booth 0.0.3 → 0.0.5

data/lib/booth/testing/userland/registration_without_passkey.rb

@@ -9,10 +9,14 @@ module Booth
 
           # Register normally
 
-          visit_namespaced controller: :registrations, action: :new
+          begin
+            # Non-headless Chrome may cause Exception if HTTP status is 4xx
+            visit_namespaced controller: :registrations, action: :new
+          rescue Playwright::Error => e
+            raise unless e.message.include?('ERR_HTTP_RESPONSE_CODE_FAILURE')
+          end
 
-          # Chrome Page
-          return 'Skipping self-registration tests' if page.has_text?('HTTP ERROR 410')
+          return log { 'Skipping self-registration tests' } if page.status_code == 410
 
           assert_userland_view controller: :registrations, step: :choose_username
 
@@ -53,17 +57,17 @@ module Booth
           assert_userland_view controller: :remote_logins, step: :remote_solved
 
           using_session(:other_device) do
-            visit_namespaced controller: :webauths, action: :index
+            visit current_path
 
             # -------------------------- SIGNIFICANT TEST ---------------------------
             # You can remote-login even though you don't have any Authenticators yet.
             # -----------------------------------------------------------------------
-            assert_userland_view controller: :webauths, step: :index
+            assert_logged_in username: 'alice'
           end
 
           # Try to Login without having any Authenticators
 
-          soft_reset_session
+          clear_cookies
 
           visit_namespaced controller: :logins, action: :new
 
@@ -93,7 +97,7 @@ module Booth
           # ---------------- SIGNIFICANT TEST -------------------
           # You cannot register a username that is already taken.
           # -----------------------------------------------------
-          assert_text 'username already exists'
+          assert_text I18n.t('booth.username_already_exists')
         end
       end
     end

data/lib/booth/testing/userland/sessions_manage_behavior.rb

@@ -10,13 +10,19 @@ module Booth
           before_test&.call
 
           create_and_onboard(username: 'alice')
-          virtual_authenticators.create
+          latchkey = virtual_authenticators.create
           register_new_passkey(username: 'alice')
 
+          # Capture credentials after registration
+          latchkey.pull
+
           using_session(:"second_browser_#{button_name}") do
-            virtual_authenticators.clone_from_other_session
+            virtual_authenticators.import(latchkey)
             login_with_passkey(username: 'alice')
 
+            # Capture updated sign count from second browser
+            latchkey.pull
+
             visit_namespaced controller: :sessions, action: :index
 
             assert_userland_view controller: :sessions, step: :index
@@ -30,13 +36,18 @@ module Booth
 
           visit current_path
 
+          # Refresh to force session validation with server
+          page.refresh
+
           # ----------- SIGNIFICANT TEST ---------------
           # A revoked session is not logged in any more.
           # --------------------------------------------
           assert_logged_out
 
+          # Sync sign count from second browser to first browser
+          latchkey.push
+
           # Login on first device again and revoke all others
-          virtual_authenticators.refresh_from_other_session
           login_with_passkey(username: 'alice')
 
           visit_namespaced controller: :sessions, action: :index

data/lib/booth/testing/userland/sudo_webauth.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Booth
+  module Testing
+    module Userland
+      class SudoWebauth < ::Booth::Testing::IncorporationTestCase
+        def call
+          before_test&.call
+
+          create_and_onboard(username: 'alice')
+          virtual_authenticators.create
+          register_new_passkey(username: 'alice')
+
+          # Visit webauths index with fresh sudo
+          visit_namespaced controller: :webauths, action: :index
+          assert_userland_view controller: :webauths, step: :index
+
+          # Time travel to expire sudo (default interaction_timeout is 20 minutes)
+          travel 21.minutes
+
+          # Visit webauths index again - should require sudo
+          visit_namespaced controller: :webauths, action: :index
+          assert_userland_view controller: :webauths, step: :sudo
+
+          # Re-authenticate with hardware key to restore sudo
+          click_on :authenticate
+
+          # After successful sudo, user sees the index again
+          assert_userland_view controller: :webauths, step: :index
+        end
+      end
+    end
+  end
+end

data/lib/booth/testing/userland.rb

@@ -12,6 +12,7 @@ require_relative 'userland/registration_without_passkey'
 require_relative 'userland/sessions_manage_behavior'
 require_relative 'userland/sessions_revoke_all_others'
 require_relative 'userland/sessions_revoke_one'
+require_relative 'userland/sudo_webauth'
 
 module Booth
   module Testing
@@ -24,6 +25,7 @@ module Booth
         ::Booth::Testing::Userland::LoginRemotely,
         ::Booth::Testing::Userland::SessionsRevokeOne,
         ::Booth::Testing::Userland::SessionsRevokeAllOthers,
+        ::Booth::Testing::Userland::SudoWebauth,
       ].freeze
 
       def self.scenarios

data/lib/booth/userland/webauths/index.rb

@@ -12,7 +12,7 @@ module Booth
           request.must_be_html!
           request.must_be_logged_in!
 
-          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return _1 }
+          ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return it }
 
           do_index
         end
@@ -23,7 +23,8 @@ module Booth
           request.storage.webauth.reset if params[:reset]
 
           Tron.success :current_webauth, step: :index,
-                                         authenticators: authenticator_structs
+                                         authenticators: authenticator_structs,
+                                         authenticators?: authenticators?
         end
 
         def authenticator_structs
@@ -31,11 +32,16 @@ module Booth
             ::Booth::ToStruct.call(
               authenticator.attributes
                            .symbolize_keys
-                           .slice(:id, :confirmed_at, :nickname)
+                           .slice(:id, :confirmed_at, :nickname, :aaguid)
+                           .merge(authenticator.provider_attributes),
             )
           end
         end
 
+        def authenticators?
+          credential.registered_authenticators?
+        end
+
         def credential
           @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
         end

data/lib/booth/userland/webauths/new.rb

@@ -15,7 +15,8 @@ module Booth
           if authenticator&.confirmed?
             return Tron.success :completed, step: :completed,
                                             nickname: authenticator&.nickname,
-                                            should_add_more_authenticators: should_add_more_authenticators?
+                                            authenticators?: authenticators?,
+                                            should_add_more_authenticators?: should_add_more_authenticators?
           end
 
           ::Booth::Userland::Webauths::Guards::Sudo.call(request:, credential:) { return it }
@@ -29,7 +30,10 @@ module Booth
           log { "WebAuthn Authenticator registration in step #{step}" }
           # log { authenticator.inspect }
 
-          Tron.success :add_webauth, step:, nickname: authenticator&.nickname
+          Tron.success :add_webauth, step:,
+                                     nickname: authenticator&.nickname,
+                                     authenticators?: authenticators?,
+                                     should_add_more_authenticators?: should_add_more_authenticators?
         end
 
         def step
@@ -38,6 +42,10 @@ module Booth
           authenticator.step
         end
 
+        def authenticators?
+          credential.registered_authenticators?
+        end
+
         def should_add_more_authenticators?
           credential.authenticators.registered_scope.count < 2
         end

data/lib/booth/userland/webauths/transitions/create/choose_nickname.rb

@@ -29,7 +29,7 @@ module Booth
 
             def do_update_authenticator
               if authenticator.update nickname: nickname_param
-                log { 'The nickname successfully changed' }
+                log { "The nickname successfully changed to #{authenticator.nickname}" }
                 Tron.success :nickname_saved
               else
                 public_message = authenticator.errors.to_a.to_sentence

data/lib/booth/userland/webauths/transitions/sudo/authentication_initiation.rb

@@ -28,9 +28,14 @@ module Booth
 
               request.sudo.webauthn_challenge = webauth.challenge
               Tron.success :test_challenge_created, public_json: webauth.as_json,
+                                                    authenticators?: authenticators?,
                                                     http_status: :created
             end
 
+            def authenticators?
+              credential.registered_authenticators?
+            end
+
             def credential
               @credential ||= ::Booth::Models::Credential.find(request.authentication.credential_id)
             end

data/lib/booth/userland/webauths/transitions/sudo/authentication_verification.rb

@@ -25,7 +25,7 @@ module Booth
               ::Booth::Core::Webauth::AuthenticationVerification.call(
                 request:,
                 credential_id: request.authentication.credential_id,
-                challenge: request.sudo.webauthn_challenge
+                challenge: request.sudo.webauthn_challenge,
               )
             end
           end

data/lib/booth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Booth
-  VERSION = '0.0.3'
+  VERSION = '0.0.5'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: booth
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.5
 platform: ruby
 authors:
 - halo
@@ -187,6 +187,7 @@ files:
 - app/assets/images/booth/fido/passkey_mark_a_reverse.svg
 - app/assets/images/booth/fido/passkey_mark_a_white.svg
 - app/assets/images/booth/fido/passkey_mark_b_black.svg
+- app/assets/images/booth/fido/passkey_mark_b_reverse.svg
 - app/assets/images/booth/platforms/README.md
 - app/assets/images/booth/platforms/android.svg
 - app/assets/images/booth/platforms/apple.svg
@@ -292,6 +293,7 @@ files:
 - lib/booth/models/remotes/scopes/recently_responded.rb
 - lib/booth/models/session.rb
 - lib/booth/models/user_agent.rb
+- lib/booth/passport.rb
 - lib/booth/request.rb
 - lib/booth/requests/agent.rb
 - lib/booth/requests/authentication.rb
@@ -319,18 +321,20 @@ files:
 - lib/booth/testing/support/assert_logged_in.rb
 - lib/booth/testing/support/assert_logged_out.rb
 - lib/booth/testing/support/assert_partial.rb
+- lib/booth/testing/support/capybara_step_logger.rb
+- lib/booth/testing/support/clear_cookies.rb
+- lib/booth/testing/support/cookie_data_from_browser.rb
 - lib/booth/testing/support/force_login.rb
-- lib/booth/testing/support/get_session_value.rb
 - lib/booth/testing/support/scenario.rb
 - lib/booth/testing/support/shortcuts/create_and_onboard.rb
 - lib/booth/testing/support/shortcuts/login_with_passkey.rb
 - lib/booth/testing/support/shortcuts/register_new_passkey.rb
-- lib/booth/testing/support/soft_reset_session.rb
+- lib/booth/testing/support/virtual_authenticator.rb
+- lib/booth/testing/support/virtual_authenticators.rb
 - lib/booth/testing/support/virtual_authenticators/create.rb
 - lib/booth/testing/support/virtual_authenticators/destroy.rb
 - lib/booth/testing/support/virtual_authenticators/enable.rb
 - lib/booth/testing/support/virtual_authenticators/load.rb
-- lib/booth/testing/support/virtual_authenticators/manager.rb
 - lib/booth/testing/support/visit.rb
 - lib/booth/testing/userland.rb
 - lib/booth/testing/userland/login_remotely.rb
@@ -341,6 +345,7 @@ files:
 - lib/booth/testing/userland/sessions_manage_behavior.rb
 - lib/booth/testing/userland/sessions_revoke_all_others.rb
 - lib/booth/testing/userland/sessions_revoke_one.rb
+- lib/booth/testing/userland/sudo_webauth.rb
 - lib/booth/to_struct.rb
 - lib/booth/userland.rb
 - lib/booth/userland/extract_flash_messages.rb
@@ -409,7 +414,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.1
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Opinionated authentication framework for Rails
 test_files: []

data/lib/booth/testing/support/get_session_value.rb

@@ -1,37 +0,0 @@
-# frozen_string_literal: true
-
-module Booth
-  module Testing
-    module Support
-      class GetSessionValue
-        include ::Calls
-        include ::Capybara::DSL
-        include ::Booth::Logging
-
-        option :key
-
-        def call
-          ::Capybara::Lockstep.synchronize
-
-          result = nil
-          in_new_window do
-            result = page.get_rack_session[key]
-          end
-
-          log { "session[#{key.inspect}] is: #{result.inspect}" }
-
-          ::Capybara::Lockstep.synchronize
-          result
-        end
-
-        private
-
-        def in_new_window(&)
-          window = open_new_window
-          within_window(window, &)
-          window.close
-        end
-      end
-    end
-  end
-end

data/lib/booth/testing/support/virtual_authenticators/manager.rb

@@ -1,124 +0,0 @@
-# frozen_string_literal: true
-
-module Booth
-  module Testing
-    module Support
-      module VirtualAuthenticators
-        # Capybara handles multiple separate Chrome sessions (like separate browsers).
-        # In Chrome each of those sessions is completely distinct and nows nothing about the others.
-        # To "simulate" having the *same* passkey in "two browsers", we need to clone and sync it.
-        # This means transferring the secret key, and synchronizing the sign count.
-        # This class holds a state of all browser sessions to easier facilitate transfer and sync.
-        class Manager
-          include ::Capybara::DSL
-          include ::Booth::Logging
-
-          # Creates a brand new passkey.
-          def create(has_user_verification: true)
-            ::Booth::Testing::Support::VirtualAuthenticators::Enable.call
-
-            new_device = ::Booth::Testing::Support::VirtualAuthenticators::Create.call(
-              has_user_verification:,
-            )
-
-            this_session[new_device.instance_variable_get(:@id)] = new_device
-
-            nil
-          end
-
-          # Takes a passkey from (the) other browser and injects it into this browser.
-          def clone_from_other_session
-            new_device = ::Booth::Testing::Support::VirtualAuthenticators::Create.call(
-              has_user_verification: true,
-            )
-            new_device.add_credential(other_credential)
-
-            this_session[new_device.instance_variable_get(:@id)] = new_device
-            nil
-          end
-
-          # Inspects a passkey in (the) other browser and syncs the passkey here if needed.
-          def refresh_from_other_session
-            this_sign_count = this_credential.instance_variable_get(:@sign_count)
-            other_sign_count = other_credential.instance_variable_get(:@sign_count)
-
-            if this_sign_count == other_sign_count
-              log { "Sign count of both Virtual Keys is #{this_sign_count}" }
-              return
-            end
-
-            log { "Changing Virtual Key sign count from #{this_sign_count} to #{other_sign_count}" }
-
-            new_credential = this_credential
-            # This only affects the Credential here in our Ruby instance.
-            new_credential.instance_variable_set(:@sign_count, other_sign_count)
-
-            # So let us send our Ruby instance to the browser by replacing the key there.
-            this_device.remove_all_credentials
-            this_device.add_credential(new_credential)
-
-            nil
-          end
-
-          private
-
-          def this_credential
-            these_credentials = this_device.credentials
-
-            unless these_credentials.size == 1
-              raise "Don't know which other Virtual Credential to pick: #{these_credentials}"
-            end
-
-            these_credentials.first
-          end
-
-          def other_credential
-            other_credentials = other_device.credentials
-
-            unless other_credentials.size == 1
-              raise "Don't know which Virtual Credential of mine to pick: #{other_credentials}"
-            end
-
-            other_credentials.first
-          end
-
-          def this_device
-            unless this_session.size == 1
-              raise "Don't know which Virtual Authenticator of mine to pick: #{this_session.keys}"
-            end
-
-            this_session.values.first
-          end
-
-          def other_device
-            unless other_session.size == 1
-              raise "Don't know which other Virtual Authenticator to pick: #{other_session.keys}"
-            end
-
-            other_session.values.first
-          end
-
-          def this_session
-            sessions[Capybara.session_name]
-          end
-
-          def other_session
-            other_session_keys = sessions.keys.reject { it == Capybara.session_name }
-
-            unless other_session_keys.size == 1
-              raise "Cannot determine #{sessions.keys} as alternative to #{Capybara.session_name}"
-            end
-
-            sessions[other_session_keys.first]
-          end
-
-          def sessions
-            @sessions ||= {}
-            @sessions[Capybara.session_name] ||= {}
-            @sessions
-          end
-        end
-      end
-    end
-  end
-end