booth 0.0.1

data/lib/booth/credentials/create.rb

@@ -0,0 +1,28 @@
+module Booth
+  module Credentials
+    class Create
+      include ::Booth::MethodObject
+      include ::Booth::Logging
+
+      option :username
+      option :allowed_modes
+      option :scope, default: -> { :default }
+
+      def call
+        if credential.save
+          debug { "Successfully persisted a new Booth::Models::Credential record with ID #{credential.id.inspect}" }
+          Tron.success :credential_created, credential:
+        else
+          debug { 'Could not persist a new Booth::Models::Credential record' }
+          Tron.failure :persistence_failed, error: credential.errors.full_messages.to_sentence
+        end
+      end
+
+      private
+
+      def credential
+        @credential ||= ::Booth::Models::Credential.new(username:, allowed_modes:, scope:)
+      end
+    end
+  end
+end

data/lib/booth/credentials/create_with_onboarding.rb

@@ -0,0 +1,26 @@
+module Booth
+  module Credentials
+    class CreateWithOnboarding
+      include ::Booth::MethodObject
+      include ::Booth::Logging
+
+      option :username
+      option :allowed_modes
+      option :scope, default: -> { :default }
+
+      def call
+        creation = ::Booth::Credentials::Create.call(username:, allowed_modes:, scope:)
+
+        creation.on_success do
+          onboarding = creation.credential.create_onboarding!
+
+          return Tron.success :credential_with_onboarding_created,
+                              credential: creation.credential,
+                              onboarding:
+        end
+
+        creation
+      end
+    end
+  end
+end

data/lib/booth/credentials/find_by_username.rb

@@ -0,0 +1,45 @@
+module Booth
+  module Credentials
+    class FindByUsername
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :username
+
+      def call
+        do_check_username_syntax
+          .on_success { do_find_credential }
+      end
+
+      private
+
+      def do_check_username_syntax
+        checking = ::Booth::Syntaxes::Username.call(username)
+        @normalized_username = checking.normalized_username
+        @normalized_invalid_username = checking.normalized_invalid_username
+
+        checking
+      end
+
+      def do_find_credential
+        if credential
+          Tron.success :found_existing_credential, credential: credential,
+                                                   normalized_username: @normalized_username,
+                                                   normalized_invalid_username: @normalized_invalid_username
+        else
+          Tron.failure :credential_not_found, normalized_username: @normalized_username,
+                                              normalized_invalid_username: @normalized_invalid_username,
+                                              public_message: I18n.t('booth.unknown_username')
+        end
+      end
+
+      # Helpers
+
+      def credential
+        return @credential if defined?(@credential)
+
+        @credential = ::Booth::Models::Credential.find_by(username: @normalized_username)
+      end
+    end
+  end
+end

data/lib/booth/credentials/mode.rb

@@ -0,0 +1,69 @@
+module Booth
+  module Credentials
+    class Mode
+      include ::Booth::Logging
+
+      def initialize(credential)
+        @credential = credential
+      end
+
+      # OTP
+
+      def otp_addable?
+        ::Booth::Credentials::Modes::OtpAddable.call(credential)
+      end
+
+      def otp_changeable?
+        ::Booth::Credentials::Modes::OtpChangeable.call(credential)
+      end
+
+      def otp_removable?
+        ::Booth::Credentials::Modes::OtpRemovable.call(credential)
+      end
+
+      def otp_manageable?
+        ::Booth::Credentials::Modes::OtpManageable.call(credential)
+      end
+
+      # Password
+
+      def password_addable?
+        ::Booth::Credentials::Modes::PasswordAddable.call(credential)
+      end
+
+      def password_changeable?
+        ::Booth::Credentials::Modes::PasswordChangeable.call(credential)
+      end
+
+      def password_removable?
+        ::Booth::Credentials::Modes::PasswordRemovable.call(credential)
+      end
+
+      def password_removal_requires_user_verifiable_webauth?
+        ::Booth::Credentials::Modes::PasswordRemovalRequiresUserVerifiableWebauth.call(credential)
+      end
+
+      def password_manageable?
+        ::Booth::Credentials::Modes::PasswordManageable.call(credential)
+      end
+
+      # Webauth
+
+      def webauth_addable?
+        ::Booth::Credentials::Modes::WebauthAddable.call(credential)
+      end
+
+      def webauth_removable?
+        ::Booth::Credentials::Modes::WebauthRemovable.call(credential)
+      end
+
+      def webauth_manageable?
+        ::Booth::Credentials::Modes::WebauthManageable.call(credential)
+      end
+
+      private
+
+      attr_reader :credential
+    end
+  end
+end

data/lib/booth/credentials/modes/otp_addable.rb

@@ -0,0 +1,23 @@
+module Booth
+  module Credentials
+    module Modes
+      class OtpAddable
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          !why_not?
+        end
+
+        private
+
+        def why_not?
+          return :first_time_credential if credential.mode_first_time?
+          return :already_exists if credential.mode_username_password_and_otp?
+          return :otp_not_allowed unless credential.allows_mode_username_password_and_otp?
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/otp_changeable.rb

@@ -0,0 +1,23 @@
+module Booth
+  module Credentials
+    module Modes
+      class OtpChangeable
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          !why_not?
+        end
+
+        private
+
+        def why_not?
+          return :first_time_credential if credential.mode_first_time?
+          return :no_otp_in_use unless credential.mode_username_password_and_otp?
+          return :otp_deprecated unless credential.allows_mode_username_password_and_otp?
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/otp_manageable.rb

@@ -0,0 +1,17 @@
+module Booth
+  module Credentials
+    module Modes
+      class OtpManageable
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          ::Booth::Credentials::Modes::OtpAddable.call(credential) ||
+            ::Booth::Credentials::Modes::OtpChangeable.call(credential) ||
+            ::Booth::Credentials::Modes::OtpRemovable.call(credential)
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/otp_removable.rb

@@ -0,0 +1,23 @@
+module Booth
+  module Credentials
+    module Modes
+      class OtpRemovable
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          !why_not?
+        end
+
+        private
+
+        def why_not?
+          return :first_time_credential if credential.mode_first_time?
+          return :otp_not_in_use unless credential.mode_username_password_and_otp?
+          return :otp_required unless credential.allows_mode_username_and_password?
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/password_addable.rb

@@ -0,0 +1,29 @@
+module Booth
+  module Credentials
+    module Modes
+      class PasswordAddable
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          !why_not?
+        end
+
+        private
+
+        def why_not?
+          return :first_time_credential_is_passwordless if credential.mode_first_time? &&
+                                                           !credential.mode_username_and_password? &&
+                                                           !credential.mode_username_password_and_otp? &&
+                                                           !credential.mode_username_password_and_webauth?
+          return :password_with_username_in_use if credential.mode_username_and_password?
+          return :password_with_otp_in_use if credential.mode_username_password_and_otp?
+          return :password_with_webauth_in_use if credential.mode_username_password_and_webauth?
+
+          return :not_allowed_with_webauth unless credential.allows_mode_username_password_and_webauth?
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/password_changeable.rb

@@ -0,0 +1,31 @@
+module Booth
+  module Credentials
+    module Modes
+      class PasswordChangeable
+        include ::Booth::Logging
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          !why_not?
+        end
+
+        private
+
+        def why_not?
+          return :first_time_credential if credential.mode_first_time?
+          return :username_and_password_deprecated if credential.mode_username_and_password? &&
+                                                      !credential.allows_mode_username_and_password?
+          return :username_and_password_and_otp_deprecated if credential.mode_username_password_and_otp? &&
+                                                              !credential.allows_mode_username_password_and_otp?
+          return :username_password_and_webauth_deprecated if credential.mode_username_password_and_webauth? &&
+                                                              !credential.allows_mode_username_password_and_webauth?
+          return :password_not_in_use unless credential.mode_username_and_password? ||
+                                             credential.mode_username_password_and_otp? ||
+                                             credential.mode_username_password_and_webauth?
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/password_manageable.rb

@@ -0,0 +1,17 @@
+module Booth
+  module Credentials
+    module Modes
+      class PasswordManageable
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          ::Booth::Credentials::Modes::PasswordAddable.call(credential) ||
+            ::Booth::Credentials::Modes::PasswordChangeable.call(credential) ||
+            ::Booth::Credentials::Modes::PasswordRemovable.call(credential)
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/password_removable.rb

@@ -0,0 +1,24 @@
+module Booth
+  module Credentials
+    module Modes
+      class PasswordRemovable
+        include ::Booth::Logging
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          !why_not?
+        end
+
+        private
+
+        def why_not?
+          return :first_time_credential if credential.mode_first_time?
+          return :webauth_needed unless credential.mode_username_password_and_webauth?
+          return :not_downgradable unless credential.allows_mode_username_and_webauth?
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/password_removal_requires_user_verifiable_webauth.rb

@@ -0,0 +1,16 @@
+module Booth
+  module Credentials
+    module Modes
+      class PasswordRemovalRequiresUserVerifiableWebauth
+        include ::Booth::Logging
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          ::Booth::Credentials::Modes::PasswordRemovable.call(credential) == :need_user_verifiable_authenticators
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/webauth_addable.rb

@@ -0,0 +1,26 @@
+module Booth
+  module Credentials
+    module Modes
+      class WebauthAddable
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          !why_not?
+        end
+
+        private
+
+        def why_not?
+          return :first_time_credential_needs_password if credential.mode_first_time? &&
+                                                          !credential.allows_mode_username_and_webauth?
+
+          return :webauth_not_allowed unless credential.mode_first_time? ||
+                                             credential.allows_mode_username_password_and_webauth? ||
+                                             credential.allows_mode_username_and_webauth?
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/webauth_manageable.rb

@@ -0,0 +1,16 @@
+module Booth
+  module Credentials
+    module Modes
+      class WebauthManageable
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          ::Booth::Credentials::Modes::WebauthAddable.call(credential) ||
+            ::Booth::Credentials::Modes::WebauthRemovable.call(credential)
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/modes/webauth_removable.rb

@@ -0,0 +1,25 @@
+module Booth
+  module Credentials
+    module Modes
+      class WebauthRemovable
+        include ::Booth::MethodObject
+
+        param :credential
+
+        def call
+          return true if credential.authenticators.registered_scope.size > 1
+
+          !why_not?
+        end
+
+        private
+
+        def why_not?
+          return :first_time_credential if credential.mode_first_time?
+          return :webauth_not_secondary_factor unless credential.mode_username_password_and_webauth?
+          return :webauth_as_secondary_required unless credential.allows_mode_username_and_password?
+        end
+      end
+    end
+  end
+end

data/lib/booth/credentials/otp_authentication.rb

@@ -0,0 +1,59 @@
+module Booth
+  module Credentials
+    class OtpAuthentication
+      include ::Booth::MethodObject
+      include ::Booth::Logging
+
+      option :credential
+      option :code
+      option :ip
+      option :agent
+
+      def call
+        do_check_otp_code_syntax
+          .on_success { do_check_cooldown }
+          .on_success { do_check_code }
+      end
+
+      private
+
+      def do_check_otp_code_syntax
+        check = ::Booth::Syntaxes::Otp.call(code)
+        return check if check.failure?
+
+        @normalized_otp_code = check.normalized_otp
+        check
+      end
+
+      def do_check_cooldown
+        ::Booth::Cooldowns::Otp.call credential:
+      end
+
+      def do_check_code
+        return correct_code! if credential.authenticate_otp(@normalized_otp_code)
+
+        wrong_code!
+      end
+
+      def correct_code!
+        debug { 'The provided OTP is correct' }
+        ::Booth::Audits::Register::CorrectOtp.call credential: credential,
+                                                   ip: ip,
+                                                   agent: agent
+        Tron.success :correct_otp
+      end
+
+      def wrong_code!
+        debug { "The provided OTP #{@normalized_otp_code} is wrong. It should have been #{credential.otp_code}" }
+        ::Booth::Audits::Register::WrongOtp.call credential: credential,
+                                                 ip: ip,
+                                                 agent: agent
+
+        cooldown = ::Booth::Cooldowns::Otp.call credential: credential
+        return Tron.failure(:wrong_password, public_message: I18n.t('booth.wrong_otp')) if cooldown.success?
+
+        cooldown
+      end
+    end
+  end
+end

data/lib/booth/credentials/password_authentication.rb

@@ -0,0 +1,72 @@
+module Booth
+  module Credentials
+    class PasswordAuthentication
+      include ::Booth::MethodObject
+      include ::Booth::Logging
+
+      option :credential
+      option :password
+      option :ip
+      option :agent
+
+      def call
+        do_check_blank_password
+          .on_success { do_check_too_short_password }
+          .on_success { do_check_cooldown }
+          .on_success { do_check_password }
+      end
+
+      private
+
+      def do_check_blank_password
+        return Tron.success :password_is_present if password.present?
+
+        debug { 'The provided password is blank' }
+        Tron.failure :blank_password, public_message: I18n.t('booth.blank_password')
+      end
+
+      def do_check_too_short_password
+        return Tron.success :password_is_long_enough if password.to_s.length >= credential.class.password_minlength
+
+        debug { 'The provided password is too short' }
+        Tron.failure :short_password, public_message: I18n.t('booth.short_password',
+                                                             minlength: credential.class.password_minlength)
+      end
+
+      def do_check_cooldown
+        cooldown = ::Booth::Cooldowns::Password.call(ip:, credential:)
+        return cooldown if cooldown.success?
+
+        cooldown.public_message.prepend "#{I18n.t('booth.attempt_was_ignored')} "
+        cooldown
+      end
+
+      def do_check_password
+        return correct_pasword! if credential.authenticate(password)
+
+        wrong_password!
+      end
+
+      def correct_pasword!
+        debug { 'The provided password is correct' }
+        ::Booth::Audits::Register::CorrectPassword.call credential: credential,
+                                                        ip: ip,
+                                                        agent: agent
+        Tron.success :correct_password
+      end
+
+      def wrong_password!
+        debug { 'The provided password is wrong' }
+        ::Booth::Audits::Register::WrongPassword.call credential: credential,
+                                                      ip: ip,
+                                                      agent: agent
+
+        cooldown = ::Booth::Cooldowns::Password.call ip: ip, credential: credential
+        return Tron.failure(:wrong_password, public_message: I18n.t('booth.wrong_password')) if cooldown.success?
+
+        cooldown.public_message.prepend "#{I18n.t('booth.wrong_password')} "
+        cooldown
+      end
+    end
+  end
+end

data/lib/booth/credentials/webauth_challenge.rb

@@ -0,0 +1,28 @@
+module Booth
+  module Credentials
+    # See https://github.com/cedarcode/webauthn-rails-demo-app/blob/d9b73e20a7272e8d9f7a26c48ec49e5100295939/app/controllers/sessions_controller.rb#L7-L23
+    class WebauthChallenge
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :credential
+
+      def call
+        return Tron.failure :missing_credential, challenge: nil if credential.nil?
+        return Tron.failure :no_known_authenticators, challenge: nil if credential.registered_authenticator_ids.blank?
+
+        Tron.success :here_is_your_challenge, options_for_get: options_for_get.to_json,
+                                              challenge: options_for_get.challenge
+      end
+
+      private
+
+      def options_for_get
+        @options_for_get ||= ::Booth::Webauth::OptionsForGet.call(
+          allowed_device_ids: credential.registered_authenticator_ids,
+          requires_user_verification: credential.requires_user_verification?
+        )
+      end
+    end
+  end
+end

data/lib/booth/engine.rb

@@ -0,0 +1,25 @@
+module Booth
+  class Engine < ::Rails::Engine
+    initializer 'booth.add_manifest' do |app|
+      app.config.assets.precompile << 'booth_manifest.js'
+    end
+
+    initializer 'booth.insert_warden_middleware' do |app|
+      app.config.middleware.insert_after ::ActionDispatch::Flash, ::Warden::Manager do |manager|
+        manager.intercept_401 = false
+        manager.serialize_into_session { ::Booth::Hooks::SerializeIntoSession.call(_1) }
+        manager.serialize_from_session { ::Booth::Hooks::SerializeFromSession.call(_1) }
+      end
+    end
+
+    initializer 'booth.register_warden_hooks' do
+      ::Warden::Manager.after_fetch do |passport, warden, options|
+        ::Booth::Hooks::AfterFetch.call passport:, warden:, options:
+      end
+
+      ::Warden::Manager.before_logout do |passport, warden, options|
+        ::Booth::Hooks::BeforeLogout.call passport:, warden:, options:
+      end
+    end
+  end
+end