cookie_crypt 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 03a95f39e7dfef045da3c962fd52a2df5ace9e11
-  data.tar.gz: af04600f35989fb07666ec55558406210f16612f
+  metadata.gz: 79b8a44522cb81c5ce3f8f162a2b5e85f2f9066b
+  data.tar.gz: d23f608c9c30e1fa0c4bcbcdcfef8341bd219425
 SHA512:
-  metadata.gz: 645fa5fe1fe957cd9d4157a0ecf1978ddf0cba504a720029a332239aa9b70b454058f7a64693978d4b12a419e6e167631fb83cee8bdceb5f6ec6cc87c25626cc
-  data.tar.gz: 938a738da2b1f352aeb1309fb6b1bb0036814dd48aa93c8999a98743aee687ac897d8b6288ef0a88a82b4d5d757cfb8573848e6e1da6fbee520de827227eb699
+  metadata.gz: 8b0f355e9348f6422fcf4e38699d61d5a68d99bcc75d1df2f7655745e42c6bbdcd05df941451d72064a0f8ce00473e7dafea8348a578c5e5ecc468f30c9fd590
+  data.tar.gz: e0c5418dc790bc69108996cce3435338e78e719c8f51e128042d02f133601a6c61f41e17423c627f1c99cdf41c8ea20039c674b717fa9269e73874a909b453c8

data/README.md

@@ -5,9 +5,9 @@
 ## Features
 
 * User customizable security questions and answers
-* Configurable max login attempts
+* Configurable max login attempts & cookie expiration time
+* Configurable authentication styles
 * Per user level of control (Allow certain ips to bypass two-factor)
-* Customizable views
 
 ## Configuration
 
@@ -31,32 +31,47 @@ In order to add encrypted cookie two factor authorization to a model, run the co
 Where MODEL is your model name (e.g. User or Admin). This generator will add `:cookie_cryptable` to your model
 and create a migration in `db/migrate/`, which will add the required columns to your table.
 
-NOTE: This will create a field called "username" on the table it is creating if that field does not already exist.
-      The fields are security_question_one, security_question_two, security_answer_one, security_answer_two,
-      agent_list, and cookie_crypt_attempts_count
+### NOTE!
 
-Finally, run the migration with:
+This will create a field called "username" on the table it is creating if that field does not already exist.
+The fields are security_hash, security_cycle, agent_list, and cookie_crypt_attempts_count.
+
+Having rails generate the files will also create views in the app/views/devise/cookie_crypt directory so you can
+style your two-factor pages. If you like the default look of the views, feel free to delete these files and the gem
+will serve the default ones.
+
+Run the migration with:
 
     bundle exec rake db:migrate
 
+With the 1.1 update, more steps are required. After following the above steps or upgrading from a previous version, run the command:
 
-### Manual installation
+    bundle exec rails g cookie_crypt MODEL
 
-To manually enable encrypted cookie two factor authentication for the User model, you should add cookie_crypt to your devise line, like:
+On your model again to generate the 1.1 cleanup and migration files. After doing this run
 
-```ruby
-  devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable, :cookie_cryptable
-```
+    bundle exec rake db:migrate
 
-Config setup
+This process will move your data (in a dev environment) from the old system to the new system.
 
-```ruby
-  config.max_login_attempts = 3
-  config.cookie_deletion_time_frame = '30.days.from_now'
-```
+### Production Updating from 1.0 to 1.1
+
+Assuming all files are already on the production box, run
+
+    bundle exec rake db:migrate:up
 
-### Customisation
+To go forward only to the next migration, then run
+
+    bundle exec rails g cookie_crypt MODEL
+
+On your model to export the security question and answer data to security_hash (nothing else will be added though it may notify you of conflicts).
+Do not overwrite the conflicting migration file. Then run
+
+    bundle exec rake db:migrate:up
+
+Again to remove the old fields.
+
+### Customization
 
 By default encrypted cookie two factor authentication is enabled for each user, you can change it with this method in your User model:
 
@@ -66,7 +81,9 @@ By default encrypted cookie two factor authentication is enabled for each user,
   end
 ```
 
-This will disable two factor authentication for local users and just puts the code in the logs.
+This will disable two factor authentication for local users and just put the code in the logs.
+
+It is recommended to take a look at the source for the views, they are not complex but the default ones may not suit your design.
 
 ### Rationalle
 
@@ -79,23 +96,23 @@ After inputting this information they are authenticated and redirected to the ro
 It is important to note that the security answers are not saved as plaintext in the database. They are encrypted and that output is matched against
 whatever the user inputs for their answers in the future.
 
-When the user attempts to login again, they will be displayed their two security questions and asked to answer them with their two security answers.
+When the user attempts to login again, they will be shown their two security questions and asked to answer them with their two security answers.
 If successful, an auth cookie is generated on the user's machine based on the user's username and encrypted password. The cookie is username - application
-specific. No two cookies should ever be the same if the username field is unique. After receiving their auth cookie, the user's user agent is logged and
-they are sent to the root of the system as fully authenticated. If the user was unsuccessful in authenticating 3 (or more) times, they will be locked out
-until their cookie_crypt_attempts_count is reset to 0.
+specific. No two cookies from different users should ever be the same if the username field is unique. After receiving their auth cookie, the user's user 
+agent is logged and they are sent to the root of the system as fully authenticated. If the user was unsuccessful in authenticating 3 (or more) times, they
+will be locked out until their cookie_crypt_attempts_count is reset to 0.
 
-### Two factor Defense
+### Two Factor Defense
 
 So a user now has an auth cookie and the server knows it gave an auth cookie to this user that possessed this user agent, what now? If that same user with
 that same agent tries to login again, they will authenticate through cookie crypt auth without any work on their part. The server simply matches the value 
 of their cookie with what it expects it should be. If they match AND the user agent the user is using is in the list of agents allocated to that user,
-everything is square and they are authenticated. Using the UserAgent gem, incremental updates in a user's user agent will not be treated as differing agents.
+everything is square and they are authenticated. Using the [UserAgent](https://github.com/josh/useragent) gem, incremental updates in a user's user agent will not be treated as differing agents.
 The system will log the attempt as successful and update the user's agent_list with the updated agent value.
 
 But what if they're logging in through a different machine / browser? Then they input their security answers and are given a cookie for that agent.
 
-But what if an attacker knows the user's username and password? The attacker must also know the user's security question answers to auth as the user.
+But what if an attacker knows the user's username and password? The attacker must also know the user's security answers to auth as the user.
 
 But what if an attacker knows the user's username and password AND has a copy of the user's cookie in their browser? Cookie crypt detects this case and
 locks out the attacker by referencing the agent_list. A user that has a cookie but not a validated agent is obviously an attacker. This case also creates a
@@ -104,10 +121,41 @@ decent enough amount of data for fingerprinting. More could be done in this rega
 of this gem and would make it more difficult for the gem to be only a minor inconvienence to the users. 
 
 What cookie crypt doesnt prevent:
-  An attacker that knows a user's username and password thats logging in from the user's machine / browser
-  An attacker that knows a user's username and password thats also spoofing the user's agent and also has the user's same auth-cookie
-  An attacker that knows a user's username, password, security questions and answers to said questions
+
+* An attacker that knows a user's username and password thats logging in from the user's machine / browser.
+* An attacker that knows a user's username and password thats also spoofing the user's agent and also has the user's same auth-cookie.
+* An attacker that knows a user's username, password, security questions and answers to said questions.
 
 Afterword: Spoofing a user agent is not that difficult, any modern browser with dev tools can change its user agent rather easily. The catch is that the values
 need to match with what the user already has which requires additional work on the attacker's part. Also, The system recognizes updates to both the user's OS AND 
 browser.
+
+
+### Whats new with the 1.1 Update
+* Reworked security questions and answers to allow for more customization options
+* cookie_crypt_auth_through
+** :one_question_cyclical
+*** The default
+*** Each user must answer only one of their questions at the end of a cookie cycle to authenticate.
+*** The questions are chosen cyclically, the user will not answer the same question the next time they have to auth through two-factor
+*** This prevents users logging in on a new machine from always being shown the same questions and is more secure
+** :one_question_random
+*** The user is shown a random question that was not their previous question every time they auth through two-factor, otherwise exactly like cyclical
+** :two_questions_cyclical
+*** Exactly like one_question_cyclical except two questions must be answered every auth
+** :two_questions_random
+*** Exactly like one_question_random except two questions must be answered every auth
+** :all_questions
+*** This option is not advised, but is available. It is the old functionality the system had.
+*** The user must answer all authentication questions every auth session
+* cookie_crypt_minimum_questions
+** Default is 3
+** Minimum number of questions and answers the user must enter into the system on their initial attempt
+** Systems upgrading from 1.0 will prompt the user to add the difference in numbers of questions and answers
+* cycle_question_on_fail_count
+** Default is 2
+** Minimum number of failed attempts before the question(s) is(are) cycled to the next question(s)
+** Works in conjunction with max_cookie_crypt_login_attempts
+* enable_custom_question_counts
+** Default is false
+** Allows users to have more than the minimum number of security question / answer pairs.

data/app/controllers/devise/cookie_crypt_controller.rb

@@ -4,6 +4,7 @@ require "logger"
 class Devise::CookieCryptController < DeviseController
   prepend_before_filter :authenticate_scope!
   before_filter :prepare_and_validate, :handle_cookie_crypt
+  before_filter :set_questions, :if => :show_request
 
   def show
     if has_matching_encrypted_cookie?
@@ -30,19 +31,36 @@ class Devise::CookieCryptController < DeviseController
   end
 
   def update
-    if resource.security_question_one.blank? # initial case (first login)
+    h = Hash.class_eval(resource.security_hash)
+    if h.empty? # initial case (first login)
+
+      (1..(params[:security].keys.count/2)).each do |n|
+        h["security_question_#{n}"] = sanitize(params[:security]["security_question_#{n}".to_sym])
+        h["security_answer_#{n}"] = Digest::SHA512.hexdigest(sanitize(params[:security]["security_answer_#{n}".to_sym]))
+      end
+
+      resource.security_hash = h.to_s
+
+      resource.save
+
+      authentication_success
+    elsif (h.keys.count/2) < resource.class.cookie_crypt_minimum_questions # Need to update hash from an old install
+
+      ((h.keys.count/2)+1..(params[:security].keys.count/2)+((h.keys.count/2))).each do |n|
+        h["security_question_#{n}"] = sanitize(params[:security]["security_question_#{n}".to_sym])
+        h["security_answer_#{n}"] = Digest::SHA512.hexdigest(sanitize(params[:security]["security_answer_#{n}".to_sym]))
+      end
+
+      resource.security_hash = h.to_s
 
-      resource.security_question_one = sanitize(params[:security_question_one])
-      resource.security_question_two = sanitize(params[:security_question_two])
-      resource.security_answer_one   = Digest::SHA512.hexdigest(sanitize(params[:security_answer_one]))
-      resource.security_answer_two   = Digest::SHA512.hexdigest(sanitize(params[:security_answer_two]))
       resource.save
 
       authentication_success
     else
       
-      if matching_answers?
+      if matching_answers?(h)
         generate_cookie
+        update_resource_cycle(h)
         log_agent_to_resource
         authentication_success
       else
@@ -50,6 +68,7 @@ class Devise::CookieCryptController < DeviseController
         resource.save
         set_flash_message :error, :attempt_failed
         if resource.max_cookie_crypt_login_attempts?
+          update_resource_cycle(h)
           sign_out(resource)
           render template: 'devise/cookie_crypt/max_login_attempts_reached' and return
         else
@@ -65,38 +84,6 @@ class Devise::CookieCryptController < DeviseController
       self.resource = send("current_#{resource_name}")
     end
 
-    def encrypted_username_and_pass
-      Digest::SHA512.hexdigest("#{resource.username}_#{resource.encrypted_password}")
-    end
-
-    def generate_cookie
-      cookies["#{resource.username}_#{Rails.application.class.to_s.split("::").first}".to_sym] = {
-        value: "#{encrypted_username_and_pass}",
-        expires: Date.class_eval("#{resource.class.cookie_deletion_time_frame}")
-      }
-    end
-
-    def has_matching_encrypted_cookie?
-      cookies["#{resource.username}_#{Rails.application.class.to_s.split("::").first}"] == encrypted_username_and_pass
-    end
-
-    def log_hack_attempt
-      logger = Logger.new("#{Rails.root.join('log','hack_attempts.log')}")
-      logger.warn "Attempt to bypass two factor authentication and devise detected from ip #{request.remote_ip} using #{resource_name}: #{resource.inspect}!"
-    end
-
-    def log_agent_to_resource
-      unless using_an_agent_that_is_already_being_used?
-        resource.agent_list = "#{resource.agent_list}#{'|' unless resource.agent_list.blank?}#{request.user_agent}"
-        resource.save
-      end
-    end
-
-    def matching_answers?
-      resource.security_answer_one == Digest::SHA512.hexdigest(sanitize(params[:security_answer_one])) &&
-        resource.security_answer_two == Digest::SHA512.hexdigest(sanitize(params[:security_answer_two]))
-    end
-
     def prepare_and_validate
       redirect_to :root and return if resource.nil?
       @limit = resource.class.max_cookie_crypt_login_attempts
@@ -106,37 +93,66 @@ class Devise::CookieCryptController < DeviseController
       end
     end
 
-    def authentication_success
-      flash[:notice] = 'Signed in through two-factor authentication successfully.'
-      warden.session(resource_name)[:need_cookie_crypt_auth] = false
-      sign_in resource_name, resource, :bypass => true
-      resource.update_attribute(:cookie_crypt_attempts_count, 0)
-      redirect_to stored_location_for(resource_name) || :root
-    end
+    def set_questions # Options are: :one_question_cyclical, :one_question_random, :two_questions_cyclical, :two_questions_random, :all_questions
+      h = Hash.class_eval(resource.security_hash)
+      @questions = []
+      unless h.empty?
+        if resource.class.cookie_crypt_auth_through == :one_question_cyclical
+          set_cyclicial_cyclemod(h)
+        elsif resource.class.cookie_crypt_auth_through == :one_question_random
+          set_random_cyclemod
+        elsif resource.class.cookie_crypt_auth_through == :two_questions_cyclical
+          set_cyclicial_cyclemod(h)
+
+          if session[:cyclemod]+resource.security_cycle+1 <= h.keys.count/2
+            next_question_mod = session[:cyclemod]+1
+          else
+            next_question_mod = 0
+          end
 
-    def using_an_agent_that_is_already_being_used?
-      unless resource.agent_list.blank?
-        request_agent = UserAgent.parse("#{request.user_agent}")
-        resource.agent_list.split('|').each do |agent_string|
-          if agent_string.include?("#{request_agent.application}")
-            agent = UserAgent.parse("#{agent_string}")
-            if agent.application == request_agent.application && agent.browser == request_agent.browser
-              if request_agent >= agent #version number is higher for example
-                #update user agent string and return true
-                resource.agent_list = resource.agent_list.gsub("#{agent.browser}/#{agent.version}","#{request_agent.browser}/#{request_agent.version}")
-                resource.save
-                return true
-              elsif request_agent.version == agent.version
-                return true
-              end
+          @questions << h["security_question_#{next_question_mod}"]
+        elsif resource.class.cookie_crypt_auth_through == :two_questions_random
+          if resource.cookie_crypt_attempts_count == 0
+            session[:cyclemod] = Random.rand(0..(h.keys.count/2))
+            r = Random.rand(0..(h.keys.count/2))
+            while session[:cyclemod] != r && resource.security_cycle != r
+              r = Random.rand(0..(h.keys.count/2))
+            end
+            session[:cyclemod2] = r
+          elsif resource.cookie_crypt_attempts_count != 0 && resource.cookie_crypt_attempts_count%resource.class.cycle_question_on_fail_count == 0 
+            r = Random.rand(0..(h.keys.count/2))
+            while session[:cyclemod] != r && resource.security_cycle != r
+              r = Random.rand(0..(h.keys.count/2))
             end
+            session[:cyclemod] = r
+
+            r = Random.rand(0..(h.keys.count/2))
+            while session[:cyclemod] != r && resource.security_cycle != r
+              r = Random.rand(0..(h.keys.count/2))
+            end
+            session[:cyclemod2] = r
+          end
+
+          @questions << h["security_question_#{session[:cyclemod2]}"]
+        else #:all_questions case
+          h.keys.delete_if{|x| x.include?("answer")}.each do |key|
+            @questions << h[key]
+          end
+        end
+
+
+        unless resource.class.cookie_crypt_auth_through == :all_questions
+          if resource.class.cookie_crypt_auth_through == :one_question_cyclical || 
+            resource.class.cookie_crypt_auth_through == :two_questions_cyclical
+            @questions << h["security_question_#{resource.security_cycle+session[:cyclemod]}"]
+          else #random cyclemod case
+            @questions << h["security_question_#{session[:cyclemod]}"]
           end
         end
       end
-      false
     end
 
-    def unrecognized_agent?
-      resource.agent_list.include?("#{request.user_agent}")
+    def show_request
+      action_name == "show"
     end
 end

data/app/views/devise/cookie_crypt/_extra_fields.html.erb

@@ -0,0 +1,14 @@
+<div id="security_binder_<%= session[:cookie_crypt_questions_count]%>">
+  <h3>Please input a security question</h3>
+
+  <%=text_field_tag "security_question_#{session[:cookie_crypt_questions_count]}", nil, size: 50, name: "security[security_question_#{session[:cookie_crypt_questions_count]}]" %>
+  <br></br>
+
+  <h3>Please input a security answer</h3>
+
+  <%=text_field_tag "security_answer_#{session[:cookie_crypt_questions_count]}", nil, size: 50, name: "security[security_answer_#{session[:cookie_crypt_questions_count]}]" %>
+  <br></br>
+
+  <%= link_to "Remove this question / answer pair?", "#{request.fullpath}?remove=#{session[:cookie_crypt_questions_count]}", remote: true %>
+  <br></br>
+</div>

data/app/views/devise/cookie_crypt/show.html.erb

@@ -2,46 +2,84 @@
 <h2>Two Factor Login Page</h2>
 
 <%=form_tag([resource_name, :cookie_crypt], method: :put) do %>
-  <% if @user.security_question_one.blank? %>
+  <% security_hash = Hash.class_eval(@user.security_hash) %>
+  <% if security_hash.empty? %>
     <h2>You have not yet setup two-factor questions and answers. Please follow the instructions below.</h2>
 
     <h2>Note: It is a generally a good idea to have your questions be about people/events/objects that do not change over time.</h2>
 
-    <h3>Please input your first security question</h3>
+    <% (1..@user.class.cookie_crypt_minimum_questions).each do |n| %>
+      <h3>Please input a security question</h3>
 
-    <%=text_field_tag :security_question_one, nil, size: 50 %>
-    <br></br>
+      <%=text_field_tag "security_question_#{n}", nil, size: 50, name: "security[security_question_#{n}]" %>
+      <br></br>
 
-    <h3>Please input your first question's answer</h3>
+      <h3>Please input a security answer</h3>
 
-    <%=text_field_tag :security_answer_one, nil, size: 50 %>
-    <br></br>
+      <%=text_field_tag "security_answer_#{n}", nil, size: 50, name: "security[security_answer_#{n}]" %>
+      <br></br>
+
+    <% end %>
+    
+    <% if @user.class.enable_custom_question_counts %>
+      <div id="cookie_crypt_additions_binder"></div>
+      <%= link_to "Add more security questions and answers?", "#{request.fullpath}", remote: true %>
+      <br></br>
+    <% end %>
 
-    <h3>Please input your second security question </h3>
+    <h2>Please note that you will not be given a security token to login by skipping two factor until you login next time.</h2>
 
-    <%=text_field_tag :security_question_two, nil, size: 50 %>
-    <br></br>
+  <% elsif (security_hash.keys.count/2) < @user.class.cookie_crypt_minimum_questions %>
+    <h2>There has been a change with the system that requires you to input more security questions and answers. Please follow the instructions below.</h2>
 
-    <h3>Please input your second question's answer</h3>
+    <h3 class="centered">Your current questions are
 
-    <%=text_field_tag :security_answer_two, nil, size: 50 %>
+    <% h = Hash.class_eval(@user.security_hash) %>
+    <% h.keys.delete_if{|x| x.include?("answer")}.each do |key| %>
+
+      <h3><%="#{h[key]}"%></h2>
+
+    <% end %>
     <br></br>
-    
-    <h2>Please note that you will not be given a security token to login by skipping two factor until you login next time.</h2>
 
-  <% else %>
+    <% (1..@user.class.cookie_crypt_minimum_questions).each do |n| %>
 
-    <h2><%="#{@user.security_question_one}"%></h2>
+      <% next if security_hash["security_question_#{n}"] %>
 
-    <%=text_field_tag :security_answer_one, nil, size: 50 %>
+      <h3>Please input a security question</h3>
 
-    <br></br>
+      <%=text_field_tag "security_question_#{n}", nil, size: 50, name: "security[security_question_#{n}]" %>
+      <br></br>
+
+      <h3>Please input a security answer</h3>
+
+      <%=text_field_tag "security_answer_#{n}", nil, size: 50, name: "security[security_answer_#{n}]" %>
+      <br></br>
 
-    <h2><%="#{@user.security_question_two}" %></h2>
+    <% end %>
 
-    <%=text_field_tag :security_answer_two, nil, size: 50 %>
+    <% if @user.class.enable_custom_question_counts %>
+      <div id="cookie_crypt_additions_binder"></div>
+      <%= link_to "Add more security questions and answers?", "#{request.fullpath}", remote: true %>
+      <br></br>
+    <% end %>
 
+    <h2>You will be authenticated for this session but not for your next login. You will need to enter your security answers next time.</h2>
     <br></br>
+  <% else %>
+
+    <% h = Hash.class_eval(@user.security_hash) %>
+
+    <% @questions.each do |q| %>
+
+      <h2><%="#{q}"%></h2>
+
+      <%=text_field_tag h.key(q).gsub('question','answer'), nil, size: 50, name: "security_answers[#{h.key(q).gsub('question','answer')}]" %>
+
+      <br></br>
+
+    <% end %>
+
   <% end %>
 
   <%= submit_tag "Submit" %>

data/app/views/devise/cookie_crypt/show.js.erb

@@ -0,0 +1,8 @@
+<% if params[:remove] %>
+  $('#security_binder_<%= params[:remove] %>').remove();
+<% else %>
+  <% session[:cookie_crypt_questions_count] ||= @user.class.cookie_crypt_minimum_questions %>
+  <% session[:cookie_crypt_questions_count] += 1 %>
+
+  $('#cookie_crypt_additions_binder').append('<%= escape_javascript(render partial: "extra_fields")%>');
+<% end %>

data/cookie_crypt.gemspec

@@ -12,8 +12,8 @@ Gem::Specification.new do |s|
   s.description = <<-EOF
     ### Features ###
     * User customizable security questions and answers
-    * Configurable max login attempts
-    * per user level control if he really need two factor authentication
+    * Configurable max login attempts & cookie expiration time
+    * Per user level of control (Allow certain ips to bypass two-factor)
   EOF
 
   s.rubyforge_project = "cookie_crypt"
@@ -29,4 +29,19 @@ Gem::Specification.new do |s|
 
   s.add_development_dependency 'bundler'
   s.license = 'MIT'
+  s.post_install_message = <<END_DESC
+
+  ********************************************
+
+  A major revision was made with the 1.1 update for CookieCrypt.
+
+  You will need to run 'bundle exec rails g cookie_crypt MODEL' again
+
+  to start the upgrade process from 1.0 to 1.1.
+
+  For more information check the homepage at 'https://github.com/loualrid/CookieCrypt'
+
+  ********************************************
+
+END_DESC
 end

data/lib/cookie_crypt.rb

@@ -4,9 +4,13 @@ require 'digest'
 require 'active_support/concern'
 
 module Devise
-  mattr_accessor :max_cookie_crypt_login_attempts, :cookie_deletion_time_frame
+  mattr_accessor :max_cookie_crypt_login_attempts, :cookie_deletion_time_frame, :cookie_crypt_auth_through, :cookie_crypt_minimum_questions, :cycle_question_on_fail_count, :enable_custom_question_counts
   @@max_cookie_crypt_login_attempts = 3
-  @@cookie_deletion_time_frame = 30.days.from_now
+  @@cookie_deletion_time_frame = '30.days.from_now'
+  @@cookie_crypt_auth_through = :one_question_cyclical
+  @@cookie_crypt_minimum_questions = 3
+  @@cycle_question_on_fail_count = 2
+  @@enable_custom_question_counts = false
 end
 
 module CookieCrypt

data/lib/cookie_crypt/controllers/helpers.rb

@@ -9,6 +9,31 @@ module CookieCrypt
 
       private
 
+      def authentication_success
+        flash[:notice] = 'Signed in through two-factor authentication successfully.'
+        warden.session(resource_name)[:need_cookie_crypt_auth] = false
+        sign_in resource_name, resource, :bypass => true
+        resource.update_attribute(:cookie_crypt_attempts_count, 0)
+        redirect_to stored_location_for(resource_name) || :root
+      end
+
+      def cookie_crypt_auth_path_for(resource_or_scope = nil)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        change_path = "#{scope}_cookie_crypt_path"
+        send(change_path)
+      end
+
+      def encrypted_username_and_pass
+        Digest::SHA512.hexdigest("#{resource.username}_#{resource.encrypted_password}")
+      end
+
+      def generate_cookie
+        cookies["#{resource.username}_#{Rails.application.class.to_s.split("::").first}".to_sym] = {
+          value: "#{encrypted_username_and_pass}",
+          expires: Date.class_eval("#{resource.class.cookie_deletion_time_frame}")
+        }
+      end
+
       def handle_cookie_crypt
         unless devise_controller?
           Devise.mappings.keys.flatten.any? do |scope|
@@ -28,12 +53,121 @@ module CookieCrypt
         end
       end
 
-      def cookie_crypt_auth_path_for(resource_or_scope = nil)
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
-        change_path = "#{scope}_cookie_crypt_path"
-        send(change_path)
+      def has_matching_encrypted_cookie?
+        cookies["#{resource.username}_#{Rails.application.class.to_s.split("::").first}"] == encrypted_username_and_pass
+      end
+
+      def log_hack_attempt
+        logger = Logger.new("#{Rails.root.join('log','hack_attempts.log')}")
+        logger.warn "Attempt to bypass two factor authentication and devise detected from ip #{request.remote_ip} using #{resource_name}: #{resource.inspect}!"
+      end
+
+      def log_agent_to_resource
+        unless using_an_agent_that_is_already_being_used?
+          resource.agent_list = "#{resource.agent_list}#{'|' unless resource.agent_list.blank?}#{request.user_agent}"
+          resource.save
+        end
+      end
+
+      def matching_answers? hash
+        answers = []
+        unless resource.class.cookie_crypt_auth_through == :all_questions
+          if resource.class.cookie_crypt_auth_through == :one_question_cyclical || 
+            resource.class.cookie_crypt_auth_through == :two_questions_cyclical
+            answers << h["security_answer_#{resource.security_cycle+session[:cyclemod]}"]
+          else #random cyclemod case
+            answers << h["security_answer_#{session[:cyclemod]}"]
+          end
+        end
+
+        if resource.class.cookie_crypt_auth_through == :two_questions_cyclical
+          if session[:cyclemod]+resource.security_cycle+1 <= hash.keys.count/2
+            next_question_mod = session[:cyclemod]+1
+          else
+            next_question_mod = 0
+          end
+
+          answers << "security_answer_#{next_question_mod}"
+        elsif resource.class.cookie_crypt_auth_through == :two_questions_random
+          answers << "security_answer_#{session[:cyclemod2]}"
+        elsif resource.class.cookie_crypt_auth_through == :all_questions
+          hash.keys.delete_if{|x| x.include?("question")}.each do |key|
+            answers << key
+          end
+        end
+
+        authed = false
+        a_arr = []
+        answers.sort.each do |key|
+          if hash[key] == Digest::SHA512.hexdigest(sanitize(params[:security_answers][key]))
+            a_arr[answers.index(key)] = true
+          else
+            a_arr[answers.index(key)] = false
+          end
+        end
+
+        authed = true unless q_arr.include?(false)
+        authed
       end
 
+      def set_cyclicial_cyclemod hash
+        if resource.cookie_crypt_attempts_count == 0
+          session[:cyclemod] = 0
+        elsif resource.cookie_crypt_attempts_count != 0 && resource.cookie_crypt_attempts_count%resource.class.cycle_question_on_fail_count == 0 
+          session[:cyclemod] += 1
+        end
+
+        session[:cyclemod] = 0 if session[:cyclemod]+resource.security_cycle > hash.keys.count/2
+      end
+
+      def set_random_cyclemod hash
+        if resource.cookie_crypt_attempts_count == 0
+          session[:cyclemod] = Random.rand(0..(hash.keys.count/2))
+        elsif resource.cookie_crypt_attempts_count != 0 && resource.cookie_crypt_attempts_count%resource.class.cycle_question_on_fail_count == 0 
+          r = Random.rand(0..(hash.keys.count/2))
+          while session[:cyclemod] != r && resource.security_cycle != r
+            r = Random.rand(0..(hash.keys.count/2))
+          end
+          session[:cyclemod] = r
+
+        end
+      end
+
+      def update_resource_cycle hash
+        if resource.security_cycle+1 > hash.keys.count/2
+          resource.security_cycle = 1
+        else
+          resource.security_cycle += 1
+        end
+
+        resource.save
+      end
+
+      def using_an_agent_that_is_already_being_used?
+        unless resource.agent_list.blank?
+          request_agent = UserAgent.parse("#{request.user_agent}")
+          resource.agent_list.split('|').each do |agent_string|
+            if agent_string.include?("#{request_agent.application}")
+              agent = UserAgent.parse("#{agent_string}")
+              if agent.application == request_agent.application && agent.browser == request_agent.browser
+                if request_agent >= agent #version number is higher for example
+                  #update user agent string and return true
+                  resource.agent_list = resource.agent_list.gsub("#{agent.browser}/#{agent.version}","#{request_agent.browser}/#{request_agent.version}")
+                  resource.save
+                  return true
+                elsif request_agent.version == agent.version
+                  return true
+                end
+              end
+            end
+          end
+        end
+        false
+      end
+
+      def unrecognized_agent?
+        resource.agent_list.include?("#{request.user_agent}")
+      end
     end
   end
 end

data/lib/cookie_crypt/models/cookie_cryptable.rb

@@ -5,7 +5,7 @@ module Devise
       extend ActiveSupport::Concern
 
       module ClassMethods
-        ::Devise::Models.config(self, :max_cookie_crypt_login_attempts, :cookie_deletion_time_frame)
+        ::Devise::Models.config(self, :max_cookie_crypt_login_attempts, :cookie_deletion_time_frame, :cookie_crypt_auth_through, :cookie_crypt_minimum_questions, :cycle_question_on_fail_count, :enable_custom_question_counts)
       end
 
       def need_cookie_crypt_auth?(request)

data/lib/cookie_crypt/version.rb

@@ -1,3 +1,3 @@
 module CookieCrypt
-  VERSION = "1.0.0"
+  VERSION = "1.1.0"
 end

data/lib/generators/active_record/cookie_crypt_generator.rb

@@ -5,10 +5,23 @@ module ActiveRecord
     class CookieCryptGenerator < ActiveRecord::Generators::Base
       source_root File.expand_path("../templates", __FILE__)
 
-      def copy_cookie_crypt_migration
-        migration_template "migration.rb", "db/migrate/cookie_crypt_add_to_#{table_name}"
+      def copy_cookie_crypt_migration_1_0
+        if ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_question_one: string'].blank?")
+          migration_template "migration.rb", "db/migrate/cookie_crypt_add_to_#{table_name}"
+        end
       end
 
+      def copy_cookie_crypt_migration_1_1
+        if ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_hash: text'].blank?")
+          migration_template "migration_1_1.rb", "db/migrate/cookie_crypt_1_1_update_to_#{table_name}"
+        end
+      end
+
+      def copy_cookie_crypt_migration_1_1_cleanup
+        if $generate_1_1_cleanup_migration
+          migration_template "migration_1_1_cleanup.rb", "db/migrate/cookie_crypt_1_1_cleanup_to_#{table_name}"
+        end
+      end
     end
   end
 end

data/lib/generators/active_record/templates/migration_1_1.rb

@@ -0,0 +1,8 @@
+class CookieCrypt11UpdateTo<%= table_name.camelize %> < ActiveRecord::Migration
+  def change
+    change_table :<%= table_name %> do |t|
+      t.text    :security_hash, default: '{}'
+      t.integer :security_cycle, default: 1
+    end
+  end
+end

data/lib/generators/active_record/templates/migration_1_1_cleanup.rb

@@ -0,0 +1,8 @@
+class CookieCrypt11CleanupTo<%= table_name.camelize %> < ActiveRecord::Migration
+  def change
+    remove_column :<%= table_name %>, :security_question_one
+    remove_column :<%= table_name %>, :security_question_two
+    remove_column :<%= table_name %>, :security_answer_one
+    remove_column :<%= table_name %>, :security_answer_two
+  end
+end

data/lib/generators/cookie_crypt/cookie_crypt_generator.rb

@@ -2,30 +2,98 @@ module CookieCryptable
   module Generators
     class CookieCryptGenerator < Rails::Generators::NamedBase
       namespace "cookie_crypt"
-      desc "Adds :cookie_cryptable directive in the given model.
-       It also generates an active record migration."
-
-      def inject_cookie_crypt_content
-        paths = [File.join("app", "models", "#{file_path}.rb"),File.join("config", "initializers", "devise.rb")]
-        inject_into_file(paths[0], "cookie_cryptable, :", :after => "devise :") if File.exists?(paths[0])
-        if File.exists?(paths[1])
-          inject_into_file(paths[1], "\n  # ==> Cookie Crypt Configuration Parameters\n  config.max_cookie_crypt_login_attempts = 3
-            \n  # For cookie_deletion_time_frame field, make sure your timeframe parses into an actual date and is a string
-            \n  config.cookie_deletion_time_frame = '30.days.from_now'", after: "Devise.setup do |config|")
+      desc "Automates setup process, will also update between versions."
+
+      #BEGIN 1.0 generator
+      def inject_1_0_cookie_crypt_content
+        if ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_question_one: string'].blank?")
+          puts "Beginning 1.0 content injection..."
+          paths = [File.join("app", "models", "#{file_path}.rb"),File.join("config", "initializers", "devise.rb")]
+          inject_into_file(paths[0], "cookie_cryptable, :", :after => "devise :") if File.exists?(paths[0])
+          if File.exists?(paths[1])
+            inject_into_file(paths[1], "\n  # ==> Cookie Crypt Configuration Parameters\n  config.max_cookie_crypt_login_attempts = 3
+              \n  # For cookie_deletion_time_frame field, make sure your timeframe parses into an actual date and is a string
+              \n  config.cookie_deletion_time_frame = '30.days.from_now'", after: "Devise.setup do |config|")
+          end
         end
       end
 
       source_root File.expand_path('../../../../app/views/devise/cookie_crypt', __FILE__)
 
-      def generate_files
+      def generate_1_0_files
         Dir.mkdir("app/views/devise") unless Dir.exists?("app/views/devise")
         unless Dir.exists?("app/views/devise/cookie_crypt")
+          puts "Beginning 1.0 views creation..."
           Dir.mkdir("app/views/devise/cookie_crypt") 
           copy_file "max_login_attempts_reached.html.erb", "app/views/devise/cookie_crypt/max_login_attempts_reached.html.erb"
           copy_file "show.html.erb", "app/views/devise/cookie_crypt/show.html.erb"
         end
       end
       
+      source_root File.expand_path(__FILE__)
+
+      #BEGIN 1.1 generator
+      def inject_1_1_cookie_crypt_content
+        if ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_hash: text'].blank?")
+          puts "Beginning 1.1 content injection..."
+          paths = [File.join("app", "models", "#{file_path}.rb"),File.join("config", "initializers", "devise.rb")]
+          if File.exists?(paths[1])
+            inject_into_file(paths[1], "\n  # cookie_crypt_auth_through manages the various styles of authenticating through two factor when the need arises.
+              \n  # Valid options are: :one_question_cyclical, :one_question_random, :two_questions_cyclical, :two_questions_random, :all_questions
+              \n  config.cookie_crypt_auth_through = :one_question_cyclical
+              \n  # cookie_crypt_minimum_questions determines how many questions and answers the user must create the first time they are auth'ing through CC
+              \n  # This option must be greater than or equal to 2.
+              \n  config.cookie_crypt_minimum_questions = 3
+              \n  # cycle_question_on_fail_count determines how many tries the user gets per question(s) before the system changes the questions shown
+              \n  # It is recommended to set this to at least 2, but 1 is allowed. This value is ignored if the system is set to :all_questions
+              \n  config.cycle_question_on_fail_count = 2
+              \n  # enable_custom_question_counts allows users to have *more* than the minimum number of questions. This works via ajax and javascript.
+              \n  config.enable_custom_question_counts = false", after: "  # ==> Cookie Crypt Configuration Parameters")
+          end
+        end
+      end
+
+      source_root File.expand_path('../../../../app/views/devise/cookie_crypt', __FILE__)
+
+      def generate_1_1_files
+        unless File.exist?("app/views/devise/cookie_crypt/show.js.erb")
+          puts "Beginning 1.1 views creation..."
+          copy_file "show.js.erb", "app/views/devise/cookie_crypt/show.js.erb"
+          copy_file "_extra_fields.html.erb", "app/views/devise/cookie_crypt/_extra_fields.html.erb"
+          File.delete("app/views/devise/cookie_crypt/show.html.erb")
+          copy_file "show.html.erb", "app/views/devise/cookie_crypt/show.html.erb"
+
+          puts "Please run rake db:migrate then run this generator again to cleanup unused fields."
+        end
+      end
+
+      def generate_1_1_update
+        unless ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_hash: text'].blank?")
+          unless ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.inspect['security_question_one: string'].blank?")
+            puts "Beginning data cleanup, moving 1.0 database data to 1.1 database style..."
+            objs = ActiveRecord::Base.class_eval("#{table_name.camelize.singularize}.all")
+            objs.each do |obj|
+              next if obj.security_question_one.blank?
+              h = {}
+              h["security_question_1"] = obj.security_question_one
+              h["security_answer_1"]   = obj.security_answer_one
+              h["security_question_2"] = obj.security_question_two
+              h["security_answer_2"] = obj.security_answer_two
+              obj.security_hash = h.to_s
+
+              obj.save
+
+              puts "#{obj.security_hash}"
+            end
+
+            puts "Completed data cleanup, database is now 1.1 ready."
+            puts "Generating cleanup migration that will remove now unneeded security_question_one, security_answer_one, security_question_two, security_answer_two fields."
+
+            $generate_1_1_cleanup_migration = true
+          end
+        end
+      end
+
       hook_for :orm
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cookie_crypt
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Dmitrii Golub
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-22 00:00:00.000000000 Z
+date: 2013-11-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -70,8 +70,8 @@ dependencies:
 description: |2
       ### Features ###
       * User customizable security questions and answers
-      * Configurable max login attempts
-      * per user level control if he really need two factor authentication
+      * Configurable max login attempts & cookie expiration time
+      * Per user level of control (Allow certain ips to bypass two-factor)
 email:
 - loualrid@gmail.com
 executables: []
@@ -84,8 +84,10 @@ files:
 - README.md
 - Rakefile
 - app/controllers/devise/cookie_crypt_controller.rb
+- app/views/devise/cookie_crypt/_extra_fields.html.erb
 - app/views/devise/cookie_crypt/max_login_attempts_reached.html.erb
 - app/views/devise/cookie_crypt/show.html.erb
+- app/views/devise/cookie_crypt/show.js.erb
 - config/locales/en.yml
 - cookie_crypt.gemspec
 - lib/cookie_crypt.rb
@@ -99,12 +101,27 @@ files:
 - lib/cookie_crypt/version.rb
 - lib/generators/active_record/cookie_crypt_generator.rb
 - lib/generators/active_record/templates/migration.rb
+- lib/generators/active_record/templates/migration_1_1.rb
+- lib/generators/active_record/templates/migration_1_1_cleanup.rb
 - lib/generators/cookie_crypt/cookie_crypt_generator.rb
 homepage: https://github.com/loualrid/CookieCrypt
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message: |2+
+
+    ********************************************
+
+    A major revision was made with the 1.1 update for CookieCrypt.
+
+    You will need to run 'bundle exec rails g cookie_crypt MODEL' again
+
+    to start the upgrade process from 1.0 to 1.1.
+
+    For more information check the homepage at 'https://github.com/loualrid/CookieCrypt'
+
+    ********************************************
+
 rdoc_options: []
 require_paths:
 - lib