booth 0.0.1

data/lib/booth/authenticators/step.rb

@@ -0,0 +1,19 @@
+module Booth
+  module Authenticators
+    class Step
+      include ::Booth::MethodObject
+
+      param :authenticator
+
+      def call
+        return :register if authenticator.device_id.blank? ||
+                            authenticator.public_key.blank? ||
+                            authenticator.sign_count.blank?
+        return :choose_nickname if authenticator.nickname.blank?
+        return :confirm if authenticator.confirmed_at.blank?
+
+        :completed
+      end
+    end
+  end
+end

data/lib/booth/concerns/action.rb

@@ -0,0 +1,58 @@
+module Booth
+  module Concerns
+    # An "Action" is something that is called from a Rails controller.#
+    # It contains all the logic that the controller action is supposed to execute.
+    # By convention the "authentication scope" and the "request object" are passed in.
+    module Action
+      extend ActiveSupport::Concern
+
+      included do
+        include ::Booth::Logging
+        include ::Booth::MethodObject
+
+        option :scope, ->(scope) { ::Booth::Syntaxes::Scope.call(scope).normalized_scope }
+        option :request, ::Booth::Request
+
+        delegate :params, to: :request, private: true
+      end
+
+      private
+
+      # ----------------
+      # May be overriden
+      # ----------------
+
+      def initialize_transition
+        transition.call(request:)
+      end
+
+      def after_transition; end
+
+      def transitions
+        raise "Implement `#transitions` in #{self}"
+      end
+
+      # ---------------
+      # Never overriden
+      # ---------------
+
+      # I found this to be a repetitive pattern, so I added this method in this concern.
+      # It makes the code a little harder to read but probably still more robust.
+      def do_transition
+        if transition
+          # debug { "Calling Transition #{transition}" }
+          result = initialize_transition
+          after_transition
+          return result
+        end
+
+        debug { 'No transition applies to these params' }
+        Tron.failure :unknown_transition
+      end
+
+      def transition
+        @transition ||= transitions.detect { _1.applicable?(params:) }
+      end
+    end
+  end
+end

data/lib/booth/concerns/transition.rb

@@ -0,0 +1,17 @@
+module Booth
+  module Concerns
+    # A `Booth::Action` usually consists of several `Booth::Transition`s.
+    module Transition
+      extend ActiveSupport::Concern
+
+      included do
+        include ::Booth::Logging
+        include ::Booth::MethodObject
+
+        option :request, ::Booth::Request
+
+        delegate :params, to: :request, private: true
+      end
+    end
+  end
+end

data/lib/booth/configuration.rb

@@ -0,0 +1,116 @@
+module Booth
+  # Holds global configuration parameters.
+  class Configuration
+    def otp_issuer(scope: :default)
+      @otp_issuers ||= {}
+
+      @otp_issuers[scope.to_sym].to_s.presence || 'Login'
+    end
+
+    def set_otp_issuer(new_issuer, scope: :default)
+      @otp_issuers ||= {}
+
+      @otp_issuers[scope.to_sym] = new_issuer
+    end
+
+    def otp_issuer=(new_issuer)
+      set_otp_issuer(new_issuer)
+    end
+
+    def logger
+      return if @no_logger
+
+      @logger || rails_logger
+    end
+
+    def logger=(new_logger)
+      @no_logger = new_logger.nil?
+      @logger = new_logger
+    end
+
+    def log_to_rails_and_stdout!
+      self.logger = Class.new do
+        def debug(...)
+          ::Booth.config.send(:rails_logger).debug(...)
+          ::Booth.config.send(:stdout_logger).debug(...)
+        end
+
+        def warn(...)
+          ::Booth.config.send(:rails_logger).warn(...)
+          ::Booth.config.send(:stdout_logger).warn(...)
+        end
+
+        def error(...)
+          ::Booth.config.send(:rails_logger).error(...)
+          ::Booth.config.send(:stdout_logger).error(...)
+        end
+      end.new
+    end
+
+    def interaction_timeout
+      20.minutes
+    end
+
+    def session_inactivity_lifetime
+      @session_inactivity_lifetime ||= 3.months
+    end
+
+    def session_inactivity_lifetime=(new_lifetime)
+      @session_inactivity_lifetime = new_lifetime
+    end
+
+    def password_reset_window
+      2.hours
+    end
+
+    def onboarding_window
+      1.week
+    end
+
+    def otp_digits
+      6
+    end
+
+    def contest_digits
+      6
+    end
+
+    private
+
+    # The standard Rails logger does not show `progname`.
+    # But it's a helpful feature, so we add it manually to the message.
+    def rails_logger
+      @rails_logger ||= Class.new do
+        def debug(progname, &block)
+          ::Rails.logger.debug { "#{ActiveSupport::LogSubscriber.new.send(:color, progname, :blue)} - #{block.call}" }
+        end
+
+        def info(progname, &block)
+          ::Rails.logger.info { "#{ActiveSupport::LogSubscriber.new.send(:color, progname, :blue)} - #{block.call}" }
+        end
+
+        def warn(progname, &block)
+          ::Rails.logger.warn { "#{ActiveSupport::LogSubscriber.new.send(:color, progname, :blue)} - #{block.call}" }
+        end
+
+        def error(progname, &block)
+          ::Rails.logger.error { "#{ActiveSupport::LogSubscriber.new.send(:color, progname, :blue)} - #{block.call}" }
+        end
+      end.new
+    end
+
+    def stdout_logger
+      return @stdout_logger if defined?(@stdout_logger)
+
+      @stdout_logger = ::Logger.new($stdout)
+      @stdout_logger.formatter = stdout_logger_formatter
+      @stdout_logger
+    end
+
+    def stdout_logger_formatter
+      proc do |severity, _, progname, message|
+        [severity.rjust(5), progname, '-', message, "\n"].join(' ')
+      end
+    end
+  end
+end

data/lib/booth/configure.rb

@@ -0,0 +1,37 @@
+module Booth
+  # Lazy-loads and returns the global configuration instance.
+  #
+  # @example
+  #   Booth.config.logger = MyLogger.new
+  #
+  # @return [Booth::Configuration]
+  # @see .configure
+  #
+  def self.config
+    @config ||= ::Booth::Configuration.new
+  end
+
+  # Yields the configuration instance.
+  #
+  # @example
+  #   Booth.configure do |config|
+  #     config.logger = MyLogger.new
+  #   end
+  #
+  # @yieldparam [Booth::Configuration] config global configuration instance.
+  # @see .config
+  #
+  def self.configure
+    yield config
+  end
+
+  # Resets the configuration.
+  #
+  # @note This is useful for testing, since the configuration is global
+  #   and persists across tests.
+  # @api private
+  #
+  def self.reset!
+    @configs = nil
+  end
+end

data/lib/booth/contests/get.rb

@@ -0,0 +1,36 @@
+module Booth
+  module Contests
+    class Get
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :credential_id
+
+      def call
+        return Tron.failure :contest_not_found unless contest
+
+        Tron.success :found_recent_contest,
+                     formatted_code: contest.formatted_code,
+                     normalized_code: contest.code,
+                     reason: contest.reason.to_sym,
+                     ip: contest.ip,
+                     agent: contest.agent.presence,
+                     location: contest.location.presence,
+                     recently_responded: contest.recently_responded?,
+                     browser_name: contest.browser_name,
+                     platform_name: contest.platform_name,
+                     browser_image_path: contest.browser_image_path,
+                     platform_image_path: contest.platform_image_path
+      end
+
+      private
+
+      def contest
+        return @contest if defined?(@contest)
+
+        @contest = ::Booth::Models::Contest.recently_created_scope
+                                           .find_by(credential_id:)
+      end
+    end
+  end
+end

data/lib/booth/contests/respond.rb

@@ -0,0 +1,78 @@
+module Booth
+  module Contests
+    class Respond
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :scope
+      option :contest
+      option :request
+
+      def call
+        do_find_contest
+          .on_success { do_check_timeout }
+          .on_success { do_check_scope }
+          .on_success { do_check_already_responded }
+          .on_success { do_check_code_syntax }
+          .on_success { do_respond }
+      end
+
+      private
+
+      delegate :credential, to: :contest, private: true
+
+      def do_find_contest
+        return Tron.success :contest_exists if contest
+
+        Tron.failure :missing_contest
+      end
+
+      def do_check_timeout
+        return Tron.success :contested_recently if contest.recently_created?
+
+        debug { 'This contest timed out' }
+        Tron.failure :contest_timed_out,
+                     lifespan: contest.lifespan,
+                     public_message: I18n.t('booth.contest_timed_out', lifespan_minutes: contest.lifespan.seconds / 60)
+      end
+
+      def do_check_scope
+        ::Booth::Syntaxes::ScopeComparison.call this: scope, that: credential.scope
+      end
+
+      def do_check_already_responded
+        return Tron.success :ok_waiting_for_response if contest.responded_at.blank?
+
+        debug { "This contest has already been responded to #{contest.responded_at.inspect}" }
+        Tron.failure :already_responded, public_message: I18n.t('booth.already_responded_to_contest')
+      end
+
+      def do_check_code_syntax
+        check = ::Booth::Syntaxes::ContestCode.call(code_param)
+
+        check.on_success do
+          @normalized_code = check.normalized_contest_code
+        end
+
+        check
+      end
+
+      def do_respond
+        return Tron.failure :no_response_needed unless contest.reason.to_sym == :login
+
+        if @normalized_code == contest.code
+          debug { "The code #{@normalized_code} was accepted, persisting positive response..." }
+          contest.update!(responded_at: Time.current)
+          return Tron.success :response_code_accepted,
+                              public_message: I18n.t('booth.contest_response_accepted')
+        end
+
+        Tron.failure :wrong_code, public_message: I18n.t('booth.wrong_response_code')
+      end
+
+      def code_param
+        request.params.require(:response).permit(:code)[:code]
+      end
+    end
+  end
+end

data/lib/booth/contests/set_for_login.rb

@@ -0,0 +1,28 @@
+module Booth
+  module Contests
+    class SetForLogin
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :credential_id
+      option :request
+
+      def call
+        contest = nil
+
+        ::Booth::Models::ApplicationRecord.transaction do
+          ::Booth::Models::Contest.where(credential_id:).delete_all
+
+          contest = ::Booth::Models::Contest.create!(
+            credential_id:,
+            reason: :login,
+            ip: request.ip,
+            agent: request.agent
+          )
+        end
+
+        Tron.success :contest_created, contest:
+      end
+    end
+  end
+end

data/lib/booth/cooldowns/distance_of_time.rb

@@ -0,0 +1,46 @@
+module Booth
+  module Cooldowns
+    class DistanceOfTime
+      include ::Booth::MethodObject
+
+      option :from
+      option :till
+
+      def call
+        result = []
+        result.push("#{distance_in_hours} h") if show_hours?
+        result.push("#{distance_in_minutes} min") if show_minutes?
+        result.push("#{distance_in_seconds} s") if show_seconds?
+        result.join(' ')
+      end
+
+      def show_hours?
+        distance_in_hours.positive?
+      end
+
+      def show_minutes?
+        return false if (((till - from).abs % 3600) / 60) < 1
+
+        distance_in_minutes.nonzero?
+      end
+
+      def show_seconds?
+        return true if distance_in_seconds < 60
+
+        distance_in_hours.zero? && distance_in_minutes.zero?
+      end
+
+      def distance_in_hours
+        ((till - from).abs / 3600).floor
+      end
+
+      def distance_in_minutes
+        (((till - from).abs % 3600) / 60).round
+      end
+
+      def distance_in_seconds
+        (till - from).abs.round
+      end
+    end
+  end
+end

data/lib/booth/cooldowns/otp.rb

@@ -0,0 +1,22 @@
+module Booth
+  module Cooldowns
+    class Otp
+      include ::Booth::MethodObject
+
+      option :credential
+
+      def call
+        ::Booth::Cooldowns::Strategies::Global.call scope:,
+                                                    max_attempts: 10
+      end
+
+      private
+
+      def scope
+        ::Booth::Models::Audit.visible_scope
+                              .event_entered_wrong_otp
+                              .where(credential:)
+      end
+    end
+  end
+end

data/lib/booth/cooldowns/password.rb

@@ -0,0 +1,44 @@
+module Booth
+  module Cooldowns
+    class Password
+      include ::Booth::MethodObject
+
+      option :ip
+      option :credential
+
+      def call
+        # No limit for logins where hardware tokens are required.
+        return Tron.success :cool_for_webauth if credential.mode_username_and_webauth?
+        return Tron.success :cool_for_password_and_webauth if credential.mode_username_password_and_webauth?
+
+        if credential.mode_username_password_and_otp?
+          do_check_exponentially
+        else
+          do_check_globally
+        end
+      end
+
+      private
+
+      def do_check_exponentially
+        ::Booth::Cooldowns::Strategies::Exponential.call scope: base_scope
+      end
+
+      def do_check_globally
+        ::Booth::Cooldowns::Strategies::Global.call scope: ip_range_scope, max_attempts: 10
+      end
+
+      # Scopes
+
+      def ip_range_scope
+        base_scope.where('ip << ?', "#{ip}/24")
+      end
+
+      def base_scope
+        ::Booth::Models::Audit.visible_scope
+                              .event_entered_wrong_password
+                              .where(credential:)
+      end
+    end
+  end
+end

data/lib/booth/cooldowns/password_reset.rb

@@ -0,0 +1,24 @@
+module Booth
+  module Cooldowns
+    # Throttles how often you can generate a password reset link.
+    # Note that this does not reveal whether we know the email address or not,
+    # because it throttles the attempts per Credential (i.e. username).
+    class PasswordReset
+      include ::Booth::MethodObject
+
+      option :credential
+
+      def call
+        ::Booth::Cooldowns::Strategies::Exponential.call scope:
+      end
+
+      private
+
+      def scope
+        ::Booth::Models::Audit.visible_scope
+                              .event_requested_password_reset
+                              .where(credential:)
+      end
+    end
+  end
+end

data/lib/booth/cooldowns/strategies/exponential.rb

@@ -0,0 +1,82 @@
+module Booth
+  module Cooldowns
+    module Strategies
+      class Exponential
+        include ::Booth::MethodObject
+        include ::Booth::Logging
+
+        option :scope
+
+        def call
+          return limit_not_yet_reached! if seconds_to_wait.zero?
+
+          limit_reached!
+        end
+
+        private
+
+        def limit_reached!
+          debug { "Wait #{seconds_to_wait}/#{waiting_period} sec for #{number_of_incidents} incidents" }
+          public_message = I18n.t('booth.try_again_cooldown', distance_of_time_until_cooldown:)
+
+          ::Booth::Cooldowns::Strategies::Result.failure(
+            public_message:,
+            attempts_left: 999_999,
+            cooldown_at:,
+            number_of_incidents:
+          )
+        end
+
+        def limit_not_yet_reached!
+          debug { 'No need to wait' }
+
+          ::Booth::Cooldowns::Strategies::Result.success(
+            public_message: nil,
+            attempts_left: 999_999,
+            number_of_incidents:
+          )
+        end
+
+        # Calculation Helpers
+
+        def cooldown_at
+          seconds_to_wait.from_now
+        end
+
+        def seconds_to_wait
+          return 0 unless newest_timestamp
+
+          candidate = newest_timestamp.to_i + waiting_period - Time.current.to_i
+          return 0 if candidate.negative?
+
+          candidate
+        end
+
+        def waiting_period
+          return 2.years if number_of_incidents > 9
+
+          # This effectively implies less than 10 attempts.
+          (5**number_of_incidents).seconds
+        end
+
+        # Queries
+
+        def number_of_incidents
+          @number_of_incidents ||= scope.count
+        end
+
+        def newest_timestamp
+          return @newest_timestamp if defined? @newest_timestamp
+
+          @newest_timestamp = scope.maximum(:created_at)
+        end
+
+        # Helpers
+
+        def distance_of_time_until_cooldown
+          ::Booth::Cooldowns::DistanceOfTime.call(from: Time.current, till: cooldown_at)
+        end
+      end
+    end
+  end
+end

data/lib/booth/cooldowns/strategies/global.rb

@@ -0,0 +1,62 @@
+module Booth
+  module Cooldowns
+    module Strategies
+      class Global
+        include ::Booth::MethodObject
+        include ::Booth::Logging
+
+        option :scope
+        option :max_attempts
+
+        def call
+          if number_of_incidents >= max_attempts
+            limit_reached!
+          else
+            limit_not_yet_reached!
+          end
+        end
+
+        private
+
+        def limit_reached!
+          debug { "Limited globally #{number_of_incidents}/#{max_attempts}" }
+
+          ::Booth::Cooldowns::Strategies::Result.failure(
+            public_message: I18n.t('booth.permanently_blocked'),
+            attempts_left:,
+            cooldown_at: nil,
+            number_of_incidents:
+          )
+        end
+
+        def limit_not_yet_reached!
+          debug { "Not yet globally limited #{number_of_incidents}/#{max_attempts}" }
+
+          ::Booth::Cooldowns::Strategies::Result.success(
+            public_message:,
+            attempts_left:,
+            number_of_incidents:
+          )
+        end
+
+        def public_message
+          return if number_of_incidents.zero?
+
+          if attempts_left == 1
+            I18n.t 'booth.last_attempt'
+          else
+            I18n.t 'booth.attempts_left', attempts_left:
+          end
+        end
+
+        def attempts_left
+          max_attempts - number_of_incidents
+        end
+
+        def number_of_incidents
+          @number_of_incidents ||= scope.count
+        end
+      end
+    end
+  end
+end

data/lib/booth/cooldowns/strategies/result.rb

@@ -0,0 +1,22 @@
+module Booth
+  module Cooldowns
+    module Strategies
+      # All strategies quack the same way.
+      module Result
+        def self.failure(number_of_incidents:, public_message:, cooldown_at:, attempts_left:)
+          Tron.failure :hot, public_message:,
+                             cooldown_at:,
+                             attempts_left:,
+                             number_of_incidents:
+        end
+
+        def self.success(public_message:, number_of_incidents:, attempts_left:)
+          Tron.success :cool, number_of_incidents:,
+                              cooldown_at: nil,
+                              public_message:,
+                              attempts_left:
+        end
+      end
+    end
+  end
+end