authentication-zero 2.16.20 → 2.16.21

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9e14fa9b399611bdbb9d3a01b3f81408fa45983d06b989d92da3669a8b777476
-  data.tar.gz: 95396bf303a6454d7d6605cbe53e41423ba2113bf9635ebbf2e177ca0f17c1f4
+  metadata.gz: c87cbd4d780d1170998c49949d6f28dbe0305df16880f012a7fd6a9cd19ce698
+  data.tar.gz: bb6dbd332c8d4fc221d4de3e8264204d0c999f1707f7529b3d547cb2eb4f5fe4
 SHA512:
-  metadata.gz: 4c2f8259a291ab4fa9fdb91521b3e8cf6ed03d678aa72ce148302f940575d7107132e7c71aea4aacf1f195b22ac500d528237add10a1db90853c8bd1b643f8f0
-  data.tar.gz: 01f856238d22656fcac3c71708ca36c69e8b5d44356934b4e021a84409f49dd48a432fcf3f3d58e383d3466be001b9f9d3d8558c368dc1d59bee28fccf1e54b0
+  metadata.gz: dc453d93036ca66a4df78da04c2fb1da2a21e862a409bad8608ec1661b315c9670e126b5de14ccd1b0a6b4fedb0445f258b0a472cb6f81c90ef588a178484cfc
+  data.tar.gz: c1d014b975a078302d919ba3ec52b4b2b4f0c94017cb04178785ae28bb5e5c8ff6e5d5e2fb84a8dc551cf3b5dc757c392af3061718ecf4e3a64c176292faaad2

data/.github/workflows/CI.yml

@@ -26,6 +26,9 @@ jobs:
       - name: Install Rubocop
         run: gem install rubocop rubocop-performance rubocop-minitest rubocop-packaging rubocop-minitest rubocop-rails
 
+      - name: Install Brakeman
+        run: gem install brakeman
+
       - name: Create fresh Rails app and run generator
         run: |
           rails new test-app
@@ -39,9 +42,6 @@ jobs:
       - name: Rubocop
         run: cd test-app && rubocop
 
-      - name: Install Brakeman
-        run: gem install brakeman
-
       - name: Brakeman
         run: cd test-app && brakeman
 
@@ -69,6 +69,9 @@ jobs:
       - name: Install Rubocop
         run: gem install rubocop rubocop-performance rubocop-minitest rubocop-packaging rubocop-minitest rubocop-rails
 
+      - name: Install Brakeman
+        run: gem install brakeman
+
       - name: Create fresh Rails app and run generator
         run: |
           rails new test-app
@@ -82,9 +85,6 @@ jobs:
       - name: Rubocop
         run: cd test-app && rubocop
 
-      - name: Install Brakeman
-        run: gem install brakeman
-
       - name: Brakeman
         run: cd test-app && brakeman
 

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## Authentication Zero 2.16.21 ##
+
+* Add two factor authentication using a hardware security key (--webauthn)
+* Move two factor authentication to new namespaces
+
 ## Authentication Zero 2.16.18 ##
 
 * Use session to store the token for the 2fa challenge

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (2.16.20)
+    authentication-zero (2.16.21)
 
 GEM
   remote: https://rubygems.org/

data/README.md

@@ -20,7 +20,7 @@ Since Authentication Zero generates this code into your application instead of b
 
 ## Features
 
-- **Simplest code ever (~200 lines of code)**
+- **Simple code**
 - **Inspired by hey.com**
 - Sign up
 - Email and password validations
@@ -29,6 +29,7 @@ Since Authentication Zero generates this code into your application instead of b
 - Authentication by token (--api)
 - Passwordless authentication (--passwordless)
 - Two factor authentication + recovery codes (--two-factor)
+- Two factor authentication using a hardware security key (--webauthn)
 - Social Login with OmniAuth (--omniauthable)
 - Send invitations (--invitable)
 - Sign-in as button functionallity (--masqueradable)
@@ -36,7 +37,7 @@ Since Authentication Zero generates this code into your application instead of b
 - Ask password before sensitive data changes, aka: sudo (--sudoable)
 - Reset the user password and send reset instructions
 - Reset the user password only from verified emails
-- Lock mechanism to prevent spamming (--lockable)
+- Lock mechanism to prevent email bombing (--lockable)
 - Rate limiting for your app, 1000 reqs/minute (--ratelimit)
 - Send e-mail confirmation when your email has been changed
 - Manage multiple sessions & devices

data/lib/authentication_zero/version.rb

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "2.16.20"
+  VERSION = "2.16.21"
 end

data/lib/generators/authentication/authentication_generator.rb

@@ -12,6 +12,7 @@ class AuthenticationGenerator < Rails::Generators::Base
   class_option :omniauthable,  type: :boolean, desc: "Add social login support"
   class_option :trackable,     type: :boolean, desc: "Add activity log support"
   class_option :two_factor,    type: :boolean, desc: "Add two factor authentication"
+  class_option :webauthn,      type: :boolean, desc: "Add two factor authentication using a hardware security key"
   class_option :invitable,     type: :boolean, desc: "Add sending invitations"
   class_option :masqueradable, type: :boolean, desc: "Add sign-in as button functionallity"
 
@@ -42,6 +43,10 @@ class AuthenticationGenerator < Rails::Generators::Base
       gem "rotp", comment: "Use rotp for generating and validating one time passwords [https://github.com/mdp/rotp]"
       gem "rqrcode", comment: "Use rqrcode for creating and rendering QR codes into various formats [https://github.com/whomwah/rqrcode]"
     end
+
+    if webauthn?
+      gem "webauthn", comment: "Use webauthn for making rails become a conformant web authn relying party [https://github.com/cedarcode/webauthn-ruby]"
+    end
   end
 
   def add_environment_configurations
@@ -53,6 +58,7 @@ class AuthenticationGenerator < Rails::Generators::Base
   def create_configuration_files
     copy_file "config/redis/shared.yml", "config/redis/shared.yml" if redis?
     copy_file "config/initializers/omniauth.rb", "config/initializers/omniauth.rb" if omniauthable?
+    copy_file "config/initializers/webauthn.rb", "config/initializers/webauthn.rb" if webauthn?
   end
 
   def create_migrations
@@ -63,6 +69,7 @@ class AuthenticationGenerator < Rails::Generators::Base
     migration_template "migrations/create_sign_in_tokens_migration.rb", "#{db_migrate_path}/create_sign_in_tokens_migration.rb" if passwordless?
     migration_template "migrations/create_events_migration.rb", "#{db_migrate_path}/create_events.rb" if options.trackable?
     migration_template "migrations/create_recovery_codes_migration.rb", "#{db_migrate_path}/create_recovery_codes.rb" if two_factor?
+    migration_template "migrations/create_security_keys_migration.rb", "#{db_migrate_path}/create_security_keys.rb" if webauthn?
   end
 
   def create_models
@@ -74,6 +81,7 @@ class AuthenticationGenerator < Rails::Generators::Base
     template "models/current.rb", "app/models/current.rb"
     template "models/event.rb", "app/models/event.rb" if options.trackable?
     template "models/recovery_code.rb", "app/models/recovery_code.rb" if two_factor?
+    template "models/security_key.rb", "app/models/security_key.rb" if webauthn?
   end
 
   def create_fixture_file
@@ -84,7 +92,17 @@ class AuthenticationGenerator < Rails::Generators::Base
     template  "controllers/#{format_folder}/application_controller.rb", "app/controllers/application_controller.rb", force: true
 
     directory "controllers/#{format_folder}/identity", "app/controllers/identity"
-    directory "controllers/#{format_folder}/two_factor_authentication", "app/controllers/two_factor_authentication" if two_factor?
+
+    if two_factor?
+      template "controllers/html/two_factor_authentication/profile/totps_controller.rb", "app/controllers/two_factor_authentication/profile/totps_controller.rb"
+      template "controllers/html/two_factor_authentication/profile/recovery_codes_controller.rb", "app/controllers/two_factor_authentication/profile/recovery_codes_controller.rb"
+      template "controllers/html/two_factor_authentication/profile/security_keys_controller.rb", "app/controllers/two_factor_authentication/profile/security_keys_controller.rb" if webauthn?
+
+      template "controllers/html/two_factor_authentication/challenge/totps_controller.rb", "app/controllers/two_factor_authentication/challenge/totps_controller.rb"
+      template "controllers/html/two_factor_authentication/challenge/recovery_codes_controller.rb", "app/controllers/two_factor_authentication/challenge/recovery_codes_controller.rb"
+      template "controllers/html/two_factor_authentication/challenge/security_keys_controller.rb", "app/controllers/two_factor_authentication/challenge/security_keys_controller.rb" if webauthn?
+    end
+
     template  "controllers/#{format_folder}/sessions_controller.rb", "app/controllers/sessions_controller.rb"
     template  "controllers/#{format_folder}/passwords_controller.rb", "app/controllers/passwords_controller.rb"
     template  "controllers/#{format_folder}/invitations_controller.rb", "app/controllers/invitations_controller.rb" if invitable?
@@ -97,6 +115,16 @@ class AuthenticationGenerator < Rails::Generators::Base
     template  "controllers/#{format_folder}/authentications/events_controller.rb", "app/controllers/authentications/events_controller.rb" if options.trackable?
   end
 
+  def install_javascript_dependencies
+    return if options.api?
+    template "javascript/controllers/application.js", "app/javascript/controllers/application.js"
+
+    if webauthn?
+      run "bin/importmap pin stimulus-web-authn" if importmaps?
+      run "yarn add stimulus-web-authn" if node?
+    end
+  end
+
   def create_views
     if options.api?
       template "erb/user_mailer/email_verification.html.erb", "app/views/user_mailer/email_verification.html.erb"
@@ -122,8 +150,17 @@ class AuthenticationGenerator < Rails::Generators::Base
 
       directory "erb/sessions/passwordlesses", "app/views/sessions/passwordlesses" if passwordless?
 
-      directory "erb/two_factor_authentication", "app/views/two_factor_authentication" if two_factor?
       directory "erb/authentications/events", "app/views/authentications/events" if options.trackable?
+
+      if two_factor?
+        directory "erb/two_factor_authentication/profile/totps", "app/views/two_factor_authentication/profile/totps"
+        directory "erb/two_factor_authentication/profile/recovery_codes", "app/views/two_factor_authentication/profile/recovery_codes"
+        directory "erb/two_factor_authentication/profile/security_keys", "app/views/two_factor_authentication/profile/security_keys" if webauthn?
+
+        directory "erb/two_factor_authentication/challenge/totps", "app/views/two_factor_authentication/challenge/totps"
+        directory "erb/two_factor_authentication/challenge/recovery_codes", "app/views/two_factor_authentication/challenge/recovery_codes"
+        directory "erb/two_factor_authentication/challenge/security_keys", "app/views/two_factor_authentication/challenge/security_keys" if webauthn?
+      end
     end
   end
 
@@ -157,9 +194,13 @@ class AuthenticationGenerator < Rails::Generators::Base
     end
 
     if two_factor?
-      route "resources :recovery_codes, only: [:index, :create]", namespace: :two_factor_authentication
-      route "resource  :totp,           only: [:new, :create]", namespace: :two_factor_authentication
-      route "resource  :challenge,      only: [:new, :create]", namespace: :two_factor_authentication
+      route "resources :recovery_codes, only: [:index, :create]", namespace: [:two_factor_authentication, :profile]
+      route "resource  :totp,           only: [:new, :create]", namespace: [:two_factor_authentication, :profile]
+      route "resources :security_keys", namespace: [:two_factor_authentication, :profile] if webauthn?
+
+      route "resource :recovery_codes, only: [:new, :create]", namespace: [:two_factor_authentication, :challenge]
+      route "resource :totp,           only: [:new, :create]", namespace: [:two_factor_authentication, :challenge]
+      route "resource :security_keys,  only: [:new, :create]", namespace: [:two_factor_authentication, :challenge] if webauthn?
     end
 
     if options.trackable?
@@ -212,6 +253,10 @@ class AuthenticationGenerator < Rails::Generators::Base
       options.two_factor? && !options.api?
     end
 
+    def webauthn?
+      options.webauthn? && two_factor?
+    end
+
     def invitable?
       options.invitable? && !options.api?
     end
@@ -227,4 +272,12 @@ class AuthenticationGenerator < Rails::Generators::Base
     def redis?
       options.lockable? || options.ratelimit? || sudoable?
     end
+
+    def importmaps?
+      Rails.root.join("config/importmap.rb").exist?
+    end
+
+    def node?
+      Rails.root.join("package.json").exist?
+    end
 end

data/lib/generators/authentication/templates/config/initializers/webauthn.rb

@@ -0,0 +1,4 @@
+WebAuthn.configure do |config|
+  config.origin  = "http://localhost:3000"
+  config.rp_name = "Example Inc."
+end

data/lib/generators/authentication/templates/controllers/html/application_controller.rb.tt

@@ -28,7 +28,7 @@ class ApplicationController < ActionController::Base
     <%- if sudoable? %>
     def require_sudo
       unless Current.session.sudo?
-        redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
+        redirect_to new_sessions_sudo_path(proceed_to_url: request.original_url)
       end
     end
     <%- end -%>

data/lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt

@@ -18,7 +18,7 @@ class SessionsController < ApplicationController
       <%- if two_factor? -%>
       if user.otp_secret.present?
         session[:challenge_token] = user.signed_id(purpose: :authentication_challenge, expires_in: 20.minutes)
-        redirect_to new_two_factor_authentication_challenge_path
+        redirect_to new_two_factor_authentication_challenge_totp_path
       else
         @session = user.sessions.create!
         cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/recovery_codes_controller.rb.tt

@@ -0,0 +1,30 @@
+class TwoFactorAuthentication::Challenge::RecoveryCodesController < ApplicationController
+  skip_before_action :authenticate
+
+  before_action :set_user
+
+  def new
+  end
+
+  def create
+    if recover_code = @user.recovery_codes.find_by(code: params[:code], used: false)
+      recover_code.update!(used: true); sign_in_and_redirect_to_root
+    else
+      redirect_to new_two_factor_authentication_challenge_recovery_codes_path, alert: "That code didn't work. Please try again"
+    end
+  end
+
+  private
+    def set_user
+      @user = User.find_signed!(session[:challenge_token], purpose: :authentication_challenge)
+    rescue StandardError
+      redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
+    end
+
+    def sign_in_and_redirect_to_root
+      session = @user.sessions.create!
+      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+
+      redirect_to root_path, notice: "Signed in successfully"
+    end
+end

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/security_keys_controller.rb.tt

@@ -0,0 +1,46 @@
+class TwoFactorAuthentication::Challenge::SecurityKeysController < ApplicationController
+  skip_before_action :authenticate
+
+  before_action :set_user
+
+  def new
+    respond_to do |format|
+      format.html
+      format.json { render json: options_for_get }
+    end
+  end
+
+  def create
+    if @user.security_keys.exists?(external_id: credential.id)
+      sign_in_and_redirect_to_root
+    else
+      render json: { error: "Verification failed: #{e.message}" }, status: :unprocessable_entity
+    end
+  end
+
+  private
+    def set_user
+      @user = User.find_signed!(session[:challenge_token], purpose: :authentication_challenge)
+    rescue StandardError
+      redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
+    end
+
+    def sign_in_and_redirect_to_root
+      session = @user.sessions.create!
+      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+
+      render json: { status: "ok", location: root_url }, status: :created
+    end
+
+    def options_for_get
+      WebAuthn::Credential.options_for_get(allow: external_ids)
+    end
+
+    def external_ids
+      @user.security_keys.pluck(:external_id)
+    end
+
+    def credential
+      @credential ||= WebAuthn::Credential.from_get(params.require(:credential))
+    end
+end

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/totps_controller.rb.tt

@@ -0,0 +1,32 @@
+class TwoFactorAuthentication::Challenge::TotpsController < ApplicationController
+  skip_before_action :authenticate
+
+  before_action :set_user
+
+  def new
+  end
+
+  def create
+    @totp = ROTP::TOTP.new(@user.otp_secret, issuer: "YourAppName")
+
+    if @totp.verify(params[:code], drift_behind: 15)
+      sign_in_and_redirect_to_root
+    else
+      redirect_to new_two_factor_authentication_challenge_totp_path, alert: "That code didn't work. Please try again"
+    end
+  end
+
+  private
+    def set_user
+      @user = User.find_signed!(session[:challenge_token], purpose: :authentication_challenge)
+    rescue StandardError
+      redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
+    end
+
+    def sign_in_and_redirect_to_root
+      session = @user.sessions.create!
+      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+
+      redirect_to root_path, notice: "Signed in successfully"
+    end
+end

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/{recovery_codes_controller.rb.tt → profile/recovery_codes_controller.rb.tt}

@@ -1,4 +1,4 @@
-class TwoFactorAuthentication::RecoveryCodesController < ApplicationController
+class TwoFactorAuthentication::Profile::RecoveryCodesController < ApplicationController
   before_action :set_user
 
   def index
@@ -13,7 +13,7 @@ class TwoFactorAuthentication::RecoveryCodesController < ApplicationController
     @user.recovery_codes.delete_all
     @user.recovery_codes.create!(new_recovery_codes)
 
-    redirect_to two_factor_authentication_recovery_codes_path, notice: "Your new recovery codes have been generated"
+    redirect_to two_factor_authentication_profile_recovery_codes_path, notice: "Your new recovery codes have been generated"
   end
 
   private

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/profile/security_keys_controller.rb.tt

@@ -0,0 +1,62 @@
+class TwoFactorAuthentication::Profile::SecurityKeysController < ApplicationController
+  before_action :set_user
+  before_action :set_security_key, only: %i[ edit update destroy ]
+
+  def index
+    @security_keys = @user.security_keys
+  end
+
+  def new
+    respond_to do |format|
+      format.html
+      format.json { render json: options_for_create }
+    end
+  end
+
+  def edit
+  end
+
+  def create
+    @security_key = @user.security_keys.create!(credential_params)
+    render json: { status: "ok", location: edit_two_factor_authentication_profile_security_key_url(@security_key, confirmation: true) }, status: :created
+  end
+
+  def update
+    @security_key.update! name: params[:name]
+    redirect_to two_factor_authentication_profile_security_keys_path, notice: "Your changes have been saved"
+  end
+
+  def destroy
+    @security_key.destroy
+    redirect_to two_factor_authentication_profile_security_keys_path, notice: "#{@security_key.name} has been removed"
+  end
+
+  private
+    def set_user
+      @user = Current.user
+    end
+
+    def set_security_key
+      @security_key = @user.security_keys.find(params[:id])
+    end
+
+    def options_for_create
+      WebAuthn::Credential.options_for_create(user: user_info, exclude: external_ids)
+    end
+
+    def user_info
+      { id: @user.webauthn_id, name: @user.email }
+    end
+
+    def external_ids
+      @user.security_keys.pluck(:external_id)
+    end
+
+    def credential_params
+      { external_id: credential.id, name: "security key" }
+    end
+
+    def credential
+      @credential ||= WebAuthn::Credential.from_create(params.require(:credential))
+    end
+end

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/{totps_controller.rb.tt → profile/totps_controller.rb.tt}

@@ -1,4 +1,4 @@
-class TwoFactorAuthentication::TotpsController < ApplicationController
+class TwoFactorAuthentication::Profile::TotpsController < ApplicationController
   before_action :set_user
   before_action :set_totp
 
@@ -9,9 +9,9 @@ class TwoFactorAuthentication::TotpsController < ApplicationController
   def create
     if @totp.verify(params[:code], drift_behind: 15)
       @user.update! otp_secret: params[:secret]
-      redirect_to two_factor_authentication_recovery_codes_path
+      redirect_to two_factor_authentication_profile_recovery_codes_path
     else
-      redirect_to new_two_factor_authentication_totp_path, alert: "That code didn't work. Please try again"
+      redirect_to new_two_factor_authentication_profile_totp_path, alert: "That code didn't work. Please try again"
     end
   end
 

data/lib/generators/authentication/templates/erb/home/index.html.erb.tt

@@ -13,11 +13,14 @@
 </div>
 <%- if two_factor? %>
 <div>
-  <%%= link_to "Two-Factor Authentication", new_two_factor_authentication_totp_path %>
+  <%%= link_to "Two-Factor Authentication", new_two_factor_authentication_profile_totp_path %>
 </div>
 
 <%% if Current.user.otp_secret.present? %>
-  <div><%%= link_to "Recovery Codes", two_factor_authentication_recovery_codes_path %></div>
+  <div><%%= link_to "Recovery Codes", two_factor_authentication_profile_recovery_codes_path %></div>
+  <%- if webauthn? -%>
+  <div><%%= link_to "Security keys", two_factor_authentication_profile_security_keys_path %></div>
+  <%- end -%>
 <%% end %>
 <%- end -%>
 <%- if invitable? %>

data/lib/generators/authentication/templates/erb/two_factor_authentication/{challenges/_recovery_code_form.html.erb.tt → challenge/recovery_codes/new.html.erb.tt}

@@ -1,6 +1,6 @@
-<%%= form_with(url: two_factor_authentication_challenge_path) do |form| %>
-  <%%= form.hidden_field :scheme_type, value: "recovery_codes" %>
+<p style="color: red"><%%= alert %></p>
 
+<%%= form_with(url: two_factor_authentication_challenge_recovery_codes_path) do |form| %>
   <div>
     <%%= form.label :code do %>
       <h1>OK, enter one of your recovery codes below:</h1>
@@ -14,5 +14,5 @@
 <%% end %>
 
 <div>
-  <p>To access your account, enter one of the recovery codes (e.g., XXXXX-XXXXX) you saved when you set up your two-factor authentication device.</p>
+  <p>To access your account, enter one of the recovery codes (e.g., xxxxxxxxxx) you saved when you set up your two-factor authentication device.</p>
 </div>

data/lib/generators/authentication/templates/erb/two_factor_authentication/challenge/security_keys/new.html.erb.tt

@@ -0,0 +1,12 @@
+<div data-controller="web-authn"
+     data-web-authn-loading-class="web-authn-loading"
+     data-web-authn-fallback-url-value="<%%= new_two_factor_authentication_challenge_totp_path %>"
+     data-web-authn-challenge-url-value="<%%= new_two_factor_authentication_challenge_security_keys_url %>"
+     data-web-authn-verification-url-value="<%%= two_factor_authentication_challenge_security_keys_url %>">
+
+  <p data-web-authn-target="error" style="color: red" hidden></p>
+
+  <h1>Verify with your security key.</h1>
+  <%%= button_tag "Use security key", type: :button, data: { web_authn_target: "button", action: "web-authn#getCredential" } %>
+  <p>Have your security key ready. If it's the USB kind insert it now and then, if it has one, press the activation button when asked.</p>
+<div>

data/lib/generators/authentication/templates/erb/two_factor_authentication/challenge/totps/new.html.erb.tt

@@ -0,0 +1,26 @@
+<p style="color: red"><%%= alert %></p>
+
+<%%= form_with(url: two_factor_authentication_challenge_totp_path) do |form| %>
+  <div>
+    <%%= form.label :code do %>
+      <h1>Next, open the 2FA authenticator app on your phone and type the six digit code below:</h1>
+    <%% end %>
+    <%%= form.text_field :code, autofocus: true, required: true, autocomplete: :off %>
+  </div>
+
+  <div>
+    <%%= form.submit "Verify" %>
+  </div>
+<%% end %>
+
+<div>
+  <p><strong>Don't have your phone?</strong></p>
+  <div>
+    <%%= link_to "Use a recovery code to access your account.", new_two_factor_authentication_challenge_recovery_codes_path %>
+  </div>
+  <%- if webauthn? %>
+  <%% if @user.security_keys.exists? %>
+    <div><%%= link_to "Use a security key to access your account.", new_two_factor_authentication_challenge_security_keys_path %></div>
+  <%% end %>
+  <%- end -%>
+</div>

data/lib/generators/authentication/templates/erb/two_factor_authentication/{recovery_codes → profile/recovery_codes}/index.html.erb.tt

@@ -13,4 +13,4 @@
 
 <p>If you think your codes have fallen into the wrong hands, you can get a new set. Be sure to save the new ones because the old codes will stop working.</p>
 
-<%%= button_to "Generate new recovery codes", two_factor_authentication_recovery_codes_path %>
+<%%= button_to "Generate new recovery codes", two_factor_authentication_profile_recovery_codes_path %>

data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_form_confirm.html.erb.tt

@@ -0,0 +1,13 @@
+<%%= form_with(url: two_factor_authentication_profile_security_key_path, method: :patch) do |form| %>
+  <p>One more step. Please give this security key a nickname to help you remember it.</p>
+
+  <div>
+    <%%= form.label :name, style: "display: block" %>
+    <%%= form.text_field :name, autofocus: true, required: true %>
+    <div>e.g., Macbook Touch ID</div>
+  </div>
+
+  <div>
+    <%%= form.submit "Save" %>
+  </div>
+<%% end %>

data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_form_edit.html.erb.tt

@@ -0,0 +1,17 @@
+<%%= form_with(url: two_factor_authentication_profile_security_key_path, method: :patch) do |form| %>
+  <div>
+    <%%= form.label :name, style: "display: block" %>
+    <%%= form.text_field :name, value: @security_key.name, autofocus: true, required: true %>
+    <div>e.g., Macbook Touch ID</div>
+  </div>
+
+  <div>
+    <%%= form.submit "Save changes" %>
+  </div>
+<%% end %>
+
+<br>
+
+<div>
+  <%%= button_to "Remove this security key...", two_factor_authentication_profile_security_key_path(@security_key), method: :delete %>
+</div>

data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_security_key.html.erb.tt

@@ -0,0 +1 @@
+<li><%%= link_to security_key.name, edit_two_factor_authentication_profile_security_key_path(security_key) %></li>

data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/edit.html.erb.tt

@@ -0,0 +1,3 @@
+<h1>Edit security key</h1>
+
+<%%= render params[:confirmation] ? "form_confirm" : "form_edit" %>

data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/index.html.erb.tt

@@ -0,0 +1,10 @@
+<p style="color: green"><%%= notice %></p>
+
+<h1>Security keys</h1>
+<p>A security key is a hardware device used to verify your identity. For example, a built-in fingerprint reader, a plug-in USB key, or a login system like Windows Hello.</p>
+
+<ul><%%= render @security_keys %></ul>
+
+<br>
+
+<%%= link_to "Add security key", new_two_factor_authentication_profile_security_key_path %>

data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/new.html.erb.tt

@@ -0,0 +1,12 @@
+<div data-controller="web-authn"
+     data-web-authn-loading-class="web-authn-loading"
+     data-web-authn-challenge-url-value="<%%= new_two_factor_authentication_profile_security_key_url %>"
+     data-web-authn-verification-url-value="<%%= two_factor_authentication_profile_security_keys_url %>">
+
+  <p data-web-authn-target="error" style="color: red" hidden></p>
+
+  <h1>Add a security key</h1>
+  <p>Have your security key ready. If it's the USB kind insert it now and then, if it has one, press the activation button when asked.</p>
+
+  <%%= button_tag "I'm ready, let's go", type: :button, data: { web_authn_target: "button", action: "web-authn#createCredential" } %>
+</div>

data/lib/generators/authentication/templates/erb/two_factor_authentication/{totps → profile/totps}/new.html.erb.tt

@@ -14,7 +14,7 @@
   <figcaption>Point your camera here</figcaption>
 </figure>
 
-<%%= form_with(url: two_factor_authentication_totp_path) do |form| %>
+<%%= form_with(url: two_factor_authentication_profile_totp_path) do |form| %>
   <%%= form.hidden_field :secret, value: @totp.secret %>
 
   <div>

data/lib/generators/authentication/templates/javascript/controllers/application.js.tt

@@ -0,0 +1,15 @@
+import { Application } from "@hotwired/stimulus"
+<%- if webauthn? -%>
+import WebAuthnController from "stimulus-web-authn"
+<%- end -%>
+
+const application = Application.start()
+<%- if webauthn? -%>
+application.register("web-authn", WebAuthnController)
+<%- end -%>
+
+// Configure Stimulus development experience
+application.debug = false
+window.Stimulus   = application
+
+export { application }

data/lib/generators/authentication/templates/migrations/create_security_keys_migration.rb.tt

@@ -0,0 +1,13 @@
+class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :security_keys do |t|
+      t.references :user, null: false, foreign_key: true
+      t.string :name, null: false
+      t.string :external_id, null: false
+
+      t.timestamps
+    end
+
+    add_index :security_keys, :external_id, unique: true
+  end
+end

data/lib/generators/authentication/templates/migrations/create_users_migration.rb.tt

@@ -12,6 +12,9 @@ class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Mi
       t.string :provider
       t.string :uid
       <%- end -%>
+      <%- if webauthn? %>
+      t.string :webauthn_id
+      <%- end -%>
 
       t.timestamps
     end

data/lib/generators/authentication/templates/models/security_key.rb.tt

@@ -0,0 +1,3 @@
+class SecurityKey < ApplicationRecord
+  belongs_to :user
+end

data/lib/generators/authentication/templates/models/user.rb.tt

@@ -7,6 +7,9 @@ class User < ApplicationRecord
   <%- if two_factor? -%>
   has_many :recovery_codes, dependent: :destroy
   <%- end -%>
+  <%- if webauthn? -%>
+  has_many :security_keys, dependent: :destroy
+  <%- end -%>
   <%- if passwordless? -%>
   has_many :sign_in_tokens, dependent: :destroy
   <%- end -%>
@@ -27,6 +30,11 @@ class User < ApplicationRecord
   before_validation if: :email_changed?, on: :update do
     self.verified = false
   end
+  <%- if webauthn? %>
+  before_validation on: :create do
+    self.webauthn_id = WebAuthn.generate_user_id
+  end
+  <%- end -%>
 
   after_update if: :password_digest_previously_changed? do
     sessions.where.not(id: Current.session).delete_all

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authentication-zero
 version: !ruby/object:Gem::Version
-  version: 2.16.20
+  version: 2.16.21
 platform: ruby
 authors:
 - Nixon
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-09 00:00:00.000000000 Z
+date: 2023-04-12 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -36,6 +36,7 @@ files:
 - lib/generators/authentication/USAGE
 - lib/generators/authentication/authentication_generator.rb
 - lib/generators/authentication/templates/config/initializers/omniauth.rb
+- lib/generators/authentication/templates/config/initializers/webauthn.rb
 - lib/generators/authentication/templates/config/redis/shared.yml
 - lib/generators/authentication/templates/controllers/api/application_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/authentications/events_controller.rb.tt
@@ -59,9 +60,12 @@ files:
 - lib/generators/authentication/templates/controllers/html/sessions/passwordlesses_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt
-- lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenges_controller.rb.tt
-- lib/generators/authentication/templates/controllers/html/two_factor_authentication/recovery_codes_controller.rb.tt
-- lib/generators/authentication/templates/controllers/html/two_factor_authentication/totps_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/recovery_codes_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/security_keys_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenge/totps_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/two_factor_authentication/profile/recovery_codes_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/two_factor_authentication/profile/security_keys_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/two_factor_authentication/profile/totps_controller.rb.tt
 - lib/generators/authentication/templates/erb/authentications/events/index.html.erb.tt
 - lib/generators/authentication/templates/erb/home/index.html.erb.tt
 - lib/generators/authentication/templates/erb/identity/emails/edit.html.erb.tt
@@ -74,21 +78,29 @@ files:
 - lib/generators/authentication/templates/erb/sessions/new.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/passwordlesses/new.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt
-- lib/generators/authentication/templates/erb/two_factor_authentication/challenges/_recovery_code_form.html.erb.tt
-- lib/generators/authentication/templates/erb/two_factor_authentication/challenges/_totp_form.html.erb.tt
-- lib/generators/authentication/templates/erb/two_factor_authentication/challenges/new.html.erb.tt
-- lib/generators/authentication/templates/erb/two_factor_authentication/recovery_codes/_recovery_code.html.erb.tt
-- lib/generators/authentication/templates/erb/two_factor_authentication/recovery_codes/index.html.erb.tt
-- lib/generators/authentication/templates/erb/two_factor_authentication/totps/new.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/challenge/recovery_codes/new.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/challenge/security_keys/new.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/challenge/totps/new.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/profile/recovery_codes/_recovery_code.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/profile/recovery_codes/index.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_form_confirm.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_form_edit.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/_security_key.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/edit.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/index.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/profile/security_keys/new.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/profile/totps/new.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/email_verification.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/invitation_instructions.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/password_reset.html.erb.tt
 - lib/generators/authentication/templates/erb/user_mailer/passwordless.html.erb.tt
+- lib/generators/authentication/templates/javascript/controllers/application.js.tt
 - lib/generators/authentication/templates/mailers/user_mailer.rb.tt
 - lib/generators/authentication/templates/migrations/create_email_verification_tokens_migration.rb.tt
 - lib/generators/authentication/templates/migrations/create_events_migration.rb.tt
 - lib/generators/authentication/templates/migrations/create_password_reset_tokens_migration.rb.tt
 - lib/generators/authentication/templates/migrations/create_recovery_codes_migration.rb.tt
+- lib/generators/authentication/templates/migrations/create_security_keys_migration.rb.tt
 - lib/generators/authentication/templates/migrations/create_sessions_migration.rb.tt
 - lib/generators/authentication/templates/migrations/create_sign_in_tokens_migration.rb.tt
 - lib/generators/authentication/templates/migrations/create_users_migration.rb.tt
@@ -97,6 +109,7 @@ files:
 - lib/generators/authentication/templates/models/event.rb.tt
 - lib/generators/authentication/templates/models/password_reset_token.rb.tt
 - lib/generators/authentication/templates/models/recovery_code.rb.tt
+- lib/generators/authentication/templates/models/security_key.rb.tt
 - lib/generators/authentication/templates/models/session.rb.tt
 - lib/generators/authentication/templates/models/sign_in_token.rb.tt
 - lib/generators/authentication/templates/models/user.rb.tt

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenges_controller.rb.tt

@@ -1,52 +0,0 @@
-class TwoFactorAuthentication::ChallengesController < ApplicationController
-  skip_before_action :authenticate
-
-  before_action :set_user
-
-  def new
-  end
-
-  def create
-    if params[:scheme_type] == "recovery_codes"
-      verify_recovery_code
-    else
-      verify_time_based_one_time_password
-    end
-  end
-
-  private
-    def set_user
-      @user = User.find_signed!(session[:challenge_token], purpose: :authentication_challenge)
-    rescue StandardError
-      redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
-    end
-
-    def verify_recovery_code
-      if recover_code = @user.recovery_codes.find_by(code: params[:code], used: false)
-        recover_code.update!(used: true); sign_in_and_redirect_to_root
-      else
-        redirect_to_authentication_challenge
-      end
-    end
-
-    def verify_time_based_one_time_password
-      @totp = ROTP::TOTP.new(@user.otp_secret, issuer: "YourAppName")
-
-      if @totp.verify(params[:code], drift_behind: 15)
-        sign_in_and_redirect_to_root
-      else
-        redirect_to_authentication_challenge
-      end
-    end
-
-    def sign_in_and_redirect_to_root
-      session = @user.sessions.create!
-      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
-
-      redirect_to root_path, notice: "Signed in successfully"
-    end
-
-    def redirect_to_authentication_challenge
-      redirect_to new_two_factor_authentication_challenge_path(scheme_type: params[:scheme_type]), alert: "That code didn't work. Please try again"
-    end
-end

data/lib/generators/authentication/templates/erb/two_factor_authentication/challenges/_totp_form.html.erb.tt

@@ -1,19 +0,0 @@
-<%%= form_with(url: two_factor_authentication_challenge_path) do |form| %>
-  <%%= form.hidden_field :scheme_type, value: "totp" %>
-
-  <div>
-    <%%= form.label :code do %>
-      <h1>Next, open the 2FA authenticator app on your phone and type the six digit code below:</h1>
-    <%% end %>
-    <%%= form.text_field :code, autofocus: true, required: true, autocomplete: :off %>
-  </div>
-
-  <div>
-    <%%= form.submit "Verify" %>
-  </div>
-<%% end %>
-
-<div>
-  <p><strong>Don't have your phone?</strong></p>
-  <%%= link_to "Use a recovery code to access your account.", new_two_factor_authentication_challenge_path(scheme_type: "recovery_codes") %>
-</div>

data/lib/generators/authentication/templates/erb/two_factor_authentication/challenges/new.html.erb.tt

@@ -1,7 +0,0 @@
-<p style="color: red"><%%= alert %></p>
-
-<%% if params[:scheme_type] == "recovery_codes" %>
-  <%%= render "recovery_code_form" %>
-<%% else %>
-  <%%= render "totp_form" %>
-<%% end %>