booth 0.0.1

data/lib/booth/models/contest.rb

@@ -0,0 +1,55 @@
+module Booth
+  module Models
+    class Contest < ::Booth::Models::ApplicationRecord
+      self.table_name = 'booth_contests'
+
+      belongs_to :credential
+
+      before_validation :ensure_code
+      before_validation :update_location
+
+      validates :credential_id, :code, :ip, presence: true
+      validates :credential_id, uniqueness: true
+      validates :reason, presence: true, inclusion: %w[login support]
+
+      scope :recently_created_scope, -> { ::Booth::Models::Contests::Scopes::RecentlyCreated.scope(self) }
+      scope :recently_responded_scope, -> { ::Booth::Models::Contests::Scopes::RecentlyResponded.scope(self) }
+
+      delegate :browser_name, :platform_name, :browser_image_path, :platform_image_path, to: :user_agent
+
+      def self.lifespan
+        ::Booth.config.interaction_timeout
+      end
+
+      def formatted_code
+        code.to_s.scan(/.{1,3}/).join(' ').presence
+      end
+
+      def recently_created?
+        ::Booth::Models::Contests::Scopes::RecentlyCreated.call(self)
+      end
+
+      def recently_responded?
+        ::Booth::Models::Contests::Scopes::RecentlyResponded.call(self)
+      end
+
+      def lifespan
+        self.class.lifespan
+      end
+
+      private
+
+      def ensure_code
+        self.code ||= 6.times.map { rand(0..9) }.join
+      end
+
+      def update_location
+        self.location = ::Booth::Geolocation.lookup(ip)
+      end
+
+      def user_agent
+        @user_agent = ::Booth::Models::UserAgent.new(agent)
+      end
+    end
+  end
+end

data/lib/booth/models/contests/scopes/recently_created.rb

@@ -0,0 +1,23 @@
+module Booth
+  module Models
+    module Contests
+      module Scopes
+        class RecentlyCreated
+          include ::Booth::MethodObject
+
+          param :contest
+
+          def self.scope(base)
+            base.where.not(created_at: nil)
+                .where('created_at > ?', ::Booth::Models::Contest.lifespan.ago)
+          end
+
+          def call
+            contest.created_at.present? &&
+              contest.created_at > ::Booth::Models::Contest.lifespan.ago
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/models/contests/scopes/recently_responded.rb

@@ -0,0 +1,32 @@
+module Booth
+  module Models
+    module Contests
+      module Scopes
+        class RecentlyResponded
+          include ::Booth::MethodObject
+
+          param :contest
+
+          def self.scope(base)
+            base.where.not(created_at: nil, responded_at: nil)
+                .where('created_at > ?', lifespan.ago)
+                .where('responded_at > ?', lifespan.ago)
+          end
+
+          def call
+            contest.created_at.present? &&
+              contest.responded_at.present? &&
+              contest.created_at > lifespan.ago &&
+              contest.responded_at > lifespan.ago
+          end
+
+          private
+
+          def lifespan
+            contest.class.lifespan
+          end
+        end
+      end
+    end
+  end
+end

data/lib/booth/models/credential.rb

@@ -0,0 +1,61 @@
+module Booth
+  module Models
+    class Credential < ::Booth::Models::ApplicationRecord
+      include ::Booth::Models::Concerns::Modeable
+      include ::Booth::Models::Concerns::Passwordable
+      include ::Booth::Models::Concerns::Otpable
+
+      self.table_name = 'booth_credentials'
+
+      has_one :contest, dependent: :destroy
+      has_one :onboarding, dependent: :destroy
+
+      has_many :audits, dependent: :destroy
+      has_many :authenticators, dependent: :destroy
+      has_many :password_resets, dependent: :destroy
+      has_many :sessions, dependent: :destroy
+
+      before_validation :normalize_username
+      before_validation :normalize_scope
+      before_validation :stringify_allowed_modes
+
+      validates :username, :scope, :allowed_modes, :mode, presence: true
+      validates :username, uniqueness: { scope: :scope }
+
+      validates_each :allowed_modes do |record, attr, value|
+        record.errors.add(attr, 'is invalid') unless value.all? { modes.keys.include?(_1) }
+      end
+
+      def remote_session_available?
+        sessions.active_scope.any?
+      end
+
+      def applicable_for_password_reset?
+        mode_username_and_password? ||
+          mode_username_password_and_otp? ||
+          mode_username_password_and_webauth?
+      end
+      alias passworded? applicable_for_password_reset?
+
+      def registered_authenticator_ids
+        authenticators.registered_scope
+                      .sorted_scope
+                      .pluck(:device_id)
+      end
+
+      private
+
+      def normalize_username
+        self.username = ::Booth::Syntaxes::Username.call(username).normalized_username
+      end
+
+      def normalize_scope
+        self.scope = ::Booth::Syntaxes::Scope.call(scope).normalized_scope
+      end
+
+      def stringify_allowed_modes
+        self.allowed_modes = Array(allowed_modes).map(&:to_s)
+      end
+    end
+  end
+end

data/lib/booth/models/onboarding.rb

@@ -0,0 +1,61 @@
+module Booth
+  module Models
+    class Onboarding < ::Booth::Models::ApplicationRecord
+      include ::Booth::Logging
+      include ::Booth::Models::Concerns::Modeable
+      include ::Booth::Models::Concerns::Passwordable
+      include ::Booth::Models::Concerns::Otpable
+
+      self.table_name = 'booth_onboardings'
+
+      belongs_to :credential, class_name: '::Booth::Models::Credential'
+
+      validates :credential_id, uniqueness: true
+      validates :webauthn_id, presence: true
+      validates :authenticator_nickname, length: { minimum: 3, maximum: 40 }, allow_blank: true
+
+      before_validation :ensure_webauthn_id
+
+      # See https://github.com/rails/rails/blob/main/activerecord/lib/active_record/secure_token.rb
+      has_secure_token :secret_key, length: 30
+      delegate :allowed_modes, :scope, :username, to: :credential
+
+      attr_accessor :otp_confirmation
+
+      scope :includes_scope, -> { includes(:credential) }
+      scope :sorted_scope, -> { order(:created_at) }
+
+      def step
+        ::Booth::Onboardings::Step.call(self)
+      end
+
+      def lifetime
+        ::Booth.config.onboarding_window
+      end
+
+      def completed?
+        step == :completed
+      end
+
+      def authenticator?
+        authenticator_public_key.present?
+      end
+
+      def propagated?
+        propagated_at.present?
+      end
+
+      def recently_created?
+        created_at > lifetime.ago
+      end
+
+      private
+
+      def ensure_webauthn_id
+        return if webauthn_id.present?
+
+        self.webauthn_id = ::WebAuthn.generate_user_id
+      end
+    end
+  end
+end

data/lib/booth/models/password_reset.rb

@@ -0,0 +1,41 @@
+module Booth
+  module Models
+    class PasswordReset < ::Booth::Models::ApplicationRecord
+      include ::Booth::Logging
+      include ::Booth::Models::Concerns::Passwordable
+
+      self.table_name = 'booth_password_resets'
+
+      def self.lifetime
+        ::Booth.config.password_reset_window
+      end
+
+      belongs_to :credential, class_name: '::Booth::Models::Credential'
+
+      validates :creator_ip, presence: true
+
+      # See https://github.com/rails/rails/blob/main/activerecord/lib/active_record/secure_token.rb
+      has_secure_token :secret_key, length: 30
+
+      def step
+        ::Booth::PasswordResets::Step.call(self)
+      end
+
+      def completed?
+        password_chosen_at.present? && password_confirmed_at.present?
+      end
+
+      def revoked?
+        revoked_at.present?
+      end
+
+      def recently_created?
+        created_at > self.class.lifetime.ago
+      end
+
+      def other_password_resets_of_this_credential
+        credential.password_resets.where.not(id:)
+      end
+    end
+  end
+end

data/lib/booth/models/recovery.rb

@@ -0,0 +1,32 @@
+module Booth
+  module Models
+    class Recovery < ::Booth::Models::ApplicationRecord
+      include ::Booth::Logging
+
+      self.table_name = 'booth_recoveries'
+
+      before_validation :normalize_email
+
+      def consumed?
+        consumed_at.present?
+      end
+
+      def revoked?
+        revoked_at.present?
+      end
+
+      def other_recoveries_with_this_scope_and_email
+        self.class
+            .where(scope:)
+            .where(email:)
+            .where.not(id:)
+      end
+
+      private
+
+      def normalize_email
+        self.email = ::Booth::Syntaxes::Email.call(email).normalized_email
+      end
+    end
+  end
+end

data/lib/booth/models/registration.rb

@@ -0,0 +1,10 @@
+module Booth
+  module Models
+    class Registration < ::Booth::Models::ApplicationRecord
+      include ::Booth::Logging
+      include ::Booth::Models::Concerns::ModeEnumerable
+
+      self.table_name = 'booth_registrations'
+    end
+  end
+end

data/lib/booth/models/session.rb

@@ -0,0 +1,47 @@
+module Booth
+  module Models
+    class Session < ::Booth::Models::ApplicationRecord
+      self.table_name = :booth_sessions
+
+      def self.lifetime
+        ::Booth.config.session_inactivity_lifetime
+      end
+
+      belongs_to :credential, class_name: '::Booth::Models::Credential'
+
+      before_create :ensure_activity_at
+      before_create :denormalize_and_geolocate_ip
+
+      # First of all it has to be not deleted, but also it must not be way too old.
+      scope :active_scope, -> { where(revoked_at: nil).where('activity_at > ?', lifetime.ago) }
+      scope :owned_by_scope, lambda { |credential_id:|
+        active_scope.where('credential_id = ? OR incognito_credential_id = ?', credential_id, credential_id)
+      }
+      scope :sorted_scope, -> { order(activity_at: :desc) }
+
+      delegate :browser_name, :platform_name, :browser_image_path, :platform_image_path, to: :user_agent
+
+      def historical_location_names
+        ::Booth::Sessions::HistoricalLocations.call(self)
+      end
+
+      private
+
+      def ensure_activity_at
+        self.activity_at = Time.current
+      end
+
+      # These attributes are later updated via SQL.
+      # This method here only sets the initial state.
+      def denormalize_and_geolocate_ip
+        self.location = ::Booth::Geolocation.lookup(most_recent_ip)
+        self.historical_locations = { most_recent_ip => location }
+        self.historical_ips = { most_recent_ip => Time.current.to_i }
+      end
+
+      def user_agent
+        @user_agent = ::Booth::Models::UserAgent.new(agent)
+      end
+    end
+  end
+end

data/lib/booth/models/user_agent.rb

@@ -0,0 +1,50 @@
+module Booth
+  module Models
+    class UserAgent
+      def initialize(agent_string)
+        @agent_string = agent_string
+      end
+
+      delegate :name, to: :browser, prefix: true
+
+      def platform_name
+        browser.platform.name
+      end
+
+      def browser_image_path
+        "booth/browsers/#{browser_id}.svg"
+      end
+
+      def platform_image_path
+        "booth/platforms/#{platform_id}.svg"
+      end
+
+      private
+
+      # Not sure if `https://github.com/podigee/device_detector` is better. Hard to tell.
+      def browser
+        @browser ||= ::Browser.new(@agent_string)
+      end
+
+      def browser_id
+        return :chrome if browser.chrome?
+        return :edge if browser.edge?
+        return :firefox if browser.firefox?
+        return :internet_explorer if browser.ie?
+        return :opera if browser.opera?
+        return :safari if browser.safari?
+
+        :unknown
+      end
+
+      def platform_id
+        return :android if browser.platform.android?
+        return :apple if browser.platform.ios? || browser.platform.mac?
+        return :linux if browser.platform.linux?
+        return :windows if browser.platform.windows?
+
+        :unknown
+      end
+    end
+  end
+end

data/lib/booth/modes/base.rb

@@ -0,0 +1,25 @@
+module Booth
+  module Modes
+    module Base
+      extend ActiveSupport::Concern
+
+      class_methods do
+        def id
+          self.to_s.demodulize.underscore
+        end
+
+        def title
+          I18n.t "booth.mode_#{id}_title"
+        end
+
+        def description
+          I18n.t "booth.mode_#{id}_description"
+        end
+
+        def <=>(other)
+          ::Booth::Mode.all.index(self) <=> ::Booth::Mode.all.index(other)
+        end
+      end
+    end
+  end
+end

data/lib/booth/modes/username_and_password.rb

@@ -0,0 +1,7 @@
+module Booth
+  module Modes
+    module UsernameAndPassword
+      include ::Booth::Modes::Base
+    end
+  end
+end

data/lib/booth/modes/username_and_webauth.rb

@@ -0,0 +1,7 @@
+module Booth
+  module Modes
+    module UsernameAndWebauth
+      include ::Booth::Modes::Base
+    end
+  end
+end

data/lib/booth/modes/username_password_and_otp.rb

@@ -0,0 +1,7 @@
+module Booth
+  module Modes
+    module UsernamePasswordAndOtp
+      include ::Booth::Modes::Base
+    end
+  end
+end

data/lib/booth/modes/username_password_and_webauth.rb

@@ -0,0 +1,7 @@
+module Booth
+  module Modes
+    module UsernamePasswordAndWebauth
+      include ::Booth::Modes::Base
+    end
+  end
+end

data/lib/booth/onboardings/find.rb

@@ -0,0 +1,35 @@
+module Booth
+  module Onboardings
+    class Find
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :secret_key
+
+      def call
+        check_secret_key_syntax_action
+          .on_success { find_onboarding_action }
+      end
+
+      private
+
+      def check_secret_key_syntax_action
+        ::Booth::Syntaxes::SecretKey.call(secret_key)
+      end
+
+      def find_onboarding_action
+        debug { "Looking for Onboarding with secret key #{secret_key.inspect}" }
+        onboarding = ::Booth::Models::Onboarding.find_by(secret_key:)
+
+        if onboarding
+          debug { "Found Onboarding with ID #{onboarding.id.inspect}" }
+          Tron.success(:found_onboarding, onboarding:)
+        else
+          message = "Could not find userland Onboarding with secret key #{secret_key.inspect}"
+          debug { message }
+          Tron.failure :onboarding_not_found, public_message: I18n.t('booth.unknown_secret_key')
+        end
+      end
+    end
+  end
+end

data/lib/booth/onboardings/propagate_to_credential.rb

@@ -0,0 +1,63 @@
+module Booth
+  module Onboardings
+    class PropagateToCredential
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      param :onboarding
+      option :ip
+      option :agent
+
+      def call
+        debug { 'Propagating Onboarding to Credential...' }
+        raise "Expected Onboarding to be valid: #{onboarding.errors.full_messages.to_sentence}" if onboarding.invalid?
+
+        onboarding.transaction do
+          update_credential!
+          remove_existing_authenticators!
+          create_authenticator!
+          register_audit!
+          finalize_onboarding!
+        end
+        debug { 'Propagation of Onboarding completed' }
+      end
+
+      private
+
+      def update_credential!
+        onboarding.credential.update! mode: onboarding.mode,
+                                      password_digest: onboarding.password_digest,
+                                      otp_secret_key: onboarding.otp_secret_key
+      end
+
+      def remove_existing_authenticators!
+        onboarding.credential.authenticators.destroy_all
+      end
+
+      def create_authenticator!
+        return unless onboarding.authenticator?
+
+        onboarding.credential.authenticators.create! webauthn_id: onboarding.webauthn_id,
+                                                     device_id: onboarding.authenticator_id,
+                                                     nickname: onboarding.authenticator_nickname,
+                                                     public_key: onboarding.authenticator_public_key,
+                                                     sign_count: onboarding.authenticator_sign_count,
+                                                     challenge: onboarding.authenticator_challenge,
+                                                     supports_user_verification: onboarding.requires_user_verification?,
+                                                     confirmed_at: Time.current
+      end
+
+      def register_audit!
+        ::Booth::Audits::Register::CompletedOnboarding.call(
+          credential: onboarding.credential,
+          ip:,
+          agent:
+        )
+      end
+
+      def finalize_onboarding!
+        onboarding.update! propagated_at: Time.current
+      end
+    end
+  end
+end

data/lib/booth/onboardings/step.rb

@@ -0,0 +1,68 @@
+module Booth
+  module Onboardings
+    class Step
+      include ::Booth::MethodObject
+
+      param :onboarding
+
+      def call
+        return :timed_out unless onboarding.recently_created?
+
+        if onboarding.mode_first_time?
+          mode_first_time
+        elsif onboarding.mode_username_and_password?
+          mode_username_and_password
+        elsif onboarding.mode_username_password_and_otp?
+          mode_username_password_and_otp
+        elsif onboarding.mode_username_password_and_webauth?
+          mode_username_password_and_webauth
+        elsif onboarding.mode_username_and_webauth?
+          mode_username_and_webauth
+        else
+          raise 'Invalid Onboarding State'
+        end
+      end
+
+      private
+
+      def mode_first_time
+        :choose_mode
+      end
+
+      def mode_username_and_password
+        return :choose_password if onboarding.password_chosen_at.blank?
+        return :completed if onboarding.password_confirmed_at.present?
+
+        :confirm_password
+      end
+
+      def mode_username_password_and_otp
+        return mode_username_and_password unless mode_username_and_password == :completed
+        return :register_otp if onboarding.otp_registered_at.blank?
+        return :confirm_otp if onboarding.otp_confirmed_at.blank?
+
+        :completed
+      end
+
+      def mode_username_password_and_webauth
+        return mode_username_and_password unless mode_username_and_password == :completed
+
+        mode_username_and_webauth
+      end
+
+      def mode_username_and_webauth
+        return :register_webauth if onboarding.authenticator_id.blank? ||
+                                    onboarding.authenticator_public_key.blank? ||
+                                    onboarding.authenticator_sign_count.blank?
+        return :choose_webauth_nickname if onboarding.authenticator_nickname.blank?
+        return :confirm_webauth if onboarding.authenticator_confirmed_at.blank?
+
+        :completed
+      end
+
+      def mode_unknown
+        :unknown
+      end
+    end
+  end
+end