active_model_otp 2.3.0 → 2.3.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2a57a05fda7ae2023dc877a96228e00e5dbca948bc8d17c1058232a42086e285
-  data.tar.gz: 9d3a965117edbf33fb77585126be84e2fd44b613bbbc435c74627b198b87ee5f
+  metadata.gz: 98c3fad16e797e0483e6aeebcdae72e868dd699b82f07400ad0ee9b0261dbd2a
+  data.tar.gz: 3454ea7c190b0f7f69b50cf617c132a46e1a22f7f5554e4159acec61dd40979f
 SHA512:
-  metadata.gz: 847accabdd4eff2942a917f497197b3be90bb5cf9e9caefb0cd753635994e3bb8b730aab0d9387aa13c4e929793816333d094b620037a8f9c002a7cc3f3ebdcb
-  data.tar.gz: 6a47a8a378bdb2d9155a165e503f672b5c57576c7f9d4fdef271767422a2d9804a141252707cb0181b02c36a91024d1867b9114cdbc95e475c2e4b292f750b65
+  metadata.gz: 93a2cec634c0b00a4480598f0dc5fe8bfcf27a9dcc35fb6603eb7bbdfb90fc4f85f94443fbe4b9df9acb6113facd7c14bc12368f0ad15f4df2c0cd5b5498f6bf
+  data.tar.gz: 232296291239477d07f49ba75bc9db6288a8a3e039f6b1bc93bb3f9ce57d07d8e3624450ebc425e4b7532073f5937506f97f67ec014cc9c6e2312c30aeeb755e

data/.github/workflows/active_model_otp.yml

@@ -9,22 +9,48 @@ on:
 jobs:
   ci:
     runs-on: ubuntu-latest
-    
+
     strategy:
       matrix:
-        gemfile: [rails_4.2, rails_5.0, rails_5.1, rails_5.2, rails_6.0, rails_6.1]
-        ruby-version: [2.3, 2.4, 2.5, 2.6, 2.7, 3.0]
+        gemfile: [rails_4.2, rails_5.0, rails_5.1, rails_5.2, rails_6.0, rails_6.1, rails_7.0]
+        ruby-version: [2.3, 2.4, 2.5, 2.6, 2.7, 3.0, 3.1, 3.2]
         exclude:
-          - { gemfile: rails_6.0, ruby-version: 2.3 }
-          - { gemfile: rails_6.1, ruby-version: 2.3 }
-          - { gemfile: rails_6.0, ruby-version: 2.4 }
-          - { gemfile: rails_6.1, ruby-version: 2.4 }
+          - { gemfile: rails_4.2, ruby-version: 2.5 }
+          - { gemfile: rails_4.2, ruby-version: 2.6 }
           - { gemfile: rails_4.2, ruby-version: 2.7 }
           - { gemfile: rails_4.2, ruby-version: 3.0 }
+          - { gemfile: rails_4.2, ruby-version: 3.1 }
+          - { gemfile: rails_4.2, ruby-version: 3.2 }
+          - { gemfile: rails_5.0, ruby-version: 2.5 }
+          - { gemfile: rails_5.0, ruby-version: 2.6 }
+          - { gemfile: rails_5.0, ruby-version: 2.7 }
           - { gemfile: rails_5.0, ruby-version: 3.0 }
+          - { gemfile: rails_5.0, ruby-version: 3.1 }
+          - { gemfile: rails_5.0, ruby-version: 3.2 }
+          - { gemfile: rails_5.1, ruby-version: 2.6 }
+          - { gemfile: rails_5.1, ruby-version: 2.7 }
           - { gemfile: rails_5.1, ruby-version: 3.0 }
+          - { gemfile: rails_5.1, ruby-version: 3.1 }
+          - { gemfile: rails_5.1, ruby-version: 3.2 }
+          - { gemfile: rails_5.2, ruby-version: 2.7 }
           - { gemfile: rails_5.2, ruby-version: 3.0 }
-    
+          - { gemfile: rails_5.2, ruby-version: 3.1 }
+          - { gemfile: rails_5.2, ruby-version: 3.2 }
+          - { gemfile: rails_6.0, ruby-version: 2.3 }
+          - { gemfile: rails_6.0, ruby-version: 2.4 }
+          - { gemfile: rails_6.0, ruby-version: 3.0 }
+          - { gemfile: rails_6.0, ruby-version: 3.1 }
+          - { gemfile: rails_6.0, ruby-version: 3.2 }
+          - { gemfile: rails_6.1, ruby-version: 2.3 }
+          - { gemfile: rails_6.1, ruby-version: 2.4 }
+          - { gemfile: rails_6.1, ruby-version: 3.0 }
+          - { gemfile: rails_6.1, ruby-version: 3.1 }
+          - { gemfile: rails_6.1, ruby-version: 3.2 }
+          - { gemfile: rails_7.0, ruby-version: 2.3 }
+          - { gemfile: rails_7.0, ruby-version: 2.4 }
+          - { gemfile: rails_7.0, ruby-version: 2.5 }
+          - { gemfile: rails_7.0, ruby-version: 2.6 }
+
     env:
       BUNDLE_GEMFILE: gemfiles/${{ matrix.gemfile }}.gemfile
 

data/Appraisals

@@ -34,3 +34,10 @@ appraise "rails-6.1" do
   gem "activemodel-serializers-xml"
   gem "sqlite3", "~> 1.4"
 end
+
+appraise "rails-7.0" do
+  gem "activerecord", "~> 7.0"
+  gem "activemodel", "~> 7.0"
+  gem "activemodel-serializers-xml"
+  gem "sqlite3", "~> 1.6"
+end

data/README.md

@@ -1,4 +1,4 @@
-[![Build Status](https://travis-ci.org/heapsource/active_model_otp.png)](https://travis-ci.org/heapsource/active_model_otp)
+[![Active Model OTP](https://github.com/heapsource/active_model_otp/actions/workflows/active_model_otp.yml/badge.svg?branch=main)](https://github.com/heapsource/active_model_otp/actions/workflows/active_model_otp.yml)
 [![Gem Version](https://badge.fury.io/rb/active_model_otp.svg)](http://badge.fury.io/rb/active_model_otp)
 [![Reviewed by Hound](https://img.shields.io/badge/Reviewed_by-Hound-8E64B0.svg)](https://houndci.com)
 
@@ -98,9 +98,31 @@ sleep 30 # lets wait again
 user.authenticate_otp('186522', drift: 60) # => true
 ```
 
+### Preventing reuse of Time based OTP's
+
+By keeping track of the last time a user's OTP was verified, we can prevent token reuse during the interval window (default 30 seconds). It is useful with SMS, that is commonly used in combination with `drift` to extend the life of the code.
+
+```ruby
+rails g migration AddLastOtpAtToUsers last_otp_at:integer
+=>
+      invoke  active_record
+      create    db/migrate/20220407010931_add_last_otp_at_to_users.rb
+```
+
+```ruby
+class User < ApplicationRecord
+  has_one_time_password after_column_name: :last_otp_at
+end
+```
+
+```ruby
+user.authenticate_otp('186522') # => true
+user.authenticate_otp('186522') # => false
+```
+
 ## Counter based OTP
 
-An additonal counter field is required in our ``User`` Model
+An additional counter field is required in our ``User`` Model
 
 ```ruby
 rails g migration AddCounterForOtpToUsers otp_counter:integer
@@ -213,7 +235,7 @@ user.provisioning_uri(nil, issuer: 'MYAPP') #=> 'otpauth://totp/hello@heapsource
 
 This can then be rendered as a QR Code which can be scanned and added to the users list of OTP credentials.
 
-### Setting up a customer interval 
+### Setting up a customer interval
 
 If you define a custom interval for TOTP codes, just as `has_one_time_password interval: 10` (for example), remember to include the interval also in `provisioning_uri` method. If not defined, the default value is 30 seconds (according to ROTP gem: https://github.com/mdp/rotp/blob/master/lib/rotp/totp.rb#L9)
 

data/gemfiles/rails_7.0.gemfile

@@ -0,0 +1,10 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "activerecord", "~> 7.0"
+gem "activemodel", "~> 7.0"
+gem "activemodel-serializers-xml"
+gem "sqlite3", "~> 1.6"
+
+gemspec path: "../"

data/lib/active_model/one_time_password.rb

@@ -13,32 +13,20 @@ module ActiveModel
     module ClassMethods
       def has_one_time_password(options = {})
         cattr_accessor :otp_column_name, :otp_counter_column_name,
-                       :otp_backup_codes_column_name
+                       :otp_backup_codes_column_name, :otp_after_column_name
         class_attribute :otp_digits, :otp_counter_based,
                         :otp_backup_codes_count, :otp_one_time_backup_codes,
                         :otp_interval
 
-        self.otp_column_name = (
-          options[:column_name] || OTP_DEFAULT_COLUMN_NAME
-        ).to_s
+        self.otp_column_name = (options[:column_name] || OTP_DEFAULT_COLUMN_NAME).to_s
         self.otp_digits = options[:length] || OTP_DEFAULT_DIGITS
-        self.otp_counter_based = (
-          options[:counter_based] || OTP_COUNTER_ENABLED_BY_DEFAULT
-        )
-        self.otp_counter_column_name = (
-          options[:counter_column_name] || OTP_DEFAULT_COUNTER_COLUMN_NAME
-        ).to_s
+        self.otp_counter_based = options[:counter_based] || OTP_COUNTER_ENABLED_BY_DEFAULT
+        self.otp_counter_column_name = (options[:counter_column_name] || OTP_DEFAULT_COUNTER_COLUMN_NAME).to_s
         self.otp_interval = options[:interval]
-        self.otp_backup_codes_column_name = (
-          options[:backup_codes_column_name] ||
-          OTP_DEFAULT_BACKUP_CODES_COLUMN_NAME
-        ).to_s
-        self.otp_backup_codes_count = (
-          options[:backup_codes_count] || OTP_DEFAULT_BACKUP_CODES_COUNT
-        )
-        self.otp_one_time_backup_codes = (
-          options[:one_time_backup_codes] || OTP_BACKUP_CODES_ENABLED_BY_DEFAULT
-        )
+        self.otp_after_column_name = options[:after_column_name]
+        self.otp_backup_codes_column_name = (options[:backup_codes_column_name] || OTP_DEFAULT_BACKUP_CODES_COLUMN_NAME).to_s
+        self.otp_backup_codes_count = options[:backup_codes_count] || OTP_DEFAULT_BACKUP_CODES_COUNT
+        self.otp_one_time_backup_codes = options[:one_time_backup_codes] || OTP_BACKUP_CODES_ENABLED_BY_DEFAULT
 
         include InstanceMethodsOnActivation
 
@@ -72,6 +60,7 @@ module ActiveModel
       end
 
       def authenticate_otp(code, options = {})
+        return false if code.nil? || code.empty?
         return true if backup_codes_enabled? && authenticate_backup_code(code)
 
         if otp_counter_based
@@ -94,13 +83,9 @@ module ActiveModel
         account ||= ""
 
         if otp_counter_based
-          ROTP::HOTP
-            .new(otp_column, options)
-            .provisioning_uri(account, self.otp_counter)
+          ROTP::HOTP.new(otp_column, options).provisioning_uri(account, self.otp_counter)
         else
-          ROTP::TOTP
-            .new(otp_column, options)
-            .provisioning_uri(account)
+          ROTP::TOTP.new(otp_column, options).provisioning_uri(account)
         end
       end
 
@@ -132,6 +117,7 @@ module ActiveModel
         options ||= {}
         options[:except] = Array(options[:except])
         options[:except] << self.class.otp_column_name
+
         super(options)
       end
 
@@ -153,45 +139,42 @@ module ActiveModel
       def authenticate_hotp(code, options = {})
         hotp = ROTP::HOTP.new(otp_column, digits: otp_digits)
         result = hotp.verify(code, otp_counter)
+
         if result && options[:auto_increment]
           self.otp_counter += 1
           save if respond_to?(:changed?) && !new_record?
         end
+
         result
       end
 
       def authenticate_totp(code, options = {})
-        totp = ROTP::TOTP.new(
-          otp_column,
-          digits: otp_digits,
-          interval: otp_interval
-        )
-        if (drift = options[:drift])
-          totp.verify(code, drift_behind: drift)
-        else
-          totp.verify(code)
+        totp = ROTP::TOTP.new(otp_column, digits: otp_digits, interval: otp_interval)
+
+        otp_after = public_send(otp_after_column_name) if otp_after_column_name_enabled?
+
+        totp.verify(code, drift_behind: options[:drift] || 0, after: otp_after).tap do |updated_last_otp_at|
+          updated_last_otp_at && otp_after_column_name_enabled? && update(otp_after_column_name => updated_last_otp_at)
         end
       end
 
+      def otp_after_column_name_enabled?
+        otp_after_column_name && respond_to?(otp_after_column_name)
+      end
+
       def hotp_code(options = {})
         if options[:auto_increment]
           self.otp_counter += 1
           save if respond_to?(:changed?) && !new_record?
         end
+
         ROTP::HOTP.new(otp_column, digits: otp_digits).at(otp_counter)
       end
 
       def totp_code(options = {})
-        time = if options.is_a?(Hash)
-                 options.fetch(:time, Time.now)
-               else
-                 options
-               end
-        ROTP::TOTP.new(
-          otp_column,
-          digits: otp_digits,
-          interval: otp_interval
-        ).at(time)
+        time = options.is_a?(Hash) ? options.fetch(:time, Time.now) : options
+
+        ROTP::TOTP.new(otp_column, digits: otp_digits, interval: otp_interval).at(time)
       end
 
       def authenticate_backup_code(code)

data/lib/active_model/otp/version.rb

@@ -1,5 +1,5 @@
 module ActiveModel
   module Otp
-    VERSION = '2.3.0'.freeze
+    VERSION = '2.3.2'.freeze
   end
 end

data/test/models/after_user.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class AfterUser < ActiveRecord::Base
+  has_one_time_password after_column_name: :last_otp_at
+end

data/test/one_time_password_test.rb

@@ -3,6 +3,8 @@
 require 'test_helper'
 
 class OtpTest < MiniTest::Test
+  include ActiveSupport::Testing::TimeHelpers
+
   def setup
     @user = User.new
     @user.email = 'roberto@heapsource.com'
@@ -23,6 +25,10 @@ class OtpTest < MiniTest::Test
     @opt_in = OptInTwoFactor.new
     @opt_in.email = 'roberto@heapsource.com'
     @opt_in.run_callbacks :create
+
+    @after_user = AfterUser.new
+    @after_user.email = 'roberto@heapsource.com'
+    @after_user.run_callbacks :create
   end
 
   def test_authenticate_with_otp
@@ -33,6 +39,23 @@ class OtpTest < MiniTest::Test
     assert @visitor.authenticate_otp(code)
   end
 
+  def test_authenticate_with_otp_passing_false_or_empty_codes
+    refute @user.authenticate_otp(nil)
+    refute @user.authenticate_otp('')
+
+    refute @visitor.authenticate_otp(nil)
+    refute @visitor.authenticate_otp('')
+
+    refute @member.authenticate_otp(nil)
+    refute @member.authenticate_otp('')
+
+    refute @ar_user.authenticate_otp(nil)
+    refute @ar_user.authenticate_otp('')
+
+    refute @opt_in.authenticate_otp(nil)
+    refute @opt_in.authenticate_otp('')
+  end
+
   def test_counter_based_otp
     code = @member.otp_code
     assert @member.authenticate_otp(code)
@@ -71,6 +94,18 @@ class OtpTest < MiniTest::Test
     assert_equal true, @visitor.authenticate_otp(code, drift: 60)
   end
 
+  def test_authenticate_with_otp_when_after_is_allowed
+    code = @user.otp_code
+    assert_equal true, @user.authenticate_otp(code)
+    assert_equal true, @user.authenticate_otp(code)
+
+    code = @after_user.otp_code
+    assert_equal true, @after_user.authenticate_otp(code)
+    assert_equal false, @after_user.authenticate_otp(code)
+    assert_equal false, @after_user.authenticate_otp('1111111')
+    assert_equal false, @after_user.authenticate_otp(code)
+  end
+
   def test_authenticate_with_backup_code
     backup_code = @user.public_send(@user.otp_backup_codes_column_name).first
     assert_equal true, @user.authenticate_otp(backup_code)
@@ -98,7 +133,7 @@ class OtpTest < MiniTest::Test
 
   def test_otp_code_without_specific_length
     assert_match(/^\d{6}$/, @user.otp_code(2160).to_s)
-    assert_operator(@user.otp_code(2160).to_s.length, :<=, 6)
+    assert @user.otp_code(2160).to_s.length <= 6
   end
 
   def test_provisioning_uri_with_provided_account
@@ -129,13 +164,8 @@ class OtpTest < MiniTest::Test
       &issuer=Example$
     }x
 
-    assert_match(
-      account, @user.provisioning_uri('roberto', issuer: 'Example')
-    )
-
-    assert_match(
-      account, @visitor.provisioning_uri('roberto', issuer: 'Example')
-    )
+    assert_match account, @user.provisioning_uri('roberto', issuer: 'Example')
+    assert_match account, @visitor.provisioning_uri('roberto', issuer: 'Example')
 
     assert_match email, @user.provisioning_uri(nil, issuer: 'Example')
     assert_match email, @visitor.provisioning_uri(nil, issuer: 'Example')
@@ -169,8 +199,10 @@ class OtpTest < MiniTest::Test
     @interval_user.run_callbacks :create
     otp_code = @interval_user.otp_code
     2.times { assert_match(otp_code, @interval_user.otp_code) }
-    sleep 5
-    refute_match(otp_code, @interval_user.otp_code)
+
+    travel 5.seconds do
+      refute_match(otp_code, @interval_user.otp_code)
+    end
   end
 
   def test_otp_default_interval
@@ -178,8 +210,11 @@ class OtpTest < MiniTest::Test
     @default_interval_user.email = 'roberto@heapsource.com'
     @default_interval_user.run_callbacks :create
     otp_code = @default_interval_user.otp_code
+
     2.times { assert_match(otp_code, @default_interval_user.otp_code) }
-    sleep 5
-    assert_match(otp_code, @default_interval_user.otp_code)
+
+    travel 5.seconds do
+      assert_match(otp_code, @default_interval_user.otp_code)
+    end
   end
 end

data/test/schema.rb

@@ -24,4 +24,13 @@ ActiveRecord::Schema.define do
     t.string :otp_secret_key
     t.timestamps
   end
+
+  create_table :after_users, force: true do |t|
+    t.string :key
+    t.string :email
+    t.integer :otp_counter
+    t.string :otp_secret_key
+    t.integer :last_otp_at
+    t.timestamps
+  end
 end

data/test/test_helper.rb

@@ -9,6 +9,7 @@ require "active_model_otp"
 require "minitest/autorun"
 require "minitest/unit"
 require "active_record"
+require "active_support/testing/time_helpers"
 
 begin
   require "activemodel-serializers-xml"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: active_model_otp
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.3.2
 platform: ruby
 authors:
 - Guillermo Iguaran
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-22 00:00:00.000000000 Z
+date: 2023-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activemodel
@@ -135,10 +135,12 @@ files:
 - gemfiles/rails_5.2.gemfile
 - gemfiles/rails_6.0.gemfile
 - gemfiles/rails_6.1.gemfile
+- gemfiles/rails_7.0.gemfile
 - lib/active_model/one_time_password.rb
 - lib/active_model/otp/version.rb
 - lib/active_model_otp.rb
 - test/models/activerecord_user.rb
+- test/models/after_user.rb
 - test/models/default_interval_user.rb
 - test/models/interval_user.rb
 - test/models/member.rb
@@ -167,12 +169,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.4.1
 signing_key:
 specification_version: 4
 summary: Adds methods to set and authenticate against one time passwords.
 test_files:
 - test/models/activerecord_user.rb
+- test/models/after_user.rb
 - test/models/default_interval_user.rb
 - test/models/interval_user.rb
 - test/models/member.rb