devise-2fa 0.1.0

data/.travis.yml

@@ -0,0 +1,28 @@
+language: ruby
+sudo: false
+cache: bundler
+rvm:
+  - 2.1
+  - 2.2
+  - 2.3
+  - rbx-2
+  - rbx
+  - jruby-9.0.5.0
+script: bundle exec rake test
+env:
+  matrix:
+    - DEVISE_ORM=active_record
+    - DEVISE_ORM=mongoid
+gemfile:
+  - Gemfile
+install: "travis_retry bundle install"
+services:
+  - mongodb
+matrix:
+  include:
+    - rvm: 2.3.0
+      gemfile: gemfiles/Gemfile.rails-master
+      env: DEVISE_ORM=active_record
+    - rvm: 2.3.0
+      gemfile: gemfiles/Gemfile.rails-master
+      env: DEVISE_ORM=mongoid

data/Gemfile

@@ -0,0 +1,25 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'rdoc'
+
+group :test do
+  platforms :jruby do
+    gem 'activerecord-jdbcsqlite3-adapter', '>= 1.3.0.beta1'
+  end
+
+  platforms :ruby do
+    gem 'sqlite3', '~> 1.3.4'
+  end
+
+  gem 'devise', '~> 4.0'
+  gem 'activerecord', '~> 4.2.6'
+  gem 'mongo'
+
+  gem 'capybara'
+  gem 'shoulda'
+  gem 'selenium-webdriver'
+
+  gem 'minitest-reporters', '>= 0.5.0'
+end

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,130 @@
+# Devise::TwoFactor
+[![Build Status](https://travis-ci.org/williamatodd/devise-2fa.png?branch=master)](https://travis-ci.org/williamatodd/devise-2fa)
+
+Devise TwoFactor implements two-factor authentication for Devise, using an rfc6238 compatible Time-Based One-Time Password Algorithm.
+* Uses [rotp library](https://github.com/mdp/rotp) for the generation and verification of codes.
+* Uses [RQRCode](https://github.com/whomwah/rqrcode) to generate QR Code PNGs.
+* Uses [SymmetricEncryption](https://github.com/rocketjob/symmetric-encryption) to generate QR Code PNGs.
+
+It currently has the following features:
+
+* Url based provisioning of token devices, compatible with multiple applications.
+* Browsers can be designated as 'trusted' for a limited time.
+* Two-factor authentication can be **optional** at user discretion or **mandatory** (users must enroll OTP after signing-in next time, before they can navigate the site).
+* Optionally, users can obtain a list of HOTP recovery tokens to be used for emergency log-in in case the token device is lost or unavailable.
+
+Compatible token devices are:
+
+* [1Password](https://1password.com/)
+* [Google Authenticator](https://code.google.com/p/google-authenticator/)
+* [FreeOTP](https://fedorahosted.org/freeotp/)
+
+## Quick overview of Two Factors Authentication, using OTPs.
+
+* A shared secret is generated on the server, and stored both on the token device (eg: the phone) and the server itself.
+* The secret is used to generate short numerical tokens that are either time or sequence based.
+* Tokens can be generated on a phone without internet connectivity.
+* The token provides an additional layer of security against password theft.
+* OTP's should always be used as a second factor of authentication(if your phone is lost, you account is still secured with a password)
+
+Although there's an adjustable drift window, it is important that both the server and the token device (phone) have their clocks set (eg: using NTP).
+
+
+## Installation
+
+Setup the symmetric-encryption gem by following the steps on the (configuration page)[http://rocketjob.github.io/symmetric-encryption/configuration.html]
+
+Add this line to your application's Gemfile:
+
+    gem 'devise'
+    gem 'devise-2fa'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install devise-2fa
+
+
+### Devise Installation
+
+To setup Devise, you need to do the following (but refer to https://github.com/plataformatec/devise for more information)
+
+Install Devise:
+
+    rails g devise:install
+
+Setup the User or Admin model
+
+    rails g devise MODEL
+
+Configure your app for authorization, edit your Controller and add this before_action:
+
+    before_action :authenticate_user!
+
+Make sure your "root" route is configured in config/routes.rb
+
+### Automatic Installation
+
+Run the following generator to add the necessary configuration options to Devise's config file:
+
+    rails g devise_two_factor:install
+
+After you've created your Devise user models (which is usually done with a "rails g devise MODEL"), set up your Devise TwoFactor additions:
+
+    rails g devise_two_factor MODEL
+
+Don't forget to migrate:
+
+    rake db:migrate
+
+### Custom Views
+
+If you want to customize your views (which you likely will want to), you can use the generator:
+
+    rails g devise_two_factor:views
+
+### I18n
+
+The install generator also installs an english copy of a Devise TwoFactor i18n file. This can be modified (or used to create other language versions) and is located at: _config/locales/devise.two_factor.en.yml_
+
+
+## Usage
+
+With this extension enabled, the following is expected behavior:
+
+* Users may go to _/MODEL/token_ and enable their OTP state, they might be asked to provide their password again (and OTP token, if it's enabled)
+* Once enabled they're shown an alphanumeric code (for manual provisioning) and a QR code, for automatic provisioning of their authentication device (for instance, Google Authenticator)
+* If config.otp_mandatory or model_instance.otp_mandatory, users will be required to enable, and provision, next time they successfully sign-in.
+
+
+### Configuration Options
+
+The install generator adds some options to the end of your Devise config file (config/initializers/devise.rb)
+
+* `config.otp_mandatory` - OTP is mandatory, users are going to be asked to enroll the next time they sign in, before they can successfully complete the session establishment.
+* `config.otp_authentication_timeout` - how long the user has to authenticate with their token. (defaults to `3.minutes`)
+* `config.otp_drift_window` - a window which provides allowance for drift between a user's token device clock (and therefore their OTP tokens) and the authentication server's clock. Expressed in minutes centered at the current time. (default: `3`)
+* `config.otp_credentials_refresh` - Users that have logged in longer than this time ago, are going to be asked their password (and an OTP challenge, if enabled) before they can see or change their otp informations. (defaults to `15.minutes`)
+* `config.otp_recovery_tokens` - Whether the users are given a list of one-time recovery tokens, for emergency access (default: `10`, set to `false` to disable)
+* `config.otp_trust_persistence` - The user is allowed to set his browser as "trusted", no more OTP challenges will be asked for that browser, for a limited time. (default: `1.month`, set to false to disable setting the browser as trusted)
+* `config.otp_issuer` - The name of the token issuer, to be added to the provisioning url. Display will vary based on token application. (defaults to the Rails application class)
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+## Thanks
+
+This extension is a hodgepodge of
+[devise-otp](https://github.com/wmlele/devise-otp) which was forked from [devise_google_authenticator](https://github.com/AsteriskLabs/devise_google_authenticator), in conjunction with outstanding pull requests from both libraries.  The changes contained within are a bit too aggressive for existing users, therefore this extension will forge it's own path.
+
+## License
+
+MIT Licensed

data/Rakefile

@@ -0,0 +1,41 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Foobar'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+desc 'Run Devise tests for all ORMs.'
+task :tests do
+  Dir[File.join(File.dirname(__FILE__), 'test', 'orm', '*.rb')].each do |file|
+    orm = File.basename(file).split('.').first
+    system "rake test DEVISE_ORM=#{orm}"
+  end
+end
+
+desc 'Default: run tests for all ORMs.'
+task default: :tests

data/app/controllers/devise/credentials_controller.rb

@@ -0,0 +1,100 @@
+class Devise::CredentialsController < DeviseController
+  helper_method :new_session_path if respond_to? :helper_method
+
+  prepend_before_action :authenticate_scope!, only: [:get_refresh, :set_refresh]
+  prepend_before_action :require_no_authentication, only: [:show, :update]
+
+  #
+  # show a request for the OTP token
+  #
+  def show
+    @challenge = params[:challenge]
+    @recovery =  (params[:recovery] == 'true') && recovery_enabled?
+
+    if @challenge.nil?
+      redirect_to :root
+    else
+      self.resource = resource_class.find_valid_otp_challenge(@challenge)
+      if resource.nil?
+        redirect_to :root
+      elsif @recovery
+        @recovery_count = resource.otp_recovery_counter
+        render :show
+      else
+        render :show
+      end
+    end
+  end
+
+  #
+  # signs the resource in, if the OTP token is valid and the user has a valid challenge
+  #
+  def update
+    resource = resource_class.find_valid_otp_challenge(params[resource_name][:challenge])
+    recovery = (params[resource_name][:recovery] == 'true') && recovery_enabled?
+    token = params[resource_name][:token]
+
+    if token.blank?
+      otp_set_flash_message(:alert, :token_blank)
+      redirect_to credential_path_for(resource_name, challenge: params[resource_name][:challenge],
+                                                     recovery: recovery)
+    elsif resource.nil?
+      otp_set_flash_message(:alert, :otp_session_invalid)
+      redirect_to new_session_path(resource_name)
+    else
+      if resource.otp_challenge_valid? && resource.validate_otp_token(params[resource_name][:token], recovery)
+        set_flash_message(:success, :signed_in) if is_navigational_format?
+        sign_in(resource_name, resource)
+
+        otp_refresh_credentials_for(resource)
+        respond_with resource, location: after_sign_in_path_for(resource)
+      else
+        otp_set_flash_message :alert, :token_invalid
+        redirect_to new_session_path(resource_name)
+      end
+    end
+  end
+
+  #
+  # displays the request for a credentials refresh
+  #
+  def get_refresh
+    ensure_resource!
+    render :refresh
+  end
+
+  #
+  # lets the user through is the refresh is valid
+  #
+  def set_refresh
+    ensure_resource!
+    # I am sure there's a much better way
+    if resource.valid_password?(params[resource_name][:refresh_password])
+      if resource.otp_enabled?
+        if resource.validate_otp_token(params[resource_name][:token])
+          done_valid_refresh
+        else
+          failed_refresh
+        end
+      else
+        done_valid_refresh
+      end
+    else
+      failed_refresh
+    end
+  end
+
+  private
+
+  def done_valid_refresh
+    otp_refresh_credentials_for(resource)
+    otp_set_flash_message :success, :valid_refresh if is_navigational_format?
+
+    respond_with resource, location: otp_fetch_refresh_return_url
+  end
+
+  def failed_refresh
+    otp_set_flash_message :alert, :invalid_refresh
+    render :refresh
+  end
+end

data/app/controllers/devise/tokens_controller.rb

@@ -0,0 +1,99 @@
+class Devise::TokensController < DeviseController
+  include Devise::Controllers::Helpers
+
+  prepend_before_action :ensure_credentials_refresh
+  prepend_before_action :authenticate_scope!
+
+  protect_from_forgery except: [:clear_persistence, :delete_persistence]
+
+  #
+  # Displays the status of OTP authentication
+  #
+  def show
+    if resource.nil?
+      redirect_to stored_location_for(scope) || :root
+    else
+      render :show
+    end
+  end
+
+  #
+  # Updates the status of OTP authentication
+  #
+  def update
+    enabled = (params[resource_name][:otp_enabled] == '1')
+    if enabled ? resource.enable_otp! : resource.disable_otp!
+      otp_set_flash_message :success, :successfully_updated
+    end
+    render :show
+  end
+
+  #
+  # Resets OTP authentication, generates new credentials, sets it to off
+  #
+  def destroy
+    if resource.reset_otp_credentials!
+      otp_set_flash_message :success, :successfully_reset_creds
+    end
+    render :show
+  end
+
+  #
+  # makes the current browser persistent
+  #
+  def get_persistence
+    if otp_set_trusted_device_for(resource)
+      otp_set_flash_message :success, :successfully_set_persistence
+    end
+    redirect_to action: :show
+  end
+
+  #
+  # clears persistence for the current browser
+  #
+  def clear_persistence
+    if otp_clear_trusted_device_for(resource)
+      otp_set_flash_message :success, :successfully_cleared_persistence
+    end
+
+    redirect_to action: :show
+  end
+
+  #
+  # rehash the persistence secret, thus, making all the persistence cookies invalid
+  #
+  def delete_persistence
+    if otp_reset_persistence_for(resource)
+      otp_set_flash_message :notice, :successfully_reset_persistence
+    end
+
+    redirect_to action: :show
+  end
+
+  #
+  #
+  #
+  def recovery
+    respond_to do |format|
+      format.html
+      format.js
+      format.text do
+        send_data render_to_string(template: 'devise/tokens/recovery_codes.text.erb'), filename: 'recovery-codes.txt'
+      end
+    end
+  end
+
+  private
+
+  def ensure_credentials_refresh
+    ensure_resource!
+    if needs_credentials_refresh?(resource)
+      otp_set_flash_message :notice, :need_to_refresh_credentials
+      redirect_to refresh_credential_path_for(resource)
+    end
+  end
+
+  def scope
+    resource_name.to_sym
+  end
+end