userland::ExtractFlashMessages.call(...)
+    end
+  end
+end

data/lib/booth/version.rb

@@ -0,0 +1,3 @@
+module Booth
+  VERSION = '0.0.1'.freeze
+end

data/lib/booth/webauth/authentication_verification.rb

@@ -0,0 +1,68 @@
+module Booth
+  module Webauth
+    class AuthenticationVerification
+      include ::Booth::MethodObject
+      include ::Booth::Logging
+
+      option :request
+      option :credential_id
+      option :challenge
+
+      def call
+        raise 'this authenticator doesnt match the credential' if credential_id != authenticator.credential_id
+
+        debug do
+          "Verifying using challenge #{challenge.inspect} and public key #{authenticator.public_key.inspect} and sign count #{authenticator.sign_count.inspect}"
+        end
+        webauth.verify(
+          challenge,
+          public_key: authenticator.public_key,
+          sign_count: authenticator.sign_count
+        )
+        debug { 'Response successfully verified' }
+
+        authenticator.update!(sign_count: webauth.sign_count)
+        sudo.webauth!
+
+        Tron.success :webauth_authentication_verification_successful,
+                     credential: authenticator.credential,
+                     public_json: {},
+                     http_status: :created
+      rescue WebAuthn::SignCountVerificationError => e
+        # TODO
+        raise 'implement me, counter differed, not too bad?'
+      rescue WebAuthn::Error => e
+        debug { "Response verification failed: #{e.message}" }
+        # TODO: Audit but don't throttle?
+        Tron.failure :webauth_failed, public_json: {},
+                                      public_message: "Verification failed: #{e.message}",
+                                      http_status: :unprocessable_entity
+      rescue RuntimeError => e
+        # This happens e.g. if the param[:id] does not match the param[:rawId]
+        raise
+      ensure
+        sudo.webauthn_challenge = nil
+      end
+
+      private
+
+      delegate :sudo, to: :request
+
+      def webauth
+        # The route `/things/123` overrides the `param[:id]` with 123.
+        # But thankfully, webauth also sends the rawId, which is identical to the id.
+        # So we override `param[:id]` back to what the webauth JS client sent in.
+        # If we don't do this, the webauth ruby library will raise a RuntimeError,
+        # complaining that the `id` does not match the `rawId`.
+        params_with_correct_id = request.params.dup.merge(id: request.params[:rawId])
+        ::WebAuthn::Credential.from_get(params_with_correct_id)
+      end
+
+      def authenticator
+        device_id = Base64.strict_encode64(webauth.raw_id)
+        @authenticator ||= ::Booth::Models::Authenticator.where(credential_id:)
+                                                         .find_by!(device_id:)
+      end
+    end
+  end
+end

data/lib/booth/webauth/demand_user_verification.rb

@@ -0,0 +1,29 @@
+module Booth
+  module Webauth
+    class DemandUserVerification
+      include ::Booth::MethodObject
+
+      option :credential
+      option :force, default: -> { false }
+
+      def call
+        !!why?
+      end
+
+      private
+
+      def why?
+        return :forced if force.present?
+
+        # From scratch, you only have a username.
+        # Adding webauth in that situation would mean passwordless login.
+        return :first_time_passwordless if credential.mode_first_time?
+
+        # Passwordless always requires verification
+        return :passwordless if credential.mode_username_and_webauth?
+
+        false
+      end
+    end
+  end
+end

data/lib/booth/webauth/options_for_create.rb

@@ -0,0 +1,46 @@
+module Booth
+  module Webauth
+    class OptionsForCreate
+      include ::Booth::MethodObject
+
+      option :webauthn_id
+      option :username
+      option :requires_user_verification
+      option :device_ids_to_exclude, default: -> {}
+
+      def call
+        verify_setup
+
+        ::WebAuthn::Credential.options_for_create(
+          user: {
+            id: webauthn_id,
+            name: username
+            # Also supports `display_name: "..."`
+          },
+          authenticator_selection: { user_verification: },
+          # Use the following instead, if you want to force device-internal authenticators and forbid USB etc.
+          # authenticator_selection: { user_verification:, authenticator_attachment: 'platform' },
+          exclude: device_ids_to_exclude
+        )
+      end
+
+      private
+
+      # See https://caniuse.com/mdn-api_publickeycredentialrequestoptions_userverification
+      # Can be turned off with `:discouraged`
+      def user_verification
+        requires_user_verification ? :required : :discouraged
+      end
+
+      def requires_user_verification?
+        !!requires_user_verification
+      end
+
+      def verify_setup
+        return if WebAuthn.configuration.rp_name.present?
+
+        raise ::Booth::Errors::MissingRelyingParty
+      end
+    end
+  end
+end

data/lib/booth/webauth/options_for_get.rb

@@ -0,0 +1,29 @@
+module Booth
+  module Webauth
+    class OptionsForGet
+      include ::Booth::MethodObject
+
+      option :allowed_device_ids
+      option :requires_user_verification
+
+      def call
+        WebAuthn::Credential.options_for_get(
+          allow: allowed_device_ids,
+          user_verification: user_verification_value
+        )
+      end
+
+      private
+
+      # See https://caniuse.com/mdn-api_publickeycredentialrequestoptions_userverification
+      # Can be turned off with `:discouraged`
+      def user_verification_value
+        requires_user_verification ? :required : :discouraged
+      end
+
+      def requires_user_verification?
+        !!requires_user_verification
+      end
+    end
+  end
+end