booth 0.0.1

data/lib/booth/errors.rb

@@ -0,0 +1,86 @@
+module Booth
+  module Errors
+    class Error < ::StandardError
+    end
+
+    # --------------------
+    # Categories of Errors
+    # --------------------
+
+    # Developer integrated Booth in a wrong way.
+    class Integration < ::Booth::Errors::Error
+    end
+
+    # Browser submits invalid data.
+    class BadRequest < ::Booth::Errors::Error
+    end
+
+    # Something inside of Booth went wrong.
+    class Internal < ::Booth::Errors::Error
+    end
+
+    # ------------------------------
+    # Developer integration mistakes
+    # ------------------------------
+
+    class InvalidScopeSyntax < ::Booth::Errors::Integration
+      def initialize(scope)
+        super("Invalid scope name: #{scope.inspect}")
+      end
+    end
+
+    class NotAuthenticated < ::Booth::Errors::Integration
+      def initialize(message = 'This controller action must only be reachable for authenticated users. ' \
+                               'Protect it for example with `before_action :require_authentication`')
+        super
+      end
+    end
+
+    class MissingRelyingParty < ::Booth::Errors::Integration
+      def initialize(message = 'Please configure a name for the relying party in the `webauth` gem. ' \
+                               "For example `WebAuthn.configuration.rp_name = 'My Homepage'`")
+        super
+      end
+    end
+
+    # -----------
+    # Bad Request
+    # -----------
+
+    class MustBeHtml < ::Booth::Errors::BadRequest
+      def initialize(message = 'This feature is only reachable in the format HTML')
+        super
+      end
+    end
+
+    class MustBeJson < ::Booth::Errors::BadRequest
+      def initialize(message = 'This feature is only reachable in the format JSON')
+        super
+      end
+    end
+
+    class MustBeGet < ::Booth::Errors::BadRequest
+      def initialize(message = 'This feature is only reachable via GET')
+        super
+      end
+    end
+
+    class MustBePost < ::Booth::Errors::BadRequest
+      def initialize(message = 'This feature is only reachable via POST')
+        super
+      end
+    end
+
+    class MustBePatch < ::Booth::Errors::BadRequest
+      def initialize(message = 'This feature is only reachable via PATCH')
+        super
+      end
+    end
+
+    class MustBeDelete < ::Booth::Errors::BadRequest
+      def initialize(message = 'This feature is only reachable via DELETE')
+        super
+      end
+    end
+  end
+end

data/lib/booth/geolocation.rb

@@ -0,0 +1,20 @@
+module Booth
+  module Geolocation
+    def self.lookup(ip)
+      return 'localhost' if ip.to_s == '127.0.0.1' || ip.to_s == '::1'
+
+      record = reader&.city(ip.to_s)
+      (record&.city || record&.subdivision || record&.country || record&.continent)&.name
+    end
+
+    def self.reader
+      return unless defined?(MaxMind::GeoIP2::Reader)
+
+      @reader ||= MaxMind::GeoIP2::Reader.new(database: database_path.to_s)
+    end
+
+    def self.database_path
+      Rails.root.join('db/GeoLite2-City.mmdb')
+    end
+  end
+end

data/lib/booth/hooks/after_fetch.rb

@@ -0,0 +1,54 @@
+module Booth
+  module Hooks
+    class AfterFetch
+      include ::Booth::MethodObject
+      include ::Booth::Logging
+
+      option :passport
+      option :warden
+      option :options
+
+      def call
+        if passport.revoked_at
+          debug { "Your session in scope #{scope.inspect} was revoked at #{passport.revoked_at}. Logging you out." }
+          request.authentication.logout
+        else
+          debug { "Registering activity of legitimate session in scope #{scope.inspect} with IP #{request.ip}..." }
+          register_activity
+        end
+
+        nil
+      end
+
+      private
+
+      def register_activity
+        ::Booth::Models::Session.where(id: passport.id).update_all(
+          ['activity_at = ?, ' \
+           'agent = ?, ' \
+           'location = ?, ' \
+           'most_recent_ip = ?, ' \
+           'historical_locations = historical_locations || hstore(?, ?), ' \
+           'historical_ips = historical_ips || hstore(?, ?)',
+           Time.current,
+           request.agent,
+           request.location,
+           request.ip,
+           request.ip,
+           request.location,
+           request.ip,
+           Time.current.to_i.to_s]
+        )
+      end
+
+      def request
+        @request ||= ::Booth::Request.new(request: warden.request,
+                                          scope:)
+      end
+
+      def scope
+        options[:scope]
+      end
+    end
+  end
+end

data/lib/booth/hooks/before_logout.rb

@@ -0,0 +1,29 @@
+module Booth
+  module Hooks
+    class BeforeLogout
+      include ::Booth::MethodObject
+      include ::Booth::Logging
+
+      option :passport
+      option :warden
+      option :options
+
+      def call
+        return unless passport # Attempting to logout when already logged out.
+
+        debug { "Revoking Session with ID #{passport.id} in scope #{scope.inspect} because of logout" }
+
+        ::Booth::Models::Session.where(id: passport.id)
+                                .update_all(revoked_at: Time.current, revoke_reason: :logout)
+
+        nil
+      end
+
+      private
+
+      def scope
+        options[:scope]
+      end
+    end
+  end
+end

data/lib/booth/hooks/serialize_from_session.rb

@@ -0,0 +1,24 @@
+module Booth
+  module Hooks
+    class SerializeFromSession
+      include ::Booth::MethodObject
+      include ::Booth::Logging
+
+      param :session_id
+
+      def call
+        ::Booth::Syntaxes::Uuid.call(session_id, raise_if_invalid: true)
+
+        session = ::Booth::Models::Session.active_scope.find_by(id: session_id)
+
+        unless session
+          debug { "Session ID #{session_id.inspect} stored in the cookie, but doesn't exist in the database" }
+          return
+        end
+
+        debug { "Deserializing Session #{session_id.inspect} information into Warden..." }
+        ::Booth::Sessions::ToPassport.call(session)
+      end
+    end
+  end
+end

data/lib/booth/hooks/serialize_into_session.rb

@@ -0,0 +1,14 @@
+module Booth
+  module Hooks
+    class SerializeIntoSession
+      include ::Booth::MethodObject
+
+      param :passport
+
+      def call
+        # This is the ID of the `Booth::Models::Session`.
+        passport.id
+      end
+    end
+  end
+end

data/lib/booth/logger.rb

@@ -0,0 +1,41 @@
+module Booth
+  # TODO: Not sure we need this. Do we need this, or can `Logging` do the delegation
+  # to the upstream logger by itself?
+  class Logger
+    def initialize(thing)
+      @name = if thing == Class || thing.is_a?(Module) || thing.is_a?(String)
+                thing.to_s
+              else
+                thing.class.to_s
+              end
+    end
+
+    def debug(&)
+      logger&.debug(name, &)
+    end
+
+    def info(&)
+      logger&.info(name, &)
+    end
+
+    def warn(&)
+      logger&.warn(name, &)
+    end
+
+    def error(&)
+      logger&.error(name, &)
+    end
+
+    def fatal(&)
+      logger&.fatal(name, &)
+    end
+
+    private
+
+    attr_reader :name
+
+    def logger
+      ::Booth.config.logger
+    end
+  end
+end

data/lib/booth/logging.rb

@@ -0,0 +1,59 @@
+module Booth
+  module Logging
+    extend ActiveSupport::Concern
+
+    # TODO: Implement only generic `log` method to avoid cluttering the Object where this was included.
+    #       We only use `debug` anyway.
+    class_methods do
+      def debug(&)
+        _logger.debug(&)
+      end
+
+      def info(&)
+        _logger.info(&)
+      end
+
+      def warn(&)
+        _logger.warn(&)
+      end
+
+      def error(&)
+        _logger.error(&)
+      end
+
+      def fatal(&)
+        _logger.fatal(&)
+      end
+
+      def _logger
+        ::Booth::Logger.new(self)
+      end
+    end
+
+    private
+
+    def debug(&)
+      _logger.debug(&)
+    end
+
+    def info(&)
+      _logger.info(&)
+    end
+
+    def warn(&)
+      _logger.warn(&)
+    end
+
+    def error(&)
+      _logger.error(&)
+    end
+
+    def fatal(&)
+      _logger.fatal(&)
+    end
+
+    def _logger
+      @_logger ||= ::Booth::Logger.new(self)
+    end
+  end
+end

data/lib/booth/method_object.rb

@@ -0,0 +1,73 @@
+# Copyright 2018 Bukowskis https://github.com/bukowskis/method_object
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+module Booth
+  module MethodObject
+    def self.included(base)
+      base.extend Dry::Initializer
+      base.extend ClassMethods
+      base.send(:private_class_method, :new)
+    end
+
+    module ClassMethods
+      def call(*args, **kwargs, &)
+        __check_for_unknown_options(*args, **kwargs)
+
+        if kwargs.empty?
+          # Preventing `Passing the keyword argument as the last hash parameter is deprecated`
+          new(*args).call(&)
+        else
+          new(*args, **kwargs).call(&)
+        end
+      end
+
+      # Overriding the implementation of `#param` in the `dry-initializer` gem.
+      # Because of the positioning of multiple params, params can never be omitted in a method object.
+      def param(name, type = nil, **opts, &)
+        raise ArgumentError, "Default value for param not allowed - #{name}" if opts.key? :default
+        raise ArgumentError, "Optional params not supported - #{name}" if opts.fetch(:optional, false)
+
+        super
+      end
+
+      def __check_for_unknown_options(*args, **kwargs)
+        return if __defined_options.empty?
+
+        # Checking params
+        opts = args.drop(__defined_params.length).first || kwargs
+        raise ArgumentError, "Unexpected argument #{opts}" unless opts.is_a? Hash
+
+        # Checking options
+        unknown_options = opts.keys - __defined_options
+        message = "Key(s) #{unknown_options} not found in #{__defined_options}"
+        raise KeyError, message if unknown_options.any?
+      end
+
+      def __defined_options
+        dry_initializer.options.map(&:source)
+      end
+
+      def __defined_params
+        dry_initializer.params.map(&:source)
+      end
+    end
+  end
+end

data/lib/booth/mode.rb

@@ -0,0 +1,22 @@
+module Booth
+  module Mode
+    def self.find(symbol)
+      return if symbol.to_s == 'first_time'
+
+      all.detect { _1.id.to_s == symbol.to_s } || raise("Unknown Booth Mode: #{symbol.inspect}")
+    end
+
+    def self.wrap(input)
+      Array(input).map { find(_1) }.sort
+    end
+
+    def self.all
+      [
+        ::Booth::Modes::UsernameAndWebauth, # Recommended for convenience
+        ::Booth::Modes::UsernamePasswordAndWebauth, # Most secure
+        ::Booth::Modes::UsernamePasswordAndOtp, # If you don't have a hardware key
+        ::Booth::Modes::UsernameAndPassword, # Discouraged
+      ]
+    end
+  end
+end

data/lib/booth/models/application_record.rb

@@ -0,0 +1,7 @@
+module Booth
+  module Models
+    class ApplicationRecord < ::ActiveRecord::Base
+      self.abstract_class = true
+    end
+  end
+end

data/lib/booth/models/audit.rb

@@ -0,0 +1,24 @@
+module Booth
+  module Models
+    class Audit < ::Booth::Models::ApplicationRecord
+      self.table_name = 'booth_audits'
+
+      enum event: { added_otp: 'added_otp',
+                    changed_otp: 'changed_otp',
+                    completed_onboarding: 'completed_onboarding',
+                    entered_correct_password: 'entered_correct_password',
+                    entered_wrong_otp: 'entered_wrong_otp',
+                    entered_wrong_password: 'entered_wrong_password',
+                    logout: 'logout',
+                    queried_unknown_username: 'queried_unknown_username',
+                    requested_password_reset: 'requested_password_reset' },
+           _prefix: true
+
+      belongs_to :credential, class_name: '::Booth::Models::Credential', optional: true
+
+      validates :ip, :event, presence: true
+
+      scope :visible_scope, -> { where(deleted_at: nil) }
+    end
+  end
+end

data/lib/booth/models/authenticator.rb

@@ -0,0 +1,45 @@
+module Booth
+  module Models
+    class Authenticator < ::Booth::Models::ApplicationRecord
+      include ::Booth::Logging
+
+      self.table_name = 'booth_authenticators'
+
+      belongs_to :credential, class_name: '::Booth::Models::Credential'
+
+      validates :credential_id, uniqueness: { scope: :webauthn_id }
+      validates :webauthn_id, presence: true, uniqueness: true
+      validates :nickname, length: { minimum: 3, maximum: 40 }, allow_blank: true
+
+      before_validation :ensure_webauthn_id
+      # before_validation :derive_registration_challenge
+      # before_destroy :keep_at_least_one_authenticator
+
+      scope :registered_scope, -> { where.not(confirmed_at: nil) }
+      scope :supports_user_verification_scope, -> { where(supports_user_verification: true) }
+      scope :sorted_scope, -> { order(:nickname) }
+
+      def generate_webauth_id
+        self.webauthn_id = ::WebAuthn.generate_user_id
+      end
+
+      def confirmed?
+        confirmed_at.present?
+      end
+
+      def step
+        ::Booth::Authenticators::Step.call(self)
+      end
+
+      private
+
+      # delegate :recommended_user_verification, to: :credential
+
+      def ensure_webauthn_id
+        return if webauthn_id.present?
+
+        generate_webauth_id
+      end
+    end
+  end
+end

data/lib/booth/models/concerns/modeable.rb

@@ -0,0 +1,50 @@
+module Booth
+  module Models
+    module Concerns
+      module Modeable
+        extend ActiveSupport::Concern
+
+        included do
+          enum mode: { first_time: 'first_time',
+                       username_and_password: 'username_and_password',
+                       username_password_and_otp: 'username_password_and_otp',
+                       username_password_and_webauth: 'username_password_and_webauth',
+                       username_and_webauth: 'username_and_webauth' },
+               _prefix: true
+
+          validates :mode, presence: true, inclusion: { in: modes.keys }
+          validates :mode, inclusion: { in: -> { ['first_time'] + _1.allowed_modes } }
+
+          before_validation :ensure_mode
+        end
+
+        def requires_user_verification?
+          # Passwordless login should always require user presence
+          !mode_username_password_and_webauth?
+        end
+
+        def allows_mode_username_and_password?
+          allowed_modes.include?('username_and_password')
+        end
+
+        def allows_mode_username_password_and_otp?
+          allowed_modes.include?('username_password_and_otp')
+        end
+
+        def allows_mode_username_password_and_webauth?
+          allowed_modes.include?('username_password_and_webauth')
+        end
+
+        def allows_mode_username_and_webauth?
+          allowed_modes.include?('username_and_webauth')
+        end
+
+        private
+
+        def ensure_mode
+          self.mode ||= 'first_time'
+        end
+      end
+    end
+  end
+end

data/lib/booth/models/concerns/otpable.rb

@@ -0,0 +1,37 @@
+module Booth
+  module Models
+    module Concerns
+      module Otpable
+        extend ActiveSupport::Concern
+
+        included do
+          # See https://github.com/heapsource/active_model_otp/blob/master/lib/active_model/one_time_password.rb
+          has_one_time_password length: otp_digits
+        end
+
+        class_methods do
+          def otp_digits
+            6
+          end
+        end
+
+        def authenticate_otp(code)
+          super(code, drift: 30.seconds)
+        end
+
+        def otp_provisioning_url
+          raise "Expected #{self} to respond to #scope" unless respond_to?(:scope)
+
+          provisioning_uri(username, issuer: ::Booth.config.otp_issuer(scope:), digits: otp_digits)
+        end
+
+        def otp_provisioning_svg
+          qr = ::RQRCode::QRCode.new(otp_provisioning_url, level: :l)
+          # See https://whomwah.github.io/rqrcode/
+          qr.as_svg use_path: false,
+                    viewbox: true, fill: 'fff', offset: 5, module_size: 8, svg_attributes: { 'data-booth' => :otpqr }
+        end
+      end
+    end
+  end
+end

data/lib/booth/models/concerns/passwordable.rb

@@ -0,0 +1,58 @@
+module Booth
+  module Models
+    module Concerns
+      module Passwordable
+        extend ActiveSupport::Concern
+
+        included do
+          # See https://github.com/rails/rails/blob/master/activemodel/lib/active_model/secure_password.rb
+          has_secure_password
+
+          define_method('password=') do |unencrypted_password|
+            # We auto-assign a random password before validation.
+            # If a non-empty password was explicitly assigned, then we should not generate a random password.
+            @apparently_wants_no_password = unencrypted_password.blank?
+
+            # See https://github.com/rails/rails/issues/34348#issuecomment-615856794
+            super(unencrypted_password.presence)
+          end
+
+          validates :password, length: { minimum: password_minlength }, allow_blank: true
+          # Don't say anything about breaches if the password was already too short to be accepted.
+          validates :password, not_pwned: {
+                                 on_error: :valid,
+                                 request_options: {
+                                   read_timeout: 3,
+                                   open_timeout: 1
+                                 },
+                               },
+                               allow_blank: true,
+                               if: proc { _1.errors.empty? }
+
+          before_validation :ensure_initial_password
+        end
+
+        class_methods do
+          def password_minlength
+            8
+          end
+
+          # See https://support.1password.com/compatible-website-design
+          # See https://developer.apple.com/password-rules
+          def passwordrules
+            "minlength: #{password_minlength}; maxlength: #{::ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED};"
+          end
+        end
+
+        private
+
+        def ensure_initial_password
+          return if password_digest.present?
+          return if @apparently_wants_no_password
+
+          self.password = ::SecureRandom.alphanumeric(::ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED)
+        end
+      end
+    end
+  end
+end