RubyGems - authentication-zero - Versions diffs - 2.9.1 → 2.10.0 - Mend

authentication-zero 2.9.1 → 2.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 349df436a5358765a5f4537e5e37e79c566dfe575875f77380fe1a2eeb21096f
-  data.tar.gz: f017571edaa6c887bcdecf4ffa023cc7d86830e0fba4ba3c7ad6dbd8626bf952
+  metadata.gz: c0ad4048d0c9df83173acebd1bbf770f519a7bb2a8b5b45c7e9af3c268904052
+  data.tar.gz: 06a897ebfc48122cfaf151a49b7412ef13b098069eb3bc7a2a4c088bcc711c90
 SHA512:
-  metadata.gz: a70ba5553accd5f23b71ad58b58dd270f78636b28bca944decb062d16a31d83808a9dca86cd2b38f5f83317a6748c32ef25d3944613686ea215c05cdcc647dbe
-  data.tar.gz: 2506decfeaa1e126d0160d11d787577ecff6c8afa6b4a27930a01ac65b9cfca2fa7ccdc82392dc488dafee102ebe4419ce1422450400810efcf7437fe1578454
+  metadata.gz: fd26a42853d553616f366e1ddc57439ce91ba039f2cf25a5d3c80be48a6b0f0e7fee6816ead70587780ebc8a358e74e53543c0b6438eb39d7baf818aacc5191c
+  data.tar.gz: 657bb45b7e9edfd6a036e9df9a2df41a2b2001199e65586d82548d7bd4ade28946be06ec3dbb28ba6fba100e275881c1a02dbb3de29b8546899393829b4cdc97

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+## Authentication Zero 2.10.0 (March 2, 2022) ##
+* Implement two-factor
 ## Authentication Zero 2.9.0 (March 2, 2022) ##
 * Implement trackable

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (2.9.1)
+    authentication-zero (2.10.0)
 GEM
   remote: https://rubygems.org/

data/README.md CHANGED Viewed

@@ -11,6 +11,7 @@ The purpose of authentication zero is to generate a pre-built authentication sys
 - Checks if a password has been found in any data breach (--pwned)
 - Authentication by cookie
 - Authentication by token (--api)
+- Two factor authentication (--two-factor)
 - Social Login with OmniAuth (--omniauthable)
 - Ask password before sensitive data changes, aka: sudo
 - Reset the user password and send reset instructions
@@ -53,7 +54,7 @@ root "home#index"
 ```
 ```
-$ rails generate controller home index
+rails generate controller home index
 ```
 Add these lines to your `app/views/home/index.html.erb`:
@@ -79,6 +80,10 @@ Add these lines to your `app/views/home/index.html.erb`:
   <%# link_to "Activity Log", authentications_events_path %>
 </div>
+<div>
+  <%# link_to "Two-Factor Authentication", new_two_factor_authentication_totp_path %>
+</div>
 <br>
 <%= button_to "Log out", Current.session, method: :delete %>
@@ -93,7 +98,7 @@ config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
 ## Usage
 ```
-$ rails generate authentication user
+rails generate authentication user
 ```
 Then run `bundle install` again!

data/lib/authentication_zero/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "2.9.1"
+  VERSION = "2.10.0"
 end

data/lib/generators/authentication/authentication_generator.rb CHANGED Viewed

@@ -9,6 +9,7 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   class_option :ratelimit,    type: :boolean, desc: "Add request rate limiting"
   class_option :omniauthable, type: :boolean, desc: "Add social login support"
   class_option :trackable,    type: :boolean, desc: "Add activity log support"
+  class_option :two_factor,   type: :boolean, desc: "Add two factor authentication"
   source_root File.expand_path("templates", __dir__)
@@ -29,15 +30,20 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
       gem "omniauth", comment: "Use OmniAuth to support multi-provider authentication [https://github.com/omniauth/omniauth]"
       gem "omniauth-rails_csrf_protection", comment: "Provides a mitigation against CVE-2015-9284 [https://github.com/cookpad/omniauth-rails_csrf_protection]"
     end
+    if two_factor?
+      gem "rotp", comment: "Use rotp for generating and validating one time passwords [https://github.com/mdp/rotp]"
+      gem "rqrcode", comment: "Use rqrcode for creating and rendering QR codes into various formats [https://github.com/whomwah/rqrcode]"
+    end
   end
   def create_configuration_files
-     copy_file "config/redis/shared.yml", "config/redis/shared.yml" if options.lockable?
-     copy_file "config/initializers/omniauth.rb", "config/initializers/omniauth.rb" if omniauthable?
+    copy_file "config/redis/shared.yml", "config/redis/shared.yml" if options.lockable?
+    copy_file "config/initializers/omniauth.rb", "config/initializers/omniauth.rb" if omniauthable?
   end
   def add_environment_configurations
-     ratelimit_code = <<~CODE
+    ratelimit_code = <<~CODE
       # Rate limit general requests by IP address in a rate of 1000 requests per hour
       config.middleware.use(Rack::Ratelimit, name: "General", rate: [1000, 1.hour], redis: Redis.new, logger: Rails.logger) { |env| ActionDispatch::Request.new(env).ip }
     CODE
@@ -63,68 +69,19 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
     template "test_unit/fixtures.yml", "test/fixtures/#{fixture_file_name}.yml"
   end
-  def add_application_controller_methods
-    api_code = <<~CODE
-      include ActionController::HttpAuthentication::Token::ControllerMethods
-      before_action :set_current_request_details
-      before_action :authenticate
-      def require_sudo
-        if Current.session.sudo_at < 30.minutes.ago
-          render json: { error: "Enter your password to continue" }, status: :forbidden
-        end
-      end
-      private
-        def authenticate
-          if session = authenticate_with_http_token { |token, _| Session.find_signed(token) }
-            Current.session = session
-          else
-            request_http_token_authentication
-          end
-        end
-        def set_current_request_details
-          Current.user_agent = request.user_agent
-          Current.ip_address = request.ip
-        end
-    CODE
-    html_code = <<~CODE
-      before_action :set_current_request_details
-      before_action :authenticate
-      def require_sudo
-        if Current.session.sudo_at < 30.minutes.ago
-          redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
-        end
-      end
-      private
-        def authenticate
-          if session = Session.find_by_id(cookies.signed[:session_token])
-            Current.session = session
-          else
-            redirect_to sign_in_path
-          end
-        end
-        def set_current_request_details
-          Current.user_agent = request.user_agent
-          Current.ip_address = request.ip
-        end
-    CODE
+  def create_controllers
+    template  "controllers/#{format_folder}/application_controller.rb", "app/controllers/application_controller.rb", force: true
-    inject_code = options.api? ? api_code : html_code
-    inject_into_class "app/controllers/application_controller.rb", "ApplicationController", optimize_indentation(inject_code, 2), verbose: false
-  end
+    if two_factor?
+      directory "controllers/#{format_folder}/two_factor_authentication", "app/controllers/two_factor_authentication"
+      template  "controllers/#{format_folder}/sessions_controller_two_factor.rb", "app/controllers/sessions_controller.rb"
+    else
+      template  "controllers/#{format_folder}/sessions_controller.rb", "app/controllers/sessions_controller.rb"
+    end
-  def create_controllers
     directory "controllers/#{format_folder}/identity", "app/controllers/identity"
     template  "controllers/#{format_folder}/passwords_controller.rb", "app/controllers/passwords_controller.rb"
     template  "controllers/#{format_folder}/registrations_controller.rb", "app/controllers/registrations_controller.rb"
-    template  "controllers/#{format_folder}/sessions_controller.rb", "app/controllers/sessions_controller.rb"
     template  "controllers/#{format_folder}/sessions/sudos_controller.rb", "app/controllers/sessions/sudos_controller.rb"
     template  "controllers/#{format_folder}/sessions/omniauth_controller.rb", "app/controllers/sessions/omniauth_controller.rb" if omniauthable?
     template  "controllers/#{format_folder}/authentications/events_controller.rb", "app/controllers/authentications/events_controller.rb" if options.trackable?
@@ -142,6 +99,7 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
       directory "erb/passwords", "app/views/passwords"
       directory "erb/registrations", "app/views/registrations"
       directory "erb/sessions", "app/views/sessions"
+      directory "erb/two_factor_authentication", "app/views/two_factor_authentication" if two_factor?
       directory "erb/authentications/events", "app/views/authentications/events" if options.trackable?
     end
   end
@@ -153,29 +111,36 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   def add_routes
     if omniauthable?
       route "post '/auth/:provider/callback', to: 'sessions/omniauth#create'"
-      route "get '/auth/:provider/callback', to: 'sessions/omniauth#create'"
-      route "get '/auth/failure', to: 'sessions/omniauth#failure'"
+      route "get  '/auth/:provider/callback', to: 'sessions/omniauth#create'"
+      route "get  '/auth/failure',            to: 'sessions/omniauth#failure'"
+    end
+    if two_factor?
+      route "resource :totp,      only: [:new, :create]", namespace: :two_factor_authentication
+      route "resource :challenge, only: [:new, :create]", namespace: :two_factor_authentication
     end
     if options.trackable?
       route "resources :events, only: :index", namespace: :authentications
     end
-    route "resource :password_reset, only: [:new, :edit, :create, :update]", namespace: :identity
+    route "resource :password_reset,     only: [:new, :edit, :create, :update]", namespace: :identity
     route "resource :email_verification, only: [:edit, :create]", namespace: :identity
-    route "resource :email, only: [:edit, :update]", namespace: :identity
+    route "resource :email,              only: [:edit, :update]", namespace: :identity
     route "resource :sudo, only: [:new, :create]", namespace: :sessions
+    route "resource  :password, only: [:edit, :update]"
     route "resources :sessions, only: [:index, :show, :destroy]"
-    route "resource :password, only: [:edit, :update]"
     route "post 'sign_up', to: 'registrations#create'"
-    route "get 'sign_up', to: 'registrations#new'" unless options.api?
+    route "get  'sign_up', to: 'registrations#new'" unless options.api?
     route "post 'sign_in', to: 'sessions#create'"
-    route "get 'sign_in', to: 'sessions#new'" unless options.api?
+    route "get  'sign_in', to: 'sessions#new'" unless options.api?
   end
   def create_test_files
     directory "test_unit/controllers/#{format_folder}", "test/controllers"
     directory "test_unit/system", "test/system" unless options.api?
+    template "test_unit/test_helper.rb", "test/test_helper.rb", force: true
+    template "test_unit/application_system_test_case.rb", "test/application_system_test_case.rb", force: true unless options.api?
   end
   private
@@ -186,4 +151,8 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
     def omniauthable?
       options.omniauthable? && !options.api?
     end
+    def two_factor?
+      options.two_factor? && !options.api?
+    end
 end

data/lib/generators/authentication/templates/controllers/api/application_controller.rb.tt ADDED Viewed

@@ -0,0 +1,26 @@
+class ApplicationController < ActionController::API
+  include ActionController::HttpAuthentication::Token::ControllerMethods
+  before_action :set_current_request_details
+  before_action :authenticate
+  def require_sudo
+    if Current.session.sudo_at < 30.minutes.ago
+      render json: { error: "Enter your password to continue" }, status: :forbidden
+    end
+  end
+  private
+    def authenticate
+      if session = authenticate_with_http_token { |token, _| Session.find_signed(token) }
+        Current.session = session
+      else
+        request_http_token_authentication
+      end
+    end
+    def set_current_request_details
+      Current.user_agent = request.user_agent
+      Current.ip_address = request.ip
+    end
+end

data/lib/generators/authentication/templates/controllers/api/identity/password_resets_controller.rb.tt CHANGED Viewed

@@ -1,9 +1,9 @@
 class Identity::PasswordResetsController < ApplicationController
   skip_before_action :authenticate
-<% if options.lockable? -%>
+  <%- if options.lockable? -%>
   before_action :require_locking, only: :create
-<% end -%>
+  <%- end -%>
   before_action :set_<%= singular_table_name %>, only: :update
   def create
@@ -32,11 +32,11 @@ class Identity::PasswordResetsController < ApplicationController
     def <%= "#{singular_table_name}_params" %>
       params.permit(:password, :password_confirmation)
     end
-<% if options.lockable? %>
+    <%- if options.lockable? %>
     def require_locking
       Locking.lock_on("password_reset_lock:#{request.remote_ip}", wait: 1.hour, attempts: 10) do
         render json: { error: "You've exceeded the maximum number of attempts" }, status: :too_many_requests
       end
     end
-<% end -%>
+    <%- end -%>
 end

data/lib/generators/authentication/templates/controllers/html/application_controller.rb.tt ADDED Viewed

@@ -0,0 +1,24 @@
+class ApplicationController < ActionController::Base
+  before_action :set_current_request_details
+  before_action :authenticate
+  def require_sudo
+    if Current.session.sudo_at < 30.minutes.ago
+      redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
+    end
+  end
+  private
+    def authenticate
+      if session = Session.find_by_id(cookies.signed[:session_token])
+        Current.session = session
+      else
+        redirect_to sign_in_path
+      end
+    end
+    def set_current_request_details
+      Current.user_agent = request.user_agent
+      Current.ip_address = request.ip
+    end
+end

data/lib/generators/authentication/templates/controllers/html/identity/password_resets_controller.rb.tt CHANGED Viewed

@@ -1,9 +1,9 @@
 class Identity::PasswordResetsController < ApplicationController
   skip_before_action :authenticate
-<% if options.lockable? -%>
+  <%- if options.lockable? -%>
   before_action :require_locking, only: :create
-<% end -%>
+  <%- end -%>
   before_action :set_<%= singular_table_name %>, only: %i[ edit update ]
   def new
@@ -39,11 +39,11 @@ class Identity::PasswordResetsController < ApplicationController
     def <%= "#{singular_table_name}_params" %>
       params.permit(:password, :password_confirmation)
     end
-<% if options.lockable? %>
+    <%- if options.lockable? %>
     def require_locking
       Locking.lock_on("password_reset_lock:#{request.remote_ip}", wait: 1.hour, attempts: 10) do
         redirect_to new_identity_password_reset_path, alert: "You've exceeded the maximum number of attempts"
       end
     end
-<% end -%>
+    <%- end -%>
 end

data/lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt CHANGED Viewed

@@ -5,11 +5,11 @@ class Sessions::SudosController < ApplicationController
   def create
     session = Current.session
-<% if omniauthable? -%>
+    <%- if omniauthable? -%>
     if session.<%= singular_table_name %>.authenticate(params[:password]) || session.<%= singular_table_name %>.provider
-<% else -%>
+    <%- else -%>
     if session.<%= singular_table_name %>.authenticate(params[:password])
-<% end -%>
+    <%- end -%>
       session.update!(sudo_at: Time.current); redirect_to(params[:proceed_to_url])
     else
       redirect_to new_sessions_sudo_path(proceed_to_url: params[:proceed_to_url]), alert: "The password you entered is incorrect"

data/lib/generators/authentication/templates/controllers/html/sessions_controller_two_factor.rb.tt ADDED Viewed

@@ -0,0 +1,41 @@
+class SessionsController < ApplicationController
+  skip_before_action :authenticate, only: %i[ new create ]
+  before_action :set_session, only: :destroy
+  def index
+    @sessions = Current.<%= singular_table_name %>.sessions.order(created_at: :desc)
+  end
+  def new
+    @<%= singular_table_name %> = <%= class_name %>.new
+  end
+  def create
+    <%= singular_table_name %> = <%= class_name %>.find_by(email: params[:email])
+    if <%= singular_table_name %> && <%= singular_table_name %>.authenticate(params[:password])
+      if <%= singular_table_name %>.otp_secret
+        signed_id = <%= singular_table_name %>.signed_id(purpose: :authentication_challenge, expires_in: 20.minutes)
+        redirect_to new_two_factor_authentication_challenge_path(token: signed_id)
+      else
+        @session = <%= singular_table_name %>.sessions.create!
+        cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
+        redirect_to root_path, notice: "Signed in successfully"
+      end
+    else
+      redirect_to sign_in_path(email_hint: params[:email]), alert: "That email or password is incorrect"
+    end
+  end
+  def destroy
+    @session.destroy; redirect_to(sessions_path, notice: "That session has been logged out")
+  end
+  private
+    def set_session
+      @session = Current.<%= singular_table_name %>.sessions.find(params[:id])
+    end
+end

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenges_controller.rb.tt ADDED Viewed

@@ -0,0 +1,28 @@
+class TwoFactorAuthentication::ChallengesController < ApplicationController
+  skip_before_action :authenticate
+  before_action :set_<%= singular_table_name %>
+  def new
+  end
+  def create
+    @totp = ROTP::TOTP.new(@<%= singular_table_name %>.otp_secret, issuer: "YourAppName")
+    if @totp.verify(params[:code], drift_behind: 15)
+      session = @<%= singular_table_name %>.sessions.create!
+      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+      redirect_to root_path, notice: "Signed in successfully"
+    else
+      redirect_to new_two_factor_authentication_challenge_path(token: params[:token]), alert: "That code didn't work. Please try again"
+    end
+  end
+  private
+    def set_<%= singular_table_name %>
+      @<%= singular_table_name %> = <%= class_name %>.find_signed!(params[:token], purpose: :authentication_challenge)
+    rescue
+      redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
+    end
+end

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/totps_controller.rb.tt ADDED Viewed

@@ -0,0 +1,26 @@
+class TwoFactorAuthentication::TotpsController < ApplicationController
+  before_action :require_sudo
+  before_action :set_<%= singular_table_name %>
+  before_action :set_totp
+  def new
+    @qr_code = RQRCode::QRCode.new(@totp.provisioning_uri(@<%= singular_table_name %>.email))
+  end
+  def create
+    if @totp.verify(params[:code], drift_behind: 15)
+      @<%= singular_table_name %>.update! otp_secret: params[:secret]
+      redirect_to root_path, notice: "2FA is enabled on your account"
+    else
+      redirect_to two_factor_authentication_totp_path, alert: "That code didn't work. Please try again"
+    end
+  end
+  def set_<%= singular_table_name %>
+    @<%= singular_table_name %> = Current.<%= singular_table_name %>
+  end
+  def set_totp
+    @totp = ROTP::TOTP.new(params[:secret] || ROTP::Base32.random, issuer: "YourAppName")
+  end
+end

data/lib/generators/authentication/templates/erb/identity/password_resets/edit.html.erb.tt CHANGED Viewed

@@ -13,17 +13,17 @@
     </div>
   <%% end %>
-  <%%= hidden_field_tag :token, params[:token] %>
+  <%%= form.hidden_field :token, value: params[:token] %>
   <div>
     <%%= form.label :password, "New password", style: "display: block" %>
-    <%%= form.password_field :password, autofocus: true, autocomplete: "new-password" %>
+    <%%= form.password_field :password, required: true, autofocus: true, autocomplete: "new-password" %>
     <div>12 characters minimum.</div>
   </div>
   <div>
     <%%= form.label :password_confirmation, "Confirm new password", style: "display: block" %>
-    <%%= form.password_field :password_confirmation, autocomplete: "new-password" %>
+    <%%= form.password_field :password_confirmation, required: true, autocomplete: "new-password" %>
   </div>
   <div>

data/lib/generators/authentication/templates/erb/passwords/edit.html.erb.tt CHANGED Viewed

@@ -16,19 +16,19 @@
   <%% end %>
   <div>
-    <%%= label_tag :current_password, nil, style: "display: block" %>
-    <%%= password_field_tag :current_password, nil, autofocus: true, autocomplete: "current-password" %>
+    <%%= form.label :current_password, style: "display: block" %>
+    <%%= form.password_field :current_password, required: true, autofocus: true, autocomplete: "current-password" %>
   </div>
   <div>
     <%%= form.label :password, "New password", style: "display: block" %>
-    <%%= form.password_field :password, autocomplete: "new-password" %>
+    <%%= form.password_field :password, required: true, autocomplete: "new-password" %>
     <div>12 characters minimum.</div>
   </div>
   <div>
     <%%= form.label :password_confirmation, "Confirm new password", style: "display: block" %>
-    <%%= form.password_field :password_confirmation, autocomplete: "new-password" %>
+    <%%= form.password_field :password_confirmation, required: true, autocomplete: "new-password" %>
   </div>
   <div>

data/lib/generators/authentication/templates/erb/registrations/new.html.erb.tt CHANGED Viewed

@@ -20,13 +20,13 @@
   <div>
     <%%= form.label :password, style: "display: block" %>
-    <%%= form.password_field :password, autocomplete: "new-password" %>
+    <%%= form.password_field :password, required: true, autocomplete: "new-password" %>
     <div>12 characters minimum.</div>
   </div>
   <div>
     <%%= form.label :password_confirmation, style: "display: block" %>
-    <%%= form.password_field :password_confirmation, autocomplete: "new-password" %>
+    <%%= form.password_field :password_confirmation, required: true, autocomplete: "new-password" %>
   </div>
   <div>

data/lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt CHANGED Viewed

@@ -4,10 +4,10 @@
 <%%= form_with(url: sessions_sudo_path) do |form| %>
-  <%%= hidden_field_tag :proceed_to_url, params[:proceed_to_url] %>
+  <%%= form.hidden_field :proceed_to_url, value: params[:proceed_to_url] %>
   <div>
-    <%%= password_field_tag :password, nil, autofocus: true, autocomplete: "current-password" %>
+    <%%= form.password_field :password, required: true, autofocus: true, autocomplete: "current-password" %>
   </div>
   <div>

data/lib/generators/authentication/templates/erb/two_factor_authentication/challenges/new.html.erb.tt ADDED Viewed

@@ -0,0 +1,16 @@
+<p style="color: red"><%%= alert %></p>
+<%%= form_with(url: two_factor_authentication_challenge_path) do |form| %>
+  <%%= form.hidden_field :token, value: params[:token] %>
+  <div>
+    <%%= form.label :code do %>
+      <h1>Next, open the 2FA authenticator app on your phone and type the six digit code below:</h1>
+    <%% end %>
+    <%%= form.text_field :code, autofocus: true, required: true, autocomplete: :off %>
+  </div>
+  <div>
+    <%%= form.submit "Verify" %>
+  </div>
+<%% end %>

data/lib/generators/authentication/templates/erb/two_factor_authentication/totps/new.html.erb.tt ADDED Viewed

@@ -0,0 +1,28 @@
+<p style="color: red"><%%= alert %></p>
+<h1>Upgrade your security with 2FA</h1>
+<h2>Step 1: Get an Authenticator App</h2>
+<p>First, you'll need a 2FA authenticator app on your phone. <strong>If you already have one, skip to step 2.</strong></p>
+<p><strong>If you don't have one, or you aren't sure, we recommend Microsoft Authenticator</strong>. You can download it free on the Apple App Store for iPhone, or Google Play Store for Android. Please grab your phone, search the store, and install it now.</p>
+<h2>Step 2: Scan + Enter the Code</h2>
+<p>Next, open the authenticator app, tap "Scan QR code" or "+", and, when it asks, point your phone's camera at this QR code picture below.</p>
+<figure>
+    <%%= image_tag @qr_code.as_png(resize_exactly_to: 200).to_data_url%>
+    <figcaption>Point your camera here</figcaption>
+</figure>
+<%%= form_with(url: two_factor_authentication_totp_path) do |form| %>
+  <%%= form.hidden_field :secret, value: @totp.secret %>
+  <div>
+    <%%= form.label :code, "After scanning with your camera, the app will generate a six-digit code. Enter it here:", style: "display: block" %>
+    <%%= form.text_field :code, autofocus: true, required: true, autocomplete: :off %>
+  </div>
+  <div>
+    <%%= form.submit "Verify and active" %>
+  </div>
+<%% end %>

data/lib/generators/authentication/templates/migrations/create_table_migration.rb.tt CHANGED Viewed

@@ -5,17 +5,20 @@ class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Mi
       t.string :password_digest, null: false
       t.boolean :verified, null: false, default: false
-<% if omniauthable? %>
+      <%- if two_factor? %>
+      t.string :otp_secret
+      <%- end -%>
+      <%- if omniauthable? %>
       t.string :provider
       t.string :uid
-<% end -%>
+      <%- end -%>
       t.timestamps
     end
     add_index :<%= table_name %>, :email, unique: true
-<% if omniauthable? -%>
+    <%- if omniauthable? -%>
     add_index :<%= table_name %>, [:provider, :uid], unique: true
-<% end -%>
+    <%- end -%>
   end
 end

data/lib/generators/authentication/templates/models/model.rb.tt CHANGED Viewed

@@ -2,18 +2,18 @@ class <%= class_name %> < ApplicationRecord
   has_secure_password
   has_many :sessions, dependent: :destroy
-<% if options.trackable? -%>
+  <%- if options.trackable? -%>
   has_many :events, dependent: :destroy
-<% end -%>
+  <%- end -%>
   validates :email, presence: true, uniqueness: true
   validates_format_of :email, with: /\A[^@\s]+@[^@\s]+\z/
-  validates_length_of :password, minimum: 12, allow_blank: true
-  validates_format_of :password, with: /(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])/, allow_blank: true, message: "might easily be guessed"
-<% if options.pwned? -%>
+  validates_length_of :password, minimum: 12, allow_nil: true
+  validates_format_of :password, with: /(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])/, allow_nil: true, message: "might easily be guessed"
+  <%- if options.pwned? -%>
   validates :password, not_pwned: { message: "might easily be guessed" }
-<% end -%>
+  <%- end -%>
   before_validation do
     self.email = email.downcase.strip
@@ -30,7 +30,7 @@ class <%= class_name %> < ApplicationRecord
   after_save_commit if: :email_previously_changed? do
     IdentityMailer.with(user: self).email_verify_confirmation.deliver_later
   end
-<% if options.trackable? %>
+  <%- if options.trackable? %>
   after_save_commit if: :email_previously_changed? do
     events.create! action: "email_verification_requested"
   end
@@ -42,5 +42,5 @@ class <%= class_name %> < ApplicationRecord
   after_update if: :verified_previously_changed? do
     events.create! action: "email_verified" if verified?
   end
-<% end -%>
+  <%- end -%>
 end

data/lib/generators/authentication/templates/models/session.rb.tt CHANGED Viewed

@@ -10,7 +10,7 @@ class Session < ApplicationRecord
   after_create_commit do
     SessionMailer.with(session: self).signed_in_notification.deliver_later
   end
-<% if options.trackable? %>
+  <%- if options.trackable? %>
   after_create do
     <%= singular_table_name %>.events.create! action: "signed_in"
   end
@@ -18,5 +18,5 @@ class Session < ApplicationRecord
   after_destroy do
     <%= singular_table_name %>.events.create! action: "signed_out"
   end
-<% end -%>
+  <%- end -%>
 end

data/lib/generators/authentication/templates/test_unit/application_system_test_case.rb.tt ADDED Viewed

@@ -0,0 +1,15 @@
+require "test_helper"
+class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
+  driven_by :selenium, using: :chrome, screen_size: [1400, 1400]
+  def sign_in_as(<%= singular_table_name %>)
+    visit sign_in_url
+    fill_in :email, with: <%= singular_table_name %>.email
+    fill_in :password, with: "Secret1*3*5*"
+    click_on "Sign in"
+    assert_current_path root_url
+    return <%= singular_table_name %>
+  end
+end

data/lib/generators/authentication/templates/test_unit/controllers/api/identity/email_verifications_controller_test.rb.tt CHANGED Viewed

@@ -37,8 +37,4 @@ class Identity::EmailVerificationsControllerTest < ActionDispatch::IntegrationTe
     assert_response :bad_request
     assert_equal "That email verification link is invalid", response.parsed_body["error"]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/api/identity/emails_controller_test.rb.tt CHANGED Viewed

@@ -18,8 +18,4 @@ class Identity::EmailsControllerTest < ActionDispatch::IntegrationTest
     assert_response :forbidden
     assert_equal "Enter your password to continue", response.parsed_body["error"]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/api/identity/password_resets_controller_test.rb.tt CHANGED Viewed

@@ -6,9 +6,9 @@ class Identity::PasswordResetsControllerTest < ActionDispatch::IntegrationTest
     @sid = @<%= singular_table_name %>.signed_id(purpose: :password_reset, expires_in: 20.minutes)
     @sid_exp = @<%= singular_table_name %>.signed_id(purpose: :password_reset, expires_in: 0.minutes)
   end
-<% if options.lockable? %>
+  <%- if options.lockable? %>
   teardown { Kredis.clear_all }
-<% end -%>
+  <%- end -%>
   test "should send a password reset email" do
     assert_enqueued_email_with IdentityMailer, :password_reset_provision, args: { <%= singular_table_name %>: @<%= singular_table_name %> } do

data/lib/generators/authentication/templates/test_unit/controllers/api/passwords_controller_test.rb.tt CHANGED Viewed

@@ -16,8 +16,4 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
     assert_response :bad_request
     assert_equal "The current password you entered is incorrect", response.parsed_body["error"]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/api/sessions/sudos_controller_test.rb.tt CHANGED Viewed

@@ -17,8 +17,4 @@ class Sessions::SudosControllerTest < ActionDispatch::IntegrationTest
     assert_response :bad_request
     assert_equal "The password you entered is incorrect", response.parsed_body["error"]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/api/sessions_controller_test.rb.tt CHANGED Viewed

@@ -31,8 +31,4 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     delete session_url(@<%= singular_table_name %>.sessions.last), headers: { "Authorization" => "Bearer #{@token}" }
     assert_response :no_content
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/html/identity/email_verifications_controller_test.rb.tt CHANGED Viewed

@@ -37,8 +37,4 @@ class Identity::EmailVerificationsControllerTest < ActionDispatch::IntegrationTe
     assert_redirected_to edit_identity_email_url
     assert_equal "That email verification link is invalid", flash[:alert]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/html/identity/emails_controller_test.rb.tt CHANGED Viewed

@@ -28,8 +28,4 @@ class Identity::EmailsControllerTest < ActionDispatch::IntegrationTest
     patch identity_email_url, params: { email: "new_email@hey.com" }
     assert_redirected_to new_sessions_sudo_url(proceed_to_url: identity_email_url)
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/html/identity/password_resets_controller_test.rb.tt CHANGED Viewed

@@ -6,9 +6,9 @@ class Identity::PasswordResetsControllerTest < ActionDispatch::IntegrationTest
     @sid = @<%= singular_table_name %>.signed_id(purpose: :password_reset, expires_in: 20.minutes)
     @sid_exp = @<%= singular_table_name %>.signed_id(purpose: :password_reset, expires_in: 0.minutes)
   end
-<% if options.lockable? %>
+  <%- if options.lockable? %>
   teardown { Kredis.clear_all }
-<% end -%>
+  <%- end -%>
   test "should get new" do
     get new_identity_password_reset_url

data/lib/generators/authentication/templates/test_unit/controllers/html/passwords_controller_test.rb.tt CHANGED Viewed

@@ -21,8 +21,4 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
     assert_redirected_to edit_password_url
     assert_equal "The current password you entered is incorrect", flash[:alert]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/html/sessions/sudos_controller_test.rb.tt CHANGED Viewed

@@ -19,8 +19,4 @@ class Sessions::SudosControllerTest < ActionDispatch::IntegrationTest
     post sessions_sudo_url, params: { password: "SecretWrong1*3", proceed_to_url: edit_password_url }
     assert_redirected_to new_sessions_sudo_url(proceed_to_url: edit_password_url)
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/html/sessions_controller_test.rb.tt CHANGED Viewed

@@ -45,8 +45,4 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     follow_redirect!
     assert_redirected_to sign_in_url
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/system/identity/emails_test.rb.tt CHANGED Viewed

@@ -22,14 +22,4 @@ class Identity::EmailsTest < ApplicationSystemTestCase
     assert_text "We sent a verification email to your email address"
   end
-  def sign_in_as(<%= singular_table_name %>)
-    visit sign_in_url
-    fill_in :email, with: <%= singular_table_name %>.email
-    fill_in :password, with: "Secret1*3*5*"
-    click_on "Sign in"
-    assert_current_path root_url
-    return <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/system/identity/password_resets_test.rb.tt CHANGED Viewed

@@ -5,9 +5,9 @@ class Identity::PasswordResetsTest < ApplicationSystemTestCase
     @<%= singular_table_name %> = <%= table_name %>(:lazaro_nixon)
     @sid = @<%= singular_table_name %>.signed_id(purpose: :password_reset, expires_in: 20.minutes)
   end
-<% if options.lockable? %>
+  <%- if options.lockable? %>
   teardown { Kredis.clear_all }
-<% end -%>
+  <%- end -%>
   test "sending a password reset email" do
     visit sign_in_url

data/lib/generators/authentication/templates/test_unit/system/passwords_test.rb.tt CHANGED Viewed

@@ -15,14 +15,4 @@ class PasswordsTest < ApplicationSystemTestCase
     assert_text "Your password has been changed"
   end
-  def sign_in_as(<%= singular_table_name %>)
-    visit sign_in_url
-    fill_in :email, with: <%= singular_table_name %>.email
-    fill_in :password, with: "Secret1*3*5*"
-    click_on "Sign in"
-    assert_current_path root_url
-    return <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/system/sessions/sudos_test.rb.tt CHANGED Viewed

@@ -12,14 +12,4 @@ class Sessions::SudosTest < ApplicationSystemTestCase
     assert_selector "h1", text: "Change your password"
   end
-  def sign_in_as(<%= singular_table_name %>)
-    visit sign_in_url
-    fill_in :email, with: <%= singular_table_name %>.email
-    fill_in :password, with: "Secret1*3*5*"
-    click_on "Sign in"
-    assert_current_path root_url
-    return <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/system/sessions_test.rb.tt CHANGED Viewed

@@ -21,13 +21,10 @@ class SessionsTest < ApplicationSystemTestCase
     assert_text "Signed in successfully"
   end
-  def sign_in_as(<%= singular_table_name %>)
-    visit sign_in_url
-    fill_in :email, with: <%= singular_table_name %>.email
-    fill_in :password, with: "Secret1*3*5*"
-    click_on "Sign in"
+  test "signing out" do
+    sign_in_as @<%= singular_table_name %>
-    assert_current_path root_url
-    return <%= singular_table_name %>
+    click_on "Log out"
+    assert_text "That session has been logged out"
   end
 end

data/lib/generators/authentication/templates/test_unit/test_helper.rb.tt ADDED Viewed

@@ -0,0 +1,22 @@
+ENV["RAILS_ENV"] ||= "test"
+require_relative "../config/environment"
+require "rails/test_help"
+class ActiveSupport::TestCase
+  # Run tests in parallel with specified workers
+  parallelize(workers: :number_of_processors)
+  # Setup all fixtures in test/fixtures/*.yml for all tests in alphabetical order.
+  fixtures :all
+  # Add more helper methods to be used by all tests here...
+  <%- if options.api? -%>
+  def sign_in_as(<%= singular_table_name %>)
+    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
+  end
+  <%- else -%>
+  def sign_in_as(<%= singular_table_name %>)
+    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); <%= singular_table_name %>
+  end
+  <%- end -%>
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authentication-zero
 version: !ruby/object:Gem::Version
-  version: 2.9.1
+  version: 2.10.0
 platform: ruby
 authors:
 - Nixon
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-07 00:00:00.000000000 Z
+date: 2022-03-14 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -35,6 +35,7 @@ files:
 - lib/generators/authentication/authentication_generator.rb
 - lib/generators/authentication/templates/config/initializers/omniauth.rb
 - lib/generators/authentication/templates/config/redis/shared.yml
+- lib/generators/authentication/templates/controllers/api/application_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/authentications/events_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/identity/email_verifications_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/identity/emails_controller.rb.tt
@@ -43,6 +44,7 @@ files:
 - lib/generators/authentication/templates/controllers/api/registrations_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/sessions/sudos_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/sessions_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/application_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/authentications/events_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/identity/email_verifications_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/identity/emails_controller.rb.tt
@@ -52,6 +54,9 @@ files:
 - lib/generators/authentication/templates/controllers/html/sessions/omniauth_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/sessions_controller_two_factor.rb.tt
+- lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenges_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/two_factor_authentication/totps_controller.rb.tt
 - lib/generators/authentication/templates/erb/authentications/events/index.html.erb
 - lib/generators/authentication/templates/erb/identity/emails/edit.html.erb.tt
 - lib/generators/authentication/templates/erb/identity/password_resets/edit.html.erb.tt
@@ -67,6 +72,8 @@ files:
 - lib/generators/authentication/templates/erb/sessions/index.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/new.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/challenges/new.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/totps/new.html.erb.tt
 - lib/generators/authentication/templates/mailers/identity_mailer.rb.tt
 - lib/generators/authentication/templates/mailers/session_mailer.rb.tt
 - lib/generators/authentication/templates/migrations/create_events_migration.rb.tt
@@ -77,6 +84,7 @@ files:
 - lib/generators/authentication/templates/models/locking.rb.tt
 - lib/generators/authentication/templates/models/model.rb.tt
 - lib/generators/authentication/templates/models/session.rb.tt
+- lib/generators/authentication/templates/test_unit/application_system_test_case.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/email_verifications_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/emails_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/password_resets_controller_test.rb.tt
@@ -98,6 +106,7 @@ files:
 - lib/generators/authentication/templates/test_unit/system/registrations_test.rb.tt
 - lib/generators/authentication/templates/test_unit/system/sessions/sudos_test.rb.tt
 - lib/generators/authentication/templates/test_unit/system/sessions_test.rb.tt
+- lib/generators/authentication/templates/test_unit/test_helper.rb.tt
 homepage: https://github.com/lazaronixon/authentication-zero
 licenses:
 - MIT