booth 0.0.1

data/lib/booth/password_resets/create.rb

@@ -0,0 +1,57 @@
+module Booth
+  module PasswordResets
+    class Create
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :credential
+      option :email
+      option :ip
+      option :agent
+
+      def call
+        do_check_applicability
+          .on_success { do_check_email_syntax }
+          .on_success { do_check_cooldown }
+          .on_success { do_create_password_reset }
+      end
+
+      private
+
+      def do_check_applicability
+        return Tron.success :credential_has_password if credential.applicable_for_password_reset?
+
+        debug { 'This credential has no password to be reset' }
+        Tron.failure :credential_cannot_reset_password, public_message: I18n.t('booth.password_reset_not_available')
+      end
+
+      def do_check_email_syntax
+        check = ::Booth::Syntaxes::Email.call(email)
+
+        check.on_success do
+          @email_address = check.normalized_email
+        end
+
+        check
+      end
+
+      def do_check_cooldown
+        ::Booth::Cooldowns::PasswordReset.call(credential:)
+      end
+
+      def do_create_password_reset
+        password_reset = nil
+
+        ::Booth::Models::PasswordReset.transaction do
+          password_reset = ::Booth::Models::PasswordReset.create! credential:, creator_ip: ip
+          ::Booth::Audits::Register::RequestedPasswordReset.call credential:, ip:, agent:
+        end
+
+        Tron.success :applicable_for_reset, username: credential.username,
+                                            email: @email_address,
+                                            credential_id: credential.id,
+                                            secret_key: password_reset.secret_key
+      end
+    end
+  end
+end

data/lib/booth/password_resets/find.rb

@@ -0,0 +1,36 @@
+module Booth
+  module PasswordResets
+    class Find
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :secret_key
+
+      def call
+        do_check_secret_key_syntax
+          .on_success { do_find_password_reset }
+      end
+
+      private
+
+      def do_check_secret_key_syntax
+        ::Booth::Syntaxes::SecretKey.call(secret_key)
+      end
+
+      def do_find_password_reset
+        debug { "Looking for PasswordReset with secret key #{secret_key.inspect}" }
+        @password_reset = ::Booth::Models::PasswordReset.find_by(secret_key:)
+
+        if @password_reset
+          debug { "Found PasswordReset with ID #{@password_reset.id.inspect}" }
+          @password_reset.update! accessed_at: Time.current if @password_reset.accessed_at.blank?
+          return Tron.success(:found_password_reset, password_reset: @password_reset)
+        end
+
+        message = "Could not find userland PasswordReset with secret key #{secret_key.inspect}"
+        debug { message }
+        Tron.failure :password_reset_not_found, public_message: I18n.t('booth.unknown_secret_key')
+      end
+    end
+  end
+end

data/lib/booth/password_resets/propagate_to_credential.rb

@@ -0,0 +1,36 @@
+module Booth
+  module PasswordResets
+    class PropagateToCredential
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      param :password_reset
+
+      def call
+        debug { 'Propagating PasswordReset to Credential...' }
+        raise "Expected PasswordReset to be valid: #{password_reset.errors.to_a.to_sentence}" if password_reset.invalid?
+
+        password_reset.transaction do
+          update_credential!
+          invalidate_password_resets!
+          finalize_password_reset!
+        end
+      end
+
+      private
+
+      def update_credential!
+        password_reset.credential.update! password_digest: password_reset.password_digest
+      end
+
+      def invalidate_password_resets!
+        password_reset.other_password_resets_of_this_credential
+                      .update_all(revoked_at: Time.current) # rubocop:disable Rails/SkipsModelValidations
+      end
+
+      def finalize_password_reset!
+        password_reset.update! propagated_at: Time.current
+      end
+    end
+  end
+end

data/lib/booth/password_resets/step.rb

@@ -0,0 +1,18 @@
+module Booth
+  module PasswordResets
+    class Step
+      include ::Booth::MethodObject
+
+      param :password_reset
+
+      def call
+        return :completed if password_reset.completed?
+        return :revoked if password_reset.revoked?
+        return :timed_out unless password_reset.recently_created?
+        return :confirm_password if password_reset.password_chosen_at.present?
+
+        :choose_password
+      end
+    end
+  end
+end

data/lib/booth/recoveries/create.rb

@@ -0,0 +1,45 @@
+module Booth
+  module Recoveries
+    class Create
+      include ::Booth::Logging
+      include ::Booth::MethodObject
+
+      option :scope
+      option :email
+      option :ip
+
+      def call
+        do_check_cooldown
+          .on_success { do_check_email_syntax }
+          .on_success { do_create_recovery }
+      end
+
+      private
+
+      def do_check_cooldown
+        # TODO: Check recovery cooldown of email in the table `booth_recoveries`.
+        #       Respect consumed_at and revoked_at and created_at and creator_ip and email.
+        Tron.success :username_rate_limit_ok_dummy
+      end
+
+      def do_check_email_syntax
+        check = ::Booth::Syntaxes::Email.call(email)
+
+        check.on_success do
+          @email_address = check.normalized_email
+        end
+
+        check
+      end
+
+      def do_create_recovery
+        recovery = ::Booth::Models::Recovery.create! scope: scope,
+                                                     email: email,
+                                                     creator_ip: ip
+
+        Tron.success :applicable_for_recovery, email: recovery.email,
+                                               recovery_id: recovery.id
+      end
+    end
+  end
+end

data/lib/booth/request.rb

@@ -0,0 +1,106 @@
+module Booth
+  # Convenience wrapper for `Rack::Request`.
+  class Request
+    include ::Booth::Logging
+
+    # Can be used as a DRY::Initializer Coercer.
+    # See https://dry-rb.org/gems/dry-initializer/master/type-constraints/#back-references
+    def self.call(request, initializer)
+      # `request` is an `ActionDispatch::Request` or a `Rack::Request`.
+      # But if it already has been coerced, just return it immediately.
+      # This makes it easier to pass the request from one MethodObject to another.
+      return request if request.is_a?(self)
+
+      # `initializer` is an instance that is trying to coerce one of its params into a `Booth::Request`.
+      # By convention, that's where we assume the scope to be specified. So we take it from there.
+      new(request:, scope: initializer.scope)
+    end
+
+    def initialize(request:, scope:)
+      request = ActionDispatch::Request.new(request.env) if request.is_a?(Rack::Request)
+
+      @request = request
+      @scope = ::Booth::Syntaxes::Scope.call(scope).normalized_scope
+    end
+
+    attr_reader :scope
+
+    def agent
+      ::Booth::Requests::Agent.call(request:)
+    end
+
+    def ip
+      ::Booth::Requests::Ip.call(request:)
+    end
+
+    def location
+      ::Booth::Geolocation.lookup(ip)
+    end
+
+    def authentication
+      ::Booth::Requests::Authentication.new(scope:, warden: request.env['warden'])
+    end
+
+    def session(namespace:)
+      ::Booth::Requests::Session.new(scope:, namespace:, session: request.session)
+    end
+
+    def sudo
+      ::Booth::Requests::Sudo.new(scope:, request: self)
+    end
+
+    def storage
+      ::Booth::Requests::Storage.new(scope:, request: self)
+    end
+
+    def params
+      # Huh, I thought the following line was needed:
+      # return request.param if request.params.is_a?(::ActionController::Parameters)
+
+      @params ||= ::ActionController::Parameters.new(request.params)
+    end
+
+    def return_path
+      ::Booth::Requests::ReturnPath.call(params:)
+    end
+
+    # ------------
+    # Requirements
+    # ------------
+
+    def must_be_logged_in!
+      return if authentication.logged_in?
+
+      debug { "Expected someone to be logged in in scope #{scope.inspect}" }
+      raise ::Booth::Errors::NotAuthenticated
+    end
+
+    def must_be_html!
+      request.format.html? || raise(::Booth::Errors::MustBeHtml)
+    end
+
+    def must_be_json!
+      request.format.json? || raise(::Booth::Errors::MustBeJson)
+    end
+
+    def must_be_get!
+      request.get? || raise(::Booth::Errors::MustBeGet)
+    end
+
+    def must_be_post!
+      request.post? || raise(::Booth::Errors::MustBePost)
+    end
+
+    def must_be_patch!
+      request.patch? || raise(::Booth::Errors::MustBePatch)
+    end
+
+    def must_be_delete!
+      request.delete? || raise(::Booth::Errors::MustBeDelete)
+    end
+
+    private
+
+    attr_reader :request
+  end
+end

data/lib/booth/requests/agent.rb

@@ -0,0 +1,14 @@
+module Booth
+  module Requests
+    class Agent
+      include ::Booth::MethodObject
+
+      option :request
+
+      def call
+        # Truncate to prevent potential cookie overflows and DB bloating.
+        request.user_agent.to_s.truncate(255).presence
+      end
+    end
+  end
+end

data/lib/booth/requests/authentication.rb

@@ -0,0 +1,47 @@
+module Booth
+  module Requests
+    # Convenience wrapper for `Warden::Manager`.
+    class Authentication
+      delegate :username, :credential_id, :mode,
+               to: :passport,
+               allow_nil: true
+
+      def initialize(scope:, warden:)
+        @scope = scope
+        @warden = warden
+      end
+
+      def login(session:)
+        # Whatever instance we pass in to Warden,
+        # it needs to be that, which we also want do get out.
+        # Because serialization only takes place for the *next* request.
+        # In the *same* request, whatever we pass in, is returned back as it is.
+        warden.set_user ::Booth::Sessions::ToPassport.call(session), scope:
+      end
+
+      def logged_in?
+        warden.authenticated?(scope)
+      end
+
+      def logged_in_as?(credential:)
+        logged_in? && credential.id == credential_id
+      end
+
+      def logout
+        warden.logout(scope)
+      end
+
+      def session_id
+        passport&.id
+      end
+
+      private
+
+      attr_reader :scope, :warden
+
+      def passport
+        warden.user(scope)
+      end
+    end
+  end
+end

data/lib/booth/requests/ip.rb

@@ -0,0 +1,28 @@
+module Booth
+  module Requests
+    class Ip
+      include ::Booth::MethodObject
+
+      option :request
+      option :raise_if_invalid, default: -> { true }
+
+      def call
+        check = ::Booth::Syntaxes::Ip.call(raw_ip)
+        check.on_success { return check.normalized_ip }
+
+        raise ArgumentError "Invalid IP: #{raw_ip.inspect}" if raise_if_invalid
+
+        check
+      end
+
+      private
+
+      def raw_ip
+        # One could also use this:
+        # request.env['action_dispatch.remote_ip'].to_s
+        # But I think the `Rack::Request#trusted_proxy?` feature makes the following usable enough:
+        request.ip
+      end
+    end
+  end
+end

data/lib/booth/requests/return_path.rb

@@ -0,0 +1,34 @@
+module Booth
+  module Requests
+    class ReturnPath
+      include ::Booth::MethodObject
+      include ::Booth::Logging
+
+      option :params
+
+      def call
+        uri = ::URI.parse raw_return_path
+
+        # Make sure we do not redirect to (external) URLs but only paths (i.e. protocol and domain-local).
+        result = [uri.path, uri.query].compact.join '?'
+
+        # We usually never store the return path in a cookie, but some developer might still try it.
+        # To avoid potential cookie overflows, allow only as many characters as reasonably needed.
+        result = result[0..1024]
+        return if result.blank?
+
+        # We always assume it is a full path and fix any missing beginning slash.
+        result.starts_with?('/') ? result : result.prepend('/')
+      rescue URI::InvalidURIError
+        debug { "Invalid return path: #{raw_return_path.inspect}" } if raw_return_path
+        nil
+      end
+
+      private
+
+      def raw_return_path
+        params.permit![:return_path]
+      end
+    end
+  end
+end

data/lib/booth/requests/session.rb

@@ -0,0 +1,106 @@
+module Booth
+  module Requests
+    # Convenience wrapper for `ActionDispatch::Session::CookieStore`.
+    class Session
+      include ::Booth::Logging
+
+      attr_reader :scope
+
+      def initialize(scope:, namespace:, session:)
+        @scope = ::Booth::Syntaxes::Scope.call(scope).normalized_scope
+        @namespace = namespace
+        @session = session
+      end
+
+      # -------------------
+      # Getters and Setters
+      # -------------------
+
+      def [](key)
+        return if timed_out?
+        raise ArgumentError if key.to_s == 'created_at'
+
+        reset_if_too_old!
+        session[path(key)]
+      end
+
+      def []=(key, value)
+        return if timed_out?
+        raise ArgumentError if key.to_s == 'created_at'
+
+        ensure_ticking
+        reset_if_too_old!
+        session[path(key)] = value
+      end
+
+      def delete(key)
+        raise ArgumentError if key.to_s == 'created_at'
+
+        reset_if_too_old!
+        session.delete path(key)
+      end
+
+      def reset
+        debug { "Resetting #{namespace.inspect} cookie data in scope #{scope.inspect}" }
+
+        # There is no `#delete_if` in a `ActionDispatch::Request::Session`.
+        keys_to_delete = session.keys.select { _1.to_s.start_with?(path(nil)) }
+        keys_to_delete.each { session.delete(_1) }
+      end
+
+      # -----
+      # Timer
+      # -----
+
+      def lifespan
+        ::Booth.config.interaction_timeout.to_i
+      end
+
+      def seconds_until_auto_reset
+        return 0 if @reset_due_to_timeout
+
+        lifespan - age
+      end
+
+      def timed_out?
+        reset_if_too_old!
+
+        !!@reset_due_to_timeout
+      end
+
+      private
+
+      attr_reader :namespace, :session
+
+      def ensure_ticking
+        session[path(:created_at)] ||= Time.current.to_i
+      end
+
+      def ticking?
+        !!session[path(:created_at)]
+      end
+
+      def age
+        return 0 unless ticking?
+
+        Time.current.to_i - session[path(:created_at)]
+      end
+
+      def reset_if_too_old!
+        return if seconds_until_auto_reset.positive?
+
+        debug do
+          "Timeout-resetting #{namespace.inspect} cookie data in scope #{scope.inspect} " \
+            "because it is older than #{lifespan} seconds"
+        end
+
+        @reset_due_to_timeout = true
+        reset
+      end
+
+      def path(key)
+        [:booth, scope, namespace, key].join('.')
+      end
+    end
+  end
+end

data/lib/booth/requests/storage.rb

@@ -0,0 +1,62 @@
+module Booth
+  module Requests
+    class Storage
+      include ::Booth::Logging
+
+      def initialize(scope:, request:)
+        @scope = scope
+        @request = request
+      end
+
+      def login
+        @login ||= ::Booth::Requests::Storages::Login.new(
+          session: request.session(namespace: :login)
+        )
+      end
+
+      def otp
+        @otp ||= ::Booth::Requests::Storages::Otp.new(
+          session: request.session(namespace: :otp)
+        )
+      end
+
+      def webauth
+        @webauth ||= ::Booth::Requests::Storages::Webauth.new(
+          session: request.session(namespace: :webauth)
+        )
+      end
+
+      def password
+        @password ||= ::Booth::Requests::Storages::Password.new(
+          session: request.session(namespace: :password)
+        )
+      end
+
+      def password_reset
+        @password_reset ||= ::Booth::Requests::Storages::PasswordReset.new(
+          session: request.session(namespace: :password_reset)
+        )
+      end
+
+      def recovery
+        @recovery ||= ::Booth::Requests::Storages::Recovery.new(
+          session: request.session(namespace: :recovery)
+        )
+      end
+
+      def registration
+        @registration ||= ::Booth::Requests::Storages::Registration.new(
+          session: request.session(namespace: :registration)
+        )
+      end
+
+      private
+
+      attr_reader :scope, :request
+
+      def session
+        request.session(namespace: :sudo)
+      end
+    end
+  end
+end

data/lib/booth/requests/storages/login.rb

@@ -0,0 +1,108 @@
+module Booth
+  module Requests
+    module Storages
+      class Login
+        include ::Booth::Logging
+
+        delegate :reset, :timed_out?, :lifespan, :seconds_until_auto_reset, to: :session
+
+        def initialize(session:)
+          @session = session
+        end
+
+        # -------
+        # Getters
+        # -------
+
+        def username
+          session[:username]
+        end
+
+        def credential_for_username
+          return @credential_for_username if defined?(@credential_for_username)
+
+          @credential_for_username = ::Booth::Models::Credential.find_by(id: session[:credential_for_username])
+        end
+
+        def contest_for_username
+          return @contest_for_username if defined?(@contest_for_username)
+
+          @contest_for_username = ::Booth::Models::Contest.find_by(id: session[:contest_for_username])
+        end
+
+        def password_authenticated_credential
+          return @password_authenticated_credential if defined?(@password_authenticated_credential)
+
+          @password_authenticated_credential = ::Booth::Models::Credential.find_by(
+            id: session[:password_authenticated_credential]
+          )
+        end
+
+        def webauthn_challenge
+          session[:webauthn_challenge].presence
+        end
+
+        def skip_remotes?
+          session[:skip_remotes].present?
+        end
+
+        # -------
+        # Setters
+        # -------
+
+        def username=(new_username)
+          session[:username] = new_username
+        end
+
+        def credential_for_username=(new_credential)
+          debug { "Persisting credential for username in browser session for scope #{scope.inspect}" }
+          session[:credential_for_username] = new_credential.id
+          @credential_for_username = nil
+        end
+
+        def contest_for_username=(new_contest)
+          debug { "Persisting contest for username in browser session for scope #{scope.inspect}" }
+          session[:contest_for_username] = new_contest.id
+          @contest_for_username = nil
+        end
+
+        def reset_credential_for_username
+          debug { "Resetting credential in browser session for scope #{scope.inspect}" }
+          session.delete(:credential_for_username)
+          @credential_for_username = nil
+        end
+
+        def password_authenticated_credential=(new_credential)
+          debug { "Persisting password authenticated credential in browser session for scope #{scope.inspect}" }
+          session[:password_authenticated_credential] = new_credential.id
+          @password_authenticated_credential = nil
+        end
+
+        def webauthn_challenge=(new_challenge)
+          if new_challenge
+            debug do
+              "Persisting webauth challenge #{new_challenge.inspect} in browser session for scope #{scope.inspect}"
+            end
+          else
+            debug { "Removing webauth challenge from browser session for scope #{scope.inspect}" }
+          end
+          session[:webauthn_challenge] = new_challenge.presence
+        end
+
+        def skip_remotes
+          session[:skip_remotes] = true
+        end
+
+        def reset_remotes
+          session.delete(:skip_remotes)
+        end
+
+        private
+
+        attr_reader :session
+
+        delegate :scope, to: :session, private: true
+      end
+    end
+  end
+end