cookie_crypt 1.1.1 → 1.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cd6be403f4ffd116ee2af138abec9364b4f81a80
-  data.tar.gz: a135e2aa98c8b52251f5d000b7f6f13120c377e7
+  metadata.gz: 1ab81907032931a103687c8af34b6a15ba88b053
+  data.tar.gz: e1394c2e8fe187f3b1363aa76cc340bc4eae0357
 SHA512:
-  metadata.gz: fd8b49990f3a4e3692ebb9b72fc071071064fee4dd7bd444c170dda7a46f6bacaa28e5b618260394fe79eec44a0a17aab6e06d235ae2754cd65eaf0ada130cc6
-  data.tar.gz: 834e21eb5f589775cb0b050d2e77c00e080a965a0731885d4bea9455b976b21a9674f568c499f881664f68a3ec9b8bce7883cc1c04f79e13543e8174c6ca4266
+  metadata.gz: cbc8b54e05d8a9aeff50f4e89493f169e4d199171f85a9a02accd7f552b2a58e0b2ae8230b894a9d5a8a5a000bf6143b80c1be9e3b75820d23f7e5d3df7eb998
+  data.tar.gz: 8568e107349345aa016964bad0edd7296e82818a8e7ae5ac1ff0c508f0165383d6460d34dcb0f2c4c6134d7beaa4f54d8c0f7c387fc01f60340a14c4eed1da25

data/README.md

@@ -44,7 +44,10 @@ Run the migration with:
 
     bundle exec rake db:migrate
 
-With the 1.1 update, more steps are required. After following the above steps or upgrading from a previous version, run the command:
+With the 1.1 update, more steps are required if you are upgrading from a previous install. If you are installing this gem for
+the first time, you can disregard everything up to "Customization" as the generator will only install exactly what you need.
+
+If you are upgrading from a previous version, run the command:
 
     bundle exec rails g cookie_crypt MODEL
 
@@ -56,6 +59,7 @@ This process will move your data (in a dev environment) from the old system to t
 
 ### Production Updating from 1.0 to 1.1
 
+If you do not care about your users having to redo their questions / answers when their cookie expires, you can skip this process.
 Assuming all files are already on the production box, run
 
     bundle exec rake db:migrate VERSION=(version of the FIRST migration)
@@ -73,7 +77,7 @@ Again to remove the old fields.
 
 ### Customization
 
-By default encrypted cookie two factor authentication is enabled for each user, you can change it with this method in your User model:
+By default encrypted cookie two factor authentication is enabled for each user, you can change it with this method in your User model (if thats what you chose to Cookie Crypt):
 
 ```ruby
   def need_two_factor_authentication?(request)
@@ -83,7 +87,45 @@ By default encrypted cookie two factor authentication is enabled for each user,
 
 This will disable two factor authentication for local users and just put the code in the logs.
 
-It is recommended to take a look at the source for the views, they are not complex but the default ones may not suit your design.
+It is recommended to take a look at the source for the views, they are not overly complex but the default ones may not suit your design.
+
+You can also customize options set in config/initializers/devise.rb. The default options tend to be best practices but may not suit your needs.
+
+Question-auth refers to when a user does not have a cookie or their cookie has expired. If they have a valid cookie and user agent as described above, they will bypass
+the question-auth.
+* cookie_crypt_auth_through
+    * :one_question_cyclical
+        * The default
+        * Each user must answer only one of their questions at the end of a cookie cycle to authenticate.
+        * The questions are chosen cyclically, the user will not answer the same question the next time they have to question-auth through two-factor
+        * This prevents users logging in on a new machine from always being shown the same questions and is more secure
+    * :one_question_random
+        * The user is shown a random question that was not their previous question every time they question-auth through two-factor, otherwise exactly like cyclical
+        * The question asked in the previous question-auth will never be the next question-auth's question.
+    * :two_questions_cyclical
+        * Exactly like one_question_cyclical except two questions must be answered every question-auth
+    * :two_questions_random
+        * Exactly like one_question_random except two questions must be answered every question-auth
+        * Note: the questions will never be the same question or the FIRST question that was asked last question-auth.
+    * :all_questions
+        * This option is not advised, but is available. It is the old functionality the system had.
+        * The user must answer all authentication questions every question-auth session
+* cookie_crypt_minimum_questions
+    * Default is 3
+    * Minimum number of questions and answers the user must enter into the system on their initial attempt
+    * Systems upgrading from 1.0 will prompt the user to add the difference in numbers of questions and answers
+* cycle_question_on_fail_count
+    * Default is 2
+    * Minimum number of failed attempts before the question(s) is(are) cycled to the next question(s)
+* enable_custom_question_counts
+    * Default is false
+    * Allows users to have more than the minimum number of security question / answer pairs. It should be noted that this enables some ajax functionality on the views page.
+* max_cookie_crypt_login_attempts
+    * Default is 3
+    * The maximum number of tries a user has before they are locked out of cookie crypt and unable to fully login.
+* cookie_deletion_time_frame
+    * Default is '30.days.from.now'
+    * Must be a string that evaluates to a date in the future.
 
 ### Rationalle
 
@@ -128,34 +170,4 @@ What cookie crypt doesnt prevent:
 
 Afterword: Spoofing a user agent is not that difficult, any modern browser with dev tools can change its user agent rather easily. The catch is that the values
 need to match with what the user already has which requires additional work on the attacker's part. Also, The system recognizes updates to both the user's OS AND 
-browser.
-
-
-### Whats new with the 1.1 Update
-* Reworked security questions and answers to allow for more customization options
-* cookie_crypt_auth_through
-    * :one_question_cyclical
-        * The default
-        * Each user must answer only one of their questions at the end of a cookie cycle to authenticate.
-        * The questions are chosen cyclically, the user will not answer the same question the next time they have to auth through two-factor
-        * This prevents users logging in on a new machine from always being shown the same questions and is more secure
-    * :one_question_random
-        * The user is shown a random question that was not their previous question every time they auth through two-factor, otherwise exactly like cyclical
-    * :two_questions_cyclical
-        * Exactly like one_question_cyclical except two questions must be answered every auth
-    * :two_questions_random
-        * Exactly like one_question_random except two questions must be answered every auth
-    * :all_questions
-        * This option is not advised, but is available. It is the old functionality the system had.
-        * The user must answer all authentication questions every auth session
-* cookie_crypt_minimum_questions
-    * Default is 3
-    * Minimum number of questions and answers the user must enter into the system on their initial attempt
-    * Systems upgrading from 1.0 will prompt the user to add the difference in numbers of questions and answers
-* cycle_question_on_fail_count
-    * Default is 2
-    * Minimum number of failed attempts before the question(s) is(are) cycled to the next question(s)
-    * Works in conjunction with max_cookie_crypt_login_attempts
-* enable_custom_question_counts
-    * Default is false
-    * Allows users to have more than the minimum number of security question / answer pairs.
+browser. It should also be noted that cookies served over https are also further encrypted, making it much more difficult for an attacker to get the user's auth-cookie.

data/app/controllers/devise/cookie_crypt_controller.rb

@@ -47,11 +47,9 @@ class Devise::CookieCryptController < DeviseController
     elsif (h.keys.count/2) < resource.class.cookie_crypt_minimum_questions # Need to update hash from an old install
 
       ((h.keys.count/2)+1..(params[:security].keys.count/2)+((h.keys.count/2))).each do |n|
-        puts "TESTING::#{n}"
         h["security_question_#{n}"] = sanitize(params[:security]["security_question_#{n}".to_sym])
         h["security_answer_#{n}"] = Digest::SHA512.hexdigest(sanitize(params[:security]["security_answer_#{n}".to_sym]))
       end
-      puts "TESTING2::#{h}"
       resource.security_hash = h.to_s
 
       resource.save
@@ -101,37 +99,46 @@ class Devise::CookieCryptController < DeviseController
         if resource.class.cookie_crypt_auth_through == :one_question_cyclical
           set_cyclicial_cyclemod(h)
         elsif resource.class.cookie_crypt_auth_through == :one_question_random
-          set_random_cyclemod
+          set_random_cyclemod(h)
         elsif resource.class.cookie_crypt_auth_through == :two_questions_cyclical
           set_cyclicial_cyclemod(h)
 
           if session[:cyclemod]+resource.security_cycle+1 <= h.keys.count/2
-            next_question_mod = session[:cyclemod]+1
+            next_question_mod = session[:cyclemod]+resource.security_cycle+1
           else
-            next_question_mod = 0
+            next_question_mod = 1
           end
 
           @questions << h["security_question_#{next_question_mod}"]
         elsif resource.class.cookie_crypt_auth_through == :two_questions_random
           if resource.cookie_crypt_attempts_count == 0
-            session[:cyclemod] = Random.rand(0..(h.keys.count/2))
-            r = Random.rand(0..(h.keys.count/2))
-            while session[:cyclemod] != r && resource.security_cycle != r
-              r = Random.rand(0..(h.keys.count/2))
+            session[:cyclemod] ||= Random.rand(1..(h.keys.count/2))
+            r = Random.rand(1..(h.keys.count/2))
+            while session[:cyclemod] == r || resource.security_cycle == r
+              r = Random.rand(1..(h.keys.count/2))
             end
-            session[:cyclemod2] = r
-          elsif resource.cookie_crypt_attempts_count != 0 && resource.cookie_crypt_attempts_count%resource.class.cycle_question_on_fail_count == 0 
-            r = Random.rand(0..(h.keys.count/2))
-            while session[:cyclemod] != r && resource.security_cycle != r
-              r = Random.rand(0..(h.keys.count/2))
+            session[:cyclemod2] ||= r
+          elsif resource.cookie_crypt_attempts_count != 0 && resource.cookie_crypt_attempts_count%resource.class.cycle_question_on_fail_count == 0
+            #The tick assists pages that are running redirects to other sources while in two-factor mode. Without it, their
+            #cyclemod would desynch from the expected value on the change event (this if case) and they would be unable to auth unless the randoms matched.
+            session[:cookie_tick] ||= 0 
+            session[:cookie_tick] += 1
+
+            if session[:cookie_tick] == 1
+              r = Random.rand(1..(h.keys.count/2))
+              while session[:cyclemod] == r || resource.security_cycle == r
+                r = Random.rand(1..(h.keys.count/2))
+              end
+              session[:cyclemod] = r
+
+              r = Random.rand(1..(h.keys.count/2))
+              while session[:cyclemod] == r || resource.security_cycle == r
+                r = Random.rand(1..(h.keys.count/2))
+              end
+              session[:cyclemod2] = r
             end
-            session[:cyclemod] = r
-
-            r = Random.rand(0..(h.keys.count/2))
-            while session[:cyclemod] != r && resource.security_cycle != r
-              r = Random.rand(0..(h.keys.count/2))
-            end
-            session[:cyclemod2] = r
+          else #reset the tick
+            session[:cookie_tick] = 0
           end
 
           @questions << h["security_question_#{session[:cyclemod2]}"]
@@ -145,6 +152,7 @@ class Devise::CookieCryptController < DeviseController
         unless resource.class.cookie_crypt_auth_through == :all_questions
           if resource.class.cookie_crypt_auth_through == :one_question_cyclical || 
             resource.class.cookie_crypt_auth_through == :two_questions_cyclical
+
             @questions << h["security_question_#{resource.security_cycle+session[:cyclemod]}"]
           else #random cyclemod case
             @questions << h["security_question_#{session[:cyclemod]}"]

data/lib/cookie_crypt/controllers/helpers.rb

@@ -71,6 +71,11 @@ module CookieCrypt
 
       def matching_answers? hash
         answers = []
+        answers_from_form = []
+        params[:security_answers].each_key do |key|
+          answers_from_form << key
+        end
+        
         unless resource.class.cookie_crypt_auth_through == :all_questions
           if resource.class.cookie_crypt_auth_through == :one_question_cyclical || 
             resource.class.cookie_crypt_auth_through == :two_questions_cyclical
@@ -83,7 +88,7 @@ module CookieCrypt
 
         if resource.class.cookie_crypt_auth_through == :two_questions_cyclical
           if session[:cyclemod]+resource.security_cycle+1 <= hash.keys.count/2
-            next_question_mod = session[:cyclemod]+1
+            next_question_mod = session[:cyclemod]+resource.security_cycle+1
           else
             next_question_mod = 0
           end
@@ -99,7 +104,7 @@ module CookieCrypt
 
         authed = false
         a_arr = []
-        answers.sort.each do |key|
+        answers.each do |key|
           if hash[key] == Digest::SHA512.hexdigest(sanitize(params[:security_answers][key]))
             a_arr[answers.index(key)] = true
           else
@@ -123,11 +128,11 @@ module CookieCrypt
 
       def set_random_cyclemod hash
         if resource.cookie_crypt_attempts_count == 0
-          session[:cyclemod] = Random.rand(0..(hash.keys.count/2))
+          session[:cyclemod] = Random.rand(1..(hash.keys.count/2))
         elsif resource.cookie_crypt_attempts_count != 0 && resource.cookie_crypt_attempts_count%resource.class.cycle_question_on_fail_count == 0 
-          r = Random.rand(0..(hash.keys.count/2))
-          while session[:cyclemod] != r && resource.security_cycle != r
-            r = Random.rand(0..(hash.keys.count/2))
+          r = Random.rand(1..(hash.keys.count/2))
+          while session[:cyclemod] == r || resource.security_cycle == r
+            r = Random.rand(1..(hash.keys.count/2))
           end
           session[:cyclemod] = r
 
@@ -135,12 +140,20 @@ module CookieCrypt
       end
 
       def update_resource_cycle hash
-        if resource.security_cycle+1 > hash.keys.count/2
-          resource.security_cycle = 1
-        else
-          resource.security_cycle += 1
-        end
+        if resource.class.cookie_crypt_auth_through == :one_question_cyclical || 
+          resource.class.cookie_crypt_auth_through == :two_questions_cyclical
 
+          if resource.security_cycle+1 > hash.keys.count/2
+            resource.security_cycle = 1
+          else
+            resource.security_cycle += 1
+          end
+        elsif resource.class.cookie_crypt_auth_through == :one_question_random || 
+          resource.class.cookie_crypt_auth_through == :two_questions_random
+
+          resource.security_cycle = session[:cyclemod]
+        end
+        
         resource.save
       end
 

data/lib/cookie_crypt/version.rb

@@ -1,3 +1,3 @@
 module CookieCrypt
-  VERSION = "1.1.1"
+  VERSION = "1.1.2"
 end

data/lib/generators/active_record/cookie_crypt_generator.rb

@@ -5,14 +5,28 @@ module ActiveRecord
     class CookieCryptGenerator < ActiveRecord::Generators::Base
       source_root File.expand_path("../templates", __FILE__)
 
+      #This should only be triggered on a system that has no previous install(s)
+      def copy_cookie_crypt_migration_all
+        if ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_question_one: string'].blank?") &&
+          ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_hash: text'].blank?")
+
+          @ignore_other_migrations = true
+          migration_template "migration_complete.rb", "db/migrate/cookie_crypt_complete_install_add_to_#{table_name}"
+        end
+      end
+
       def copy_cookie_crypt_migration_1_0
-        if ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_question_one: string'].blank?")
+        if ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_question_one: string'].blank?") &&
+          !@ignore_other_migrations
+
           migration_template "migration.rb", "db/migrate/cookie_crypt_add_to_#{table_name}"
         end
       end
 
       def copy_cookie_crypt_migration_1_1
-        if ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_hash: text'].blank?")
+        if ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_hash: text'].blank?") &&
+          !@ignore_other_migrations
+
           migration_template "migration_1_1.rb", "db/migrate/cookie_crypt_1_1_update_to_#{table_name}"
         end
       end

data/lib/generators/active_record/templates/migration_complete.rb

@@ -0,0 +1,11 @@
+class CookieCryptCompleteInstallAddTo<%= table_name.camelize %> < ActiveRecord::Migration
+  def change
+    change_table :<%= table_name %> do |t|
+      <%='t.string   :username, null: false, default: ""' if ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['username: string'].blank?") %>
+      t.text     :security_hash, default: "{}"
+      t.integer  :security_cycle, default: 1
+      t.text     :agent_list, default: ""
+      t.integer  :cookie_crypt_attempts_count, default: 0
+    end
+  end
+end

data/lib/generators/cookie_crypt/cookie_crypt_generator.rb

@@ -62,8 +62,6 @@ module CookieCryptable
           copy_file "_extra_fields.html.erb", "app/views/devise/cookie_crypt/_extra_fields.html.erb"
           File.delete("app/views/devise/cookie_crypt/show.html.erb")
           copy_file "show.html.erb", "app/views/devise/cookie_crypt/show.html.erb"
-
-          puts "Please run rake db:migrate then run this generator again to cleanup unused fields."
         end
       end
 
@@ -82,8 +80,6 @@ module CookieCryptable
               obj.security_hash = h.to_s
 
               obj.save
-
-              puts "#{obj.security_hash}"
             end
 
             puts "Completed data cleanup, database is now 1.1 ready."

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cookie_crypt
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 1.1.2
 platform: ruby
 authors:
 - Dmitrii Golub
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-21 00:00:00.000000000 Z
+date: 2013-11-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -103,6 +103,7 @@ files:
 - lib/generators/active_record/templates/migration.rb
 - lib/generators/active_record/templates/migration_1_1.rb
 - lib/generators/active_record/templates/migration_1_1_cleanup.rb
+- lib/generators/active_record/templates/migration_complete.rb
 - lib/generators/cookie_crypt/cookie_crypt_generator.rb
 homepage: https://github.com/loualrid/CookieCrypt
 licenses: