authentication-zero 2.9.2 → 2.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1eb8eb320cf8198e9afebf59fd2365b2683e3b52840d8d455876a11b208e243c
-  data.tar.gz: 3bc190759683e6e647a597bdb57e09e69243901a3390c401e09eac72ada96726
+  metadata.gz: 702b78645aff0919daf1e518101731363068e6aef74fac0591f3257b5bf6b7a3
+  data.tar.gz: d07d22eb48277537484ef5f5c1cd4fd78f65e65d739fb7031384e3a594248e3a
 SHA512:
-  metadata.gz: 0c2996c6cf6779c22442f7155025bb99a470f26a0dc23218aea96f413fd5ae85a1ffdebd796922b77a09f60a833c4a0bb72bc9e964f5c0695066cf4074c3f4e9
-  data.tar.gz: 8cbf3eb8525e08fc10a5c00a88e1a82d928a107c969e7b6f4e65789d0db1d79b3a19369331f914b5baf439230a6b0e246287f6875f1f4ab7d57c4f470e96c0a0
+  metadata.gz: 99224479fcc817abaeed4492a5a48d071e98e3e32fcea32ec56e77007031b186feb0978405e5ec5f90750cf434bc86a554df73dea88245aa6185f18a16d7d2e3
+  data.tar.gz: 344af675d6c106d41c3a34dc2fdd04d93ca6028c83bc5acda497791a70a220a7854455cb336345d00d9371b529b7581d64617f4c244b1c15182bf5a869ada997

data/.rubocop.yml

@@ -0,0 +1,15 @@
+inherit_from: https://raw.githubusercontent.com/rails/rails/master/.rubocop.yml
+
+Performance:
+  Exclude:
+    - 'test/**/*'
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: double_quotes
+  Include:
+    - 'app/**/*'
+    - 'test/**/*'

data/CHANGELOG.md

@@ -1,3 +1,13 @@
+## Authentication Zero 2.11.0 (March 27, 2022) ##
+
+* Remove sudo from default generator
+* Remove sudo_at from database
+* Implement sudoable using redis
+
+## Authentication Zero 2.10.0 (March 2, 2022) ##
+
+* Implement two-factor
+
 ## Authentication Zero 2.9.0 (March 2, 2022) ##
 
 * Implement trackable

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    authentication-zero (2.9.2)
+    authentication-zero (2.11.0)
 
 GEM
   remote: https://rubygems.org/

data/README.md

@@ -11,8 +11,9 @@ The purpose of authentication zero is to generate a pre-built authentication sys
 - Checks if a password has been found in any data breach (--pwned)
 - Authentication by cookie
 - Authentication by token (--api)
+- Two factor authentication (--two-factor)
 - Social Login with OmniAuth (--omniauthable)
-- Ask password before sensitive data changes, aka: sudo
+- Ask password before sensitive data changes, aka: sudo (--sudoable)
 - Reset the user password and send reset instructions
 - Reset the user password only from verified emails
 - Lock sending reset password email after many attempts (--lockable)
@@ -53,7 +54,7 @@ root "home#index"
 ```
 
 ```
-$ rails generate controller home index
+rails generate controller home index
 ```
 
 Add these lines to your `app/views/home/index.html.erb`:
@@ -79,6 +80,10 @@ Add these lines to your `app/views/home/index.html.erb`:
   <%# link_to "Activity Log", authentications_events_path %>
 </div>
 
+<div>
+  <%# link_to "Two-Factor Authentication", new_two_factor_authentication_totp_path %>
+</div>
+
 <br>
 
 <%= button_to "Log out", Current.session, method: :delete %>
@@ -93,7 +98,7 @@ config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
 ## Usage
 
 ```
-$ rails generate authentication user
+rails generate authentication user
 ```
 
 Then run `bundle install` again!

data/authentication-zero-api.md

@@ -78,7 +78,6 @@ This endpoint will return `201 Created` with the current JSON representation of
     "user_id": 1,
     "user_agent": "insomnia/2022.1.0",
     "ip_address": "127.0.0.1",
-    "sudo_at": "2022-03-04T17:20:33.632Z",
     "created_at": "2022-03-04T17:20:33.632Z",
     "updated_at": "2022-03-04T17:20:33.632Z"
   },
@@ -87,7 +86,6 @@ This endpoint will return `201 Created` with the current JSON representation of
     "user_id": 1,
     "user_agent": "insomnia/2022.1.0",
     "ip_address": "127.0.0.1",
-    "sudo_at": "2022-03-04T17:14:03.386Z",
     "created_at": "2022-03-04T17:14:03.386Z",
     "updated_at": "2022-03-04T17:14:03.386Z"
   }
@@ -106,7 +104,6 @@ This endpoint will return `201 Created` with the current JSON representation of
   "user_id": 1,
   "user_agent": "insomnia/2022.1.0",
   "ip_address": "127.0.0.1",
-  "sudo_at": "2022-03-04T17:14:03.386Z",
   "created_at": "2022-03-04T17:14:03.386Z",
   "updated_at": "2022-03-04T17:14:03.386Z"
 }

data/lib/authentication_zero/version.rb

@@ -1,3 +1,3 @@
 module AuthenticationZero
-  VERSION = "2.9.2"
+  VERSION = "2.11.0"
 end

data/lib/generators/authentication/authentication_generator.rb

@@ -5,17 +5,19 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
 
   class_option :api,          type: :boolean, desc: "Generates API authentication"
   class_option :pwned,        type: :boolean, desc: "Add pwned password validation"
+  class_option :sudoable,     type: :boolean, desc: "Add password request before sensitive data changes"
   class_option :lockable,     type: :boolean, desc: "Add password reset locking"
   class_option :ratelimit,    type: :boolean, desc: "Add request rate limiting"
   class_option :omniauthable, type: :boolean, desc: "Add social login support"
   class_option :trackable,    type: :boolean, desc: "Add activity log support"
+  class_option :two_factor,   type: :boolean, desc: "Add two factor authentication"
 
   source_root File.expand_path("templates", __dir__)
 
   def add_gems
     uncomment_lines "Gemfile", /"bcrypt"/
-    uncomment_lines "Gemfile", /"redis"/  if options.lockable?
-    uncomment_lines "Gemfile", /"kredis"/ if options.lockable?
+    uncomment_lines "Gemfile", /"redis"/  if redis?
+    uncomment_lines "Gemfile", /"kredis"/ if redis?
 
     if options.pwned?
       gem "pwned", comment: "Use Pwned to check if a password has been found in any of the huge data breaches [https://github.com/philnash/pwned]"
@@ -29,15 +31,20 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
       gem "omniauth", comment: "Use OmniAuth to support multi-provider authentication [https://github.com/omniauth/omniauth]"
       gem "omniauth-rails_csrf_protection", comment: "Provides a mitigation against CVE-2015-9284 [https://github.com/cookpad/omniauth-rails_csrf_protection]"
     end
+
+    if two_factor?
+      gem "rotp", comment: "Use rotp for generating and validating one time passwords [https://github.com/mdp/rotp]"
+      gem "rqrcode", comment: "Use rqrcode for creating and rendering QR codes into various formats [https://github.com/whomwah/rqrcode]"
+    end
   end
 
   def create_configuration_files
-     copy_file "config/redis/shared.yml", "config/redis/shared.yml" if options.lockable?
-     copy_file "config/initializers/omniauth.rb", "config/initializers/omniauth.rb" if omniauthable?
+    copy_file "config/redis/shared.yml", "config/redis/shared.yml" if redis?
+    copy_file "config/initializers/omniauth.rb", "config/initializers/omniauth.rb" if omniauthable?
   end
 
   def add_environment_configurations
-     ratelimit_code = <<~CODE
+    ratelimit_code = <<~CODE
       # Rate limit general requests by IP address in a rate of 1000 requests per hour
       config.middleware.use(Rack::Ratelimit, name: "General", rate: [1000, 1.hour], redis: Redis.new, logger: Rails.logger) { |env| ActionDispatch::Request.new(env).ip }
     CODE
@@ -63,69 +70,15 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
     template "test_unit/fixtures.yml", "test/fixtures/#{fixture_file_name}.yml"
   end
 
-  def add_application_controller_methods
-    api_code = <<~CODE
-      include ActionController::HttpAuthentication::Token::ControllerMethods
-
-      before_action :set_current_request_details
-      before_action :authenticate
-
-      def require_sudo
-        if Current.session.sudo_at < 30.minutes.ago
-          render json: { error: "Enter your password to continue" }, status: :forbidden
-        end
-      end
-
-      private
-        def authenticate
-          if session = authenticate_with_http_token { |token, _| Session.find_signed(token) }
-            Current.session = session
-          else
-            request_http_token_authentication
-          end
-        end
-
-        def set_current_request_details
-          Current.user_agent = request.user_agent
-          Current.ip_address = request.ip
-        end
-    CODE
-
-    html_code = <<~CODE
-      before_action :set_current_request_details
-      before_action :authenticate
-
-      def require_sudo
-        if Current.session.sudo_at < 30.minutes.ago
-          redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
-        end
-      end
-
-      private
-        def authenticate
-          if session = Session.find_by_id(cookies.signed[:session_token])
-            Current.session = session
-          else
-            redirect_to sign_in_path
-          end
-        end
-
-        def set_current_request_details
-          Current.user_agent = request.user_agent
-          Current.ip_address = request.ip
-        end
-    CODE
-
-    inject_code = options.api? ? api_code : html_code
-    inject_into_class "app/controllers/application_controller.rb", "ApplicationController", optimize_indentation(inject_code, 2), verbose: false
-  end
-
   def create_controllers
+    template  "controllers/#{format_folder}/application_controller.rb", "app/controllers/application_controller.rb", force: true
+
     directory "controllers/#{format_folder}/identity", "app/controllers/identity"
+    directory "controllers/#{format_folder}/two_factor_authentication", "app/controllers/two_factor_authentication" if two_factor?
+    template  "controllers/#{format_folder}/sessions_controller.rb", "app/controllers/sessions_controller.rb"
     template  "controllers/#{format_folder}/passwords_controller.rb", "app/controllers/passwords_controller.rb"
     template  "controllers/#{format_folder}/registrations_controller.rb", "app/controllers/registrations_controller.rb"
-    template  "controllers/#{format_folder}/sessions_controller.rb", "app/controllers/sessions_controller.rb"
-    template  "controllers/#{format_folder}/sessions/sudos_controller.rb", "app/controllers/sessions/sudos_controller.rb"
+    template  "controllers/#{format_folder}/sessions/sudos_controller.rb", "app/controllers/sessions/sudos_controller.rb" if options.sudoable?
     template  "controllers/#{format_folder}/sessions/omniauth_controller.rb", "app/controllers/sessions/omniauth_controller.rb" if omniauthable?
     template  "controllers/#{format_folder}/authentications/events_controller.rb", "app/controllers/authentications/events_controller.rb" if options.trackable?
   end
@@ -141,7 +94,13 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
       directory "erb/identity", "app/views/identity"
       directory "erb/passwords", "app/views/passwords"
       directory "erb/registrations", "app/views/registrations"
-      directory "erb/sessions", "app/views/sessions"
+
+      template  "erb/sessions/index.html.erb", "app/views/sessions/index.html.erb"
+      template  "erb/sessions/new.html.erb", "app/views/sessions/new.html.erb"
+
+      directory "erb/sessions/sudos", "app/views/sessions/sudos" if options.sudoable?
+
+      directory "erb/two_factor_authentication", "app/views/two_factor_authentication" if two_factor?
       directory "erb/authentications/events", "app/views/authentications/events" if options.trackable?
     end
   end
@@ -153,29 +112,36 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
   def add_routes
     if omniauthable?
       route "post '/auth/:provider/callback', to: 'sessions/omniauth#create'"
-      route "get '/auth/:provider/callback', to: 'sessions/omniauth#create'"
-      route "get '/auth/failure', to: 'sessions/omniauth#failure'"
+      route "get  '/auth/:provider/callback', to: 'sessions/omniauth#create'"
+      route "get  '/auth/failure',            to: 'sessions/omniauth#failure'"
+    end
+
+    if two_factor?
+      route "resource :totp,      only: [:new, :create]", namespace: :two_factor_authentication
+      route "resource :challenge, only: [:new, :create]", namespace: :two_factor_authentication
     end
 
     if options.trackable?
       route "resources :events, only: :index", namespace: :authentications
     end
 
-    route "resource :password_reset, only: [:new, :edit, :create, :update]", namespace: :identity
+    route "resource :password_reset,     only: [:new, :edit, :create, :update]", namespace: :identity
     route "resource :email_verification, only: [:edit, :create]", namespace: :identity
-    route "resource :email, only: [:edit, :update]", namespace: :identity
-    route "resource :sudo, only: [:new, :create]", namespace: :sessions
+    route "resource :email,              only: [:edit, :update]", namespace: :identity
+    route "resource :sudo, only: [:new, :create]", namespace: :sessions if options.sudoable?
+    route "resource  :password, only: [:edit, :update]"
     route "resources :sessions, only: [:index, :show, :destroy]"
-    route "resource :password, only: [:edit, :update]"
     route "post 'sign_up', to: 'registrations#create'"
-    route "get 'sign_up', to: 'registrations#new'" unless options.api?
+    route "get  'sign_up', to: 'registrations#new'" unless options.api?
     route "post 'sign_in', to: 'sessions#create'"
-    route "get 'sign_in', to: 'sessions#new'" unless options.api?
+    route "get  'sign_in', to: 'sessions#new'" unless options.api?
   end
 
   def create_test_files
     directory "test_unit/controllers/#{format_folder}", "test/controllers"
     directory "test_unit/system", "test/system" unless options.api?
+    template "test_unit/test_helper.rb", "test/test_helper.rb", force: true
+    template "test_unit/application_system_test_case.rb", "test/application_system_test_case.rb", force: true unless options.api?
   end
 
   private
@@ -186,4 +152,12 @@ class AuthenticationGenerator < Rails::Generators::NamedBase
     def omniauthable?
       options.omniauthable? && !options.api?
     end
+
+    def two_factor?
+      options.two_factor? && !options.api?
+    end
+
+    def redis?
+      options.lockable? || options.sudoable?
+    end
 end

data/lib/generators/authentication/templates/controllers/api/application_controller.rb.tt

@@ -0,0 +1,27 @@
+class ApplicationController < ActionController::API
+  include ActionController::HttpAuthentication::Token::ControllerMethods
+
+  before_action :set_current_request_details
+  before_action :authenticate
+  <%- if options.sudoable? %>
+  def require_sudo
+    unless Current.session.sudo?
+      render json: { error: "Enter your password to continue" }, status: :forbidden
+    end
+  end
+  <%- end -%>
+
+  private
+    def authenticate
+      if session = authenticate_with_http_token { |token, _| Session.find_signed(token) }
+        Current.session = session
+      else
+        request_http_token_authentication
+      end
+    end
+
+    def set_current_request_details
+      Current.user_agent = request.user_agent
+      Current.ip_address = request.ip
+    end
+end

data/lib/generators/authentication/templates/controllers/api/identity/emails_controller.rb.tt

@@ -1,9 +1,10 @@
 class Identity::EmailsController < ApplicationController
-  before_action :require_sudo
   before_action :set_<%= singular_table_name %>
 
   def update
-    if @<%= singular_table_name %>.update(<%= "#{singular_table_name}_params" %>)
+    if !@<%= singular_table_name %>.authenticate(params[:current_password])
+      render json: { error: "The password you entered is incorrect" }, status: :bad_request
+    elsif @<%= singular_table_name %>.update(<%= "#{singular_table_name}_params" %>)
       render json: @<%= singular_table_name %>
     else
       render json: @<%= singular_table_name %>.errors, status: :unprocessable_entity

data/lib/generators/authentication/templates/controllers/api/identity/password_resets_controller.rb.tt

@@ -1,9 +1,9 @@
 class Identity::PasswordResetsController < ApplicationController
   skip_before_action :authenticate
 
-<% if options.lockable? -%>
+  <%- if options.lockable? -%>
   before_action :require_locking, only: :create
-<% end -%>
+  <%- end -%>
   before_action :set_<%= singular_table_name %>, only: :update
 
   def create
@@ -32,11 +32,11 @@ class Identity::PasswordResetsController < ApplicationController
     def <%= "#{singular_table_name}_params" %>
       params.permit(:password, :password_confirmation)
     end
-<% if options.lockable? %>
+    <%- if options.lockable? %>
     def require_locking
       Locking.lock_on("password_reset_lock:#{request.remote_ip}", wait: 1.hour, attempts: 10) do
         render json: { error: "You've exceeded the maximum number of attempts" }, status: :too_many_requests
       end
     end
-<% end -%>
+    <%- end -%>
 end

data/lib/generators/authentication/templates/controllers/api/sessions/sudos_controller.rb.tt

@@ -3,7 +3,7 @@ class Sessions::SudosController < ApplicationController
     session = Current.session
 
     if session.<%= singular_table_name %>.authenticate(params[:password])
-      session.update! sudo_at: Time.current
+      session.sudo.mark expires_in: 30.minutes
     else
       render json: { error: "The password you entered is incorrect" }, status: :bad_request
     end

data/lib/generators/authentication/templates/controllers/html/application_controller.rb.tt

@@ -0,0 +1,25 @@
+class ApplicationController < ActionController::Base
+  before_action :set_current_request_details
+  before_action :authenticate
+  <%- if options.sudoable? %>
+  def require_sudo
+    unless Current.session.sudo?
+      redirect_to new_sessions_sudo_path(proceed_to_url: request.url)
+    end
+  end
+  <%- end -%>
+
+  private
+    def authenticate
+      if session = Session.find_by_id(cookies.signed[:session_token])
+        Current.session = session
+      else
+        redirect_to sign_in_path
+      end
+    end
+
+    def set_current_request_details
+      Current.user_agent = request.user_agent
+      Current.ip_address = request.ip
+    end
+end

data/lib/generators/authentication/templates/controllers/html/identity/emails_controller.rb.tt

@@ -1,12 +1,13 @@
 class Identity::EmailsController < ApplicationController
-  before_action :require_sudo
   before_action :set_<%= singular_table_name %>
 
   def edit
   end
 
   def update
-    if @<%= singular_table_name %>.update(<%= "#{singular_table_name}_params" %>)
+    if !@<%= singular_table_name %>.authenticate(params[:current_password])
+      redirect_to edit_identity_email_path, alert: "The password you entered is incorrect"
+    elsif @<%= singular_table_name %>.update(<%= "#{singular_table_name}_params" %>)
       redirect_to root_path, notice: "Your email has been changed"
     else
       render :edit, status: :unprocessable_entity

data/lib/generators/authentication/templates/controllers/html/identity/password_resets_controller.rb.tt

@@ -1,9 +1,9 @@
 class Identity::PasswordResetsController < ApplicationController
   skip_before_action :authenticate
 
-<% if options.lockable? -%>
+  <%- if options.lockable? -%>
   before_action :require_locking, only: :create
-<% end -%>
+  <%- end -%>
   before_action :set_<%= singular_table_name %>, only: %i[ edit update ]
 
   def new
@@ -39,11 +39,11 @@ class Identity::PasswordResetsController < ApplicationController
     def <%= "#{singular_table_name}_params" %>
       params.permit(:password, :password_confirmation)
     end
-<% if options.lockable? %>
+    <%- if options.lockable? %>
     def require_locking
       Locking.lock_on("password_reset_lock:#{request.remote_ip}", wait: 1.hour, attempts: 10) do
         redirect_to new_identity_password_reset_path, alert: "You've exceeded the maximum number of attempts"
       end
     end
-<% end -%>
+    <%- end -%>
 end

data/lib/generators/authentication/templates/controllers/html/sessions/sudos_controller.rb.tt

@@ -5,12 +5,12 @@ class Sessions::SudosController < ApplicationController
   def create
     session = Current.session
 
-<% if omniauthable? -%>
+    <%- if omniauthable? -%>
     if session.<%= singular_table_name %>.authenticate(params[:password]) || session.<%= singular_table_name %>.provider
-<% else -%>
+    <%- else -%>
     if session.<%= singular_table_name %>.authenticate(params[:password])
-<% end -%>
-      session.update!(sudo_at: Time.current); redirect_to(params[:proceed_to_url])
+    <%- end -%>
+      session.sudo.mark(expires_in: 30.minutes); redirect_to(params[:proceed_to_url])
     else
       redirect_to new_sessions_sudo_path(proceed_to_url: params[:proceed_to_url]), alert: "The password you entered is incorrect"
     end

data/lib/generators/authentication/templates/controllers/html/sessions_controller.rb.tt

@@ -15,10 +15,23 @@ class SessionsController < ApplicationController
     <%= singular_table_name %> = <%= class_name %>.find_by(email: params[:email])
 
     if <%= singular_table_name %> && <%= singular_table_name %>.authenticate(params[:password])
+      <%- if two_factor? -%>
+      if <%= singular_table_name %>.otp_secret
+        signed_id = <%= singular_table_name %>.signed_id(purpose: :authentication_challenge, expires_in: 20.minutes)
+
+        redirect_to new_two_factor_authentication_challenge_path(token: signed_id)
+      else
+        @session = <%= singular_table_name %>.sessions.create!
+        cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
+
+        redirect_to root_path, notice: "Signed in successfully"
+      end
+      <%- else -%>
       @session = <%= singular_table_name %>.sessions.create!
       cookies.signed.permanent[:session_token] = { value: @session.id, httponly: true }
 
       redirect_to root_path, notice: "Signed in successfully"
+      <%- end -%>
     else
       redirect_to sign_in_path(email_hint: params[:email]), alert: "That email or password is incorrect"
     end

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/challenges_controller.rb.tt

@@ -0,0 +1,28 @@
+class TwoFactorAuthentication::ChallengesController < ApplicationController
+  skip_before_action :authenticate
+
+  before_action :set_<%= singular_table_name %>
+
+  def new
+  end
+
+  def create
+    @totp = ROTP::TOTP.new(@<%= singular_table_name %>.otp_secret, issuer: "YourAppName")
+
+    if @totp.verify(params[:code], drift_behind: 15)
+      session = @<%= singular_table_name %>.sessions.create!
+      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+
+      redirect_to root_path, notice: "Signed in successfully"
+    else
+      redirect_to new_two_factor_authentication_challenge_path(token: params[:token]), alert: "That code didn't work. Please try again"
+    end
+  end
+
+  private
+    def set_<%= singular_table_name %>
+      @<%= singular_table_name %> = <%= class_name %>.find_signed!(params[:token], purpose: :authentication_challenge)
+    rescue
+      redirect_to sign_in_path, alert: "That's taking too long. Please re-enter your password and try again"
+    end
+end

data/lib/generators/authentication/templates/controllers/html/two_factor_authentication/totps_controller.rb.tt

@@ -0,0 +1,27 @@
+class TwoFactorAuthentication::TotpsController < ApplicationController
+  before_action :set_<%= singular_table_name %>
+  before_action :set_totp
+
+  def new
+    @qr_code = RQRCode::QRCode.new(@totp.provisioning_uri(@<%= singular_table_name %>.email))
+  end
+
+  def create
+    if !@<%= singular_table_name %>.authenticate(params[:current_password])
+      redirect_to two_factor_authentication_totp_path, alert: "The password you entered is incorrect"
+    elsif @totp.verify(params[:code], drift_behind: 15)
+      @<%= singular_table_name %>.update! otp_secret: params[:secret]
+      redirect_to root_path, notice: "2FA is enabled on your account"
+    else
+      redirect_to two_factor_authentication_totp_path, alert: "That code didn't work. Please try again"
+    end
+  end
+
+  def set_<%= singular_table_name %>
+    @<%= singular_table_name %> = Current.<%= singular_table_name %>
+  end
+
+  def set_totp
+    @totp = ROTP::TOTP.new(params[:secret] || ROTP::Base32.random, issuer: "YourAppName")
+  end
+end

data/lib/generators/authentication/templates/erb/identity/emails/edit.html.erb.tt

@@ -21,6 +21,11 @@
     </div>
   <%% end %>
 
+  <div>
+    <%%= form.label :current_password, style: "display: block" %>
+    <%%= form.password_field :current_password, required: true, autofocus: true, autocomplete: "current-password" %>
+  </div>
+
   <div>
     <%%= form.label :email, "New email", style: "display: block" %>
     <%%= form.email_field :email %>

data/lib/generators/authentication/templates/erb/identity/password_resets/edit.html.erb.tt

@@ -13,7 +13,7 @@
     </div>
   <%% end %>
 
-  <%%= hidden_field_tag :token, params[:token] %>
+  <%%= form.hidden_field :token, value: params[:token] %>
 
   <div>
     <%%= form.label :password, "New password", style: "display: block" %>

data/lib/generators/authentication/templates/erb/passwords/edit.html.erb.tt

@@ -16,8 +16,8 @@
   <%% end %>
 
   <div>
-    <%%= label_tag :current_password, nil, style: "display: block" %>
-    <%%= password_field_tag :current_password, nil, required: true, autofocus: true, autocomplete: "current-password" %>
+    <%%= form.label :current_password, style: "display: block" %>
+    <%%= form.password_field :current_password, required: true, autofocus: true, autocomplete: "current-password" %>
   </div>
 
   <div>

data/lib/generators/authentication/templates/erb/sessions/sudos/new.html.erb.tt

@@ -4,10 +4,10 @@
 
 <%%= form_with(url: sessions_sudo_path) do |form| %>
 
-  <%%= hidden_field_tag :proceed_to_url, params[:proceed_to_url] %>
+  <%%= form.hidden_field :proceed_to_url, value: params[:proceed_to_url] %>
 
   <div>
-    <%%= password_field_tag :password, nil, required: true, autofocus: true, autocomplete: "current-password" %>
+    <%%= form.password_field :password, required: true, autofocus: true, autocomplete: "current-password" %>
   </div>
 
   <div>

data/lib/generators/authentication/templates/erb/two_factor_authentication/challenges/new.html.erb.tt

@@ -0,0 +1,16 @@
+<p style="color: red"><%%= alert %></p>
+
+<%%= form_with(url: two_factor_authentication_challenge_path) do |form| %>
+  <%%= form.hidden_field :token, value: params[:token] %>
+
+  <div>
+    <%%= form.label :code do %>
+      <h1>Next, open the 2FA authenticator app on your phone and type the six digit code below:</h1>
+    <%% end %>
+    <%%= form.text_field :code, autofocus: true, required: true, autocomplete: :off %>
+  </div>
+
+  <div>
+    <%%= form.submit "Verify" %>
+  </div>
+<%% end %>