authlogic_motp 1.0.0

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/CHANGELOG.rdoc

@@ -0,0 +1,3 @@
+== 1.0.0 released 2011-12-6
+
+* Initial release

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in authlogic_motp.gemspec
+gemspec

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2011 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Manifest.txt

@@ -0,0 +1,12 @@
+CHANGELOG.rdoc
+MIT-LICENSE
+Manifest.txt
+README.rdoc
+Rakefile
+init.rb
+lib/authlogic_motp.rb
+lib/authlogic_motp/acts_as_authentic.rb
+lib/authlogic_motp/session.rb
+lib/authlogic_motp/version.rb
+rails/init.rb
+test/test_authlogic_motp.rb

data/README.rdoc

@@ -0,0 +1,67 @@
+= Authlogic MOTP
+
+Authlogic MOTP is an extension of the Authlogic library to add Mobile-OTP support.
+
+== Helpful links
+
+*	<b>Mobile-OTP:</b> http://motp.sourceforge.net
+*	<b>Authlogic:</b> http://github.com/binarylogic/authlogic
+
+== Requirements
+
+authlogic_motp requires, of course, that authlogic is installed on your server.
+It also assumes that registration of users (issuing/syncing secrets and PIN codes) will be handled by you.
+
+== Install and use
+
+=== 1. Install the Authlogic MOTP gem
+
+  $ sudo gem install authlogic_motp
+
+Now add the gem dependency in your config:
+
+  Gemfile (Rails 3):
+    gem 'authlogic_motp'
+  
+  config (Rails <3)
+    config.gem "authlogic_motp"
+
+=== 2. Make some simple changes to your database:
+
+  class AddUsersMotpFields < ActiveRecord::Migration
+    def self.up
+      add_column :users, :motp_secret, :string
+      add_column :users, :motp_pin, :string
+      add_column :users, :motp_cache, :string
+
+      change_column :users, :crypted_password, :string, :default => nil, :null => true
+      change_column :users, :password_salt, :string, :default => nil, :null => true
+    end
+
+    def self.down
+      remove_column :users, :motp_secret
+      remove_column :users, :motp_pin
+      remove_column :users, :motp_cache
+
+      [:crypted_password, :password_salt].each do |field|
+        User.all(:conditions => "#{field} is NULL").each { |user| user.update_attribute(field, "") if user.send(field).nil? }
+        change_column :users, field, :string, :default => "", :null => false
+      end
+    end
+  end
+  
+=== 2. Setup your views
+
+authlogic-motp expects the login and password fields in your login form to be named "otp-login" and "otp-password".
+The user should enter their usual login value, and then the OTP generated on their device for the password.
+
+=== 3. Issue credentials
+
+Each user will have to be issued a secret (in general a 16 character long HEX string), which they will use to initialize their account on the OTP device, and also a PIN (in general a 4 digit number) used to generate passwords.  Some client programs allow the secret to be generated on the device.  In this case the user will have to communicate both secret and pin to the administrator for registration.
+
+These should be stored in :motp_secret and :motp_pin respectively.
+  
+
+
+Copyright (c) 2011 Martin Chandler, released under the MIT license
+

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/authlogic_motp.gemspec

@@ -0,0 +1,27 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "authlogic_motp/version"
+
+Gem::Specification.new do |s|
+  s.name        = "authlogic_motp"
+  s.version     = AuthlogicMotp::VERSION
+  s.authors     = ["Martin Chandler"]
+  s.email       = ["browntigerz.lair@gmail.com"]
+  s.homepage    = "http://github.com/browntiger/authlogic_motp"
+  s.summary     = %q{Extension of the Authlogic library to add Mobile-OTP support.}
+  s.description = %q{Extension of the Authlogic library to add Mobile-OTP support.}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.extra_rdoc_files = ["README.rdoc"]
+
+#  s.rubyforge_project = "authlogic_motp"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+#  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  # specify any dependencies here; for example:
+  # s.add_development_dependency "rspec"
+  # s.add_runtime_dependency "rest-client"
+  s.add_runtime_dependency "authlogic"
+end

data/init.rb

@@ -0,0 +1 @@
+require File.dirname(__FILE__) + "/rails/init.rb"

data/lib/authlogic_motp.rb

@@ -0,0 +1,6 @@
+require "authlogic_motp/version"
+require 'authlogic_motp/acts_as_authentic'
+require 'authlogic_motp/session'
+
+ActiveRecord::Base.send(:include, AuthlogicMotp::ActsAsAuthentic)
+Authlogic::Session::Base.send(:include, AuthlogicMotp::Session)

data/lib/authlogic_motp/acts_as_authentic.rb

@@ -0,0 +1,18 @@
+module AuthlogicMotp
+  module ActsAsAuthentic
+    def self.included(klass)
+      klass.class_eval do
+        extend Config
+        add_acts_as_authentic_module(Methods, :prepend)
+      end
+    end
+    
+    module Config
+
+    end
+    
+    module Methods
+
+    end
+  end
+end

data/lib/authlogic_motp/session.rb

@@ -0,0 +1,138 @@
+require 'digest/md5'
+module AuthlogicMotp
+  module Session
+    def self.included(klass)
+      klass.class_eval do
+        extend Config
+        include Methods
+      end
+    end
+    
+    module Config
+      def motp_maxperiod(value = nil)
+        rw_config(:motp_maxperiod_method, value, :motp_maxperiod)
+      end
+      alias_method :motp_maxperiod=, :motp_maxperiod
+    end
+    
+    module Methods
+      def self.included(klass)
+        klass.class_eval do
+          attr_accessor :otp_login
+          attr_accessor :otp_password
+          
+          validate :validate_by_otp, :if => :authenticating_with_otp?
+        end
+      end
+      
+      def credentials
+        if authenticating_with_otp?
+          details = {}
+          details[:otp_login] = send(login_field)
+          details[:otp_password] = '<protected>'
+          details
+        else
+          super
+        end
+      end
+      
+      def credentials=(value)
+        super
+        values = value.is_a?(Array) ? value : [value]
+        hash = values.first.is_a?(Hash) ? values.first.with_indifferent_access : nil
+        if !hash.nil?
+          self.otp_login = hash[:otp_login] if hash.key?(:otp_login)
+          self.otp_password = hash[:otp_password] if hash.key?(:otp_password)
+        end
+      end
+      
+      private
+      def authenticating_with_otp?
+        !otp_login.blank? || !otp_password.blank?
+      end
+      
+      def motp_maxperiod
+        self.class.motp_maxperiod
+      end
+      
+      def find_by_otp_login_method
+        self.class.find_by_login_method
+      end
+      
+      def generalize_credentials_error_messages?
+        self.class.generalize_credentials_error_messages
+      end
+      
+      def add_general_credentials_error
+        error_message =
+        if self.class.generalize_credentials_error_messages.is_a? String
+          self.class.generalize_credentials_error_messages
+        else
+          "Login credentials are not valid"
+        end
+        errors.add(:base, I18n.t('error_messages.general_credentials_error', :default => error_message))
+      end
+      
+      def validate_by_otp
+        errors.add(:login, I18n.t('error_messages.login_blank', :default => 'cannot be blank')) if otp_login.blank?
+        errors.add(:password, I18n.t('error_messages.password_blank', :default => 'cannot be blank')) if otp_password.blank?
+        return if errors.count > 0
+        
+        self.attempted_record = klass.send(find_by_otp_login_method, otp_login)
+        if attempted_record.blank?
+          generalize_credentials_error_messages? ?
+            add_general_credentials_error :
+            errors.add(:login, I18n.t('error_messages.login_not_found', :default => "does not exist"))
+          return
+        else
+          # don't allow otp that have been successfully used recently in the past
+          # even if it is within the legal time frame (otp does mean _one_ time password!)
+          old_otp = attempted_record.otp_cache.split(',') unless attempted_record.otp_cache.blank?
+          old_otp ||= []
+          otp_hash = Digest::MD5.hexdigest(otp_password)
+          if old_otp.include?(otp_hash)
+            generalize_credentials_error_messages? ?
+              add_general_credentials_error :
+              errors.add(:password, I18n.t('error_messages.password_invalid', :default => "is invalid"))
+            return
+          end
+          
+          if CheckMOTP.validate(attempted_record.otp_secret, attempted_record.otp_pin, otp_password, motp_maxperiod)
+            # cache the otp so we can check against it next time
+            old_otp.pop if old_otp.length == 5
+            old_otp << otp_hash
+            attempted_record.update_attribute(:otp_cache, old_otp.join(","))
+          else
+            generalize_credentials_error_messages? ?
+              add_general_credentials_error :
+              errors.add(:password, I18n.t('error_messages.password_invalid', :default => "is invalid"))
+            return
+          end
+        end
+      end
+    end
+  end
+  
+  class CheckMOTP
+    def initialize
+      @tmp_md5 = ''
+    end
+    
+    def self.validate(secret,pin,otp,period=3)
+      maxperiod = period * 60 # in seconds
+      time = Time.now.utc.to_i
+      ((time - maxperiod)..(time + maxperiod)).each do |n|
+        md5 = generate_otp(n,secret,pin)
+        next if md5 == @tmp_md5
+        @tmp_md5 = md5
+        
+        return true if md5.downcase == otp.chomp.downcase
+      end
+      false
+    end
+    
+    def self.generate_otp(time,secret,pin)
+      Digest::MD5.hexdigest(time.to_s.chop << secret << pin.to_s)[0,6]
+    end
+  end
+end

data/lib/authlogic_motp/version.rb

@@ -0,0 +1,3 @@
+module AuthlogicMotp
+  VERSION = "1.0.0"
+end

data/rails/init.rb

@@ -0,0 +1 @@
+require 'authlogic_motp'

metadata

@@ -0,0 +1,72 @@
+--- !ruby/object:Gem::Specification
+name: authlogic_motp
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Martin Chandler
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-12-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: authlogic
+  requirement: &12154840 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *12154840
+description: Extension of the Authlogic library to add Mobile-OTP support.
+email:
+- browntigerz.lair@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.rdoc
+files:
+- .gitignore
+- CHANGELOG.rdoc
+- Gemfile
+- MIT-LICENSE
+- Manifest.txt
+- README.rdoc
+- Rakefile
+- authlogic_motp.gemspec
+- init.rb
+- lib/authlogic_motp.rb
+- lib/authlogic_motp/acts_as_authentic.rb
+- lib/authlogic_motp/session.rb
+- lib/authlogic_motp/version.rb
+- rails/init.rb
+homepage: http://github.com/browntiger/authlogic_motp
+licenses: []
+post_install_message: 
+rdoc_options:
+- --charset=UTF-8
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.12
+signing_key: 
+specification_version: 3
+summary: Extension of the Authlogic library to add Mobile-OTP support.
+test_files: []