RubyGems - authentication-zero - Versions diffs - 2.9.1 → 2.10.0 - Mend

authentication-zero 2.9.1 → 2.10.0

Files changed (43) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 349df436a5358765a5f4537e5e37e79c566dfe575875f77380fe1a2eeb21096f
-  data.tar.gz: f017571edaa6c887bcdecf4ffa023cc7d86830e0fba4ba3c7ad6dbd8626bf952
+  metadata.gz: c0ad4048d0c9df83173acebd1bbf770f519a7bb2a8b5b45c7e9af3c268904052
+  data.tar.gz: 06a897ebfc48122cfaf151a49b7412ef13b098069eb3bc7a2a4c088bcc711c90
 SHA512:
-  metadata.gz: a70ba5553accd5f23b71ad58b58dd270f78636b28bca944decb062d16a31d83808a9dca86cd2b38f5f83317a6748c32ef25d3944613686ea215c05cdcc647dbe
-  data.tar.gz: 2506decfeaa1e126d0160d11d787577ecff6c8afa6b4a27930a01ac65b9cfca2fa7ccdc82392dc488dafee102ebe4419ce1422450400810efcf7437fe1578454
+  metadata.gz: fd26a42853d553616f366e1ddc57439ce91ba039f2cf25a5d3c80be48a6b0f0e7fee6816ead70587780ebc8a358e74e53543c0b6438eb39d7baf818aacc5191c
+  data.tar.gz: 657bb45b7e9edfd6a036e9df9a2df41a2b2001199e65586d82548d7bd4ade28946be06ec3dbb28ba6fba100e275881c1a02dbb3de29b8546899393829b4cdc97

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+## Authentication Zero 2.10.0 (March 2, 2022) ##
+* Implement two-factor
 ## Authentication Zero 2.9.0 (March 2, 2022) ##
 * Implement trackable

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (2.9.1)
+    authentication-zero (2.10.0)
 GEM
   remote: https://rubygems.org/

data/README.md CHANGED Viewed

@@ -11,6 +11,7 @@ The purpose of authentication zero is to generate a pre-built authentication sys
 - Checks if a password has been found in any data breach (--pwned)
 - Authentication by cookie
 - Authentication by token (--api)
+- Two factor authentication (--two-factor)
 - Social Login with OmniAuth (--omniauthable)
 - Ask password before sensitive data changes, aka: sudo
 - Reset the user password and send reset instructions
@@ -53,7 +54,7 @@ root "home#index"
 ```
 ```
-$ rails generate controller home index
+rails generate controller home index
 ```
 Add these lines to your `app/views/home/index.html.erb`:
@@ -79,6 +80,10 @@ Add these lines to your `app/views/home/index.html.erb`:
   <%# link_to "Activity Log", authentications_events_path %>
 </div>
+<div>
+  <%# link_to "Two-Factor Authentication", new_two_factor_authentication_totp_path %>
+</div>
 <br>
 <%= button_to "Log out", Current.session, method: :delete %>
@@ -93,7 +98,7 @@ config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
 ## Usage
 ```
-$ rails generate authentication user
+rails generate authentication user
 ```
 Then run `bundle install` again!

data/lib/authentication_zero/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "2.9.1"
+  VERSION = "2.10.0"
 end

data/lib/generators/authentication/authentication_generator.rb CHANGED Viewed

@@ -9,6 +9,7 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   class_option :ratelimit,    type: :boolean, desc: "Add request rate limiting"
   class_option :omniauthable, type: :boolean, desc: "Add social login support"
   class_option :trackable,    type: :boolean, desc: "Add activity log support"
+  class_option :two_factor,   type: :boolean, desc: "Add two factor authentication"
   source_root File.expand_path("templates", __dir__)
@@ -29,15 +30,20 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
       gem "omniauth", comment: "Use OmniAuth to support multi-provider authentication [https://github.com/omniauth/omniauth]"
       gem "omniauth-rails_csrf_protection", comment: "Provides a mitigation against CVE-2015-9284 [https://github.com/cookpad/omniauth-rails_csrf_protection]"
     end
+    if two_factor?
+      gem "rotp", comment: "Use rotp for generating and validating one time passwords [https://github.com/mdp/rotp]"
+      gem "rqrcode", comment: "Use rqrcode for creating and rendering QR codes into various formats [https://github.com/whomwah/rqrcode]"
+    end
   end
   def create_configuration_files
-     copy_file "config/redis/shared.yml", "config/redis/shared.yml" if options.lockable?
-     copy_file "config/initializers/omniauth.rb", "config/initializers/omniauth.rb" if omniauthable?
+    copy_file "config/redis/shared.yml", "config/redis/shared.yml" if options.lockable?
+    copy_file "config/initializers/omniauth.rb", "config/initializers/omniauth.rb" if omniauthable?
   end
   def add_environment_configurations
-     ratelimit_code = <<~CODE
+    ratelimit_code = <<~CODE
       # Rate limit general requests by IP address in a rate of 1000 requests per hour
       config.middleware.use(Rack::Ratelimit, name: "General", rate: [1000, 1.hour], redis: Redis.new, logger: Rails.logger) { |env| ActionDispatch::Request.new(env).ip }
     CODE
@@ -63,68 +69,19 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
     template "test_unit/fixtures.yml", "test/fixtures/#{fixture_file_name}.yml"
   end
-  def add_application_controller_methods
-    api_code = <<~CODE
-      include ActionController::HttpAuthentication::Token::ControllerMethods
-      before_action :set_current_request_details
-      before_action :authenticate
-      def require_sudo
-        if Current.session.sudo_at < 30.minutes.ago
-          render json: { error: "Enter your password to continue" }, status: :forbidden
-        end
-      end
-      private
-        def authenticate
-          if session = authenticate_with_http_token { |token, _| Session.find_signed(token) }
-            Current.session = session
-          else
-            request_http_token_authentication
-          end
-        end
-        def set_current_request_details
-          Current.user_agent = request.user_agent
-          Current.ip_address = request.ip
-        end
-    CODE
-    html_code = <<~CODE
-      before_action :set_current_request_details
-      before_action :authenticate
-      def require_sudo
-        if Current.session.sudo_at < 30.minutes.ago
-          redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
-        end
-      end
-      private
-        def authenticate
-          if session = Session.find_by_id(cookies.signed[:session_token])
-            Current.session = session
-          else
-            redirect_to sign_in_path
-          end
-        end
-        def set_current_request_details
-          Current.user_agent = request.user_agent
-          Current.ip_address = request.ip
-        end
-    CODE
+  def create_controllers
+    template  "controllers/#{format_folder}/application_controller.rb", "app/controllers/application_controller.rb", force: true
-    inject_code = options.api? ? api_code : html_code
-    inject_into_class "app/controllers/application_controller.rb", "ApplicationController", optimize_indentation(inject_code, 2), verbose: false
-  end
+    if two_factor?
+      directory "controllers/#{format_folder}/two_factor_authentication", "app/controllers/two_factor_authentication"
+      template  "controllers/#{format_folder}/sessions_controller_two_factor.rb", "app/controllers/sessions_controller.rb"
+    else
+      template  "controllers/#{format_folder}/sessions_controller.rb", "app/controllers/sessions_controller.rb"
+    end
-  def create_controllers
     directory "controllers/#{format_folder}/identity", "app/controllers/identity"
     template  "controllers/#{format_folder}/passwords_controller.rb", "app/controllers/passwords_controller.rb"
     template  "controllers/#{format_folder}/registrations_controller.rb", "app/controllers/registrations_controller.rb"
-    template  "controllers/#{format_folder}/sessions_controller.rb", "app/controllers/sessions_controller.rb"
     template  "controllers/#{format_folder}/sessions/sudos_controller.rb", "app/controllers/sessions/sudos_controller.rb"
     template  "controllers/#{format_folder}/sessions/omniauth_controller.rb", "app/controllers/sessions/omniauth_controller.rb" if omniauthable?
     template  "controllers/#{format_folder}/authentications/events_controller.rb", "app/controllers/authentications/events_controller.rb" if options.trackable?
@@ -142,6 +99,7 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
       directory "erb/passwords", "app/views/passwords"
       directory "erb/registrations", "app/views/registrations"
       directory "erb/sessions", "app/views/sessions"
+      directory "erb/two_factor_authentication", "app/views/two_factor_authentication" if two_factor?
       directory "erb/authentications/events", "app/views/authentications/events" if options.trackable?
     end
   end
@@ -153,29 +111,36 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   def add_routes
     if omniauthable?
       route "post '/auth/:provider/callback', to: 'sessions/omniauth#create'"
-      route "get '/auth/:provider/callback', to: 'sessions/omniauth#create'"
-      route "get '/auth/failure', to: 'sessions/omniauth#failure'"
+      route "get  '/auth/:provider/callback', to: 'sessions/omniauth#create'"
+      route "get  '/auth/failure',            to: 'sessions/omniauth#failure'"
+    end
+    if two_factor?
+      route "resource :totp,      only: [:new, :create]", namespace: :two_factor_authentication
+      route "resource :challenge, only: [:new, :create]", namespace: :two_factor_authentication
     end
     if options.trackable?
       route "resources :events, only: :index", namespace: :authentications
     end
-    route "resource :password_reset, only: [:new, :edit, :create, :update]", namespace: :identity
+    route "resource :password_reset,     only: [:new, :edit, :create, :update]", namespace: :identity
     route "resource :email_verification, only: [:edit, :create]", namespace: :identity
-    route "resource :email, only: [:edit, :update]", namespace: :identity
+    route "resource :email,              only: [:edit, :update]", namespace: :identity
     route "resource :sudo, only: [:new, :create]", namespace: :sessions
+    route "resource  :password, only: [:edit, :update]"
     route "resources :sessions, only: [:index, :show, :destroy]"
-    route "resource :password, only: [:edit, :update]"
     route "post 'sign_up', to: 'registrations#create'"
-    route "get 'sign_up', to: 'registrations#new'" unless options.api?
+    route "get  'sign_up', to: 'registrations#new'" unless options.api?
     route "post 'sign_in', to: 'sessions#create'"
-    route "get 'sign_in', to: 'sessions#new'" unless options.api?
+    route "get  'sign_in', to: 'sessions#new'" unless options.api?
   end
   def create_test_files
     directory "test_unit/controllers/#{format_folder}", "test/controllers"
     directory "test_unit/system", "test/system" unless options.api?
+    template "test_unit/test_helper.rb", "test/test_helper.rb", force: true
+    template "test_unit/application_system_test_case.rb", "test/application_system_test_case.rb", force: true unless options.api?
   end
   private
@@ -186,4 +151,8 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
     def omniauthable?
       options.omniauthable? && !options.api?
     end
+    def two_factor?
+      options.two_factor? && !options.api?
+    end
 end

data/lib/generators/authentication/templates/controllers/api/application_controller.rb.tt ADDED Viewed

@@ -0,0 +1,26 @@
+class ApplicationController < ActionController::API
+  include ActionController::HttpAuthentication::Token::ControllerMethods
+  before_action :set_current_request_details
+  before_action :authenticate
+  def require_sudo
+    if Current.session.sudo_at < 30.minutes.ago
+      render json: { error: "Enter your password to continue" }, status: :forbidden
+    end
+  end
+  private
+    def authenticate
+      if session = authenticate_with_http_token { |token, _| Session.find_signed(token) }
+        Current.session = session
+      else
+        request_http_token_authentication
+      end
+    end
+    def set_current_request_details
+      Current.user_agent = request.user_agent
+      Current.ip_address = request.ip
+    end
+end

data/lib/generators/authentication/templates/controllers/api/identity/password_resets_controller.rb.tt CHANGED Viewed

@@ -1,9 +1,9 @@
 class Identity::PasswordResetsController < ApplicationController
   skip_before_action :authenticate
-<% if options.lockable? -%>
+  <%- if options.lockable? -%>
   before_action :require_locking, only: :create
-<% end -%>
+  <%- end -%>
   before_action :set_<%= singular_table_name %>, only: :update
   def create
@@ -32,11 +32,11 @@ class Identity::PasswordResetsController < ApplicationController
     def <%= "#{singular_table_name}_params" %>
       params.permit(:password, :password_confirmation)
     end
-<% if options.lockable? %>
+    <%- if options.lockable? %>
     def require_locking
       Locking.lock_on("password_reset_lock:#{request.remote_ip}", wait: 1.hour, attempts: 10) do
         render json: { error: "You've exceeded the maximum number of attempts" }, status: :too_many_requests
       end
     end
-<% end -%>
+    <%- end -%>
 end

data/lib/generators/authentication/templates/controllers/html/application_controller.rb.tt ADDED Viewed

@@ -0,0 +1,24 @@
+class ApplicationController < ActionController::Base
+  before_action :set_current_request_details
+  before_action :authenticate
+  def require_sudo
+    if Current.session.sudo_at < 30.minutes.ago
+      redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
+    end
+  end
+  private
+    def authenticate
+      if session = Session.find_by_id(cookies.signed[:session_token])
+        Current.session = session
+      else
+        redirect_to sign_in_path
+      end
+    end
+    def set_current_request_details
+      Current.user_agent = request.user_agent
+      Current.ip_address = request.ip
+    end
+end

data/lib/generators/authentication/templates/controllers/html/identity/password_resets_controller.rb.tt CHANGED Viewed

@@ -1,9 +1,9 @@
 class Identity::PasswordResetsController < ApplicationController
   skip_before_action :authenticate
-<% if options.lockable? -%>
+  <%- if options.lockable? -%>
   before_action :require_locking, only: :create
-<% end -%>
+  <%- end -%>
   before_action :set_<%= singular_table_name %>, only: %i[ edit update ]
   def new
@@ -39,11 +39,11 @@ class Identity::PasswordResetsController < ApplicationController
     def <%= "#{singular_table_name}_params" %>
       params.permit(:password, :password_confirmation)
     end
-<% if options.lockable? %>
+    <%- if options.lockable? %>
     def require_locking
       Locking.lock_on("password_reset_lock:#{request.remote_ip}", wait: 1.hour, attempts: 10) do
         redirect_to new_identity_password_reset_path, alert: "You've exceeded the maximum number of attempts"
       end
     end
-<% end -%>
+    <%- end -%>
 end

data/lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt CHANGED Viewed

@@ -5,11 +5,11 @@ class Sessions::SudosController < ApplicationController
   def create
     session = Current.session
-<% if omniauthable? -%>
+    <%- if omniauthable? -%>
     if session.<%= singular_table_name %>.authenticate(params[:password]) || session.<%= singular_table_name %>.provider
-<% else -%>
+    <%- else -%>
     if session.<%= singular_table_name %>.authenticate(params[:password])
-<% end -%>
+    <%- end -%>
       session.update!(sudo_at: Time.current); redirect_to(params[:proceed_to_url])
     else
       redirect_to new_sessions_sudo_path(proceed_to_url: params[:proceed_to_url]), alert: "The password you entered is incorrect"

data/lib/generators/authentication/templates/controllers/html/sessions_controller_two_factor.rb.tt ADDED Viewed

@@ -0,0 +1,41 @@
+class SessionsController < ApplicationController
+  skip_before_action :authenticate, only: %i[ new create ]
+  before_action :set_session, only: :destroy
+  def index
+    @sessions = Current.<%= singular_table_name %>.sessions.order(created_at: :desc)
+  end
+  def new
+    @<%= singular_table_name %> = <%= class_name %>.new
+  end
+  def create
+    <%= singular_table_name %> = <%= class_name %>.find_by(email: params[:email])
+    if <%= singular_table_name %> && <%= singular_table_name %>.authenticate(params[:password])
+      if <%= singular_table_name %>.otp_secret
+        signed_id = <%= singular_table_name %>.signed_id(purpose: :authentication_challenge, expires_in: 20.minutes)
+        redirect_to new_two_factor_authentication_challenge_path(token: signed_id)
+      else
+        @session = <%= singular_table_name %>.sessions.create!
+        cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
+        redirect_to root_path, notice: "Signed in successfully"
+      end
+    else
+      redirect_to sign_in_path(email_hint: params[:email]), alert: "That email or password is incorrect"
+    end
+  end
+  def destroy
+    @session.destroy; redirect_to(sessions_path, notice: "That session has been logged out")
+  end
+  private
+    def set_session
+      @session = Current.<%= singular_table_name %>.sessions.find(params[:id])
+    end
+end

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenges_controller.rb.tt ADDED Viewed

@@ -0,0 +1,28 @@
+class TwoFactorAuthentication::ChallengesController < ApplicationController
+  skip_before_action :authenticate
+  before_action :set_<%= singular_table_name %>
+  def new
+  end
+  def create
+    @totp = ROTP::TOTP.new(@<%= singular_table_name %>.otp_secret, issuer: "YourAppName")
+    if @totp.verify(params[:code], drift_behind: 15)
+      session = @<%= singular_table_name %>.sessions.create!
+      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+      redirect_to root_path, notice: "Signed in successfully"
+    else
+      redirect_to new_two_factor_authentication_challenge_path(token: params[:token]), alert: "That code didn't work. Please try again"
+    end
+  end
+  private
+    def set_<%= singular_table_name %>
+      @<%= singular_table_name %> = <%= class_name %>.find_signed!(params[:token], purpose: :authentication_challenge)
+    rescue
+      redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
+    end
+end

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/totps_controller.rb.tt ADDED Viewed

@@ -0,0 +1,26 @@
+class TwoFactorAuthentication::TotpsController < ApplicationController
+  before_action :require_sudo
+  before_action :set_<%= singular_table_name %>
+  before_action :set_totp
+  def new
+    @qr_code = RQRCode::QRCode.new(@totp.provisioning_uri(@<%= singular_table_name %>.email))
+  end
+  def create
+    if @totp.verify(params[:code], drift_behind: 15)
+      @<%= singular_table_name %>.update! otp_secret: params[:secret]
+      redirect_to root_path, notice: "2FA is enabled on your account"
+    else
+      redirect_to two_factor_authentication_totp_path, alert: "That code didn't work. Please try again"
+    end
+  end
+  def set_<%= singular_table_name %>
+    @<%= singular_table_name %> = Current.<%= singular_table_name %>
+  end
+  def set_totp
+    @totp = ROTP::TOTP.new(params[:secret] || ROTP::Base32.random, issuer: "YourAppName")
+  end
+end

data/lib/generators/authentication/templates/erb/identity/password_resets/edit.html.erb.tt CHANGED Viewed

@@ -13,17 +13,17 @@
     </div>
   <%% end %>
-  <%%= hidden_field_tag :token, params[:token] %>
+  <%%= form.hidden_field :token, value: params[:token] %>
   <div>
     <%%= form.label :password, "New password", style: "display: block" %>
-    <%%= form.password_field :password, autofocus: true, autocomplete: "new-password" %>
+    <%%= form.password_field :password, required: true, autofocus: true, autocomplete: "new-password" %>
     <div>12 characters minimum.</div>
   </div>
   <div>
     <%%= form.label :password_confirmation, "Confirm new password", style: "display: block" %>
-    <%%= form.password_field :password_confirmation, autocomplete: "new-password" %>
+    <%%= form.password_field :password_confirmation, required: true, autocomplete: "new-password" %>
   </div>
   <div>

data/lib/generators/authentication/templates/erb/passwords/edit.html.erb.tt CHANGED Viewed

@@ -16,19 +16,19 @@
   <%% end %>
   <div>
-    <%%= label_tag :current_password, nil, style: "display: block" %>
-    <%%= password_field_tag :current_password, nil, autofocus: true, autocomplete: "current-password" %>
+    <%%= form.label :current_password, style: "display: block" %>
+    <%%= form.password_field :current_password, required: true, autofocus: true, autocomplete: "current-password" %>
   </div>
   <div>
     <%%= form.label :password, "New password", style: "display: block" %>
-    <%%= form.password_field :password, autocomplete: "new-password" %>
+    <%%= form.password_field :password, required: true, autocomplete: "new-password" %>
     <div>12 characters minimum.</div>
   </div>
   <div>
     <%%= form.label :password_confirmation, "Confirm new password", style: "display: block" %>
-    <%%= form.password_field :password_confirmation, autocomplete: "new-password" %>
+    <%%= form.password_field :password_confirmation, required: true, autocomplete: "new-password" %>
   </div>
   <div>

data/lib/generators/authentication/templates/erb/registrations/new.html.erb.tt CHANGED Viewed

@@ -20,13 +20,13 @@
   <div>
     <%%= form.label :password, style: "display: block" %>
-    <%%= form.password_field :password, autocomplete: "new-password" %>
+    <%%= form.password_field :password, required: true, autocomplete: "new-password" %>
     <div>12 characters minimum.</div>
   </div>
   <div>
     <%%= form.label :password_confirmation, style: "display: block" %>
-    <%%= form.password_field :password_confirmation, autocomplete: "new-password" %>
+    <%%= form.password_field :password_confirmation, required: true, autocomplete: "new-password" %>
   </div>
   <div>

data/lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt CHANGED Viewed

@@ -4,10 +4,10 @@
 <%%= form_with(url: sessions_sudo_path) do |form| %>
-  <%%= hidden_field_tag :proceed_to_url, params[:proceed_to_url] %>
+  <%%= form.hidden_field :proceed_to_url, value: params[:proceed_to_url] %>
   <div>
-    <%%= password_field_tag :password, nil, autofocus: true, autocomplete: "current-password" %>
+    <%%= form.password_field :password, required: true, autofocus: true, autocomplete: "current-password" %>
   </div>
   <div>

data/lib/generators/authentication/templates/erb/two_factor_authentication/challenges/new.html.erb.tt ADDED Viewed

@@ -0,0 +1,16 @@
+<p style="color: red"><%%= alert %></p>
+<%%= form_with(url: two_factor_authentication_challenge_path) do |form| %>
+  <%%= form.hidden_field :token, value: params[:token] %>
+  <div>
+    <%%= form.label :code do %>
+      <h1>Next, open the 2FA authenticator app on your phone and type the six digit code below:</h1>
+    <%% end %>
+    <%%= form.text_field :code, autofocus: true, required: true, autocomplete: :off %>
+  </div>
+  <div>
+    <%%= form.submit "Verify" %>
+  </div>
+<%% end %>

data/lib/generators/authentication/templates/erb/two_factor_authentication/totps/new.html.erb.tt ADDED Viewed

@@ -0,0 +1,28 @@
+<p style="color: red"><%%= alert %></p>
+<h1>Upgrade your security with 2FA</h1>
+<h2>Step 1: Get an Authenticator App</h2>
+<p>First, you'll need a 2FA authenticator app on your phone. <strong>If you already have one, skip to step 2.</strong></p>
+<p><strong>If you don't have one, or you aren't sure, we recommend Microsoft Authenticator</strong>. You can download it free on the Apple App Store for iPhone, or Google Play Store for Android. Please grab your phone, search the store, and install it now.</p>
+<h2>Step 2: Scan + Enter the Code</h2>
+<p>Next, open the authenticator app, tap "Scan QR code" or "+", and, when it asks, point your phone's camera at this QR code picture below.</p>
+<figure>
+    <%%= image_tag @qr_code.as_png(resize_exactly_to: 200).to_data_url%>
+    <figcaption>Point your camera here</figcaption>
+</figure>
+<%%= form_with(url: two_factor_authentication_totp_path) do |form| %>
+  <%%= form.hidden_field :secret, value: @totp.secret %>
+  <div>
+    <%%= form.label :code, "After scanning with your camera, the app will generate a six-digit code. Enter it here:", style: "display: block" %>
+    <%%= form.text_field :code, autofocus: true, required: true, autocomplete: :off %>
+  </div>
+  <div>
+    <%%= form.submit "Verify and active" %>
+  </div>
+<%% end %>

data/lib/generators/authentication/templates/migrations/create_table_migration.rb.tt CHANGED Viewed

@@ -5,17 +5,20 @@ class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Mi
       t.string :password_digest, null: false
       t.boolean :verified, null: false, default: false
-<% if omniauthable? %>
+      <%- if two_factor? %>
+      t.string :otp_secret
+      <%- end -%>
+      <%- if omniauthable? %>
       t.string :provider
       t.string :uid
-<% end -%>
+      <%- end -%>
       t.timestamps
     end
     add_index :<%= table_name %>, :email, unique: true
-<% if omniauthable? -%>
+    <%- if omniauthable? -%>
     add_index :<%= table_name %>, [:provider, :uid], unique: true
-<% end -%>
+    <%- end -%>
   end
 end

data/lib/generators/authentication/templates/models/model.rb.tt CHANGED Viewed

@@ -2,18 +2,18 @@ class <%= class_name %> < ApplicationRecord
   has_secure_password
   has_many :sessions, dependent: :destroy
-<% if options.trackable? -%>
+  <%- if options.trackable? -%>
   has_many :events, dependent: :destroy
-<% end -%>
+  <%- end -%>
   validates :email, presence: true, uniqueness: true
   validates_format_of :email, with: /\A[^@\s]+@[^@\s]+\z/
-  validates_length_of :password, minimum: 12, allow_blank: true
-  validates_format_of :password, with: /(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])/, allow_blank: true, message: "might easily be guessed"
-<% if options.pwned? -%>
+  validates_length_of :password, minimum: 12, allow_nil: true
+  validates_format_of :password, with: /(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])/, allow_nil: true, message: "might easily be guessed"
+  <%- if options.pwned? -%>
   validates :password, not_pwned: { message: "might easily be guessed" }
-<% end -%>
+  <%- end -%>
   before_validation do
     self.email = email.downcase.strip
@@ -30,7 +30,7 @@ class <%= class_name %> < ApplicationRecord
   after_save_commit if: :email_previously_changed? do
     IdentityMailer.with(user: self).email_verify_confirmation.deliver_later
   end
-<% if options.trackable? %>
+  <%- if options.trackable? %>
   after_save_commit if: :email_previously_changed? do
     events.create! action: "email_verification_requested"
   end
@@ -42,5 +42,5 @@ class <%= class_name %> < ApplicationRecord
   after_update if: :verified_previously_changed? do
     events.create! action: "email_verified" if verified?
   end
-<% end -%>
+  <%- end -%>
 end

data/lib/generators/authentication/templates/models/session.rb.tt CHANGED Viewed

@@ -10,7 +10,7 @@ class Session < ApplicationRecord
   after_create_commit do
     SessionMailer.with(session: self).signed_in_notification.deliver_later
   end
-<% if options.trackable? %>
+  <%- if options.trackable? %>
   after_create do
     <%= singular_table_name %>.events.create! action: "signed_in"
   end
@@ -18,5 +18,5 @@ class Session < ApplicationRecord
   after_destroy do
     <%= singular_table_name %>.events.create! action: "signed_out"
   end
-<% end -%>
+  <%- end -%>
 end

data/lib/generators/authentication/templates/test_unit/application_system_test_case.rb.tt ADDED Viewed

@@ -0,0 +1,15 @@
+require "test_helper"
+class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
+  driven_by :selenium, using: :chrome, screen_size: [1400, 1400]
+  def sign_in_as(<%= singular_table_name %>)
+    visit sign_in_url
+    fill_in :email, with: <%= singular_table_name %>.email
+    fill_in :password, with: "Secret1*3*5*"
+    click_on "Sign in"
+    assert_current_path root_url
+    return <%= singular_table_name %>
+  end
+end

data/lib/generators/authentication/templates/test_unit/controllers/api/identity/email_verifications_controller_test.rb.tt CHANGED Viewed

@@ -37,8 +37,4 @@ class Identity::EmailVerificationsControllerTest < ActionDispatch::IntegrationTe
     assert_response :bad_request
     assert_equal "That email verification link is invalid", response.parsed_body["error"]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/api/identity/emails_controller_test.rb.tt CHANGED Viewed

@@ -18,8 +18,4 @@ class Identity::EmailsControllerTest < ActionDispatch::IntegrationTest
     assert_response :forbidden
     assert_equal "Enter your password to continue", response.parsed_body["error"]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/api/identity/password_resets_controller_test.rb.tt CHANGED Viewed

@@ -6,9 +6,9 @@ class Identity::PasswordResetsControllerTest < ActionDispatch::IntegrationTest
     @sid = @<%= singular_table_name %>.signed_id(purpose: :password_reset, expires_in: 20.minutes)
     @sid_exp = @<%= singular_table_name %>.signed_id(purpose: :password_reset, expires_in: 0.minutes)
   end
-<% if options.lockable? %>
+  <%- if options.lockable? %>
   teardown { Kredis.clear_all }
-<% end -%>
+  <%- end -%>
   test "should send a password reset email" do
     assert_enqueued_email_with IdentityMailer, :password_reset_provision, args: { <%= singular_table_name %>: @<%= singular_table_name %> } do

data/lib/generators/authentication/templates/test_unit/controllers/api/passwords_controller_test.rb.tt CHANGED Viewed

@@ -16,8 +16,4 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
     assert_response :bad_request
     assert_equal "The current password you entered is incorrect", response.parsed_body["error"]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/api/sessions/sudos_controller_test.rb.tt CHANGED Viewed

@@ -17,8 +17,4 @@ class Sessions::SudosControllerTest < ActionDispatch::IntegrationTest
     assert_response :bad_request
     assert_equal "The password you entered is incorrect", response.parsed_body["error"]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/api/sessions_controller_test.rb.tt CHANGED Viewed

@@ -31,8 +31,4 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     delete session_url(@<%= singular_table_name %>.sessions.last), headers: { "Authorization" => "Bearer #{@token}" }
     assert_response :no_content
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/html/identity/email_verifications_controller_test.rb.tt CHANGED Viewed

@@ -37,8 +37,4 @@ class Identity::EmailVerificationsControllerTest < ActionDispatch::IntegrationTe
     assert_redirected_to edit_identity_email_url
     assert_equal "That email verification link is invalid", flash[:alert]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/html/identity/emails_controller_test.rb.tt CHANGED Viewed

@@ -28,8 +28,4 @@ class Identity::EmailsControllerTest < ActionDispatch::IntegrationTest
     patch identity_email_url, params: { email: "new_email@hey.com" }
     assert_redirected_to new_sessions_sudo_url(proceed_to_url: identity_email_url)
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/html/identity/password_resets_controller_test.rb.tt CHANGED Viewed

@@ -6,9 +6,9 @@ class Identity::PasswordResetsControllerTest < ActionDispatch::IntegrationTest
     @sid = @<%= singular_table_name %>.signed_id(purpose: :password_reset, expires_in: 20.minutes)
     @sid_exp = @<%= singular_table_name %>.signed_id(purpose: :password_reset, expires_in: 0.minutes)
   end
-<% if options.lockable? %>
+  <%- if options.lockable? %>
   teardown { Kredis.clear_all }
-<% end -%>
+  <%- end -%>
   test "should get new" do
     get new_identity_password_reset_url

data/lib/generators/authentication/templates/test_unit/controllers/html/passwords_controller_test.rb.tt CHANGED Viewed

@@ -21,8 +21,4 @@ class PasswordsControllerTest < ActionDispatch::IntegrationTest
     assert_redirected_to edit_password_url
     assert_equal "The current password you entered is incorrect", flash[:alert]
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/html/sessions/sudos_controller_test.rb.tt CHANGED Viewed

@@ -19,8 +19,4 @@ class Sessions::SudosControllerTest < ActionDispatch::IntegrationTest
     post sessions_sudo_url, params: { password: "SecretWrong1*3", proceed_to_url: edit_password_url }
     assert_redirected_to new_sessions_sudo_url(proceed_to_url: edit_password_url)
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
-  end
 end

data/lib/generators/authentication/templates/test_unit/controllers/html/sessions_controller_test.rb.tt CHANGED Viewed

@@ -45,8 +45,4 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     follow_redirect!
     assert_redirected_to sign_in_url
   end
-  def sign_in_as(<%= singular_table_name %>)
-    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/system/identity/emails_test.rb.tt CHANGED Viewed

@@ -22,14 +22,4 @@ class Identity::EmailsTest < ApplicationSystemTestCase
     assert_text "We sent a verification email to your email address"
   end
-  def sign_in_as(<%= singular_table_name %>)
-    visit sign_in_url
-    fill_in :email, with: <%= singular_table_name %>.email
-    fill_in :password, with: "Secret1*3*5*"
-    click_on "Sign in"
-    assert_current_path root_url
-    return <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/system/identity/password_resets_test.rb.tt CHANGED Viewed

@@ -5,9 +5,9 @@ class Identity::PasswordResetsTest < ApplicationSystemTestCase
     @<%= singular_table_name %> = <%= table_name %>(:lazaro_nixon)
     @sid = @<%= singular_table_name %>.signed_id(purpose: :password_reset, expires_in: 20.minutes)
   end
-<% if options.lockable? %>
+  <%- if options.lockable? %>
   teardown { Kredis.clear_all }
-<% end -%>
+  <%- end -%>
   test "sending a password reset email" do
     visit sign_in_url

data/lib/generators/authentication/templates/test_unit/system/passwords_test.rb.tt CHANGED Viewed

@@ -15,14 +15,4 @@ class PasswordsTest < ApplicationSystemTestCase
     assert_text "Your password has been changed"
   end
-  def sign_in_as(<%= singular_table_name %>)
-    visit sign_in_url
-    fill_in :email, with: <%= singular_table_name %>.email
-    fill_in :password, with: "Secret1*3*5*"
-    click_on "Sign in"
-    assert_current_path root_url
-    return <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/system/sessions/sudos_test.rb.tt CHANGED Viewed

@@ -12,14 +12,4 @@ class Sessions::SudosTest < ApplicationSystemTestCase
     assert_selector "h1", text: "Change your password"
   end
-  def sign_in_as(<%= singular_table_name %>)
-    visit sign_in_url
-    fill_in :email, with: <%= singular_table_name %>.email
-    fill_in :password, with: "Secret1*3*5*"
-    click_on "Sign in"
-    assert_current_path root_url
-    return <%= singular_table_name %>
-  end
 end

data/lib/generators/authentication/templates/test_unit/system/sessions_test.rb.tt CHANGED Viewed

@@ -21,13 +21,10 @@ class SessionsTest < ApplicationSystemTestCase
     assert_text "Signed in successfully"
   end
-  def sign_in_as(<%= singular_table_name %>)
-    visit sign_in_url
-    fill_in :email, with: <%= singular_table_name %>.email
-    fill_in :password, with: "Secret1*3*5*"
-    click_on "Sign in"
+  test "signing out" do
+    sign_in_as @<%= singular_table_name %>
-    assert_current_path root_url
-    return <%= singular_table_name %>
+    click_on "Log out"
+    assert_text "That session has been logged out"
   end
 end

data/lib/generators/authentication/templates/test_unit/test_helper.rb.tt ADDED Viewed

@@ -0,0 +1,22 @@
+ENV["RAILS_ENV"] ||= "test"
+require_relative "../config/environment"
+require "rails/test_help"
+class ActiveSupport::TestCase
+  # Run tests in parallel with specified workers
+  parallelize(workers: :number_of_processors)
+  # Setup all fixtures in test/fixtures/*.yml for all tests in alphabetical order.
+  fixtures :all
+  # Add more helper methods to be used by all tests here...
+  <%- if options.api? -%>
+  def sign_in_as(<%= singular_table_name %>)
+    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); [<%= singular_table_name %>, response.headers["X-Session-Token"]]
+  end
+  <%- else -%>
+  def sign_in_as(<%= singular_table_name %>)
+    post(sign_in_url, params: { email: <%= singular_table_name %>.email, password: "Secret1*3*5*" }); <%= singular_table_name %>
+  end
+  <%- end -%>
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authentication-zero
 version: !ruby/object:Gem::Version
-  version: 2.9.1
+  version: 2.10.0
 platform: ruby
 authors:
 - Nixon
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-07 00:00:00.000000000 Z
+date: 2022-03-14 00:00:00.000000000 Z
 dependencies: []
 description:
 email:
@@ -35,6 +35,7 @@ files:
 - lib/generators/authentication/authentication_generator.rb
 - lib/generators/authentication/templates/config/initializers/omniauth.rb
 - lib/generators/authentication/templates/config/redis/shared.yml
+- lib/generators/authentication/templates/controllers/api/application_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/authentications/events_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/identity/email_verifications_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/identity/emails_controller.rb.tt
@@ -43,6 +44,7 @@ files:
 - lib/generators/authentication/templates/controllers/api/registrations_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/sessions/sudos_controller.rb.tt
 - lib/generators/authentication/templates/controllers/api/sessions_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/application_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/authentications/events_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/identity/email_verifications_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/identity/emails_controller.rb.tt
@@ -52,6 +54,9 @@ files:
 - lib/generators/authentication/templates/controllers/html/sessions/omniauth_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt
 - lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/sessions_controller_two_factor.rb.tt
+- lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenges_controller.rb.tt
+- lib/generators/authentication/templates/controllers/html/two_factor_authentication/totps_controller.rb.tt
 - lib/generators/authentication/templates/erb/authentications/events/index.html.erb
 - lib/generators/authentication/templates/erb/identity/emails/edit.html.erb.tt
 - lib/generators/authentication/templates/erb/identity/password_resets/edit.html.erb.tt
@@ -67,6 +72,8 @@ files:
 - lib/generators/authentication/templates/erb/sessions/index.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/new.html.erb.tt
 - lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/challenges/new.html.erb.tt
+- lib/generators/authentication/templates/erb/two_factor_authentication/totps/new.html.erb.tt
 - lib/generators/authentication/templates/mailers/identity_mailer.rb.tt
 - lib/generators/authentication/templates/mailers/session_mailer.rb.tt
 - lib/generators/authentication/templates/migrations/create_events_migration.rb.tt
@@ -77,6 +84,7 @@ files:
 - lib/generators/authentication/templates/models/locking.rb.tt
 - lib/generators/authentication/templates/models/model.rb.tt
 - lib/generators/authentication/templates/models/session.rb.tt
+- lib/generators/authentication/templates/test_unit/application_system_test_case.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/email_verifications_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/emails_controller_test.rb.tt
 - lib/generators/authentication/templates/test_unit/controllers/api/identity/password_resets_controller_test.rb.tt
@@ -98,6 +106,7 @@ files:
 - lib/generators/authentication/templates/test_unit/system/registrations_test.rb.tt
 - lib/generators/authentication/templates/test_unit/system/sessions/sudos_test.rb.tt
 - lib/generators/authentication/templates/test_unit/system/sessions_test.rb.tt
+- lib/generators/authentication/templates/test_unit/test_helper.rb.tt
 homepage: https://github.com/lazaronixon/authentication-zero
 licenses:
 - MIT