authentication-zero 2.16.23 → 2.16.25

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3a209eab7a18b13d85da9a5590911a93b62bd7706e5479c31d4b336c20bdeb82
-  data.tar.gz: 2db4995530e23797b10116f163a814124a61b654be4237dbf9bfadbc0c7d67e5
+  metadata.gz: 7e2f92cea6894605d40f9db5bad75a4cb227a89043a19f8fe79172b83731b226
+  data.tar.gz: 85801b84481982cabfc5d1bbbbc554893d4597ed70a7550f1f4e299f8b4b81ae
 SHA512:
-  metadata.gz: 997b3dccdf8e4293d7f0d7dba947d7c5f7e5dafd8811c605e18ba6780970cf294082c67a3a9bf626dbbf18e2fb7ff8cfbd704ff4c56feae305de08919b0b493d
-  data.tar.gz: d4fecb6e1214271795a536b7abd4d7cb0bcc2a055d97cef197842211b6ced3b712c48aeaf4086465af230dd1e0fe0f027451019239c8a96cec00270ffd7fea47
+  metadata.gz: cc3bddc51a3cbe07dc2dd990ae65b9692699f3dad8d370da99952ee7cedb3c6d31699ee7804e5c0b5b0ff8a8e5b05182a9a1c40d58d04c364d7171f53c193b8d
+  data.tar.gz: 07bccc4f5eb51fac1da60e82bd3f819f2b29aec97085d73fd13d819ed69b81a704b12bd866e2340b6641ee860563d49a67bea43854a2efa0da23004c9501a598

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## Authentication Zero 2.16.25 ##
+
+* Add new option to refresh otp secret
+
+## Authentication Zero 2.16.24 ##
+
+* Remove otp secret from client
+
 ## Authentication Zero 2.16.21 ##
 
 * Add two factor authentication using a hardware security key (--webauthn)

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (2.16.23)
+    authentication-zero (2.16.25)
 
 GEM
   remote: https://rubygems.org/

data/lib/authentication_zero/version.rb

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "2.16.23"
+  VERSION = "2.16.25"
 end

data/lib/generators/authentication/authentication_generator.rb

@@ -117,7 +117,8 @@ class AuthenticationGenerator < Rails::Generators::Base
 
   def install_javascript_dependencies
     return if options.api?
-    template "javascript/controllers/application.js", "app/javascript/controllers/application.js"
+
+    template "javascript/controllers/application.js", "app/javascript/controllers/application.js", force: true
 
     if webauthn?
       run "bin/importmap pin stimulus-web-authn" if importmaps?
@@ -195,7 +196,7 @@ class AuthenticationGenerator < Rails::Generators::Base
 
     if two_factor?
       route "resources :recovery_codes, only: [:index, :create]", namespace: [:two_factor_authentication, :profile]
-      route "resource  :totp,           only: [:new, :create]", namespace: [:two_factor_authentication, :profile]
+      route "resource  :totp,           only: [:new, :create, :update]", namespace: [:two_factor_authentication, :profile]
       route "resources :security_keys", namespace: [:two_factor_authentication, :profile] if webauthn?
 
       route "resource :recovery_codes, only: [:new, :create]", namespace: [:two_factor_authentication, :challenge]

data/lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt

@@ -16,7 +16,7 @@ class SessionsController < ApplicationController
 
     if user && user.authenticate(params[:password])
       <%- if two_factor? -%>
-      if user.otp_secret.present?
+      if user.otp_required_for_sign_in?
         session[:challenge_token] = user.signed_id(purpose: :authentication_challenge, expires_in: 20.minutes)
         redirect_to new_two_factor_authentication_challenge_totp_path
       else

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/profile/totps_controller.rb.tt

@@ -1,26 +1,35 @@
 class TwoFactorAuthentication::Profile::TotpsController < ApplicationController
   before_action :set_user
-  before_action :set_totp
+  before_action :set_totp, only: %i[ new create ]
 
   def new
-    @qr_code = RQRCode::QRCode.new(@totp.provisioning_uri(@user.email))
+    @qr_code = RQRCode::QRCode.new(provisioning_uri)
   end
 
   def create
     if @totp.verify(params[:code], drift_behind: 15)
-      @user.update! otp_secret: params[:secret]
+      @user.update! otp_required_for_sign_in: true
       redirect_to two_factor_authentication_profile_recovery_codes_path
     else
       redirect_to new_two_factor_authentication_profile_totp_path, alert: "That code didn't work. Please try again"
     end
   end
 
+  def update
+    @user.update! otp_secret: ROTP::Base32.random
+    redirect_to new_two_factor_authentication_profile_totp_path
+  end
+
   private
     def set_user
       @user = Current.user
     end
 
     def set_totp
-      @totp = ROTP::TOTP.new(params[:secret] || ROTP::Base32.random, issuer: "YourAppName")
+      @totp = ROTP::TOTP.new(@user.otp_secret, issuer: "YourAppName")
+    end
+
+    def provisioning_uri
+      @totp.provisioning_uri @user.email
     end
 end

data/lib/generators/authentication/templates/erb/home/index.html.erb.tt

@@ -16,7 +16,7 @@
   <%%= link_to "Two-Factor Authentication", new_two_factor_authentication_profile_totp_path %>
 </div>
 
-<%% if Current.user.otp_secret.present? %>
+<%% if Current.user.otp_required_for_sign_in? %>
   <div><%%= link_to "Recovery Codes", two_factor_authentication_profile_recovery_codes_path %></div>
   <%- if webauthn? -%>
   <div><%%= link_to "Security keys", two_factor_authentication_profile_security_keys_path %></div>

data/lib/generators/authentication/templates/erb/two_factor_authentication/profile/totps/new.html.erb.tt

@@ -1,5 +1,17 @@
 <p style="color: red"><%%= alert %></p>
 
+<%% if Current.user.otp_required_for_sign_in? %>
+  <h1>Want to replace your existing 2FA setup?</h1>
+
+  <p>Your account is already protected with two-factor authentication. You can replace that setup if you want to switch to a new phone or authenticator app.</p>
+
+  <p><strong>Do you want to continue? Your existing 2FA setup will no longer work.</strong></p>
+
+  <%%= button_to "Yes, replace my 2FA setup", two_factor_authentication_profile_totp_path, method: :patch %>
+
+  <hr>
+<%% end %>
+
 <h1>Upgrade your security with 2FA</h1>
 
 <h2>Step 1: Get an Authenticator App</h2>
@@ -15,8 +27,6 @@
 </figure>
 
 <%%= form_with(url: two_factor_authentication_profile_totp_path) do |form| %>
-  <%%= form.hidden_field :secret, value: @totp.secret %>
-
   <div>
     <%%= form.label :code, "After scanning with your camera, the app will generate a six-digit code. Enter it here:", style: "display: block" %>
     <%%= form.text_field :code, required: true, autofocus: true, autocomplete: :off %>

data/lib/generators/authentication/templates/migrations/create_users_migration.rb.tt

@@ -6,10 +6,11 @@ class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Mi
 
       t.boolean :verified, null: false, default: false
       <%- if two_factor? %>
-      t.string :otp_secret
+      t.boolean :otp_required_for_sign_in, null: false, default: false
+      t.string  :otp_secret, null: false
       <%- end -%>
       <%- if webauthn? %>
-      t.string :webauthn_id
+      t.string :webauthn_id, null: false
       <%- end -%>
       <%- if omniauthable? %>
       t.string :provider

data/lib/generators/authentication/templates/models/user.rb.tt

@@ -30,8 +30,13 @@ class User < ApplicationRecord
   before_validation if: :email_changed?, on: :update do
     self.verified = false
   end
+  <%- if two_factor? %>
+  before_create do
+    self.otp_secret = ROTP::Base32.random
+  end
+  <%- end -%>
   <%- if webauthn? %>
-  before_validation on: :create do
+  before_create do
     self.webauthn_id = WebAuthn.generate_user_id
   end
   <%- end -%>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authentication-zero
 version: !ruby/object:Gem::Version
-  version: 2.16.23
+  version: 2.16.25
 platform: ruby
 authors:
 - Nixon
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-12 00:00:00.000000000 Z
+date: 2023-04-13 00:00:00.000000000 Z
 dependencies: []
 description:
 email: