authentication-zero 2.16.19 → 2.16.21
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/CI.yml +6 -6
- data/CHANGELOG.md +5 -0
- data/Gemfile.lock +1 -1
- data/README.md +3 -2
- data/lib/authentication_zero/version.rb +1 -1
- data/lib/generators/authentication/authentication_generator.rb +58 -5
- data/lib/generators/authentication/templates/config/initializers/webauthn.rb +4 -0
- data/lib/generators/authentication/templates/config/redis/shared.yml +0 -5
- data/lib/generators/authentication/templates/controllers/api/application_controller.rb.tt +10 -10
- data/lib/generators/authentication/templates/controllers/api/identity/email_verifications_controller.rb.tt +1 -1
- data/lib/generators/authentication/templates/controllers/api/identity/emails_controller.rb.tt +1 -5
- data/lib/generators/authentication/templates/controllers/api/identity/password_resets_controller.rb.tt +1 -1
- data/lib/generators/authentication/templates/controllers/html/application_controller.rb.tt +17 -16
- data/lib/generators/authentication/templates/controllers/html/identity/email_verifications_controller.rb.tt +1 -1
- data/lib/generators/authentication/templates/controllers/html/identity/emails_controller.rb.tt +1 -5
- data/lib/generators/authentication/templates/controllers/html/identity/password_resets_controller.rb.tt +1 -1
- data/lib/generators/authentication/templates/controllers/html/sessions/passwordlesses_controller.rb.tt +1 -1
- data/lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt +1 -1
- data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/recovery_codes_controller.rb.tt +30 -0
- data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/security_keys_controller.rb.tt +46 -0
- data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/totps_controller.rb.tt +32 -0
- data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/{recovery_codes_controller.rb.tt → profile/recovery_codes_controller.rb.tt} +2 -2
- data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/profile/security_keys_controller.rb.tt +62 -0
- data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/{totps_controller.rb.tt → profile/totps_controller.rb.tt} +3 -3
- data/lib/generators/authentication/templates/erb/home/index.html.erb.tt +46 -41
- data/lib/generators/authentication/templates/erb/two_factor_authentication/{challenges/_recovery_code_form.html.erb.tt → challenge/recovery_codes/new.html.erb.tt} +3 -3
- data/lib/generators/authentication/templates/erb/two_factor_authentication/challenge/security_keys/new.html.erb.tt +12 -0
- data/lib/generators/authentication/templates/erb/two_factor_authentication/challenge/totps/new.html.erb.tt +26 -0
- data/lib/generators/authentication/templates/erb/two_factor_authentication/{recovery_codes → profile/recovery_codes}/index.html.erb.tt +1 -1
- data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_form_confirm.html.erb.tt +13 -0
- data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_form_edit.html.erb.tt +17 -0
- data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_security_key.html.erb.tt +1 -0
- data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/edit.html.erb.tt +3 -0
- data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/index.html.erb.tt +10 -0
- data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/new.html.erb.tt +12 -0
- data/lib/generators/authentication/templates/erb/two_factor_authentication/{totps → profile/totps}/new.html.erb.tt +1 -1
- data/lib/generators/authentication/templates/javascript/controllers/application.js.tt +15 -0
- data/lib/generators/authentication/templates/migrations/create_security_keys_migration.rb.tt +13 -0
- data/lib/generators/authentication/templates/migrations/create_users_migration.rb.tt +3 -0
- data/lib/generators/authentication/templates/models/security_key.rb.tt +3 -0
- data/lib/generators/authentication/templates/models/user.rb.tt +9 -2
- metadata +24 -11
- data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenges_controller.rb.tt +0 -52
- data/lib/generators/authentication/templates/erb/two_factor_authentication/challenges/_totp_form.html.erb.tt +0 -19
- data/lib/generators/authentication/templates/erb/two_factor_authentication/challenges/new.html.erb.tt +0 -7
- /data/lib/generators/authentication/templates/erb/two_factor_authentication/{recovery_codes → profile/recovery_codes}/_recovery_code.html.erb.tt +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c87cbd4d780d1170998c49949d6f28dbe0305df16880f012a7fd6a9cd19ce698
|
|
4
|
+
data.tar.gz: bb6dbd332c8d4fc221d4de3e8264204d0c999f1707f7529b3d547cb2eb4f5fe4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: dc453d93036ca66a4df78da04c2fb1da2a21e862a409bad8608ec1661b315c9670e126b5de14ccd1b0a6b4fedb0445f258b0a472cb6f81c90ef588a178484cfc
|
|
7
|
+
data.tar.gz: c1d014b975a078302d919ba3ec52b4b2b4f0c94017cb04178785ae28bb5e5c8ff6e5d5e2fb84a8dc551cf3b5dc757c392af3061718ecf4e3a64c176292faaad2
|
data/.github/workflows/CI.yml
CHANGED
|
@@ -26,6 +26,9 @@ jobs:
|
|
|
26
26
|
- name: Install Rubocop
|
|
27
27
|
run: gem install rubocop rubocop-performance rubocop-minitest rubocop-packaging rubocop-minitest rubocop-rails
|
|
28
28
|
|
|
29
|
+
- name: Install Brakeman
|
|
30
|
+
run: gem install brakeman
|
|
31
|
+
|
|
29
32
|
- name: Create fresh Rails app and run generator
|
|
30
33
|
run: |
|
|
31
34
|
rails new test-app
|
|
@@ -39,9 +42,6 @@ jobs:
|
|
|
39
42
|
- name: Rubocop
|
|
40
43
|
run: cd test-app && rubocop
|
|
41
44
|
|
|
42
|
-
- name: Install Brakeman
|
|
43
|
-
run: gem install brakeman
|
|
44
|
-
|
|
45
45
|
- name: Brakeman
|
|
46
46
|
run: cd test-app && brakeman
|
|
47
47
|
|
|
@@ -69,6 +69,9 @@ jobs:
|
|
|
69
69
|
- name: Install Rubocop
|
|
70
70
|
run: gem install rubocop rubocop-performance rubocop-minitest rubocop-packaging rubocop-minitest rubocop-rails
|
|
71
71
|
|
|
72
|
+
- name: Install Brakeman
|
|
73
|
+
run: gem install brakeman
|
|
74
|
+
|
|
72
75
|
- name: Create fresh Rails app and run generator
|
|
73
76
|
run: |
|
|
74
77
|
rails new test-app
|
|
@@ -82,9 +85,6 @@ jobs:
|
|
|
82
85
|
- name: Rubocop
|
|
83
86
|
run: cd test-app && rubocop
|
|
84
87
|
|
|
85
|
-
- name: Install Brakeman
|
|
86
|
-
run: gem install brakeman
|
|
87
|
-
|
|
88
88
|
- name: Brakeman
|
|
89
89
|
run: cd test-app && brakeman
|
|
90
90
|
|
data/CHANGELOG.md
CHANGED
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -20,7 +20,7 @@ Since Authentication Zero generates this code into your application instead of b
|
|
|
20
20
|
|
|
21
21
|
## Features
|
|
22
22
|
|
|
23
|
-
- **
|
|
23
|
+
- **Simple code**
|
|
24
24
|
- **Inspired by hey.com**
|
|
25
25
|
- Sign up
|
|
26
26
|
- Email and password validations
|
|
@@ -29,6 +29,7 @@ Since Authentication Zero generates this code into your application instead of b
|
|
|
29
29
|
- Authentication by token (--api)
|
|
30
30
|
- Passwordless authentication (--passwordless)
|
|
31
31
|
- Two factor authentication + recovery codes (--two-factor)
|
|
32
|
+
- Two factor authentication using a hardware security key (--webauthn)
|
|
32
33
|
- Social Login with OmniAuth (--omniauthable)
|
|
33
34
|
- Send invitations (--invitable)
|
|
34
35
|
- Sign-in as button functionallity (--masqueradable)
|
|
@@ -36,7 +37,7 @@ Since Authentication Zero generates this code into your application instead of b
|
|
|
36
37
|
- Ask password before sensitive data changes, aka: sudo (--sudoable)
|
|
37
38
|
- Reset the user password and send reset instructions
|
|
38
39
|
- Reset the user password only from verified emails
|
|
39
|
-
- Lock mechanism to prevent
|
|
40
|
+
- Lock mechanism to prevent email bombing (--lockable)
|
|
40
41
|
- Rate limiting for your app, 1000 reqs/minute (--ratelimit)
|
|
41
42
|
- Send e-mail confirmation when your email has been changed
|
|
42
43
|
- Manage multiple sessions & devices
|
|
@@ -12,6 +12,7 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
12
12
|
class_option :omniauthable, type: :boolean, desc: "Add social login support"
|
|
13
13
|
class_option :trackable, type: :boolean, desc: "Add activity log support"
|
|
14
14
|
class_option :two_factor, type: :boolean, desc: "Add two factor authentication"
|
|
15
|
+
class_option :webauthn, type: :boolean, desc: "Add two factor authentication using a hardware security key"
|
|
15
16
|
class_option :invitable, type: :boolean, desc: "Add sending invitations"
|
|
16
17
|
class_option :masqueradable, type: :boolean, desc: "Add sign-in as button functionallity"
|
|
17
18
|
|
|
@@ -42,6 +43,10 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
42
43
|
gem "rotp", comment: "Use rotp for generating and validating one time passwords [https://github.com/mdp/rotp]"
|
|
43
44
|
gem "rqrcode", comment: "Use rqrcode for creating and rendering QR codes into various formats [https://github.com/whomwah/rqrcode]"
|
|
44
45
|
end
|
|
46
|
+
|
|
47
|
+
if webauthn?
|
|
48
|
+
gem "webauthn", comment: "Use webauthn for making rails become a conformant web authn relying party [https://github.com/cedarcode/webauthn-ruby]"
|
|
49
|
+
end
|
|
45
50
|
end
|
|
46
51
|
|
|
47
52
|
def add_environment_configurations
|
|
@@ -53,6 +58,7 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
53
58
|
def create_configuration_files
|
|
54
59
|
copy_file "config/redis/shared.yml", "config/redis/shared.yml" if redis?
|
|
55
60
|
copy_file "config/initializers/omniauth.rb", "config/initializers/omniauth.rb" if omniauthable?
|
|
61
|
+
copy_file "config/initializers/webauthn.rb", "config/initializers/webauthn.rb" if webauthn?
|
|
56
62
|
end
|
|
57
63
|
|
|
58
64
|
def create_migrations
|
|
@@ -63,6 +69,7 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
63
69
|
migration_template "migrations/create_sign_in_tokens_migration.rb", "#{db_migrate_path}/create_sign_in_tokens_migration.rb" if passwordless?
|
|
64
70
|
migration_template "migrations/create_events_migration.rb", "#{db_migrate_path}/create_events.rb" if options.trackable?
|
|
65
71
|
migration_template "migrations/create_recovery_codes_migration.rb", "#{db_migrate_path}/create_recovery_codes.rb" if two_factor?
|
|
72
|
+
migration_template "migrations/create_security_keys_migration.rb", "#{db_migrate_path}/create_security_keys.rb" if webauthn?
|
|
66
73
|
end
|
|
67
74
|
|
|
68
75
|
def create_models
|
|
@@ -74,6 +81,7 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
74
81
|
template "models/current.rb", "app/models/current.rb"
|
|
75
82
|
template "models/event.rb", "app/models/event.rb" if options.trackable?
|
|
76
83
|
template "models/recovery_code.rb", "app/models/recovery_code.rb" if two_factor?
|
|
84
|
+
template "models/security_key.rb", "app/models/security_key.rb" if webauthn?
|
|
77
85
|
end
|
|
78
86
|
|
|
79
87
|
def create_fixture_file
|
|
@@ -84,7 +92,17 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
84
92
|
template "controllers/#{format_folder}/application_controller.rb", "app/controllers/application_controller.rb", force: true
|
|
85
93
|
|
|
86
94
|
directory "controllers/#{format_folder}/identity", "app/controllers/identity"
|
|
87
|
-
|
|
95
|
+
|
|
96
|
+
if two_factor?
|
|
97
|
+
template "controllers/html/two_factor_authentication/profile/totps_controller.rb", "app/controllers/two_factor_authentication/profile/totps_controller.rb"
|
|
98
|
+
template "controllers/html/two_factor_authentication/profile/recovery_codes_controller.rb", "app/controllers/two_factor_authentication/profile/recovery_codes_controller.rb"
|
|
99
|
+
template "controllers/html/two_factor_authentication/profile/security_keys_controller.rb", "app/controllers/two_factor_authentication/profile/security_keys_controller.rb" if webauthn?
|
|
100
|
+
|
|
101
|
+
template "controllers/html/two_factor_authentication/challenge/totps_controller.rb", "app/controllers/two_factor_authentication/challenge/totps_controller.rb"
|
|
102
|
+
template "controllers/html/two_factor_authentication/challenge/recovery_codes_controller.rb", "app/controllers/two_factor_authentication/challenge/recovery_codes_controller.rb"
|
|
103
|
+
template "controllers/html/two_factor_authentication/challenge/security_keys_controller.rb", "app/controllers/two_factor_authentication/challenge/security_keys_controller.rb" if webauthn?
|
|
104
|
+
end
|
|
105
|
+
|
|
88
106
|
template "controllers/#{format_folder}/sessions_controller.rb", "app/controllers/sessions_controller.rb"
|
|
89
107
|
template "controllers/#{format_folder}/passwords_controller.rb", "app/controllers/passwords_controller.rb"
|
|
90
108
|
template "controllers/#{format_folder}/invitations_controller.rb", "app/controllers/invitations_controller.rb" if invitable?
|
|
@@ -97,6 +115,16 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
97
115
|
template "controllers/#{format_folder}/authentications/events_controller.rb", "app/controllers/authentications/events_controller.rb" if options.trackable?
|
|
98
116
|
end
|
|
99
117
|
|
|
118
|
+
def install_javascript_dependencies
|
|
119
|
+
return if options.api?
|
|
120
|
+
template "javascript/controllers/application.js", "app/javascript/controllers/application.js"
|
|
121
|
+
|
|
122
|
+
if webauthn?
|
|
123
|
+
run "bin/importmap pin stimulus-web-authn" if importmaps?
|
|
124
|
+
run "yarn add stimulus-web-authn" if node?
|
|
125
|
+
end
|
|
126
|
+
end
|
|
127
|
+
|
|
100
128
|
def create_views
|
|
101
129
|
if options.api?
|
|
102
130
|
template "erb/user_mailer/email_verification.html.erb", "app/views/user_mailer/email_verification.html.erb"
|
|
@@ -122,8 +150,17 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
122
150
|
|
|
123
151
|
directory "erb/sessions/passwordlesses", "app/views/sessions/passwordlesses" if passwordless?
|
|
124
152
|
|
|
125
|
-
directory "erb/two_factor_authentication", "app/views/two_factor_authentication" if two_factor?
|
|
126
153
|
directory "erb/authentications/events", "app/views/authentications/events" if options.trackable?
|
|
154
|
+
|
|
155
|
+
if two_factor?
|
|
156
|
+
directory "erb/two_factor_authentication/profile/totps", "app/views/two_factor_authentication/profile/totps"
|
|
157
|
+
directory "erb/two_factor_authentication/profile/recovery_codes", "app/views/two_factor_authentication/profile/recovery_codes"
|
|
158
|
+
directory "erb/two_factor_authentication/profile/security_keys", "app/views/two_factor_authentication/profile/security_keys" if webauthn?
|
|
159
|
+
|
|
160
|
+
directory "erb/two_factor_authentication/challenge/totps", "app/views/two_factor_authentication/challenge/totps"
|
|
161
|
+
directory "erb/two_factor_authentication/challenge/recovery_codes", "app/views/two_factor_authentication/challenge/recovery_codes"
|
|
162
|
+
directory "erb/two_factor_authentication/challenge/security_keys", "app/views/two_factor_authentication/challenge/security_keys" if webauthn?
|
|
163
|
+
end
|
|
127
164
|
end
|
|
128
165
|
end
|
|
129
166
|
|
|
@@ -157,9 +194,13 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
157
194
|
end
|
|
158
195
|
|
|
159
196
|
if two_factor?
|
|
160
|
-
route "resources :recovery_codes, only: [:index, :create]", namespace: :two_factor_authentication
|
|
161
|
-
route "resource :totp, only: [:new, :create]", namespace: :two_factor_authentication
|
|
162
|
-
route "
|
|
197
|
+
route "resources :recovery_codes, only: [:index, :create]", namespace: [:two_factor_authentication, :profile]
|
|
198
|
+
route "resource :totp, only: [:new, :create]", namespace: [:two_factor_authentication, :profile]
|
|
199
|
+
route "resources :security_keys", namespace: [:two_factor_authentication, :profile] if webauthn?
|
|
200
|
+
|
|
201
|
+
route "resource :recovery_codes, only: [:new, :create]", namespace: [:two_factor_authentication, :challenge]
|
|
202
|
+
route "resource :totp, only: [:new, :create]", namespace: [:two_factor_authentication, :challenge]
|
|
203
|
+
route "resource :security_keys, only: [:new, :create]", namespace: [:two_factor_authentication, :challenge] if webauthn?
|
|
163
204
|
end
|
|
164
205
|
|
|
165
206
|
if options.trackable?
|
|
@@ -212,6 +253,10 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
212
253
|
options.two_factor? && !options.api?
|
|
213
254
|
end
|
|
214
255
|
|
|
256
|
+
def webauthn?
|
|
257
|
+
options.webauthn? && two_factor?
|
|
258
|
+
end
|
|
259
|
+
|
|
215
260
|
def invitable?
|
|
216
261
|
options.invitable? && !options.api?
|
|
217
262
|
end
|
|
@@ -227,4 +272,12 @@ class AuthenticationGenerator < Rails::Generators::Base
|
|
|
227
272
|
def redis?
|
|
228
273
|
options.lockable? || options.ratelimit? || sudoable?
|
|
229
274
|
end
|
|
275
|
+
|
|
276
|
+
def importmaps?
|
|
277
|
+
Rails.root.join("config/importmap.rb").exist?
|
|
278
|
+
end
|
|
279
|
+
|
|
280
|
+
def node?
|
|
281
|
+
Rails.root.join("package.json").exist?
|
|
282
|
+
end
|
|
230
283
|
end
|
|
@@ -6,10 +6,5 @@ development: &development
|
|
|
6
6
|
url: <%= ENV.fetch("REDIS_URL", "redis://127.0.0.1:6379/0") %>
|
|
7
7
|
timeout: 1
|
|
8
8
|
|
|
9
|
-
# You can also specify host, port, and db instead of url
|
|
10
|
-
# host: <%= ENV.fetch("REDIS_SHARED_HOST", "127.0.0.1") %>
|
|
11
|
-
# port: <%= ENV.fetch("REDIS_SHARED_PORT", "6379") %>
|
|
12
|
-
# db: <%= ENV.fetch("REDIS_SHARED_DB", "11") %>
|
|
13
|
-
|
|
14
9
|
test:
|
|
15
10
|
<<: *development
|
|
@@ -3,16 +3,6 @@ class ApplicationController < ActionController::API
|
|
|
3
3
|
|
|
4
4
|
before_action :set_current_request_details
|
|
5
5
|
before_action :authenticate
|
|
6
|
-
<%- if options.lockable? %>
|
|
7
|
-
def require_lock(wait: 1.hour, attempts: 10)
|
|
8
|
-
counter = Kredis.counter("require_lock:#{request.remote_ip}:#{controller_path}:#{action_name}", expires_in: wait)
|
|
9
|
-
counter.increment
|
|
10
|
-
|
|
11
|
-
if counter.value > attempts
|
|
12
|
-
render json: { error: "You've exceeded the maximum number of attempts" }, status: :too_many_requests
|
|
13
|
-
end
|
|
14
|
-
end
|
|
15
|
-
<%- end -%>
|
|
16
6
|
|
|
17
7
|
private
|
|
18
8
|
def authenticate
|
|
@@ -27,4 +17,14 @@ class ApplicationController < ActionController::API
|
|
|
27
17
|
Current.user_agent = request.user_agent
|
|
28
18
|
Current.ip_address = request.ip
|
|
29
19
|
end
|
|
20
|
+
<%- if options.lockable? %>
|
|
21
|
+
def require_lock(wait: 1.hour, attempts: 10)
|
|
22
|
+
counter = Kredis.counter("require_lock:#{request.remote_ip}:#{controller_path}:#{action_name}", expires_in: wait)
|
|
23
|
+
counter.increment
|
|
24
|
+
|
|
25
|
+
if counter.value > attempts
|
|
26
|
+
render json: { error: "You've exceeded the maximum number of attempts" }, status: :too_many_requests
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
<%- end -%>
|
|
30
30
|
end
|
|
@@ -13,7 +13,7 @@ class Identity::EmailVerificationsController < ApplicationController
|
|
|
13
13
|
|
|
14
14
|
private
|
|
15
15
|
def set_user
|
|
16
|
-
|
|
16
|
+
token = EmailVerificationToken.find_signed!(params[:sid]); @user = token.user
|
|
17
17
|
rescue StandardError
|
|
18
18
|
render json: { error: "That email verification link is invalid" }, status: :bad_request
|
|
19
19
|
end
|
data/lib/generators/authentication/templates/controllers/api/identity/emails_controller.rb.tt
CHANGED
|
@@ -4,7 +4,7 @@ class Identity::EmailsController < ApplicationController
|
|
|
4
4
|
def update
|
|
5
5
|
if !@user.authenticate(params[:current_password])
|
|
6
6
|
render json: { error: "The password you entered is incorrect" }, status: :bad_request
|
|
7
|
-
elsif @user.update(
|
|
7
|
+
elsif @user.update(email: params[:email])
|
|
8
8
|
render_show
|
|
9
9
|
else
|
|
10
10
|
render json: @user.errors, status: :unprocessable_entity
|
|
@@ -16,10 +16,6 @@ class Identity::EmailsController < ApplicationController
|
|
|
16
16
|
@user = Current.user
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
def user_params
|
|
20
|
-
params.permit(:email)
|
|
21
|
-
end
|
|
22
|
-
|
|
23
19
|
def render_show
|
|
24
20
|
if @user.email_previously_changed?
|
|
25
21
|
resend_email_verification; render(json: @user)
|
|
@@ -28,7 +28,7 @@ class Identity::PasswordResetsController < ApplicationController
|
|
|
28
28
|
|
|
29
29
|
private
|
|
30
30
|
def set_user
|
|
31
|
-
|
|
31
|
+
token = PasswordResetToken.find_signed!(params[:sid]); @user = token.user
|
|
32
32
|
rescue StandardError
|
|
33
33
|
render json: { error: "That password reset link is invalid" }, status: :bad_request
|
|
34
34
|
end
|
|
@@ -1,22 +1,6 @@
|
|
|
1
1
|
class ApplicationController < ActionController::Base
|
|
2
2
|
before_action :set_current_request_details
|
|
3
3
|
before_action :authenticate
|
|
4
|
-
<%- if sudoable? %>
|
|
5
|
-
def require_sudo
|
|
6
|
-
return if Current.session.sudo?
|
|
7
|
-
redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
|
|
8
|
-
end
|
|
9
|
-
<%- end -%>
|
|
10
|
-
<%- if options.lockable? %>
|
|
11
|
-
def require_lock(wait: 1.hour, attempts: 10)
|
|
12
|
-
counter = Kredis.counter("require_lock:#{request.remote_ip}:#{controller_path}:#{action_name}", expires_in: wait)
|
|
13
|
-
counter.increment
|
|
14
|
-
|
|
15
|
-
if counter.value > attempts
|
|
16
|
-
redirect_to root_path, alert: "You've exceeded the maximum number of attempts"
|
|
17
|
-
end
|
|
18
|
-
end
|
|
19
|
-
<%- end -%>
|
|
20
4
|
|
|
21
5
|
private
|
|
22
6
|
def authenticate
|
|
@@ -31,4 +15,21 @@ class ApplicationController < ActionController::Base
|
|
|
31
15
|
Current.user_agent = request.user_agent
|
|
32
16
|
Current.ip_address = request.ip
|
|
33
17
|
end
|
|
18
|
+
<%- if options.lockable? %>
|
|
19
|
+
def require_lock(wait: 1.hour, attempts: 10)
|
|
20
|
+
counter = Kredis.counter("require_lock:#{request.remote_ip}:#{controller_path}:#{action_name}", expires_in: wait)
|
|
21
|
+
counter.increment
|
|
22
|
+
|
|
23
|
+
if counter.value > attempts
|
|
24
|
+
redirect_to root_path, alert: "You've exceeded the maximum number of attempts"
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
<%- end -%>
|
|
28
|
+
<%- if sudoable? %>
|
|
29
|
+
def require_sudo
|
|
30
|
+
unless Current.session.sudo?
|
|
31
|
+
redirect_to new_sessions_sudo_path(proceed_to_url: request.original_url)
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
<%- end -%>
|
|
34
35
|
end
|
|
@@ -15,7 +15,7 @@ class Identity::EmailVerificationsController < ApplicationController
|
|
|
15
15
|
|
|
16
16
|
private
|
|
17
17
|
def set_user
|
|
18
|
-
|
|
18
|
+
token = EmailVerificationToken.find_signed!(params[:sid]); @user = token.user
|
|
19
19
|
rescue StandardError
|
|
20
20
|
redirect_to edit_identity_email_path, alert: "That email verification link is invalid"
|
|
21
21
|
end
|
data/lib/generators/authentication/templates/controllers/html/identity/emails_controller.rb.tt
CHANGED
|
@@ -7,7 +7,7 @@ class Identity::EmailsController < ApplicationController
|
|
|
7
7
|
def update
|
|
8
8
|
if !@user.authenticate(params[:current_password])
|
|
9
9
|
redirect_to edit_identity_email_path, alert: "The password you entered is incorrect"
|
|
10
|
-
elsif @user.update(
|
|
10
|
+
elsif @user.update(email: params[:email])
|
|
11
11
|
redirect_to_root
|
|
12
12
|
else
|
|
13
13
|
render :edit, status: :unprocessable_entity
|
|
@@ -19,10 +19,6 @@ class Identity::EmailsController < ApplicationController
|
|
|
19
19
|
@user = Current.user
|
|
20
20
|
end
|
|
21
21
|
|
|
22
|
-
def user_params
|
|
23
|
-
params.permit(:email)
|
|
24
|
-
end
|
|
25
|
-
|
|
26
22
|
def redirect_to_root
|
|
27
23
|
if @user.email_previously_changed?
|
|
28
24
|
resend_email_verification
|
|
@@ -31,7 +31,7 @@ class Identity::PasswordResetsController < ApplicationController
|
|
|
31
31
|
|
|
32
32
|
private
|
|
33
33
|
def set_user
|
|
34
|
-
|
|
34
|
+
token = PasswordResetToken.find_signed!(params[:sid]); @user = token.user
|
|
35
35
|
rescue StandardError
|
|
36
36
|
redirect_to new_identity_password_reset_path, alert: "That password reset link is invalid"
|
|
37
37
|
end
|
|
@@ -27,7 +27,7 @@ class Sessions::PasswordlessesController < ApplicationController
|
|
|
27
27
|
|
|
28
28
|
private
|
|
29
29
|
def set_user
|
|
30
|
-
|
|
30
|
+
token = SignInToken.find_signed!(params[:sid]); @user = token.user
|
|
31
31
|
rescue StandardError
|
|
32
32
|
redirect_to new_sessions_passwordless_path, alert: "That sign in link is invalid"
|
|
33
33
|
end
|
|
@@ -18,7 +18,7 @@ class SessionsController < ApplicationController
|
|
|
18
18
|
<%- if two_factor? -%>
|
|
19
19
|
if user.otp_secret.present?
|
|
20
20
|
session[:challenge_token] = user.signed_id(purpose: :authentication_challenge, expires_in: 20.minutes)
|
|
21
|
-
redirect_to
|
|
21
|
+
redirect_to new_two_factor_authentication_challenge_totp_path
|
|
22
22
|
else
|
|
23
23
|
@session = user.sessions.create!
|
|
24
24
|
cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
class TwoFactorAuthentication::Challenge::RecoveryCodesController < ApplicationController
|
|
2
|
+
skip_before_action :authenticate
|
|
3
|
+
|
|
4
|
+
before_action :set_user
|
|
5
|
+
|
|
6
|
+
def new
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def create
|
|
10
|
+
if recover_code = @user.recovery_codes.find_by(code: params[:code], used: false)
|
|
11
|
+
recover_code.update!(used: true); sign_in_and_redirect_to_root
|
|
12
|
+
else
|
|
13
|
+
redirect_to new_two_factor_authentication_challenge_recovery_codes_path, alert: "That code didn't work. Please try again"
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
private
|
|
18
|
+
def set_user
|
|
19
|
+
@user = User.find_signed!(session[:challenge_token], purpose: :authentication_challenge)
|
|
20
|
+
rescue StandardError
|
|
21
|
+
redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def sign_in_and_redirect_to_root
|
|
25
|
+
session = @user.sessions.create!
|
|
26
|
+
cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
|
|
27
|
+
|
|
28
|
+
redirect_to root_path, notice: "Signed in successfully"
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
class TwoFactorAuthentication::Challenge::SecurityKeysController < ApplicationController
|
|
2
|
+
skip_before_action :authenticate
|
|
3
|
+
|
|
4
|
+
before_action :set_user
|
|
5
|
+
|
|
6
|
+
def new
|
|
7
|
+
respond_to do |format|
|
|
8
|
+
format.html
|
|
9
|
+
format.json { render json: options_for_get }
|
|
10
|
+
end
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def create
|
|
14
|
+
if @user.security_keys.exists?(external_id: credential.id)
|
|
15
|
+
sign_in_and_redirect_to_root
|
|
16
|
+
else
|
|
17
|
+
render json: { error: "Verification failed: #{e.message}" }, status: :unprocessable_entity
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
private
|
|
22
|
+
def set_user
|
|
23
|
+
@user = User.find_signed!(session[:challenge_token], purpose: :authentication_challenge)
|
|
24
|
+
rescue StandardError
|
|
25
|
+
redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def sign_in_and_redirect_to_root
|
|
29
|
+
session = @user.sessions.create!
|
|
30
|
+
cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
|
|
31
|
+
|
|
32
|
+
render json: { status: "ok", location: root_url }, status: :created
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def options_for_get
|
|
36
|
+
WebAuthn::Credential.options_for_get(allow: external_ids)
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
def external_ids
|
|
40
|
+
@user.security_keys.pluck(:external_id)
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def credential
|
|
44
|
+
@credential ||= WebAuthn::Credential.from_get(params.require(:credential))
|
|
45
|
+
end
|
|
46
|
+
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
class TwoFactorAuthentication::Challenge::TotpsController < ApplicationController
|
|
2
|
+
skip_before_action :authenticate
|
|
3
|
+
|
|
4
|
+
before_action :set_user
|
|
5
|
+
|
|
6
|
+
def new
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def create
|
|
10
|
+
@totp = ROTP::TOTP.new(@user.otp_secret, issuer: "YourAppName")
|
|
11
|
+
|
|
12
|
+
if @totp.verify(params[:code], drift_behind: 15)
|
|
13
|
+
sign_in_and_redirect_to_root
|
|
14
|
+
else
|
|
15
|
+
redirect_to new_two_factor_authentication_challenge_totp_path, alert: "That code didn't work. Please try again"
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
private
|
|
20
|
+
def set_user
|
|
21
|
+
@user = User.find_signed!(session[:challenge_token], purpose: :authentication_challenge)
|
|
22
|
+
rescue StandardError
|
|
23
|
+
redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def sign_in_and_redirect_to_root
|
|
27
|
+
session = @user.sessions.create!
|
|
28
|
+
cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
|
|
29
|
+
|
|
30
|
+
redirect_to root_path, notice: "Signed in successfully"
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class TwoFactorAuthentication::RecoveryCodesController < ApplicationController
|
|
1
|
+
class TwoFactorAuthentication::Profile::RecoveryCodesController < ApplicationController
|
|
2
2
|
before_action :set_user
|
|
3
3
|
|
|
4
4
|
def index
|
|
@@ -13,7 +13,7 @@ class TwoFactorAuthentication::RecoveryCodesController < ApplicationController
|
|
|
13
13
|
@user.recovery_codes.delete_all
|
|
14
14
|
@user.recovery_codes.create!(new_recovery_codes)
|
|
15
15
|
|
|
16
|
-
redirect_to
|
|
16
|
+
redirect_to two_factor_authentication_profile_recovery_codes_path, notice: "Your new recovery codes have been generated"
|
|
17
17
|
end
|
|
18
18
|
|
|
19
19
|
private
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
class TwoFactorAuthentication::Profile::SecurityKeysController < ApplicationController
|
|
2
|
+
before_action :set_user
|
|
3
|
+
before_action :set_security_key, only: %i[ edit update destroy ]
|
|
4
|
+
|
|
5
|
+
def index
|
|
6
|
+
@security_keys = @user.security_keys
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def new
|
|
10
|
+
respond_to do |format|
|
|
11
|
+
format.html
|
|
12
|
+
format.json { render json: options_for_create }
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def edit
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def create
|
|
20
|
+
@security_key = @user.security_keys.create!(credential_params)
|
|
21
|
+
render json: { status: "ok", location: edit_two_factor_authentication_profile_security_key_url(@security_key, confirmation: true) }, status: :created
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
def update
|
|
25
|
+
@security_key.update! name: params[:name]
|
|
26
|
+
redirect_to two_factor_authentication_profile_security_keys_path, notice: "Your changes have been saved"
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def destroy
|
|
30
|
+
@security_key.destroy
|
|
31
|
+
redirect_to two_factor_authentication_profile_security_keys_path, notice: "#{@security_key.name} has been removed"
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
private
|
|
35
|
+
def set_user
|
|
36
|
+
@user = Current.user
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
def set_security_key
|
|
40
|
+
@security_key = @user.security_keys.find(params[:id])
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def options_for_create
|
|
44
|
+
WebAuthn::Credential.options_for_create(user: user_info, exclude: external_ids)
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
def user_info
|
|
48
|
+
{ id: @user.webauthn_id, name: @user.email }
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
def external_ids
|
|
52
|
+
@user.security_keys.pluck(:external_id)
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
def credential_params
|
|
56
|
+
{ external_id: credential.id, name: "security key" }
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
def credential
|
|
60
|
+
@credential ||= WebAuthn::Credential.from_create(params.require(:credential))
|
|
61
|
+
end
|
|
62
|
+
end
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
class TwoFactorAuthentication::TotpsController < ApplicationController
|
|
1
|
+
class TwoFactorAuthentication::Profile::TotpsController < ApplicationController
|
|
2
2
|
before_action :set_user
|
|
3
3
|
before_action :set_totp
|
|
4
4
|
|
|
@@ -9,9 +9,9 @@ class TwoFactorAuthentication::TotpsController < ApplicationController
|
|
|
9
9
|
def create
|
|
10
10
|
if @totp.verify(params[:code], drift_behind: 15)
|
|
11
11
|
@user.update! otp_secret: params[:secret]
|
|
12
|
-
redirect_to
|
|
12
|
+
redirect_to two_factor_authentication_profile_recovery_codes_path
|
|
13
13
|
else
|
|
14
|
-
redirect_to
|
|
14
|
+
redirect_to new_two_factor_authentication_profile_totp_path, alert: "That code didn't work. Please try again"
|
|
15
15
|
end
|
|
16
16
|
end
|
|
17
17
|
|
|
@@ -1,47 +1,52 @@
|
|
|
1
1
|
<p style="color: green"><%%= notice %></p>
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
<%-
|
|
22
|
-
|
|
23
|
-
<div>
|
|
24
|
-
<%%= link_to "Send invitation", new_invitation_path %>
|
|
25
|
-
</div>
|
|
26
|
-
<%- end -%>
|
|
27
|
-
<%- if masqueradable? %>
|
|
28
|
-
<div>
|
|
29
|
-
<%%= button_to "Signin as last user", user_masquerade_path(User.last) %>
|
|
30
|
-
</div>
|
|
31
|
-
<%- end -%>
|
|
32
|
-
<%- if two_factor? %>
|
|
33
|
-
<div>
|
|
34
|
-
<%%= link_to "Two-Factor Authentication", new_two_factor_authentication_totp_path %>
|
|
35
|
-
</div>
|
|
36
|
-
|
|
37
|
-
<%% if Current.user.otp_secret.present? %>
|
|
38
|
-
<div><%%= link_to "Recovery Codes", two_factor_authentication_recovery_codes_path %></div>
|
|
39
|
-
<%% end %>
|
|
3
|
+
<p>Signed as <%%= Current.user.email %></p>
|
|
4
|
+
|
|
5
|
+
<h2>Login and verification</h2>
|
|
6
|
+
|
|
7
|
+
<div>
|
|
8
|
+
<%%= link_to "Change password", edit_password_path %>
|
|
9
|
+
</div>
|
|
10
|
+
|
|
11
|
+
<div>
|
|
12
|
+
<%%= link_to "Change email address", edit_identity_email_path %>
|
|
13
|
+
</div>
|
|
14
|
+
<%- if two_factor? %>
|
|
15
|
+
<div>
|
|
16
|
+
<%%= link_to "Two-Factor Authentication", new_two_factor_authentication_profile_totp_path %>
|
|
17
|
+
</div>
|
|
18
|
+
|
|
19
|
+
<%% if Current.user.otp_secret.present? %>
|
|
20
|
+
<div><%%= link_to "Recovery Codes", two_factor_authentication_profile_recovery_codes_path %></div>
|
|
21
|
+
<%- if webauthn? -%>
|
|
22
|
+
<div><%%= link_to "Security keys", two_factor_authentication_profile_security_keys_path %></div>
|
|
40
23
|
<%- end -%>
|
|
24
|
+
<%% end %>
|
|
25
|
+
<%- end -%>
|
|
26
|
+
<%- if invitable? %>
|
|
27
|
+
<div>
|
|
28
|
+
<%%= link_to "Send invitation", new_invitation_path %>
|
|
29
|
+
</div>
|
|
30
|
+
<%- end -%>
|
|
31
|
+
<%- if masqueradable? %>
|
|
32
|
+
<div>
|
|
33
|
+
<%%= button_to "Signin as last user", user_masquerade_path(User.last) %>
|
|
34
|
+
</div>
|
|
35
|
+
<%- end -%>
|
|
36
|
+
|
|
37
|
+
<h2>Access history</h2>
|
|
41
38
|
|
|
42
|
-
|
|
39
|
+
<div>
|
|
40
|
+
<%%= link_to "Devices & Sessions", sessions_path %>
|
|
41
|
+
</div>
|
|
42
|
+
<%- if options.trackable? %>
|
|
43
|
+
<div>
|
|
44
|
+
<%%= link_to "Activity Log", authentications_events_path %>
|
|
45
|
+
</div>
|
|
46
|
+
<%- end -%>
|
|
43
47
|
|
|
48
|
+
<br>
|
|
49
|
+
|
|
50
|
+
<div>
|
|
44
51
|
<%%= button_to "Log out", Current.session, method: :delete %>
|
|
45
|
-
|
|
46
|
-
Please <%%= link_to "sign in", sign_in_path %> or <%%= link_to "sign up", sign_up_path %>.
|
|
47
|
-
<%% end %>
|
|
52
|
+
</div>
|
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
|
|
2
|
-
<%%= form.hidden_field :scheme_type, value: "recovery_codes" %>
|
|
1
|
+
<p style="color: red"><%%= alert %></p>
|
|
3
2
|
|
|
3
|
+
<%%= form_with(url: two_factor_authentication_challenge_recovery_codes_path) do |form| %>
|
|
4
4
|
<div>
|
|
5
5
|
<%%= form.label :code do %>
|
|
6
6
|
<h1>OK, enter one of your recovery codes below:</h1>
|
|
@@ -14,5 +14,5 @@
|
|
|
14
14
|
<%% end %>
|
|
15
15
|
|
|
16
16
|
<div>
|
|
17
|
-
<p>To access your account, enter one of the recovery codes (e.g.,
|
|
17
|
+
<p>To access your account, enter one of the recovery codes (e.g., xxxxxxxxxx) you saved when you set up your two-factor authentication device.</p>
|
|
18
18
|
</div>
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
<div data-controller="web-authn"
|
|
2
|
+
data-web-authn-loading-class="web-authn-loading"
|
|
3
|
+
data-web-authn-fallback-url-value="<%%= new_two_factor_authentication_challenge_totp_path %>"
|
|
4
|
+
data-web-authn-challenge-url-value="<%%= new_two_factor_authentication_challenge_security_keys_url %>"
|
|
5
|
+
data-web-authn-verification-url-value="<%%= two_factor_authentication_challenge_security_keys_url %>">
|
|
6
|
+
|
|
7
|
+
<p data-web-authn-target="error" style="color: red" hidden></p>
|
|
8
|
+
|
|
9
|
+
<h1>Verify with your security key.</h1>
|
|
10
|
+
<%%= button_tag "Use security key", type: :button, data: { web_authn_target: "button", action: "web-authn#getCredential" } %>
|
|
11
|
+
<p>Have your security key ready. If it's the USB kind insert it now and then, if it has one, press the activation button when asked.</p>
|
|
12
|
+
<div>
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
<p style="color: red"><%%= alert %></p>
|
|
2
|
+
|
|
3
|
+
<%%= form_with(url: two_factor_authentication_challenge_totp_path) do |form| %>
|
|
4
|
+
<div>
|
|
5
|
+
<%%= form.label :code do %>
|
|
6
|
+
<h1>Next, open the 2FA authenticator app on your phone and type the six digit code below:</h1>
|
|
7
|
+
<%% end %>
|
|
8
|
+
<%%= form.text_field :code, autofocus: true, required: true, autocomplete: :off %>
|
|
9
|
+
</div>
|
|
10
|
+
|
|
11
|
+
<div>
|
|
12
|
+
<%%= form.submit "Verify" %>
|
|
13
|
+
</div>
|
|
14
|
+
<%% end %>
|
|
15
|
+
|
|
16
|
+
<div>
|
|
17
|
+
<p><strong>Don't have your phone?</strong></p>
|
|
18
|
+
<div>
|
|
19
|
+
<%%= link_to "Use a recovery code to access your account.", new_two_factor_authentication_challenge_recovery_codes_path %>
|
|
20
|
+
</div>
|
|
21
|
+
<%- if webauthn? %>
|
|
22
|
+
<%% if @user.security_keys.exists? %>
|
|
23
|
+
<div><%%= link_to "Use a security key to access your account.", new_two_factor_authentication_challenge_security_keys_path %></div>
|
|
24
|
+
<%% end %>
|
|
25
|
+
<%- end -%>
|
|
26
|
+
</div>
|
|
@@ -13,4 +13,4 @@
|
|
|
13
13
|
|
|
14
14
|
<p>If you think your codes have fallen into the wrong hands, you can get a new set. Be sure to save the new ones because the old codes will stop working.</p>
|
|
15
15
|
|
|
16
|
-
<%%= button_to "Generate new recovery codes",
|
|
16
|
+
<%%= button_to "Generate new recovery codes", two_factor_authentication_profile_recovery_codes_path %>
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
<%%= form_with(url: two_factor_authentication_profile_security_key_path, method: :patch) do |form| %>
|
|
2
|
+
<p>One more step. Please give this security key a nickname to help you remember it.</p>
|
|
3
|
+
|
|
4
|
+
<div>
|
|
5
|
+
<%%= form.label :name, style: "display: block" %>
|
|
6
|
+
<%%= form.text_field :name, autofocus: true, required: true %>
|
|
7
|
+
<div>e.g., Macbook Touch ID</div>
|
|
8
|
+
</div>
|
|
9
|
+
|
|
10
|
+
<div>
|
|
11
|
+
<%%= form.submit "Save" %>
|
|
12
|
+
</div>
|
|
13
|
+
<%% end %>
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
<%%= form_with(url: two_factor_authentication_profile_security_key_path, method: :patch) do |form| %>
|
|
2
|
+
<div>
|
|
3
|
+
<%%= form.label :name, style: "display: block" %>
|
|
4
|
+
<%%= form.text_field :name, value: @security_key.name, autofocus: true, required: true %>
|
|
5
|
+
<div>e.g., Macbook Touch ID</div>
|
|
6
|
+
</div>
|
|
7
|
+
|
|
8
|
+
<div>
|
|
9
|
+
<%%= form.submit "Save changes" %>
|
|
10
|
+
</div>
|
|
11
|
+
<%% end %>
|
|
12
|
+
|
|
13
|
+
<br>
|
|
14
|
+
|
|
15
|
+
<div>
|
|
16
|
+
<%%= button_to "Remove this security key...", two_factor_authentication_profile_security_key_path(@security_key), method: :delete %>
|
|
17
|
+
</div>
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
<li><%%= link_to security_key.name, edit_two_factor_authentication_profile_security_key_path(security_key) %></li>
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
<p style="color: green"><%%= notice %></p>
|
|
2
|
+
|
|
3
|
+
<h1>Security keys</h1>
|
|
4
|
+
<p>A security key is a hardware device used to verify your identity. For example, a built-in fingerprint reader, a plug-in USB key, or a login system like Windows Hello.</p>
|
|
5
|
+
|
|
6
|
+
<ul><%%= render @security_keys %></ul>
|
|
7
|
+
|
|
8
|
+
<br>
|
|
9
|
+
|
|
10
|
+
<%%= link_to "Add security key", new_two_factor_authentication_profile_security_key_path %>
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
<div data-controller="web-authn"
|
|
2
|
+
data-web-authn-loading-class="web-authn-loading"
|
|
3
|
+
data-web-authn-challenge-url-value="<%%= new_two_factor_authentication_profile_security_key_url %>"
|
|
4
|
+
data-web-authn-verification-url-value="<%%= two_factor_authentication_profile_security_keys_url %>">
|
|
5
|
+
|
|
6
|
+
<p data-web-authn-target="error" style="color: red" hidden></p>
|
|
7
|
+
|
|
8
|
+
<h1>Add a security key</h1>
|
|
9
|
+
<p>Have your security key ready. If it's the USB kind insert it now and then, if it has one, press the activation button when asked.</p>
|
|
10
|
+
|
|
11
|
+
<%%= button_tag "I'm ready, let's go", type: :button, data: { web_authn_target: "button", action: "web-authn#createCredential" } %>
|
|
12
|
+
</div>
|
|
@@ -14,7 +14,7 @@
|
|
|
14
14
|
<figcaption>Point your camera here</figcaption>
|
|
15
15
|
</figure>
|
|
16
16
|
|
|
17
|
-
<%%= form_with(url:
|
|
17
|
+
<%%= form_with(url: two_factor_authentication_profile_totp_path) do |form| %>
|
|
18
18
|
<%%= form.hidden_field :secret, value: @totp.secret %>
|
|
19
19
|
|
|
20
20
|
<div>
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
import { Application } from "@hotwired/stimulus"
|
|
2
|
+
<%- if webauthn? -%>
|
|
3
|
+
import WebAuthnController from "stimulus-web-authn"
|
|
4
|
+
<%- end -%>
|
|
5
|
+
|
|
6
|
+
const application = Application.start()
|
|
7
|
+
<%- if webauthn? -%>
|
|
8
|
+
application.register("web-authn", WebAuthnController)
|
|
9
|
+
<%- end -%>
|
|
10
|
+
|
|
11
|
+
// Configure Stimulus development experience
|
|
12
|
+
application.debug = false
|
|
13
|
+
window.Stimulus = application
|
|
14
|
+
|
|
15
|
+
export { application }
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
|
|
2
|
+
def change
|
|
3
|
+
create_table :security_keys do |t|
|
|
4
|
+
t.references :user, null: false, foreign_key: true
|
|
5
|
+
t.string :name, null: false
|
|
6
|
+
t.string :external_id, null: false
|
|
7
|
+
|
|
8
|
+
t.timestamps
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
add_index :security_keys, :external_id, unique: true
|
|
12
|
+
end
|
|
13
|
+
end
|
|
@@ -3,14 +3,16 @@ class User < ApplicationRecord
|
|
|
3
3
|
|
|
4
4
|
has_many :email_verification_tokens, dependent: :destroy
|
|
5
5
|
has_many :password_reset_tokens, dependent: :destroy
|
|
6
|
+
has_many :sessions, dependent: :destroy
|
|
6
7
|
<%- if two_factor? -%>
|
|
7
8
|
has_many :recovery_codes, dependent: :destroy
|
|
8
9
|
<%- end -%>
|
|
10
|
+
<%- if webauthn? -%>
|
|
11
|
+
has_many :security_keys, dependent: :destroy
|
|
12
|
+
<%- end -%>
|
|
9
13
|
<%- if passwordless? -%>
|
|
10
14
|
has_many :sign_in_tokens, dependent: :destroy
|
|
11
15
|
<%- end -%>
|
|
12
|
-
|
|
13
|
-
has_many :sessions, dependent: :destroy
|
|
14
16
|
<%- if options.trackable? -%>
|
|
15
17
|
has_many :events, dependent: :destroy
|
|
16
18
|
<%- end -%>
|
|
@@ -28,6 +30,11 @@ class User < ApplicationRecord
|
|
|
28
30
|
before_validation if: :email_changed?, on: :update do
|
|
29
31
|
self.verified = false
|
|
30
32
|
end
|
|
33
|
+
<%- if webauthn? %>
|
|
34
|
+
before_validation on: :create do
|
|
35
|
+
self.webauthn_id = WebAuthn.generate_user_id
|
|
36
|
+
end
|
|
37
|
+
<%- end -%>
|
|
31
38
|
|
|
32
39
|
after_update if: :password_digest_previously_changed? do
|
|
33
40
|
sessions.where.not(id: Current.session).delete_all
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: authentication-zero
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.16.
|
|
4
|
+
version: 2.16.21
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Nixon
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-04-
|
|
11
|
+
date: 2023-04-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies: []
|
|
13
13
|
description:
|
|
14
14
|
email:
|
|
@@ -36,6 +36,7 @@ files:
|
|
|
36
36
|
- lib/generators/authentication/USAGE
|
|
37
37
|
- lib/generators/authentication/authentication_generator.rb
|
|
38
38
|
- lib/generators/authentication/templates/config/initializers/omniauth.rb
|
|
39
|
+
- lib/generators/authentication/templates/config/initializers/webauthn.rb
|
|
39
40
|
- lib/generators/authentication/templates/config/redis/shared.yml
|
|
40
41
|
- lib/generators/authentication/templates/controllers/api/application_controller.rb.tt
|
|
41
42
|
- lib/generators/authentication/templates/controllers/api/authentications/events_controller.rb.tt
|
|
@@ -59,9 +60,12 @@ files:
|
|
|
59
60
|
- lib/generators/authentication/templates/controllers/html/sessions/passwordlesses_controller.rb.tt
|
|
60
61
|
- lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt
|
|
61
62
|
- lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt
|
|
62
|
-
- lib/generators/authentication/templates/controllers/html/two_factor_authentication/
|
|
63
|
-
- lib/generators/authentication/templates/controllers/html/two_factor_authentication/
|
|
64
|
-
- lib/generators/authentication/templates/controllers/html/two_factor_authentication/totps_controller.rb.tt
|
|
63
|
+
- lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/recovery_codes_controller.rb.tt
|
|
64
|
+
- lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/security_keys_controller.rb.tt
|
|
65
|
+
- lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/totps_controller.rb.tt
|
|
66
|
+
- lib/generators/authentication/templates/controllers/html/two_factor_authentication/profile/recovery_codes_controller.rb.tt
|
|
67
|
+
- lib/generators/authentication/templates/controllers/html/two_factor_authentication/profile/security_keys_controller.rb.tt
|
|
68
|
+
- lib/generators/authentication/templates/controllers/html/two_factor_authentication/profile/totps_controller.rb.tt
|
|
65
69
|
- lib/generators/authentication/templates/erb/authentications/events/index.html.erb.tt
|
|
66
70
|
- lib/generators/authentication/templates/erb/home/index.html.erb.tt
|
|
67
71
|
- lib/generators/authentication/templates/erb/identity/emails/edit.html.erb.tt
|
|
@@ -74,21 +78,29 @@ files:
|
|
|
74
78
|
- lib/generators/authentication/templates/erb/sessions/new.html.erb.tt
|
|
75
79
|
- lib/generators/authentication/templates/erb/sessions/passwordlesses/new.html.erb.tt
|
|
76
80
|
- lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt
|
|
77
|
-
- lib/generators/authentication/templates/erb/two_factor_authentication/
|
|
78
|
-
- lib/generators/authentication/templates/erb/two_factor_authentication/
|
|
79
|
-
- lib/generators/authentication/templates/erb/two_factor_authentication/
|
|
80
|
-
- lib/generators/authentication/templates/erb/two_factor_authentication/recovery_codes/_recovery_code.html.erb.tt
|
|
81
|
-
- lib/generators/authentication/templates/erb/two_factor_authentication/recovery_codes/index.html.erb.tt
|
|
82
|
-
- lib/generators/authentication/templates/erb/two_factor_authentication/
|
|
81
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/challenge/recovery_codes/new.html.erb.tt
|
|
82
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/challenge/security_keys/new.html.erb.tt
|
|
83
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/challenge/totps/new.html.erb.tt
|
|
84
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/profile/recovery_codes/_recovery_code.html.erb.tt
|
|
85
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/profile/recovery_codes/index.html.erb.tt
|
|
86
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_form_confirm.html.erb.tt
|
|
87
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_form_edit.html.erb.tt
|
|
88
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_security_key.html.erb.tt
|
|
89
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/edit.html.erb.tt
|
|
90
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/index.html.erb.tt
|
|
91
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/new.html.erb.tt
|
|
92
|
+
- lib/generators/authentication/templates/erb/two_factor_authentication/profile/totps/new.html.erb.tt
|
|
83
93
|
- lib/generators/authentication/templates/erb/user_mailer/email_verification.html.erb.tt
|
|
84
94
|
- lib/generators/authentication/templates/erb/user_mailer/invitation_instructions.html.erb.tt
|
|
85
95
|
- lib/generators/authentication/templates/erb/user_mailer/password_reset.html.erb.tt
|
|
86
96
|
- lib/generators/authentication/templates/erb/user_mailer/passwordless.html.erb.tt
|
|
97
|
+
- lib/generators/authentication/templates/javascript/controllers/application.js.tt
|
|
87
98
|
- lib/generators/authentication/templates/mailers/user_mailer.rb.tt
|
|
88
99
|
- lib/generators/authentication/templates/migrations/create_email_verification_tokens_migration.rb.tt
|
|
89
100
|
- lib/generators/authentication/templates/migrations/create_events_migration.rb.tt
|
|
90
101
|
- lib/generators/authentication/templates/migrations/create_password_reset_tokens_migration.rb.tt
|
|
91
102
|
- lib/generators/authentication/templates/migrations/create_recovery_codes_migration.rb.tt
|
|
103
|
+
- lib/generators/authentication/templates/migrations/create_security_keys_migration.rb.tt
|
|
92
104
|
- lib/generators/authentication/templates/migrations/create_sessions_migration.rb.tt
|
|
93
105
|
- lib/generators/authentication/templates/migrations/create_sign_in_tokens_migration.rb.tt
|
|
94
106
|
- lib/generators/authentication/templates/migrations/create_users_migration.rb.tt
|
|
@@ -97,6 +109,7 @@ files:
|
|
|
97
109
|
- lib/generators/authentication/templates/models/event.rb.tt
|
|
98
110
|
- lib/generators/authentication/templates/models/password_reset_token.rb.tt
|
|
99
111
|
- lib/generators/authentication/templates/models/recovery_code.rb.tt
|
|
112
|
+
- lib/generators/authentication/templates/models/security_key.rb.tt
|
|
100
113
|
- lib/generators/authentication/templates/models/session.rb.tt
|
|
101
114
|
- lib/generators/authentication/templates/models/sign_in_token.rb.tt
|
|
102
115
|
- lib/generators/authentication/templates/models/user.rb.tt
|
|
@@ -1,52 +0,0 @@
|
|
|
1
|
-
class TwoFactorAuthentication::ChallengesController < ApplicationController
|
|
2
|
-
skip_before_action :authenticate
|
|
3
|
-
|
|
4
|
-
before_action :set_user
|
|
5
|
-
|
|
6
|
-
def new
|
|
7
|
-
end
|
|
8
|
-
|
|
9
|
-
def create
|
|
10
|
-
if params[:scheme_type] == "recovery_codes"
|
|
11
|
-
verify_recovery_code
|
|
12
|
-
else
|
|
13
|
-
verify_time_based_one_time_password
|
|
14
|
-
end
|
|
15
|
-
end
|
|
16
|
-
|
|
17
|
-
private
|
|
18
|
-
def set_user
|
|
19
|
-
@user = User.find_signed!(session[:challenge_token], purpose: :authentication_challenge)
|
|
20
|
-
rescue StandardError
|
|
21
|
-
redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
|
|
22
|
-
end
|
|
23
|
-
|
|
24
|
-
def verify_recovery_code
|
|
25
|
-
if recover_code = @user.recovery_codes.find_by(code: params[:code], used: false)
|
|
26
|
-
recover_code.update!(used: true); sign_in_and_redirect_to_root
|
|
27
|
-
else
|
|
28
|
-
redirect_to_authentication_challenge
|
|
29
|
-
end
|
|
30
|
-
end
|
|
31
|
-
|
|
32
|
-
def verify_time_based_one_time_password
|
|
33
|
-
@totp = ROTP::TOTP.new(@user.otp_secret, issuer: "YourAppName")
|
|
34
|
-
|
|
35
|
-
if @totp.verify(params[:code], drift_behind: 15)
|
|
36
|
-
sign_in_and_redirect_to_root
|
|
37
|
-
else
|
|
38
|
-
redirect_to_authentication_challenge
|
|
39
|
-
end
|
|
40
|
-
end
|
|
41
|
-
|
|
42
|
-
def sign_in_and_redirect_to_root
|
|
43
|
-
session = @user.sessions.create!
|
|
44
|
-
cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
|
|
45
|
-
|
|
46
|
-
redirect_to root_path, notice: "Signed in successfully"
|
|
47
|
-
end
|
|
48
|
-
|
|
49
|
-
def redirect_to_authentication_challenge
|
|
50
|
-
redirect_to new_two_factor_authentication_challenge_path(scheme_type: params[:scheme_type]), alert: "That code didn't work. Please try again"
|
|
51
|
-
end
|
|
52
|
-
end
|
|
@@ -1,19 +0,0 @@
|
|
|
1
|
-
<%%= form_with(url: two_factor_authentication_challenge_path) do |form| %>
|
|
2
|
-
<%%= form.hidden_field :scheme_type, value: "totp" %>
|
|
3
|
-
|
|
4
|
-
<div>
|
|
5
|
-
<%%= form.label :code do %>
|
|
6
|
-
<h1>Next, open the 2FA authenticator app on your phone and type the six digit code below:</h1>
|
|
7
|
-
<%% end %>
|
|
8
|
-
<%%= form.text_field :code, autofocus: true, required: true, autocomplete: :off %>
|
|
9
|
-
</div>
|
|
10
|
-
|
|
11
|
-
<div>
|
|
12
|
-
<%%= form.submit "Verify" %>
|
|
13
|
-
</div>
|
|
14
|
-
<%% end %>
|
|
15
|
-
|
|
16
|
-
<div>
|
|
17
|
-
<p><strong>Don't have your phone?</strong></p>
|
|
18
|
-
<%%= link_to "Use a recovery code to access your account.", new_two_factor_authentication_challenge_path(scheme_type: "recovery_codes") %>
|
|
19
|
-
</div>
|