active_model_otp 1.2.0 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: a53fb4e15fa9408222f26928a84d9b1f67919b86
-  data.tar.gz: f436275d42c9e8e78c074809be7cbc06da3e9c16
+SHA256:
+  metadata.gz: 2a57a05fda7ae2023dc877a96228e00e5dbca948bc8d17c1058232a42086e285
+  data.tar.gz: 9d3a965117edbf33fb77585126be84e2fd44b613bbbc435c74627b198b87ee5f
 SHA512:
-  metadata.gz: 4c409cf8191c2511f7f7c984d0b2623463f65a835e5b86d6cec3dd59b9f91836f8a5d5308b164d328c773dbebe76c51e0c9ae0503048bc81e8326280d57a2379
-  data.tar.gz: 2b69f18d93545ea5e0e41bc3bc10930887f2f7f1b95dbee947b6e9eed256cc5b78f80014fa7e11e2f3d271f204ccf5dad9b412f9c1193404dcda64478e1d116a
+  metadata.gz: 847accabdd4eff2942a917f497197b3be90bb5cf9e9caefb0cd753635994e3bb8b730aab0d9387aa13c4e929793816333d094b620037a8f9c002a7cc3f3ebdcb
+  data.tar.gz: 6a47a8a378bdb2d9155a165e503f672b5c57576c7f9d4fdef271767422a2d9804a141252707cb0181b02c36a91024d1867b9114cdbc95e475c2e4b292f750b65

data/.github/workflows/active_model_otp.yml

@@ -0,0 +1,43 @@
+name: Active Model OTP
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    
+    strategy:
+      matrix:
+        gemfile: [rails_4.2, rails_5.0, rails_5.1, rails_5.2, rails_6.0, rails_6.1]
+        ruby-version: [2.3, 2.4, 2.5, 2.6, 2.7, 3.0]
+        exclude:
+          - { gemfile: rails_6.0, ruby-version: 2.3 }
+          - { gemfile: rails_6.1, ruby-version: 2.3 }
+          - { gemfile: rails_6.0, ruby-version: 2.4 }
+          - { gemfile: rails_6.1, ruby-version: 2.4 }
+          - { gemfile: rails_4.2, ruby-version: 2.7 }
+          - { gemfile: rails_4.2, ruby-version: 3.0 }
+          - { gemfile: rails_5.0, ruby-version: 3.0 }
+          - { gemfile: rails_5.1, ruby-version: 3.0 }
+          - { gemfile: rails_5.2, ruby-version: 3.0 }
+    
+    env:
+      BUNDLE_GEMFILE: gemfiles/${{ matrix.gemfile }}.gemfile
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Install Ruby ${{ matrix.ruby-version }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+
+      - name: Install dependencies
+        run: bundle install
+
+      - name: Run tests with Ruby ${{ matrix.ruby-version }} and Gemfile ${{ matrix.gemfile }}
+        run: bundle exec rake

data/.gitignore

@@ -16,3 +16,4 @@ test/tmp
 test/version_tmp
 tmp
 .ruby-version
+gemfiles/*.lock

data/Appraisals

@@ -0,0 +1,36 @@
+appraise "rails-4.2" do
+  gem "activemodel", "~> 4.2"
+  gem "sqlite3", "~> 1.3.6"
+end
+
+appraise "rails-5.0" do
+  gem "activemodel", "~> 5.0"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.3.6"
+end
+
+appraise "rails-5.1" do
+  gem "activemodel", "~> 5.1"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.3.6"
+end
+
+appraise "rails-5.2" do
+  gem "activemodel", "~> 5.2"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.3.6"
+end
+
+appraise "rails-6.0" do
+  gem "activerecord", "~> 6.0"
+  gem "activemodel", "~> 6.0"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.4"
+end
+
+appraise "rails-6.1" do
+  gem "activerecord", "~> 6.1"
+  gem "activemodel", "~> 6.1"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.4"
+end

data/CHANGELOG.md

@@ -1,17 +1 @@
-#v1.2.0
-- Added Counter based OTP (HOTP) (@ResultsMayVary ) https://github.com/heapsource/active_model_otp/pull/19
-- Adding options to provisioning uri, so we can include issuer (@doon) https://github.com/heapsource/active_model_otp/pull/15
-
-#v1.1.0
-- Add function to re-geterante the OTP secret (@TikiTDO) https://github.com/heapsource/active_model_otp/pull/14
-- Added option to pass OTP length (@shivanibhanwal) https://github.com/heapsource/active_model_otp/pull/13
-
-#v1.0.0
-- Avoid overriding predefined otp_column value when initializing resource (Ilan Stern) https://github.com/heapsource/active_model_otp/pull/10
-- Pad OTP codes with less than 6 digits (Johan Brissmyr) https://github.com/heapsource/active_model_otp/pull/7
-- Get rid of deprecation warnings in Rails 4.1 (Nick DeMonner)
-
-#v0.1.0
-- OTP codes can be in 5 or 6 digits (André Luis Leal Cardoso Junior)
-- Require 'cgi', rotp needs it for encoding parameters (André Luis Leal Cardoso Junior)
-- Change column name for otp secret key (robertomiranda)
+CHANGELOG it's been deprecated in favor of https://github.com/heapsource/active_model_otp/releases

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2013 Guillermo Iguaran, Roberto Miranda, Firebase.co
+Copyright (c) 2013-2019 Roberto Miranda, Guillermo Iguaran and contributors.
 
 MIT License
 

data/README.md

@@ -1,12 +1,16 @@
 [![Build Status](https://travis-ci.org/heapsource/active_model_otp.png)](https://travis-ci.org/heapsource/active_model_otp)
 [![Gem Version](https://badge.fury.io/rb/active_model_otp.svg)](http://badge.fury.io/rb/active_model_otp)
-[![Dependency Status](https://gemnasium.com/heapsource/active_model_otp.svg)](https://gemnasium.com/heapsource/active_model_otp)
-[![Code Climate](https://codeclimate.com/github/heapsource/active_model_otp/badges/gpa.svg)](https://codeclimate.com/github/heapsource/active_model_otp)
+[![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
 
 
 # ActiveModel::Otp
 
-**ActiveModel::Otp** makes adding **Two Factor Authentication** (TFA) to a model simple. Let's see what's required to get AMo::Otp working in our Application, using Rails 4.0 (AMo::Otp is also compatible with Rails 3.x versions). We're going to use a User model and some authentication to do it. Inspired by AM::SecurePassword
+**ActiveModel::Otp** makes adding **Two Factor Authentication** (TFA) to a model simple. Let's see what's required to get AMo::Otp working in our Application, using Rails 5.0 (AMo::Otp is also compatible with Rails 4.x versions). We're going to use a User model and try to add options provided by **ActiveModel::Otp**. Inspired by AM::SecurePassword
+
+## Dependencies
+
+* [ROTP](https://github.com/mdp/rotp) 6.2.0 or higher
+* Ruby 2.3 or greater
 
 ## Installation
 
@@ -36,27 +40,27 @@ rails g migration AddOtpSecretKeyToUsers otp_secret_key:string
 We’ll then need to run rake db:migrate to update the users table in the database. The next step is to update the model code. We need to use has_one_time_password to make it use TFA.
 
 ```ruby
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   has_one_time_password
 end
 ```
 
 Note: If you're adding this to an existing user model you'll need to generate *otp_secret_key* with a migration like:
 ```ruby
-User.all.each { |user| user.update_attribute(:otp_secret_key, ROTP::Base32.random_base32) }
+User.find_each { |user| user.update_attribute(:otp_secret_key, User.otp_random_secret) }
 ```
 
 To use a custom column to store the secret key field you can use the column_name option. It is also possible to generate codes with a specified length.
 
 ```ruby
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   has_one_time_password column_name: :my_otp_secret_column, length: 4
 end
 ```
 
 ## Usage
 
-The has_one_time_password statement provides to the model some useful methods in order to implement our TFA system. AMo:Otp generates one time passwords according to [TOTP RFC 6238](http://tools.ietf.org/html/rfc4226) and the [HOTP RFC 4226](http://tools.ietf.org/html/rfc4226). This is compatible with Google Authenticator apps available for Android and iPhone, and now in use on GMail.
+The has_one_time_password statement provides to the model some useful methods in order to implement our TFA system. AMo:Otp generates one time passwords according to [TOTP RFC 6238](https://tools.ietf.org/html/rfc6238) and the [HOTP RFC 4226](https://www.ietf.org/rfc/rfc4226). This is compatible with Google Authenticator apps available for Android and iPhone, and now in use on GMail.
 
 The otp_secret_key is saved automatically when an object is created,
 
@@ -76,9 +80,6 @@ user.otp_code # => '850738'
 
 # Override current time
 user.otp_code(time: Time.now + 3600) # => '317438'
-
-# Don't zero-pad to six digits
-user.otp_code(padding: false) # => '438'
 ```
 
 ### Authenticating using a code
@@ -108,10 +109,15 @@ rails g migration AddCounterForOtpToUsers otp_counter:integer
       create    db/migrate/20130707010931_add_counter_for_otp_to_users.rb
 ```
 
+Set default value for otp_counter to 0.
+```ruby
+change_column :users, :otp_counter, :integer, default: 0
+```
+
 In addition set the counter flag option to true
 
 ```ruby
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   has_one_time_password counter_based: true
 end
 ```
@@ -119,7 +125,7 @@ end
 And for a custom counter column
 
 ```ruby
-class User < ActiveRecord::Base
+class User < ApplicationRecord
   has_one_time_password counter_based: true, counter_column_name: :my_otp_secret_counter_column
 end
 ```
@@ -144,6 +150,51 @@ user.otp_code(auto_increment: true) # => '002811'
 user.otp_code # => '002811'
 ```
 
+## Backup codes
+
+We're going to add a field to our ``User`` Model, so each user can have an otp backup codes. The next step is to run the migration generator in order to add the backup codes field.
+
+```ruby
+rails g migration AddOtpBackupCodesToUsers otp_backup_codes:text
+=>
+      invoke  active_record
+      create    db/migrate/20210126030834_add_otp_backup_codes_to_users.rb
+```
+
+You can change backup codes column name by option `backup_codes_column_name`:
+
+```ruby
+class User < ApplicationRecord
+  has_one_time_password backup_codes_column_name: 'secret_codes'
+end
+```
+
+Then use array type in schema or serialize attribute in model as Array (depending on used db type). Or even consider to use some libs like (lockbox)[https://github.com/ankane/lockbox] with type array.
+
+After that user can use one of automatically generated backup codes for authentication using same method `authenticate_otp`.
+
+By default it generates 12 backup codes. You can change it by option `backup_codes_count`:
+
+```ruby
+class User < ApplicationRecord
+  has_one_time_password backup_codes_count: 6
+end
+```
+
+By default each backup code can be reused an infinite number of times. You can
+change it with option `one_time_backup_codes`:
+
+```ruby
+class User < ApplicationRecord
+  has_one_time_password one_time_backup_codes: true
+end
+```
+
+```ruby
+user.authenticate_otp('186522') # => true
+user.authenticate_otp('186522') # => false
+```
+
 ## Google Authenticator Compatible
 
 The library works with the Google Authenticator iPhone and Android app, and also includes the ability to generate provisioning URI's to use with the QR Code scanner built into the app.
@@ -154,10 +205,36 @@ user.provisioning_uri # => 'otpauth://totp/hello@heapsource.com?secret=2z6hxkdwi
 
 # Use a custom field to generate the provisioning_url
 user.provisioning_uri("hello") # => 'otpauth://totp/hello?secret=2z6hxkdwi3uvrnpn'
+
+# You can customize the generated url, by passing a hash of Options
+# `:issuer` lets you set the Issuer name in Google Authenticator, so it doesn't show as a blank entry.
+user.provisioning_uri(nil, issuer: 'MYAPP') #=> 'otpauth://totp/hello@heapsource.com?secret=2z6hxkdwi3uvrnpn&issuer=MYAPP'
 ```
 
 This can then be rendered as a QR Code which can be scanned and added to the users list of OTP credentials.
 
+### Setting up a customer interval 
+
+If you define a custom interval for TOTP codes, just as `has_one_time_password interval: 10` (for example), remember to include the interval also in `provisioning_uri` method. If not defined, the default value is 30 seconds (according to ROTP gem: https://github.com/mdp/rotp/blob/master/lib/rotp/totp.rb#L9)
+
+```ruby
+class User < ApplicationRecord
+  has_one_time_password interval: 10 # the interval value is in seconds
+end
+
+user = User.new
+user.provisioning_uri("hello", interval: 10) # => 'otpauth://totp/hello?secret=2z6hxkdwi3uvrnpn&period=10'
+
+# This code snippet generates OTP codes that expires every 10 seconds.
+```
+
+**Note**: Only some authenticator apps are compatible with custom `period` of tokens, for more details check these links:
+
+- https://labanskoller.se/blog/2019/07/11/many-common-mobile-authenticator-apps-accept-qr-codes-for-modes-they-dont-support
+- https://www.ibm.com/docs/en/sva/9.0.7?topic=authentication-configuring-totp-one-time-password-mechanism
+
+So, be careful and aware when using custom intervals/periods for your TOTP codes beyond the default 30 seconds :)
+
 ### Working example
 
 Scan the following barcode with your phone, using Google Authenticator
@@ -168,6 +245,7 @@ Now run the following and compare the output
 
 ```ruby
 require "active_model_otp"
+
 class User
   extend ActiveModel::Callbacks
   include ActiveModel::Validations
@@ -178,6 +256,7 @@ class User
 
   has_one_time_password
 end
+
 user = User.new
 user.email = 'roberto@heapsource.com'
 user.otp_secret_key = "2z6hxkdwi3uvrnpn"
@@ -187,10 +266,10 @@ puts "Current code #{user.otp_code}"
 **Note:** otp_secret_key must be generated using RFC 3548 base32 key strings (for compatilibity with google authenticator)
 
 ### Useful Examples
-
+- [Drifting Ruby Tutorial](https://www.driftingruby.com/episodes/two-factor-authentication)
 - [Generate QR code with rqrcode gem](https://github.com/heapsource/active_model_otp/wiki/Generate-QR-code-with-rqrcode-gem)
 - Generating QR Code with Google Charts API
-- [Sendind code via email with Twilio](https://github.com/heapsource/active_model_otp/wiki/Send-code-via-Twilio-SMS)
+- [Sending code via SMS with Twilio](https://github.com/heapsource/active_model_otp/wiki/Send-code-via-Twilio-SMS)
 - [Using with Mongoid](https://github.com/heapsource/active_model_otp/wiki/Using-with-Mongoid)
 
 ## Contributing

data/active_model_otp.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.version       = ActiveModel::Otp::VERSION
   spec.authors       = ["Guillermo Iguaran", "Roberto Miranda", "Heapsource"]
   spec.email         = ["guilleiguaran@gmail.com", "rjmaltamar@gmail.com", "hello@firebase.co"]
-  spec.description   = %q{Adds methods to set and authenticate against one time passwords. Inspired in AM::SecurePassword"}
+  spec.description   = %q{Adds methods to set and authenticate against one time passwords 2FA(Two factor Authentication). Inspired in AM::SecurePassword"}
   spec.summary       = "Adds methods to set and authenticate against one time passwords."
   spec.homepage      = ""
   spec.license       = "MIT"
@@ -18,10 +18,19 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
+  spec.required_ruby_version = ">= 2.3"
+
   spec.add_dependency "activemodel"
-  spec.add_dependency "rotp"
+  spec.add_dependency "rotp", "~> 6.2.0"
 
-  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "activerecord"
   spec.add_development_dependency "rake"
   spec.add_development_dependency "minitest", "~> 5.4.2"
+  spec.add_development_dependency "appraisal"
+
+  if RUBY_PLATFORM == "java"
+    spec.add_development_dependency "activerecord-jdbcsqlite3-adapter"
+  else
+    spec.add_development_dependency "sqlite3"
+  end
 end

data/gemfiles/rails_4.2.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activemodel", "~> 4.2"
+gem "sqlite3", "~> 1.3.6"
+
+gemspec path: "../"

data/gemfiles/rails_5.0.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activemodel", "~> 5.0"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.3.6"
+
+gemspec path: "../"

data/gemfiles/rails_5.1.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activemodel", "~> 5.1"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.3.6"
+
+gemspec path: "../"

data/gemfiles/rails_5.2.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activemodel", "~> 5.2"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.3.6"
+
+gemspec path: "../"

data/gemfiles/rails_6.0.gemfile

@@ -0,0 +1,10 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 6.0"
+gem "activemodel", "~> 6.0"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.4"
+
+gemspec path: "../"

data/gemfiles/rails_6.1.gemfile

@@ -0,0 +1,10 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 6.1"
+gem "activemodel", "~> 6.1"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.4"
+
+gemspec path: "../"

data/lib/active_model/one_time_password.rb

@@ -2,25 +2,50 @@ module ActiveModel
   module OneTimePassword
     extend ActiveSupport::Concern
 
-    module ClassMethods
+    OTP_DEFAULT_COLUMN_NAME = 'otp_secret_key'.freeze
+    OTP_DEFAULT_COUNTER_COLUMN_NAME = 'otp_counter'.freeze
+    OTP_DEFAULT_BACKUP_CODES_COLUMN_NAME = 'otp_backup_codes'.freeze
+    OTP_DEFAULT_DIGITS = 6
+    OTP_DEFAULT_BACKUP_CODES_COUNT = 12
+    OTP_COUNTER_ENABLED_BY_DEFAULT = false
+    OTP_BACKUP_CODES_ENABLED_BY_DEFAULT = false
 
+    module ClassMethods
       def has_one_time_password(options = {})
-        cattr_accessor :otp_column_name, :otp_counter_column_name
-        class_attribute :otp_digits, :otp_counter_based
-
-        self.otp_column_name = (options[:column_name] || "otp_secret_key").to_s
-        self.otp_digits = options[:length] || 6
-
-        self.otp_counter_based = (options[:counter_based] || false)
+        cattr_accessor :otp_column_name, :otp_counter_column_name,
+                       :otp_backup_codes_column_name
+        class_attribute :otp_digits, :otp_counter_based,
+                        :otp_backup_codes_count, :otp_one_time_backup_codes,
+                        :otp_interval
+
+        self.otp_column_name = (
+          options[:column_name] || OTP_DEFAULT_COLUMN_NAME
+        ).to_s
+        self.otp_digits = options[:length] || OTP_DEFAULT_DIGITS
+        self.otp_counter_based = (
+          options[:counter_based] || OTP_COUNTER_ENABLED_BY_DEFAULT
+        )
         self.otp_counter_column_name = (
-          options[:counter_column_name] || "otp_counter"
-          ).to_s
+          options[:counter_column_name] || OTP_DEFAULT_COUNTER_COLUMN_NAME
+        ).to_s
+        self.otp_interval = options[:interval]
+        self.otp_backup_codes_column_name = (
+          options[:backup_codes_column_name] ||
+          OTP_DEFAULT_BACKUP_CODES_COLUMN_NAME
+        ).to_s
+        self.otp_backup_codes_count = (
+          options[:backup_codes_count] || OTP_DEFAULT_BACKUP_CODES_COUNT
+        )
+        self.otp_one_time_backup_codes = (
+          options[:one_time_backup_codes] || OTP_BACKUP_CODES_ENABLED_BY_DEFAULT
+        )
 
         include InstanceMethodsOnActivation
 
-        before_create do
+        before_create(**options.slice(:if, :unless)) do
           self.otp_regenerate_secret if !otp_column
           self.otp_regenerate_counter if otp_counter_based && !otp_counter
+          otp_regenerate_backup_codes if backup_codes_enabled?
         end
 
         if respond_to?(:attributes_protected_by_default)
@@ -29,11 +54,17 @@ module ActiveModel
           end
         end
       end
+
+      # Defaults to 160 bit long secret
+      # (meaning a 32 character long base32 secret)
+      def otp_random_secret(length = 20)
+        ROTP::Base32.random(length)
+      end
     end
 
     module InstanceMethodsOnActivation
       def otp_regenerate_secret
-        self.otp_column = ROTP::Base32.random_base32
+        self.otp_column = self.class.otp_random_secret
       end
 
       def otp_regenerate_counter
@@ -41,67 +72,140 @@ module ActiveModel
       end
 
       def authenticate_otp(code, options = {})
+        return true if backup_codes_enabled? && authenticate_backup_code(code)
+
         if otp_counter_based
-          hotp = ROTP::HOTP.new(otp_column, digits: otp_digits)
-          result = hotp.verify(code, otp_counter)
-          if result && options[:auto_increment]
-            self.otp_counter += 1
-            save if !new_record?
-          end
-          result
+          otp_counter == authenticate_hotp(code, options)
         else
-          totp = ROTP::TOTP.new(otp_column, digits: otp_digits)
-          if drift = options[:drift]
-            totp.verify_with_drift(code, drift)
-          else
-            totp.verify(code)
-          end
+          authenticate_totp(code, options).present?
         end
       end
 
       def otp_code(options = {})
         if otp_counter_based
-          if options[:auto_increment]
-            self.otp_counter += 1
-            save if !new_record?
-          end
-          ROTP::HOTP.new(otp_column, digits: otp_digits).at(self.otp_counter)
+          hotp_code(options)
         else
-          if options.is_a? Hash
-            time = options.fetch(:time, Time.now)
-            padding = options.fetch(:padding, true)
-          else
-            time = options
-            padding = true
-          end
-          ROTP::TOTP.new(otp_column, digits: otp_digits).at(time, padding)
+          totp_code(options)
         end
       end
 
       def provisioning_uri(account = nil, options = {})
         account ||= self.email if self.respond_to?(:email)
+        account ||= ""
 
         if otp_counter_based
-          ROTP::HOTP.new(otp_column, options).provisioning_uri(account)
+          ROTP::HOTP
+            .new(otp_column, options)
+            .provisioning_uri(account, self.otp_counter)
         else
-          ROTP::TOTP.new(otp_column, options).provisioning_uri(account)
+          ROTP::TOTP
+            .new(otp_column, options)
+            .provisioning_uri(account)
         end
       end
 
       def otp_column
-        self.send(self.class.otp_column_name)
+        self.public_send(self.class.otp_column_name)
       end
 
       def otp_column=(attr)
-        self.send("#{self.class.otp_column_name}=", attr)
+        self.public_send("#{self.class.otp_column_name}=", attr)
       end
 
       def otp_counter
-        self.send(self.class.otp_counter_column_name)
+        if self.class.otp_counter_column_name != "otp_counter"
+          self.public_send(self.class.otp_counter_column_name)
+        else
+          super
+        end
       end
 
       def otp_counter=(attr)
-        self.send("#{self.class.otp_counter_column_name}=", attr)
+        if self.class.otp_counter_column_name != "otp_counter"
+          self.public_send("#{self.class.otp_counter_column_name}=", attr)
+        else
+          super
+        end
+      end
+
+      def serializable_hash(options = nil)
+        options ||= {}
+        options[:except] = Array(options[:except])
+        options[:except] << self.class.otp_column_name
+        super(options)
+      end
+
+      def otp_regenerate_backup_codes
+        otp = ROTP::OTP.new(otp_column)
+        backup_codes = Array.new(self.class.otp_backup_codes_count) do
+          otp.generate_otp((SecureRandom.random_number(9e5) + 1e5).to_i)
+        end
+
+        public_send("#{self.class.otp_backup_codes_column_name}=", backup_codes)
+      end
+
+      def backup_codes_enabled?
+        self.class.attribute_method?(self.class.otp_backup_codes_column_name)
+      end
+
+      private
+
+      def authenticate_hotp(code, options = {})
+        hotp = ROTP::HOTP.new(otp_column, digits: otp_digits)
+        result = hotp.verify(code, otp_counter)
+        if result && options[:auto_increment]
+          self.otp_counter += 1
+          save if respond_to?(:changed?) && !new_record?
+        end
+        result
+      end
+
+      def authenticate_totp(code, options = {})
+        totp = ROTP::TOTP.new(
+          otp_column,
+          digits: otp_digits,
+          interval: otp_interval
+        )
+        if (drift = options[:drift])
+          totp.verify(code, drift_behind: drift)
+        else
+          totp.verify(code)
+        end
+      end
+
+      def hotp_code(options = {})
+        if options[:auto_increment]
+          self.otp_counter += 1
+          save if respond_to?(:changed?) && !new_record?
+        end
+        ROTP::HOTP.new(otp_column, digits: otp_digits).at(otp_counter)
+      end
+
+      def totp_code(options = {})
+        time = if options.is_a?(Hash)
+                 options.fetch(:time, Time.now)
+               else
+                 options
+               end
+        ROTP::TOTP.new(
+          otp_column,
+          digits: otp_digits,
+          interval: otp_interval
+        ).at(time)
+      end
+
+      def authenticate_backup_code(code)
+        backup_codes_column_name = self.class.otp_backup_codes_column_name
+        backup_codes = public_send(backup_codes_column_name)
+        return false unless backup_codes.present? && backup_codes.include?(code)
+
+        if self.class.otp_one_time_backup_codes
+          backup_codes.delete(code)
+          public_send("#{backup_codes_column_name}=", backup_codes)
+          save if respond_to?(:changed?) && !new_record?
+        end
+
+        true
       end
     end
   end

data/lib/active_model/otp/version.rb

@@ -1,5 +1,5 @@
 module ActiveModel
   module Otp
-    VERSION = "1.2.0"
+    VERSION = '2.3.0'.freeze
   end
 end

data/test/models/activerecord_user.rb

@@ -0,0 +1,3 @@
+class ActiverecordUser < ActiveRecord::Base
+  has_one_time_password counter_based: true
+end

data/test/models/default_interval_user.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class DefaultIntervalUser < ActiveRecord::Base
+  has_one_time_password interval: 500
+end

data/test/models/interval_user.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class IntervalUser < ActiveRecord::Base
+  has_one_time_password interval: 2
+end

data/test/models/member.rb

@@ -0,0 +1,10 @@
+class Member
+  extend ActiveModel::Callbacks
+  include ActiveModel::Validations
+  include ActiveModel::OneTimePassword
+
+  define_model_callbacks :create
+  attr_accessor :otp_secret_key, :otp_counter, :email
+
+  has_one_time_password counter_based: true
+end

data/test/models/opt_in_two_factor.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class OptInTwoFactor
+  extend ActiveModel::Callbacks
+  include ActiveModel::Validations
+  include ActiveModel::OneTimePassword
+
+  define_model_callbacks :create
+  attr_accessor :otp_secret_key, :email
+
+  has_one_time_password unless: :otp_opt_in?
+
+  def otp_opt_in?
+    true
+  end
+end

data/test/models/user.rb

@@ -1,10 +1,15 @@
 class User
   extend ActiveModel::Callbacks
+  include ActiveModel::Serializers::JSON
   include ActiveModel::Validations
   include ActiveModel::OneTimePassword
 
   define_model_callbacks :create
-  attr_accessor :otp_secret_key, :email
+  attr_accessor :otp_secret_key, :otp_backup_codes, :email
 
-  has_one_time_password
+  has_one_time_password one_time_backup_codes: true
+
+  def attributes
+    { "otp_secret_key" => otp_secret_key, "email" => email }
+  end
 end

data/test/one_time_password_test.rb

@@ -1,6 +1,8 @@
-require "test_helper"
+# frozen_string_literal: true
 
-class OtpTest < MiniTest::Unit::TestCase
+require 'test_helper'
+
+class OtpTest < MiniTest::Test
   def setup
     @user = User.new
     @user.email = 'roberto@heapsource.com'
@@ -9,23 +11,79 @@ class OtpTest < MiniTest::Unit::TestCase
     @visitor = Visitor.new
     @visitor.email = 'roberto@heapsource.com'
     @visitor.run_callbacks :create
+
+    @member = Member.new
+    @member.email = nil
+    @member.run_callbacks :create
+
+    @ar_user = ActiverecordUser.new
+    @ar_user.email = 'roberto@heapsource.com'
+    @ar_user.run_callbacks :create
+
+    @opt_in = OptInTwoFactor.new
+    @opt_in.email = 'roberto@heapsource.com'
+    @opt_in.run_callbacks :create
   end
 
   def test_authenticate_with_otp
     code = @user.otp_code
-
     assert @user.authenticate_otp(code)
 
     code = @visitor.otp_code
     assert @visitor.authenticate_otp(code)
   end
 
+  def test_counter_based_otp
+    code = @member.otp_code
+    assert @member.authenticate_otp(code)
+    assert @member.authenticate_otp(code, auto_increment: true)
+    assert !@member.authenticate_otp(code)
+    @member.otp_counter -= 1
+    assert @member.authenticate_otp(code)
+    assert code == @member.otp_code
+    assert code != @member.otp_code(auto_increment: true)
+  end
+
+  def test_counter_based_otp_active_record
+    code = @ar_user.otp_code
+    assert @ar_user.authenticate_otp(code)
+    assert @ar_user.authenticate_otp(code, auto_increment: true)
+    assert !@ar_user.authenticate_otp(code)
+    @ar_user.otp_counter -= 1
+    assert @ar_user.authenticate_otp(code)
+    assert code == @ar_user.otp_code
+    assert code != @ar_user.otp_code(auto_increment: true)
+  end
+
+  def test_opt_in_two_factor
+    assert @opt_in.otp_column.nil?
+
+    @opt_in.otp_regenerate_secret
+    code = @opt_in.otp_code
+    assert_equal true, @opt_in.authenticate_otp(code)
+  end
+
   def test_authenticate_with_otp_when_drift_is_allowed
     code = @user.otp_code(Time.now - 30)
-    assert @user.authenticate_otp(code, drift: 60)
+    assert_equal true, @user.authenticate_otp(code, drift: 60)
 
     code = @visitor.otp_code(Time.now - 30)
-    assert @visitor.authenticate_otp(code, drift: 60)
+    assert_equal true, @visitor.authenticate_otp(code, drift: 60)
+  end
+
+  def test_authenticate_with_backup_code
+    backup_code = @user.public_send(@user.otp_backup_codes_column_name).first
+    assert_equal true, @user.authenticate_otp(backup_code)
+
+    backup_code = @user.public_send(@user.otp_backup_codes_column_name).last
+    @user.otp_regenerate_backup_codes
+    assert_equal true, !@user.authenticate_otp(backup_code)
+  end
+
+  def test_authenticate_with_one_time_backup_code
+    backup_code = @user.public_send(@user.otp_backup_codes_column_name).first
+    assert_equal true, @user.authenticate_otp(backup_code)
+    assert_equal true, !@user.authenticate_otp(backup_code)
   end
 
   def test_otp_code
@@ -34,38 +92,61 @@ class OtpTest < MiniTest::Unit::TestCase
   end
 
   def test_otp_code_with_specific_length
-    assert_match(/^\d{4}$/, @visitor.otp_code(time: 2160, padding: true).to_s)
-    assert_operator(@visitor.otp_code(time: 2160, padding: false).to_s.length, :<= , 4)
+    assert_match(/^\d{4}$/, @visitor.otp_code(2160).to_s)
+    assert_operator(@visitor.otp_code(2160).to_s.length, :<=, 4)
   end
 
   def test_otp_code_without_specific_length
-   assert_match(/^\d{6}$/, @user.otp_code(time: 2160, padding: true).to_s)
-   assert_operator(@user.otp_code(time: 2160, padding: false).to_s.length, :<= , 6)
-  end
-
-  def test_otp_code_padding
-    @user.otp_column = 'kw5jhligwqaiw7jc'
-    assert_match(/^\d{6}$/, @user.otp_code(time: 2160, padding: true).to_s)
-    # Modified this spec as it is not guranteed that without padding we will always
-    # get a 3 digit number
-    assert_operator(@user.otp_code(time: 2160, padding: false).to_s.length, :<= , 6)
+    assert_match(/^\d{6}$/, @user.otp_code(2160).to_s)
+    assert_operator(@user.otp_code(2160).to_s.length, :<=, 6)
   end
 
   def test_provisioning_uri_with_provided_account
-    assert_match %r{otpauth://totp/roberto\?secret=\w{16}}, @user.provisioning_uri("roberto")
-    assert_match %r{otpauth://totp/roberto\?secret=\w{16}}, @visitor.provisioning_uri("roberto")
+    totp = %r{^otpauth://totp/roberto\?secret=\w{32}$}
+    hotp = %r{^otpauth://hotp/roberto\?secret=\w{32}&counter=1$}
+
+    assert_match totp, @user.provisioning_uri('roberto')
+    assert_match totp, @visitor.provisioning_uri('roberto')
+    assert_match hotp, @member.provisioning_uri('roberto')
   end
 
   def test_provisioning_uri_with_email_field
-    assert_match %r{otpauth://totp/roberto@heapsource\.com\?secret=\w{16}}, @user.provisioning_uri
-    assert_match %r{otpauth://totp/roberto@heapsource\.com\?secret=\w{16}}, @visitor.provisioning_uri
+    totp = %r{^otpauth://totp/roberto%40heapsource\.com\?secret=\w{32}$}
+    hotp = %r{^otpauth://hotp/\?secret=\w{32}&counter=1$}
+
+    assert_match totp, @user.provisioning_uri
+    assert_match totp, @visitor.provisioning_uri
+    assert_match hotp, @member.provisioning_uri
   end
 
   def test_provisioning_uri_with_options
-    assert_match  %r{otpauth://totp/roberto@heapsource\.com\?issuer=Example&secret=\w{16}},@user.provisioning_uri(nil,issuer: "Example")
-    assert_match %r{otpauth://totp/roberto@heapsource\.com\?issuer=Example&secret=\w{16}}, @visitor.provisioning_uri(nil,issuer: "Example")
-    assert_match %r{otpauth://totp/roberto\?issuer=Example&secret=\w{16}}, @user.provisioning_uri("roberto", issuer: "Example")
-    assert_match %r{otpauth://totp/roberto\?issuer=Example&secret=\w{16}}, @visitor.provisioning_uri("roberto", issuer: "Example")
+    account = %r{
+      ^otpauth://totp/Example\:roberto\?secret=\w{32}&issuer=Example$
+    }x
+
+    email = %r{
+      ^otpauth://totp/Example\:roberto%40heapsource\.com\?secret=\w{32}
+      &issuer=Example$
+    }x
+
+    assert_match(
+      account, @user.provisioning_uri('roberto', issuer: 'Example')
+    )
+
+    assert_match(
+      account, @visitor.provisioning_uri('roberto', issuer: 'Example')
+    )
+
+    assert_match email, @user.provisioning_uri(nil, issuer: 'Example')
+    assert_match email, @visitor.provisioning_uri(nil, issuer: 'Example')
+  end
+
+  def test_provisioning_uri_with_incremented_counter
+    2.times { @member.otp_code(auto_increment: true) }
+
+    hotp = %r{^otpauth://hotp/\?secret=\w{32}&counter=3$}
+
+    assert_match hotp, @member.provisioning_uri
   end
 
   def test_regenerate_otp
@@ -73,4 +154,32 @@ class OtpTest < MiniTest::Unit::TestCase
     @user.otp_regenerate_secret
     assert secret != @user.otp_column
   end
+
+  def test_hide_secret_key_in_serialize
+    refute_match(/otp_secret_key/, @user.to_json)
+  end
+
+  def test_otp_random_secret
+    assert_match(/^.{32}$/, @user.class.otp_random_secret)
+  end
+
+  def test_otp_interval
+    @interval_user = IntervalUser.new
+    @interval_user.email = 'roberto@heapsource.com'
+    @interval_user.run_callbacks :create
+    otp_code = @interval_user.otp_code
+    2.times { assert_match(otp_code, @interval_user.otp_code) }
+    sleep 5
+    refute_match(otp_code, @interval_user.otp_code)
+  end
+
+  def test_otp_default_interval
+    @default_interval_user = DefaultIntervalUser.new
+    @default_interval_user.email = 'roberto@heapsource.com'
+    @default_interval_user.run_callbacks :create
+    otp_code = @default_interval_user.otp_code
+    2.times { assert_match(otp_code, @default_interval_user.otp_code) }
+    sleep 5
+    assert_match(otp_code, @default_interval_user.otp_code)
+  end
 end

data/test/schema.rb

@@ -0,0 +1,27 @@
+ActiveRecord::Schema.define do
+  self.verbose = false
+
+  create_table :activerecord_users, force: true do |t|
+    t.string :key
+    t.string :email
+    t.integer :otp_counter
+    t.string :otp_secret_key
+    t.timestamps
+  end
+
+  create_table :interval_users, force: true do |t|
+    t.string :key
+    t.string :email
+    t.integer :otp_counter
+    t.string :otp_secret_key
+    t.timestamps
+  end
+
+  create_table :default_interval_users, force: true do |t|
+    t.string :key
+    t.string :email
+    t.integer :otp_counter
+    t.string :otp_secret_key
+    t.timestamps
+  end
+end

data/test/test_helper.rb

@@ -8,5 +8,14 @@ require "rubygems"
 require "active_model_otp"
 require "minitest/autorun"
 require "minitest/unit"
+require "active_record"
+
+begin
+  require "activemodel-serializers-xml"
+rescue LoadError
+end
+
+ActiveRecord::Base.establish_connection adapter: "sqlite3", database: ":memory:"
+load "#{ File.dirname(__FILE__) }/schema.rb"
 
 Dir["models/*.rb"].each {|file| require file }

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: active_model_otp
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 2.3.0
 platform: ruby
 authors:
 - Guillermo Iguaran
 - Roberto Miranda
 - Heapsource
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-02-26 00:00:00.000000000 Z
+date: 2021-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -30,30 +30,30 @@ dependencies:
   name: rotp
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 6.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 6.2.0
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: activerecord
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -82,8 +82,36 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 5.4.2
-description: Adds methods to set and authenticate against one time passwords. Inspired
-  in AM::SecurePassword"
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Adds methods to set and authenticate against one time passwords 2FA(Two
+  factor Authentication). Inspired in AM::SecurePassword"
 email:
 - guilleiguaran@gmail.com
 - rjmaltamar@gmail.com
@@ -92,26 +120,39 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/active_model_otp.yml"
 - ".gitignore"
-- ".travis.yml"
+- Appraisals
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
 - active_model_otp.gemspec
+- gemfiles/rails_4.2.gemfile
+- gemfiles/rails_5.0.gemfile
+- gemfiles/rails_5.1.gemfile
+- gemfiles/rails_5.2.gemfile
+- gemfiles/rails_6.0.gemfile
+- gemfiles/rails_6.1.gemfile
 - lib/active_model/one_time_password.rb
 - lib/active_model/otp/version.rb
 - lib/active_model_otp.rb
+- test/models/activerecord_user.rb
+- test/models/default_interval_user.rb
+- test/models/interval_user.rb
+- test/models/member.rb
+- test/models/opt_in_two_factor.rb
 - test/models/user.rb
 - test/models/visitor.rb
 - test/one_time_password_test.rb
+- test/schema.rb
 - test/test_helper.rb
 homepage: ''
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -119,20 +160,25 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.3'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.2.2
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: Adds methods to set and authenticate against one time passwords.
 test_files:
+- test/models/activerecord_user.rb
+- test/models/default_interval_user.rb
+- test/models/interval_user.rb
+- test/models/member.rb
+- test/models/opt_in_two_factor.rb
 - test/models/user.rb
 - test/models/visitor.rb
 - test/one_time_password_test.rb
+- test/schema.rb
 - test/test_helper.rb

data/.travis.yml

@@ -1,10 +0,0 @@
-rvm:
-  - 1.9.3
-  - 2.0.0
-  - 2.1
-matrix:
-  include:
-    - rvm: jruby
-      env: JRUBY_OPTS="--1.9 --server -Xcext.enabled=true"
-notifications:
-  email: false