booth 0.0.1

data/lib/booth/adminland/onboardings/create.rb

@@ -0,0 +1,63 @@
+module Booth
+  module Adminland
+    module Onboardings
+      class Create
+        include ::Booth::MethodObject
+        include ::Booth::Logging
+
+        option :credential_id
+
+        def call
+          find_action.on_success { validate_action }
+                     .on_success { save_action }
+        end
+
+        private
+
+        def find_action
+          if credential
+            debug { "Found the credential with id #{credential_id.inspect}, deleting any current onboardings" }
+            ::Booth::Models::Onboarding.where(credential_id: credential.id).destroy_all
+            Tron.success :credential_exists
+          else
+            warn { "Could not find credential with id #{credential_id.inspect}" }
+            Tron.failure :credential_not_found
+          end
+        end
+
+        def validate_action
+          if onboarding.valid?
+            debug { 'The new onboarding record is valid' }
+            Tron.success :record_is_valid
+          else
+            debug { "The new onboarding record is invalid: #{onboarding.errors.full_messages.to_sentence}" }
+            Tron.failure :invalid_record, message: onboarding.errors.full_messages.to_sentence
+          end
+        end
+
+        def save_action
+          if onboarding.save
+            debug { 'Successfully persisted a new onboarding record' }
+            Tron.success :onboarding_created, id: onboarding.id, credential_id: credential.id,
+                                              secret_key: onboarding.secret_key
+          else
+            debug { 'Could not persist a new onboarding record' }
+            Tron.failure :persistence_failed, message: onboarding.errors.full_messages.to_sentence
+          end
+        end
+
+        def credential
+          return @credential if defined?(@credential)
+
+          @credential = ::Booth::Models::Credential.find_by(id: credential_id)
+        end
+
+        def onboarding
+          @onboarding ||= ::Booth::Models::Onboarding.new(
+            credential_id:
+          )
+        end
+      end
+    end
+  end
+end

data/lib/booth/adminland/onboardings/destroy.rb

@@ -0,0 +1,50 @@
+module Booth
+  module Adminland
+    module Onboardings
+      class Destroy
+        include ::Booth::Logging
+        include ::Booth::MethodObject
+
+        option :id, as: :raw_id
+
+        def call
+          do_verify_id
+            .on_success { do_find_record }
+            .on_success { do_destroy_record }
+        end
+
+        def do_verify_id
+          return Tron.success :valid_id_syntax if id
+
+          debug { "Invalid Onboarding ID #{raw_id.inspect}" }
+          Tron.failure :invalid_id_syntax, id:, credential_id: nil
+        end
+
+        def do_find_record
+          return Tron.success :record_found if record
+
+          debug { "Could not find Onboarding with ID #{id.inspect}" }
+          Tron.failure :onboarding_not_found, id: nil, credential_id: nil
+        end
+
+        def do_destroy_record
+          return Tron.success(:onboarding_deleted, id: record.id, credential_id:) if record.destroy
+
+          Tron.failure :could_not_delete_onboarding, id: record.id, credential_id:
+        end
+
+        private
+
+        delegate :credential_id, to: :record, allow_nil: true
+
+        def id
+          ::Booth::Syntaxes::Uuid.call(raw_id, raise_if_invalid: false).uuid
+        end
+
+        def record
+          @record ||= ::Booth::Models::Onboarding.find_by(id:)
+        end
+      end
+    end
+  end
+end

data/lib/booth/adminland/onboardings/find.rb

@@ -0,0 +1,93 @@
+module Booth
+  module Adminland
+    module Onboardings
+      class Find
+        include ::Booth::Logging
+        include ::Booth::MethodObject
+
+        option :id, default: -> {}
+        option :credential_id, default: -> {}, as: :raw_credential_id
+        option :raise_if_missing, default: -> { false }
+        option :only_unused, default: -> { false }
+
+        def call
+          do_check_id
+            .on_success { do_find_onboarding }
+            .on_success { do_check_used }
+            .on_success { do_serialize_onboarding }
+        end
+
+        private
+
+        def do_check_id
+          return Tron.success(:id_is_valid) if onboarding_id || credential_id
+
+          Tron.failure :no_id_provided, record: nil
+        end
+
+        def do_find_onboarding
+          @onboarding = if onboarding_id
+                          ::Booth::Models::Onboarding.find_by(id: onboarding_id)
+                        else
+                          ::Booth::Models::Onboarding.find_by(credential_id:)
+                        end
+
+          return Tron.success :onboarding_exists if @onboarding
+
+          if onboarding_id
+            debug { "Couldn't find Onboarding with ID #{onboarding_id.inspect}" }
+          else
+            debug { "Couldn't find Onboarding with credential ID #{credential_id.inspect}" }
+          end
+
+          result = Tron.failure :onboarding_not_found, provided_onboarding_id: id.inspect,
+                                                       provided_credential_id: raw_credential_id.inspect,
+                                                       record: nil
+          raise result if raise_if_missing
+
+          result
+        end
+
+        def do_check_used
+          return Tron.success :onboarding_is_new if @onboarding.step == :choose_mode
+          return Tron.success :we_allow_used_onboardings unless only_unused
+
+          error = Tron.failure(:onboarding_already_used, provided_onboarding_id: id.inspect,
+                                                         provided_credential_id: raw_credential_id.inspect,
+                                                         record: nil)
+          raise error if raise_if_missing
+
+          error
+        end
+
+        def do_serialize_onboarding
+          attributes = @onboarding.attributes
+                                  .symbolize_keys
+                                  .slice(:id, :credential_id, :secret_key, :accessed_at, :mode)
+                                  .merge(additional_attributes)
+
+          debug { "Onboarding found ID #{@onboarding.id.inspect} and Credential ID #{@onboarding.credential_id.inspect}" }
+          Tron.success(:onboarding_found, record: ::Booth::ToStruct.call(attributes))
+        end
+
+        # Helpers
+
+        def onboarding_id
+          ::Booth::Syntaxes::Uuid.call(id, raise_if_invalid: false).uuid
+        end
+
+        def credential_id
+          ::Booth::Syntaxes::Uuid.call(raw_credential_id, raise_if_invalid: false).uuid
+        end
+
+        def additional_attributes
+          {
+            step: @onboarding.step,
+            username: @onboarding.username,
+            is_completed: @onboarding.completed?,
+          }
+        end
+      end
+    end
+  end
+end

data/lib/booth/adminland/onboardings/index.rb

@@ -0,0 +1,23 @@
+module Booth
+  module Adminland
+    module Onboardings
+      class Index
+        include ::Booth::MethodObject
+
+        option :scope, ->(scope) { ::Booth::Syntaxes::Scope.call(scope).normalized_scope }
+
+        def call
+          Tron.success(:all_onboardings, records:)
+        end
+
+        private
+
+        def records
+          ::Booth::Models::Onboarding.includes_scope
+                                     .sorted_scope
+                                     .where(credential: { scope: })
+        end
+      end
+    end
+  end
+end

data/lib/booth/adminland/periodic_cleanup.rb

@@ -0,0 +1,11 @@
+module Booth
+  module Adminland
+    class PeriodicCleanup
+      include ::Booth::MethodObject
+
+      def call
+        # TODO
+      end
+    end
+  end
+end

data/lib/booth/adminland/recoveries/consume.rb

@@ -0,0 +1,70 @@
+module Booth
+  module Adminland
+    module Recoveries
+      # When sending out username recovery emails,
+      # this class helps to keep the sending mechanism idempodent.
+      class Consume
+        include ::Booth::MethodObject
+        include ::Booth::Logging
+
+        option :recovery_id
+        option :credential_id
+
+        def call
+          do_find_recovery
+            .on_success { do_find_credential }
+            .on_success { do_check_eligibility }
+            .on_success { do_consume }
+        end
+
+        private
+
+        def do_find_recovery
+          debug { "Looking for Recovery with ID #{recovery_id.inspect}" }
+          @recovery = ::Booth::Models::Recovery.find_by(id: recovery_id)
+
+          if @recovery
+            debug { 'Recovery was found' }
+            return Tron.success :recovery_exists
+          end
+
+          debug { 'Did not find Recovery' }
+          Tron.failure :recovery_not_found, provided_id: recovery_id.inspect
+        end
+
+        def do_find_credential
+          debug { "Looking for Credential with ID #{credential_id.inspect}" }
+          @credential = ::Booth::Models::Credential.find_by(id: credential_id)
+
+          if @credential
+            debug { 'Credential was found' }
+            return Tron.success :credential_exists
+          end
+
+          debug { 'Did not find Credential' }
+          Tron.failure :credential_not_found, provided_id: credential_id.inspect
+        end
+
+        def do_check_eligibility
+          return Tron.failure :already_consumed if @recovery.consumed?
+
+          return Tron.failure :already_revoked if @recovery.revoked?
+
+          Tron.success :can_be_consumed
+        end
+
+        def do_consume
+          @recovery.transaction do
+            @recovery.update! consumed_at: Time.current
+
+            @recovery.other_recoveries_with_this_scope_and_email
+                     .update_all revoked_at: Time.current # rubocop:disable Rails/SkipsModelValidations
+          end
+
+          Tron.success :recovery_consumed, email: @recovery.email,
+                                           username: @credential.username
+        end
+      end
+    end
+  end
+end

data/lib/booth/adminland.rb

@@ -0,0 +1,48 @@
+module Booth
+  module Adminland
+    # ------------------
+    # Credential Helpers
+    # ------------------
+
+    def self.create_credential(...)
+      ::Booth::Adminland::Credentials::Create.call(...)
+    end
+
+
+    # ------------------
+    # Onboarding Helpers
+    # ------------------
+
+    def self.create_onboarding(...)
+      ::Booth::Adminland::Onboardings::Create.call(...)
+    end
+
+    def self.destroy_onboarding(...)
+      ::Booth::Adminland::Onboardings::Destroy.call(...)
+    end
+
+    def self.find_onboarding(...)
+      ::Booth::Adminland::Onboardings::Find.call(...)
+    end
+
+    def self.find_onboarding_for_mail_delivery(id:)
+      ::Booth::Adminland::Onboardings::Find.call(id:, only_unused: true, raise_if_missing: true)
+    end
+
+    def self.index_onboardings(...)
+      ::Booth::Adminland::Onboardings::Index.call(...)
+    end
+
+
+
+    # Other
+
+    def self.consume_recovery(...)
+      ::Booth::Adminland::Recoveries::Consume.call(...)
+    end
+
+    def self.periodic_cleanup(...)
+      ::Booth::Adminland::PeriodicCleanup.call(...)
+    end
+  end
+end

data/lib/booth/audits/register/added_otp.rb

@@ -0,0 +1,22 @@
+module Booth
+  module Audits
+    module Register
+      class AddedOtp
+        include ::Booth::MethodObject
+
+        option :credential
+        option :ip
+        option :agent
+
+        def call
+          ::Booth::Models::Audit.create! credential: credential,
+                                         ip: ip,
+                                         agent: agent,
+                                         event: :added_otp
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/booth/audits/register/changed_otp.rb

@@ -0,0 +1,22 @@
+module Booth
+  module Audits
+    module Register
+      class ChangedOtp
+        include ::Booth::MethodObject
+
+        option :credential
+        option :ip
+        option :agent
+
+        def call
+          ::Booth::Models::Audit.create! credential: credential,
+                                         ip: ip,
+                                         agent: agent,
+                                         event: :changed_otp
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/booth/audits/register/completed_onboarding.rb

@@ -0,0 +1,22 @@
+module Booth
+  module Audits
+    module Register
+      class CompletedOnboarding
+        include ::Booth::MethodObject
+
+        option :credential
+        option :ip
+        option :agent
+
+        def call
+          ::Booth::Models::Audit.create! credential: credential,
+                                         ip: ip,
+                                         agent: agent,
+                                         event: :completed_onboarding
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/booth/audits/register/correct_otp.rb

@@ -0,0 +1,42 @@
+module Booth
+  module Audits
+    module Register
+      class CorrectOtp
+        include ::Booth::MethodObject
+        include ::Booth::Logging
+
+        option :credential
+        option :ip
+        option :agent
+
+        def call
+          ::Booth::Models::Audit.transaction do
+            register_attempt!
+            clear_failed_attempts!
+          end
+
+          nil
+        end
+
+        private
+
+        def register_attempt!
+          debug { "Auditing correct OTP for credential `#{credential.id}` and IP `#{ip}`" }
+
+          ::Booth::Models::Audit.create! credential:,
+                                         ip:,
+                                         agent:,
+                                         event: :entered_correct_password
+        end
+
+        def clear_failed_attempts!
+          debug { "Redeeming all failed OTP attempts for credential `#{credential.id}`" }
+
+          ::Booth::Models::Audit.where(credential:)
+                                .where(event: :entered_wrong_otp)
+                                .update_all(deleted_at: Time.current) # rubocop:disable Rails/SkipsModelValidations
+        end
+      end
+    end
+  end
+end

data/lib/booth/audits/register/correct_password.rb

@@ -0,0 +1,43 @@
+module Booth
+  module Audits
+    module Register
+      class CorrectPassword
+        include ::Booth::MethodObject
+        include ::Booth::Logging
+
+        option :credential
+        option :ip
+        option :agent
+
+        def call
+          ::Booth::Models::Audit.transaction do
+            register_attempt!
+            clear_failed_attempts!
+          end
+
+          nil
+        end
+
+        private
+
+        def register_attempt!
+          debug { "Auditing correct password for credential `#{credential.id}` and IP `#{ip}`" }
+
+          ::Booth::Models::Audit.create! credential:,
+                                         ip:,
+                                         agent:,
+                                         event: :entered_correct_password
+        end
+
+        def clear_failed_attempts!
+          debug { "Redeeming failed password attempts for credential `#{credential.id}` and IP `#{ip}`" }
+
+          ::Booth::Models::Audit.where(credential:)
+                                .where(ip:)
+                                .where(event: :entered_wrong_password)
+                                .update_all(deleted_at: Time.current) # rubocop:disable Rails/SkipsModelValidations
+        end
+      end
+    end
+  end
+end

data/lib/booth/audits/register/logout.rb

@@ -0,0 +1,22 @@
+module Booth
+  module Audits
+    module Register
+      class Logout
+        include ::Booth::MethodObject
+
+        option :credential
+        option :ip
+        option :agent
+
+        def call
+          ::Booth::Models::Audit.create! credential: credential,
+                                         ip: ip,
+                                         agent: agent,
+                                         event: :logout
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/booth/audits/register/requested_password_reset.rb

@@ -0,0 +1,22 @@
+module Booth
+  module Audits
+    module Register
+      class RequestedPasswordReset
+        include ::Booth::MethodObject
+
+        option :credential
+        option :ip
+        option :agent
+
+        def call
+          ::Booth::Models::Audit.create! credential: credential,
+                                         ip: ip,
+                                         agent: agent,
+                                         event: :requested_password_reset
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/booth/audits/register/wrong_otp.rb

@@ -0,0 +1,22 @@
+module Booth
+  module Audits
+    module Register
+      class WrongOtp
+        include ::Booth::MethodObject
+
+        option :credential
+        option :ip
+        option :agent
+
+        def call
+          ::Booth::Models::Audit.create! credential: credential,
+                                         ip: ip,
+                                         agent: agent,
+                                         event: :entered_wrong_otp
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/booth/audits/register/wrong_password.rb

@@ -0,0 +1,25 @@
+module Booth
+  module Audits
+    module Register
+      class WrongPassword
+        include ::Booth::MethodObject
+        include ::Booth::Logging
+
+        option :credential
+        option :ip
+        option :agent
+
+        def call
+          debug { 'Auditing wrong password...' }
+
+          ::Booth::Models::Audit.create! credential: credential,
+                                         ip: ip,
+                                         agent: agent,
+                                         event: :entered_wrong_password
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/booth/authenticators/confirm.rb

@@ -0,0 +1,34 @@
+module Booth
+  module Authenticators
+    class Confirm
+      include ::Booth::MethodObject
+      include ::Booth::Logging
+
+      option :authenticator
+      option :sign_count
+
+      def call
+        raise 'Authenticator is already confirmed' if authenticator.confirmed_at
+
+        debug { 'Confirming Authenticator...' }
+        authenticator.transaction do
+          authenticator.update! sign_count: sign_count,
+                                confirmed_at: Time.current
+
+          authenticator.credential.update! mode: new_mode
+        end
+
+        Tron.success :confirmation_successful
+      rescue ActiveRecord::ActiveRecordError => e
+        error { e }
+        Tron.failure :confirmation_failed
+      end
+
+      private
+
+      def new_mode
+        ::Booth::Authenticators::CredentialModeAfterConfirmation.call(authenticator:)
+      end
+    end
+  end
+end

data/lib/booth/authenticators/credential_mode_after_confirmation.rb

@@ -0,0 +1,25 @@
+module Booth
+  module Authenticators
+    class CredentialModeAfterConfirmation
+      include ::Booth::MethodObject
+
+      option :authenticator
+
+      def call
+        return :username_and_webauth if credential.mode_username_and_webauth?
+        return :username_password_and_webauth if credential.mode_username_password_and_webauth?
+
+        return :username_and_webauth if credential.mode_first_time? &&
+                                        authenticator.supports_user_verification?
+
+        return :username_password_and_webauth if credential.mode_username_and_password? ||
+                                                 credential.mode_username_password_and_otp?
+
+        raise "Cannot add webauth for credential #{credential.id} with mode #{credential.mode} " \
+              "and authenticator #{authenticator.id} (user verification: #{authenticator.supports_user_verification?})"
+      end
+
+      delegate :credential, to: :authenticator
+    end
+  end
+end