active_model_otp 1.1.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 9d9aedb666900aee840275449fcdb4c2fb912c27
-  data.tar.gz: de9ef98a499709f05a3a836cd50242c74f8b1fdf
+SHA256:
+  metadata.gz: bdc023d65f130fca41bde8f20a7094e587c7940240ae5b36778e54d2efcf76ac
+  data.tar.gz: 1dab4dd23328538a3a3c8d9a712b9a16d01673b3d997538169126966c653cdf6
 SHA512:
-  metadata.gz: bc0e46abcdae3948c4ea3bf51d92848ecc887d83efb611f7828b830d45f4d2372e0aa45d1c229e627de6e5d404c1ebb626d4c130ed6a3f14980cae6de33da122
-  data.tar.gz: 302bcfde4c0b3d33355cf44ed9b8896a1f83c615c3fafdc9c741ae171955ab78197e5de9b31ac0a4cc7d60fd801c2718c08949f7fc724e8b821e852d10a67179
+  metadata.gz: f896afd30554da73cff730f4277aefe8805b4cbb3da0bf550039b14b8d4611374498b1cf4b0eae2fe80d7a35bdaafdc0ae1558ffbdea3f2f708d2334a81e1af2
+  data.tar.gz: 0d3b2a4fe8d0e26e9c06bd71e471bcabf4a048f1f1bd531691c0afbc5feda757147ca045ddedec34e587240b0b1337960a9248c0340e6f57ec5d7057cec776ea

data/.gitignore

@@ -16,3 +16,4 @@ test/tmp
 test/version_tmp
 tmp
 .ruby-version
+gemfiles/*.lock

data/.travis.yml

@@ -1,10 +1,43 @@
 rvm:
-  - 1.9.3
-  - 2.0.0
-  - 2.1
+  - 2.3
+  - 2.4
+  - 2.5
+  - 2.6
+  - 2.7
+  - 3.0
+  - ruby-head
+gemfile:
+  - gemfiles/rails_4.2.gemfile
+  - gemfiles/rails_5.0.gemfile
+  - gemfiles/rails_5.1.gemfile
+  - gemfiles/rails_5.2.gemfile
+  - gemfiles/rails_6.0.gemfile
+  - gemfiles/rails_6.1.gemfile
 matrix:
-  include:
-    - rvm: jruby
-      env: JRUBY_OPTS="--1.9 --server -Xcext.enabled=true"
+  exclude:
+    - rvm: 2.3
+      gemfile: gemfiles/rails_6.0.gemfile
+    - rvm: 2.3
+      gemfile: gemfiles/rails_6.1.gemfile
+    - rvm: 2.4
+      gemfile: gemfiles/rails_6.0.gemfile
+    - rvm: 2.4
+      gemfile: gemfiles/rails_6.1.gemfile
+    - rvm: 2.7
+      gemfile: gemfiles/rails_4.2.gemfile
+    - rvm: 3.0
+      gemfile: gemfiles/rails_4.2.gemfile
+    - rvm: 3.0
+      gemfile: gemfiles/rails_5.0.gemfile
+    - rvm: 3.0
+      gemfile: gemfiles/rails_5.1.gemfile
+    - rvm: 3.0
+      gemfile: gemfiles/rails_5.2.gemfile
+  fast_finish: true
+  allow_failures:
+    - rvm: ruby-head
+# include:
+#   - rvm: jruby
+#     env: JRUBY_OPTS="--1.9 --server -Xcext.enabled=true"
 notifications:
   email: false

data/Appraisals

@@ -0,0 +1,36 @@
+appraise "rails-4.2" do
+  gem "activemodel", "~> 4.2"
+  gem "sqlite3", "~> 1.3.6"
+end
+
+appraise "rails-5.0" do
+  gem "activemodel", "~> 5.0"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.3.6"
+end
+
+appraise "rails-5.1" do
+  gem "activemodel", "~> 5.1"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.3.6"
+end
+
+appraise "rails-5.2" do
+  gem "activemodel", "~> 5.2"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.3.6"
+end
+
+appraise "rails-6.0" do
+  gem "activerecord", "~> 6.0"
+  gem "activemodel", "~> 6.0"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.4"
+end
+
+appraise "rails-6.1" do
+  gem "activerecord", "~> 6.1"
+  gem "activemodel", "~> 6.1"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.4"
+end

data/CHANGELOG.md

@@ -1,10 +1 @@
-#unreleased
-#v1.0.0
-- Avoid overriding predefined otp_column value when initializing resource (Ilan Stern) https://github.com/heapsource/active_model_otp/pull/10
-- Pad OTP codes with less than 6 digits (Johan Brissmyr) https://github.com/heapsource/active_model_otp/pull/7
-- Get rid of deprecation warnings in Rails 4.1 (Nick DeMonner)
-
-#v0.1.0
-- OTP codes can be in 5 or 6 digits (André Luis Leal Cardoso Junior)
-- Require 'cgi', rotp needs it for encoding parameters (André Luis Leal Cardoso Junior)
-- Change column name for otp secret key (robertomiranda)
+CHANGELOG it's been deprecated in favor of https://github.com/heapsource/active_model_otp/releases

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2013 Guillermo Iguaran, Roberto Miranda, Firebase.co
+Copyright (c) 2013-2019 Roberto Miranda, Guillermo Iguaran and contributors.
 
 MIT License
 

data/README.md

@@ -1,8 +1,16 @@
 [![Build Status](https://travis-ci.org/heapsource/active_model_otp.png)](https://travis-ci.org/heapsource/active_model_otp)
+[![Gem Version](https://badge.fury.io/rb/active_model_otp.svg)](http://badge.fury.io/rb/active_model_otp)
+[![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
+
 
 # ActiveModel::Otp
 
-**ActiveModel::Otp** makes adding **Two Factor Authentication**(TFA) to a model simple, let's see what's required to get AMo::Otp working in our Application, using Rails 4.0 (AMo::Otp is also compatible with Rails 3.x versions) we're going to use an User model and some authentication to it. Inspired in AM::SecurePassword
+**ActiveModel::Otp** makes adding **Two Factor Authentication** (TFA) to a model simple. Let's see what's required to get AMo::Otp working in our Application, using Rails 5.0 (AMo::Otp is also compatible with Rails 4.x versions). We're going to use a User model and try to add options provided by **ActiveModel::Otp**. Inspired by AM::SecurePassword
+
+## Dependencies
+
+* [ROTP](https://github.com/mdp/rotp) 6.2.0 or higher
+* Ruby 2.3 or greater
 
 ## Installation
 
@@ -14,7 +22,7 @@ And then execute:
 
     $ bundle
 
-Or install it yourself as:
+Or install it yourself as follows:
 
     $ gem install active_model_otp
 
@@ -29,33 +37,32 @@ rails g migration AddOtpSecretKeyToUsers otp_secret_key:string
       create    db/migrate/20130707010931_add_otp_secret_key_to_users.rb
 ```
 
-We’ll then need to run rake db:migrate to update the users table in the database. The next step is to update the model code. We need to use has_one_time_password to tell it will be use TFA.
+We’ll then need to run rake db:migrate to update the users table in the database. The next step is to update the model code. We need to use has_one_time_password to make it use TFA.
 
 ```ruby
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   has_one_time_password
 end
 ```
 
 Note: If you're adding this to an existing user model you'll need to generate *otp_secret_key* with a migration like:
 ```ruby
-User.all.each { |user| user.update_attribute(:otp_secret_key, ROTP::Base32.random_base32) }
+User.find_each { |user| user.update_attribute(:otp_secret_key, User.otp_random_secret) }
 ```
 
-For use a custom column for store the secret key field you can us the column_name option
+To use a custom column to store the secret key field you can use the column_name option. It is also possible to generate codes with a specified length.
 
 ```ruby
-class User < ActiveRecord::Base
-  has_one_time_password column_name: :my_otp_secret_column
+class User < ApplicationRecord
+  has_one_time_password column_name: :my_otp_secret_column, length: 4
 end
 ```
 
+## Usage
 
-##Usage
+The has_one_time_password statement provides to the model some useful methods in order to implement our TFA system. AMo:Otp generates one time passwords according to [TOTP RFC 6238](https://tools.ietf.org/html/rfc6238) and the [HOTP RFC 4226](https://www.ietf.org/rfc/rfc4226). This is compatible with Google Authenticator apps available for Android and iPhone, and now in use on GMail.
 
-The has_one_time_password sentence provides to the model some useful methods in order to implement our TFA system. AMo:Otp generates one time passwords according to [RFC 4226](http://tools.ietf.org/html/rfc4226) and the [HOTP RFC](http://tools.ietf.org/html/draft-mraihi-totp-timebased-00). This is compatible with Google Authenticator apps available for Android and iPhone, and now in use on GMail.
-
-The otp_secret_key is saved automatically when a object is created,
+The otp_secret_key is saved automatically when an object is created,
 
 ```ruby
 user = User.create(email: "hello@heapsource.com")
@@ -63,9 +70,9 @@ user.otp_secret_key
  => "jt3gdd2qm6su5iqh"
 ```
 
-**Note:** You can fork the applications for [iPhone](https://github.com/heapsource/google-authenticator) & [Android](https://github.com/heapsource/google-authenticator.android) and customize it
+**Note:** You can fork the applications for [iPhone](https://github.com/heapsource/google-authenticator) & [Android](https://github.com/heapsource/google-authenticator.android) and customize them
 
-### Getting current code (ex. to send via SMS)
+### Getting current code (e.g. to send via SMS)
 ```ruby
 user.otp_code # => '186522'
 sleep 30
@@ -73,9 +80,6 @@ user.otp_code # => '850738'
 
 # Override current time
 user.otp_code(time: Time.now + 3600) # => '317438'
-
-# Don't zero-pad to six digits
-user.otp_code(padding: false) # => '438'
 ```
 
 ### Authenticating using a code
@@ -94,19 +98,120 @@ sleep 30 # lets wait again
 user.authenticate_otp('186522', drift: 60) # => true
 ```
 
+## Counter based OTP
+
+An additonal counter field is required in our ``User`` Model
+
+```ruby
+rails g migration AddCounterForOtpToUsers otp_counter:integer
+=>
+      invoke  active_record
+      create    db/migrate/20130707010931_add_counter_for_otp_to_users.rb
+```
+
+Set default value for otp_counter to 0.
+```ruby
+change_column :users, :otp_counter, :integer, default: 0
+```
+
+In addition set the counter flag option to true
+
+```ruby
+class User < ApplicationRecord
+  has_one_time_password counter_based: true
+end
+```
+
+And for a custom counter column
+
+```ruby
+class User < ApplicationRecord
+  has_one_time_password counter_based: true, counter_column_name: :my_otp_secret_counter_column
+end
+```
+
+Authentication is done the same. You can manually adjust the counter for your usage or set auto_increment on success to true.
+
+```ruby
+user.authenticate_otp('186522') # => true
+user.authenticate_otp('186522', auto_increment: true) # => true
+user.authenticate_otp('186522') # => false
+user.otp_counter -= 1
+user.authenticate_otp('186522') # => true
+```
+
+When retrieving an ```otp_code``` you can also pass the ```auto_increment``` option.
+
+```ruby
+user.otp_code # => '186522'
+user.otp_code # => '186522'
+user.otp_code(auto_increment: true) # => '768273'
+user.otp_code(auto_increment: true) # => '002811'
+user.otp_code # => '002811'
+```
+
+## Backup codes
+
+We're going to add a field to our ``User`` Model, so each user can have an otp backup codes. The next step is to run the migration generator in order to add the backup codes field.
+
+```ruby
+rails g migration AddOtpBackupCodesToUsers otp_backup_codes:text
+=>
+      invoke  active_record
+      create    db/migrate/20210126030834_add_otp_backup_codes_to_users.rb
+```
+
+You can change backup codes column name by option `backup_codes_column_name`:
+
+```ruby
+class User < ApplicationRecord
+  has_one_time_password backup_codes_column_name: 'secret_codes'
+end
+```
+
+Then use array type in schema or serialize attribute in model as Array (depending on used db type). Or even consider to use some libs like (lockbox)[https://github.com/ankane/lockbox] with type array.
+
+After that user can use one of automatically generated backup codes for authentication using same method `authenticate_otp`.
+
+By default it generates 12 backup codes. You can change it by option `backup_codes_count`:
+
+```ruby
+class User < ApplicationRecord
+  has_one_time_password backup_codes_count: 6
+end
+```
+
+By default each backup code can be reused an infinite number of times. You can
+change it with option `one_time_backup_codes`:
+
+```ruby
+class User < ApplicationRecord
+  has_one_time_password one_time_backup_codes: true
+end
+```
+
+```ruby
+user.authenticate_otp('186522') # => true
+user.authenticate_otp('186522') # => false
+```
+
 ## Google Authenticator Compatible
 
 The library works with the Google Authenticator iPhone and Android app, and also includes the ability to generate provisioning URI's to use with the QR Code scanner built into the app.
 
 ```ruby
-# Use you user's emails for generate the provisioning_url
+# Use your user's email address to generate the provisioning_url
 user.provisioning_uri # => 'otpauth://totp/hello@heapsource.com?secret=2z6hxkdwi3uvrnpn'
 
-# Use a custom fied for generate the provisioning_url
+# Use a custom field to generate the provisioning_url
 user.provisioning_uri("hello") # => 'otpauth://totp/hello?secret=2z6hxkdwi3uvrnpn'
+
+# You can customize the generated url, by passing a hash of Options
+# `:issuer` lets you set the Issuer name in Google Authenticator, so it doesn't show as a blank entry.
+user.provisioning_uri(nil, issuer: 'MYAPP') #=> 'otpauth://totp/hello@heapsource.com?secret=2z6hxkdwi3uvrnpn&issuer=MYAPP'
 ```
 
-This can then be rendered as a QR Code which can then be scanned and added to the users list of OTP credentials.
+This can then be rendered as a QR Code which can be scanned and added to the users list of OTP credentials.
 
 ### Working example
 
@@ -118,6 +223,7 @@ Now run the following and compare the output
 
 ```ruby
 require "active_model_otp"
+
 class User
   extend ActiveModel::Callbacks
   include ActiveModel::Validations
@@ -128,6 +234,7 @@ class User
 
   has_one_time_password
 end
+
 user = User.new
 user.email = 'roberto@heapsource.com'
 user.otp_secret_key = "2z6hxkdwi3uvrnpn"
@@ -137,10 +244,10 @@ puts "Current code #{user.otp_code}"
 **Note:** otp_secret_key must be generated using RFC 3548 base32 key strings (for compatilibity with google authenticator)
 
 ### Useful Examples
-
+- [Drifting Ruby Tutorial](https://www.driftingruby.com/episodes/two-factor-authentication)
 - [Generate QR code with rqrcode gem](https://github.com/heapsource/active_model_otp/wiki/Generate-QR-code-with-rqrcode-gem)
 - Generating QR Code with Google Charts API
-- [Sendind code via email with Twilio](https://github.com/heapsource/active_model_otp/wiki/Send-code-via-Twilio-SMS)
+- [Sending code via SMS with Twilio](https://github.com/heapsource/active_model_otp/wiki/Send-code-via-Twilio-SMS)
 - [Using with Mongoid](https://github.com/heapsource/active_model_otp/wiki/Using-with-Mongoid)
 
 ## Contributing

data/active_model_otp.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.version       = ActiveModel::Otp::VERSION
   spec.authors       = ["Guillermo Iguaran", "Roberto Miranda", "Heapsource"]
   spec.email         = ["guilleiguaran@gmail.com", "rjmaltamar@gmail.com", "hello@firebase.co"]
-  spec.description   = %q{Adds methods to set and authenticate against one time passwords. Inspired in AM::SecurePassword"}
+  spec.description   = %q{Adds methods to set and authenticate against one time passwords 2FA(Two factor Authentication). Inspired in AM::SecurePassword"}
   spec.summary       = "Adds methods to set and authenticate against one time passwords."
   spec.homepage      = ""
   spec.license       = "MIT"
@@ -18,10 +18,19 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
+  spec.required_ruby_version = ">= 2.3"
+
   spec.add_dependency "activemodel"
-  spec.add_dependency "rotp"
+  spec.add_dependency "rotp", "~> 6.2.0"
 
-  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "activerecord"
   spec.add_development_dependency "rake"
   spec.add_development_dependency "minitest", "~> 5.4.2"
+  spec.add_development_dependency "appraisal"
+
+  if RUBY_PLATFORM == "java"
+    spec.add_development_dependency "activerecord-jdbcsqlite3-adapter"
+  else
+    spec.add_development_dependency "sqlite3"
+  end
 end

data/gemfiles/rails_4.2.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activemodel", "~> 4.2"
+gem "sqlite3", "~> 1.3.6"
+
+gemspec path: "../"

data/gemfiles/rails_5.0.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activemodel", "~> 5.0"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.3.6"
+
+gemspec path: "../"

data/gemfiles/rails_5.1.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activemodel", "~> 5.1"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.3.6"
+
+gemspec path: "../"

data/gemfiles/rails_5.2.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activemodel", "~> 5.2"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.3.6"
+
+gemspec path: "../"

data/gemfiles/rails_6.0.gemfile

@@ -0,0 +1,10 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 6.0"
+gem "activemodel", "~> 6.0"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.4"
+
+gemspec path: "../"

data/gemfiles/rails_6.1.gemfile

@@ -0,0 +1,10 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 6.1"
+gem "activemodel", "~> 6.1"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.4"
+
+gemspec path: "../"

data/lib/active_model/one_time_password.rb

@@ -3,63 +3,184 @@ module ActiveModel
     extend ActiveSupport::Concern
 
     module ClassMethods
-
       def has_one_time_password(options = {})
-
-        cattr_accessor :otp_column_name
-        class_attribute :otp_digits
+        cattr_accessor :otp_column_name, :otp_counter_column_name,
+                       :otp_backup_codes_column_name
+        class_attribute :otp_digits, :otp_counter_based,
+                        :otp_backup_codes_count, :otp_one_time_backup_codes
 
         self.otp_column_name = (options[:column_name] || "otp_secret_key").to_s
         self.otp_digits = options[:length] || 6
 
+        self.otp_counter_based = (options[:counter_based] || false)
+        self.otp_counter_column_name = (options[:counter_column_name] || "otp_counter").to_s
+
+        self.otp_backup_codes_column_name = (
+          options[:backup_codes_column_name] || 'otp_backup_codes'
+        ).to_s
+        self.otp_backup_codes_count = options[:backup_codes_count] || 12
+        self.otp_one_time_backup_codes = (
+          options[:one_time_backup_codes] || false
+        )
+
         include InstanceMethodsOnActivation
 
-        before_create { self.otp_regenerate_secret if !self.otp_column}
+        before_create(**options.slice(:if, :unless)) do
+          self.otp_regenerate_secret if !otp_column
+          self.otp_regenerate_counter if otp_counter_based && !otp_counter
+          otp_regenerate_backup_codes if backup_codes_enabled?
+        end
 
         if respond_to?(:attributes_protected_by_default)
           def self.attributes_protected_by_default #:nodoc:
-            super + [self.otp_column_name]
+            super + [otp_column_name, otp_counter_column_name]
           end
         end
       end
+
+      # Defaults to 160 bit long secret
+      # (meaning a 32 character long base32 secret)
+      def otp_random_secret(length = 20)
+        ROTP::Base32.random(length)
+      end
     end
 
     module InstanceMethodsOnActivation
       def otp_regenerate_secret
-        self.otp_column = ROTP::Base32.random_base32
+        self.otp_column = self.class.otp_random_secret
+      end
+
+      def otp_regenerate_counter
+        self.otp_counter = 1
       end
 
       def authenticate_otp(code, options = {})
-        totp = ROTP::TOTP.new(self.otp_column, {digits: self.otp_digits})
-        if drift = options[:drift]
-          totp.verify_with_drift(code, drift)
+        return true if backup_codes_enabled? && authenticate_backup_code(code)
+
+        if otp_counter_based
+          otp_counter == authenticate_hotp(code, options)
         else
-          totp.verify(code)
+          authenticate_totp(code, options).present?
         end
       end
 
       def otp_code(options = {})
-        if options.is_a? Hash
-          time = options.fetch(:time, Time.now)
-          padding = options.fetch(:padding, true)
+        if otp_counter_based
+          hotp_code(options)
         else
-          time = options
-          padding = true
+          totp_code(options)
         end
-        ROTP::TOTP.new(self.otp_column, {digits: self.otp_digits}).at(time, padding)
       end
 
-      def provisioning_uri(account = nil)
+      def provisioning_uri(account = nil, options = {})
         account ||= self.email if self.respond_to?(:email)
-        ROTP::TOTP.new(self.otp_column).provisioning_uri(account)
+        account ||= ""
+
+        if otp_counter_based
+          ROTP::HOTP
+            .new(otp_column, options)
+            .provisioning_uri(account, self.otp_counter)
+        else
+          ROTP::TOTP
+            .new(otp_column, options)
+            .provisioning_uri(account)
+        end
       end
 
       def otp_column
-        self.send(self.class.otp_column_name)
+        self.public_send(self.class.otp_column_name)
       end
 
       def otp_column=(attr)
-        self.send("#{self.class.otp_column_name}=", attr)
+        self.public_send("#{self.class.otp_column_name}=", attr)
+      end
+
+      def otp_counter
+        if self.class.otp_counter_column_name != "otp_counter"
+          self.public_send(self.class.otp_counter_column_name)
+        else
+          super
+        end
+      end
+
+      def otp_counter=(attr)
+        if self.class.otp_counter_column_name != "otp_counter"
+          self.public_send("#{self.class.otp_counter_column_name}=", attr)
+        else
+          super
+        end
+      end
+
+      def serializable_hash(options = nil)
+        options ||= {}
+        options[:except] = Array(options[:except])
+        options[:except] << self.class.otp_column_name
+        super(options)
+      end
+
+      def otp_regenerate_backup_codes
+        otp = ROTP::OTP.new(otp_column)
+        backup_codes = Array.new(self.class.otp_backup_codes_count) do
+          otp.generate_otp((SecureRandom.random_number(9e5) + 1e5).to_i)
+        end
+
+        public_send("#{self.class.otp_backup_codes_column_name}=", backup_codes)
+      end
+
+      def backup_codes_enabled?
+        self.class.attribute_method?(self.class.otp_backup_codes_column_name)
+      end
+
+      private
+
+      def authenticate_hotp(code, options = {})
+        hotp = ROTP::HOTP.new(otp_column, digits: otp_digits)
+        result = hotp.verify(code, otp_counter)
+        if result && options[:auto_increment]
+          self.otp_counter += 1
+          save if respond_to?(:changed?) && !new_record?
+        end
+        result
+      end
+
+      def authenticate_totp(code, options = {})
+        totp = ROTP::TOTP.new(otp_column, digits: otp_digits)
+        if (drift = options[:drift])
+          totp.verify(code, drift_behind: drift)
+        else
+          totp.verify(code)
+        end
+      end
+
+      def hotp_code(options = {})
+        if options[:auto_increment]
+          self.otp_counter += 1
+          save if respond_to?(:changed?) && !new_record?
+        end
+        ROTP::HOTP.new(otp_column, digits: otp_digits).at(otp_counter)
+      end
+
+      def totp_code(options = {})
+        time = if options.is_a?(Hash)
+                 options.fetch(:time, Time.now)
+               else
+                 options
+               end
+        ROTP::TOTP.new(otp_column, digits: otp_digits).at(time)
+      end
+
+      def authenticate_backup_code(code)
+        backup_codes_column_name = self.class.otp_backup_codes_column_name
+        backup_codes = public_send(backup_codes_column_name)
+        return false unless backup_codes.present? && backup_codes.include?(code)
+
+        if self.class.otp_one_time_backup_codes
+          backup_codes.delete(code)
+          public_send("#{backup_codes_column_name}=", backup_codes)
+          save if respond_to?(:changed?) && !new_record?
+        end
+
+        true
       end
     end
   end

data/lib/active_model/otp/version.rb

@@ -1,5 +1,5 @@
 module ActiveModel
   module Otp
-    VERSION = "1.1.0"
+    VERSION = "2.2.0".freeze
   end
 end

data/test/models/activerecord_user.rb

@@ -0,0 +1,3 @@
+class ActiverecordUser < ActiveRecord::Base
+  has_one_time_password counter_based: true
+end

data/test/models/member.rb

@@ -0,0 +1,10 @@
+class Member
+  extend ActiveModel::Callbacks
+  include ActiveModel::Validations
+  include ActiveModel::OneTimePassword
+
+  define_model_callbacks :create
+  attr_accessor :otp_secret_key, :otp_counter, :email
+
+  has_one_time_password counter_based: true
+end

data/test/models/opt_in_two_factor.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class OptInTwoFactor
+  extend ActiveModel::Callbacks
+  include ActiveModel::Validations
+  include ActiveModel::OneTimePassword
+
+  define_model_callbacks :create
+  attr_accessor :otp_secret_key, :email
+
+  has_one_time_password unless: :otp_opt_in?
+
+  def otp_opt_in?
+    true
+  end
+end

data/test/models/user.rb

@@ -1,10 +1,15 @@
 class User
   extend ActiveModel::Callbacks
+  include ActiveModel::Serializers::JSON
   include ActiveModel::Validations
   include ActiveModel::OneTimePassword
 
   define_model_callbacks :create
-  attr_accessor :otp_secret_key, :email
+  attr_accessor :otp_secret_key, :otp_backup_codes, :email
 
-  has_one_time_password
+  has_one_time_password one_time_backup_codes: true
+
+  def attributes
+    { "otp_secret_key" => otp_secret_key, "email" => email }
+  end
 end

data/test/one_time_password_test.rb

@@ -1,6 +1,8 @@
-require "test_helper"
+# frozen_string_literal: true
 
-class OtpTest < MiniTest::Unit::TestCase
+require 'test_helper'
+
+class OtpTest < MiniTest::Test
   def setup
     @user = User.new
     @user.email = 'roberto@heapsource.com'
@@ -9,23 +11,79 @@ class OtpTest < MiniTest::Unit::TestCase
     @visitor = Visitor.new
     @visitor.email = 'roberto@heapsource.com'
     @visitor.run_callbacks :create
+
+    @member = Member.new
+    @member.email = nil
+    @member.run_callbacks :create
+
+    @ar_user = ActiverecordUser.new
+    @ar_user.email = 'roberto@heapsource.com'
+    @ar_user.run_callbacks :create
+
+    @opt_in = OptInTwoFactor.new
+    @opt_in.email = 'roberto@heapsource.com'
+    @opt_in.run_callbacks :create
   end
 
   def test_authenticate_with_otp
     code = @user.otp_code
-
     assert @user.authenticate_otp(code)
 
     code = @visitor.otp_code
     assert @visitor.authenticate_otp(code)
   end
 
+  def test_counter_based_otp
+    code = @member.otp_code
+    assert @member.authenticate_otp(code)
+    assert @member.authenticate_otp(code, auto_increment: true)
+    assert !@member.authenticate_otp(code)
+    @member.otp_counter -= 1
+    assert @member.authenticate_otp(code)
+    assert code == @member.otp_code
+    assert code != @member.otp_code(auto_increment: true)
+  end
+
+  def test_counter_based_otp_active_record
+    code = @ar_user.otp_code
+    assert @ar_user.authenticate_otp(code)
+    assert @ar_user.authenticate_otp(code, auto_increment: true)
+    assert !@ar_user.authenticate_otp(code)
+    @ar_user.otp_counter -= 1
+    assert @ar_user.authenticate_otp(code)
+    assert code == @ar_user.otp_code
+    assert code != @ar_user.otp_code(auto_increment: true)
+  end
+
+  def test_opt_in_two_factor
+    assert @opt_in.otp_column.nil?
+
+    @opt_in.otp_regenerate_secret
+    code = @opt_in.otp_code
+    assert_equal true, @opt_in.authenticate_otp(code)
+  end
+
   def test_authenticate_with_otp_when_drift_is_allowed
     code = @user.otp_code(Time.now - 30)
-    assert @user.authenticate_otp(code, drift: 60)
+    assert_equal true, @user.authenticate_otp(code, drift: 60)
 
     code = @visitor.otp_code(Time.now - 30)
-    assert @visitor.authenticate_otp(code, drift: 60)
+    assert_equal true, @visitor.authenticate_otp(code, drift: 60)
+  end
+
+  def test_authenticate_with_backup_code
+    backup_code = @user.public_send(@user.otp_backup_codes_column_name).first
+    assert_equal true, @user.authenticate_otp(backup_code)
+
+    backup_code = @user.public_send(@user.otp_backup_codes_column_name).last
+    @user.otp_regenerate_backup_codes
+    assert_equal true, !@user.authenticate_otp(backup_code)
+  end
+
+  def test_authenticate_with_one_time_backup_code
+    backup_code = @user.public_send(@user.otp_backup_codes_column_name).first
+    assert_equal true, @user.authenticate_otp(backup_code)
+    assert_equal true, !@user.authenticate_otp(backup_code)
   end
 
   def test_otp_code
@@ -34,31 +92,61 @@ class OtpTest < MiniTest::Unit::TestCase
   end
 
   def test_otp_code_with_specific_length
-    assert_match(/^\d{4}$/, @visitor.otp_code(time: 2160, padding: true).to_s)
-    assert_operator(@visitor.otp_code(time: 2160, padding: false).to_s.length, :<= , 4)
+    assert_match(/^\d{4}$/, @visitor.otp_code(2160).to_s)
+    assert_operator(@visitor.otp_code(2160).to_s.length, :<=, 4)
   end
 
   def test_otp_code_without_specific_length
-   assert_match(/^\d{6}$/, @user.otp_code(time: 2160, padding: true).to_s)
-   assert_operator(@user.otp_code(time: 2160, padding: false).to_s.length, :<= , 6)
-  end
-
-  def test_otp_code_padding
-    @user.otp_column = 'kw5jhligwqaiw7jc'
-    assert_match(/^\d{6}$/, @user.otp_code(time: 2160, padding: true).to_s)
-    # Modified this spec as it is not guranteed that without padding we will always
-    # get a 3 digit number
-    assert_operator(@user.otp_code(time: 2160, padding: false).to_s.length, :<= , 6)
+    assert_match(/^\d{6}$/, @user.otp_code(2160).to_s)
+    assert_operator(@user.otp_code(2160).to_s.length, :<=, 6)
   end
 
   def test_provisioning_uri_with_provided_account
-    assert_match %r{otpauth://totp/roberto\?secret=\w{16}}, @user.provisioning_uri("roberto")
-    assert_match %r{otpauth://totp/roberto\?secret=\w{16}}, @visitor.provisioning_uri("roberto")
+    totp = %r{^otpauth://totp/roberto\?secret=\w{32}$}
+    hotp = %r{^otpauth://hotp/roberto\?secret=\w{32}&counter=1$}
+
+    assert_match totp, @user.provisioning_uri('roberto')
+    assert_match totp, @visitor.provisioning_uri('roberto')
+    assert_match hotp, @member.provisioning_uri('roberto')
   end
 
   def test_provisioning_uri_with_email_field
-    assert_match %r{otpauth://totp/roberto@heapsource\.com\?secret=\w{16}}, @user.provisioning_uri
-    assert_match %r{otpauth://totp/roberto@heapsource\.com\?secret=\w{16}}, @visitor.provisioning_uri
+    totp = %r{^otpauth://totp/roberto%40heapsource\.com\?secret=\w{32}$}
+    hotp = %r{^otpauth://hotp/\?secret=\w{32}&counter=1$}
+
+    assert_match totp, @user.provisioning_uri
+    assert_match totp, @visitor.provisioning_uri
+    assert_match hotp, @member.provisioning_uri
+  end
+
+  def test_provisioning_uri_with_options
+    account = %r{
+      ^otpauth://totp/Example\:roberto\?secret=\w{32}&issuer=Example$
+    }x
+
+    email = %r{
+      ^otpauth://totp/Example\:roberto%40heapsource\.com\?secret=\w{32}
+      &issuer=Example$
+    }x
+
+    assert_match(
+      account, @user.provisioning_uri('roberto', issuer: 'Example')
+    )
+
+    assert_match(
+      account, @visitor.provisioning_uri('roberto', issuer: 'Example')
+    )
+
+    assert_match email, @user.provisioning_uri(nil, issuer: 'Example')
+    assert_match email, @visitor.provisioning_uri(nil, issuer: 'Example')
+  end
+
+  def test_provisioning_uri_with_incremented_counter
+    2.times { @member.otp_code(auto_increment: true) }
+
+    hotp = %r{^otpauth://hotp/\?secret=\w{32}&counter=3$}
+
+    assert_match hotp, @member.provisioning_uri
   end
 
   def test_regenerate_otp
@@ -66,4 +154,12 @@ class OtpTest < MiniTest::Unit::TestCase
     @user.otp_regenerate_secret
     assert secret != @user.otp_column
   end
+
+  def test_hide_secret_key_in_serialize
+    refute_match(/otp_secret_key/, @user.to_json)
+  end
+
+  def test_otp_random_secret
+    assert_match(/^.{32}$/, @user.class.otp_random_secret)
+  end
 end

data/test/schema.rb

@@ -0,0 +1,11 @@
+ActiveRecord::Schema.define do
+  self.verbose = false
+
+  create_table :activerecord_users, force: true do |t|
+    t.string :key
+    t.string :email
+    t.integer :otp_counter
+    t.string :otp_secret_key
+    t.timestamps
+  end
+end

data/test/test_helper.rb

@@ -8,5 +8,14 @@ require "rubygems"
 require "active_model_otp"
 require "minitest/autorun"
 require "minitest/unit"
+require "active_record"
+
+begin
+  require "activemodel-serializers-xml"
+rescue LoadError
+end
+
+ActiveRecord::Base.establish_connection adapter: "sqlite3", database: ":memory:"
+load "#{ File.dirname(__FILE__) }/schema.rb"
 
 Dir["models/*.rb"].each {|file| require file }

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: active_model_otp
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.2.0
 platform: ruby
 authors:
 - Guillermo Iguaran
 - Roberto Miranda
 - Heapsource
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-10-10 00:00:00.000000000 Z
+date: 2021-05-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -30,30 +30,30 @@ dependencies:
   name: rotp
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 6.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 6.2.0
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -82,8 +82,36 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 5.4.2
-description: Adds methods to set and authenticate against one time passwords. Inspired
-  in AM::SecurePassword"
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Adds methods to set and authenticate against one time passwords 2FA(Two
+  factor Authentication). Inspired in AM::SecurePassword"
 email:
 - guilleiguaran@gmail.com
 - rjmaltamar@gmail.com
@@ -94,24 +122,35 @@ extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".travis.yml"
+- Appraisals
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - active_model_otp.gemspec
+- gemfiles/rails_4.2.gemfile
+- gemfiles/rails_5.0.gemfile
+- gemfiles/rails_5.1.gemfile
+- gemfiles/rails_5.2.gemfile
+- gemfiles/rails_6.0.gemfile
+- gemfiles/rails_6.1.gemfile
 - lib/active_model/one_time_password.rb
 - lib/active_model/otp/version.rb
 - lib/active_model_otp.rb
+- test/models/activerecord_user.rb
+- test/models/member.rb
+- test/models/opt_in_two_factor.rb
 - test/models/user.rb
 - test/models/visitor.rb
 - test/one_time_password_test.rb
+- test/schema.rb
 - test/test_helper.rb
 homepage: ''
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -119,20 +158,23 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.2.2
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: Adds methods to set and authenticate against one time passwords.
 test_files:
+- test/models/activerecord_user.rb
+- test/models/member.rb
+- test/models/opt_in_two_factor.rb
 - test/models/user.rb
 - test/models/visitor.rb
 - test/one_time_password_test.rb
+- test/schema.rb
 - test/test_helper.rb