devise-2fa 0.1.0

data/app/views/devise/credentials/refresh.html.erb

@@ -0,0 +1,20 @@
+<h2><%= I18n.t('title', {scope: 'devise.two_factor.credentials_refresh'}) %></h2>
+<p><%= I18n.t('explain', {scope: 'devise.two_factor.credentials_refresh'}) %></p>
+
+<%= form_for(resource, as: resource_name, url: [:refresh, resource_name, :credential], html: { method: :put }) do |f| %>
+
+  <%= devise_error_messages! %>
+
+    <div><%= f.label :email %><br />
+    <%= f.text_field :email, disabled: :true%></div>
+
+    <div><%= f.label :password %><br />
+	<%= f.password_field :refresh_password, autocomplete: :off, autofocus: true %></div>
+
+  <%- if resource.otp_enabled? %>
+    <div><%= f.label :token, I18n.t(:token, {scope: 'devise.two_factor.credentials_refresh'}) %></p><br />
+    <%= f.password_field :token, autocomplete: :off%></div>
+  <% end %>
+
+	<div><%= f.submit I18n.t(:go_on, {scope: 'devise.two_factor.credentials_refresh'}) %></div>
+<% end %>

data/app/views/devise/credentials/show.html.erb

@@ -0,0 +1,23 @@
+<h2><%= I18n.t('title', {scope: 'devise.two_factor.submit_token'}) %></h2>
+<p><%= I18n.t('explain', {scope: 'devise.two_factor.submit_token'}) %></p>
+
+<%= form_for(resource, as: resource_name, url: [resource_name, :credential], html: { method: :put }) do |f| %>
+
+	<%= f.hidden_field :challenge, {value: @challenge} %>
+	<%= f.hidden_field :recovery, {value: @recovery} %>
+
+  <%- if @recovery %>
+    <p><%= f.label :token, I18n.t('recovery_prompt', {scope: 'devise.two_factor.submit_token'}) %><br />
+        <%= f.text_field :otp_recovery_counter, autocomplete: :off, disabled: true, size: 4 %>
+        <% else %>
+            <p><%= f.label :token, I18n.t('prompt', {scope: 'devise.two_factor.submit_token'}) %><br />
+        <% end %>
+
+        <%= f.text_field :token, autocomplete: :off, autofocus: true, size: 6, value: '' %>
+    </p>
+
+	<p><%= f.submit I18n.t('submit', {scope: 'devise.two_factor.submit_token'}) %></p>
+    <%- if !@recovery && recovery_enabled? %>
+      <p><%= link_to I18n.t('recovery_link', {scope: 'devise.two_factor.submit_token'}), credential_path_for(resource_name, challenge: @challenge, recovery: true) %></p>
+    <% end %>
+ <% end %>

data/app/views/devise/tokens/_token_secret.html.erb

@@ -0,0 +1,19 @@
+<h3><%= I18n.t('title', {scope: 'devise.two_factor.token_secret'}) %></h3>
+<p><%= I18n.t('explain', {scope: 'devise.two_factor.token_secret'}) %></p>
+
+<%= otp_authenticator_token_image(resource) %>
+
+<p><strong><%= I18n.t('manual_provisioning', {scope: 'devise.two_factor.token_secret'}) %>:</strong>
+  <code><%= resource.otp_auth_secret %></code></p>
+
+<p><%= link_to I18n.t('reset_otp', {scope: 'devise.two_factor.token_secret'}), @resource, method: :delete %></p>
+<p><%= I18n.t('reset_explain', {scope: 'devise.two_factor.token_secret'}) %>
+   <strong><%= I18n.t('reset_explain_warn', {scope: 'devise.two_factor.token_secret'}) %></strong></p>
+
+<%- if recovery_enabled? %>
+  <h3><%= I18n.t('title', {scope: 'devise.two_factor.tokens.recovery'}) %></h3>
+  <p><%= I18n.t('explain', {scope: 'devise.two_factor.tokens.recovery'}) %></p>
+  <p><%= link_to I18n.t('codes_list', {scope: 'devise.two_factor.tokens.recovery'}), recovery_token_for(resource_name) %></p>
+  <p><%= link_to I18n.t('download_codes', {scope: 'devise.two_factor.tokens.recovery'}), recovery_token_for(resource_name, format: :text) %></p>
+
+<% end %>

data/app/views/devise/tokens/_trusted_devices.html.erb

@@ -0,0 +1,10 @@
+<h3><%= I18n.t('title', {scope: 'devise.two_factor.trusted_devices'}) %></h3>
+<p><%= I18n.t('explain', {scope: 'devise.two_factor.trusted_devices'}) %></p>
+<%- if is_otp_trusted_device_for? resource %>
+  <p><em><%= I18n.t('device_trusted', {scope: 'devise.two_factor.trusted_devices'}) %></em></p>
+  <p><%= link_to I18n.t('trust_remove', {scope: 'devise.two_factor.trusted_devices'}), persistence_token_path_for(resource_name), method: :post %></p>
+<% else %>
+  <p><%= I18n.t('device_not_trusted', {scope: 'devise.two_factor.trusted_devices'}) %></p>
+  <p><%= link_to I18n.t('trust_add', {scope: 'devise.two_factor.trusted_devices'}), persistence_token_path_for(resource_name) %></p>
+<% end %>
+<p><%= link_to I18n.t('trust_clear', {scope: 'devise.two_factor.trusted_devices'}), persistence_token_path_for(resource_name), method: :delete %></p>

data/app/views/devise/tokens/recovery.html.erb

@@ -0,0 +1,21 @@
+<h2><%= I18n.t('title', {scope: 'devise.two_factor.tokens.recovery'}) %></h2>
+<p><%= I18n.t('explain', {scope: 'devise.two_factor.tokens.recovery'}) %></p>
+
+<table>
+  <caption>
+    <thead>
+        <tr>
+          <th><%= I18n.t('sequence', {scope: 'devise.two_factor.tokens.recovery'}) %></th>
+          <th><%= I18n.t('code', {scope: 'devise.two_factor.tokens.recovery'}) %></th>
+        </tr>
+    </thead>
+    <tbody>
+    <%- resource.next_otp_recovery_tokens.each do |seq, code| %>
+        <tr>
+          <td><%= seq %></td>
+          <td><%= code %></td>
+        </tr>
+    <% end %>
+    </tbody>
+  </caption>
+</table>

data/app/views/devise/tokens/recovery_codes.text.erb

@@ -0,0 +1,3 @@
+<% resource.next_otp_recovery_tokens.each do |seq, code| %>
+<%= code %>
+<% end %>

data/app/views/devise/tokens/show.html.erb

@@ -0,0 +1,19 @@
+<h2><%= I18n.t('title', {scope: 'devise.two_factor.tokens'}) %></h2>
+<p><%= I18n.t('explain', {scope: 'devise.two_factor.tokens'}) %></p>
+
+<%= form_for(resource, as: resource_name, url: [resource_name, :token], html: { method: :put }) do |f| %>
+
+	<%= devise_error_messages! %>
+
+	<h3><%= I18n.t('enable_request', {scope: 'devise.two_factor.tokens'}) %></h3>
+
+	<p><%= f.label :otp_enabled, I18n.t('status', {scope: 'devise.two_factor.tokens'}) %><br />
+	<%= f.check_box :otp_enabled %></p>
+
+	<p><%= f.submit I18n.t('submit', {scope: 'devise.two_factor.tokens'}) %></p>
+<% end %>
+
+<%- if resource.otp_enabled? %>
+  <%= render partial: 'token_secret' if resource.otp_enabled? %>
+  <%= render partial: 'trusted_devices' if trusted_devices_enabled? %>
+<% end %>

data/config/locales/en.yml

@@ -0,0 +1,57 @@
+en:
+  devise:
+    two_factor:
+      submit_token:
+        title: 'Check Token'
+        explain: "A token is required because two-factor authentication is enabled on your account"
+        prompt: 'Please enter your two-factor authentication token:'
+        recovery_prompt: 'Please enter your recovery code:'
+        submit: 'Submit Token'
+        submit_recovery: 'Submit Recovery Code'
+        recovery_link: "I don't have my device, I want to use a recovery code"
+      credentials:
+        token_invalid: 'The token you provided was invalid.'
+        token_blank: 'Please provide a token generated by your device.'
+        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
+        valid_refresh: 'Thank you, your credentials were accepted.'
+        invalid_refresh: 'Sorry, you provided the wrong credentials.'
+      credentials_refresh:
+        title: 'Please enter your password again.'
+        explain: 'To confirm your identity, please re-enter your password.'
+        go_on: 'Continue'
+        identity: 'Identity'
+        token: 'Your two-factor authentication token'
+      token_secret:
+        title: 'Token Secret'
+        explain: 'Take a photo of this QR code with your mobile device.'
+        manual_provisioning: 'Manual provisioning code'
+        reset_otp: 'Reset your Two-Factor Authentication status'
+        reset_explain: 'This will reset your credentials, and disable two-factor authentication.'
+        reset_explain_warn: 'You will need to enroll your mobile device again.'
+      tokens:
+        title: 'Two-Factor Authentication'
+        explain: 'Two-Factor Authentication adds adds an additional layer of security to your account. When logging in you will be asked for a code that you can generate on a physical device, like your phone.'
+        enable_request: 'Would you like to enable Two-Factor Authentication?'
+        status: 'Enable Two-Factor Authentication'
+        submit: 'Continue'
+        successfully_updated: 'Your two-factor authentication settings have been updated.'
+        successfully_reset_creds: 'Your two-factor authentication credentials have been reset.'
+        successfully_set_persistence: 'Your device is now trusted.'
+        successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
+        successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
+        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
+        recovery:
+          title: 'Recovery Codes'
+          explain: 'Store these recovery codes in a safe place. They will allow you to log back in if your token device is lost, stolen, or unavailable.'
+          sequence: 'Sequence'
+          code: 'Recovery Code'
+          codes_list: 'View recovery codes'
+          download_codes: 'Download recovery codes'
+      trusted_devices:
+        title: 'Trusted Browsers'
+        explain: 'If you set this browser as trusted, you will not be asked to perform two-factor authentication when logging in for one month.'
+        device_trusted: 'This browser is trusted.'
+        device_not_trusted: 'This browser is not trusted.'
+        trust_remove: 'Untrust this browser'
+        trust_add: 'Trust this browser'
+        trust_clear: 'Clear all trusted browsers'

data/devise-2fa.gemspec

@@ -0,0 +1,27 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'devise-2fa/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = 'devise-2fa'
+  gem.version       = Devise::TwoFactor::VERSION
+  gem.authors       = ['William A. Todd']
+  gem.email         = ['info@investinwaffles.com']
+  gem.description   = 'Time Based OTP/rfc6238 authentication for Devise'
+  gem.summary       = 'Includes ActiveRecord and Mongoid ORM support'
+  gem.homepage      = 'http://www.github.com/williamatodd/devise-2fa'
+  gem.license      = 'MIT'
+
+  gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ['lib']
+
+  gem.add_runtime_dependency 'devise', '~> 3.2', '>= 3.2.0'
+  gem.add_runtime_dependency 'rotp', '~> 3.0'
+  gem.add_runtime_dependency 'rqrcode', '~> 0.10.1'
+  gem.add_runtime_dependency 'symmetric-encryption', '~> 3.8'
+
+  gem.add_development_dependency 'sqlite3', '~> 0'
+end

data/lib/devise-2fa.rb

@@ -0,0 +1,74 @@
+module DeviseTwoFactorable
+  autoload :Hooks,   'devise_two_factorable/hooks'
+  autoload :Mapping, 'devise_two_factorable/mapping'
+
+  module Controllers
+    autoload :Helpers,    'devise_two_factorable/controllers/helpers'
+    autoload :UrlHelpers, 'devise_two_factorable/controllers/url_helpers'
+  end
+end
+
+require 'devise-2fa/version'
+require 'active_support'
+require 'active_support/core_ext'
+require 'active_support/core_ext/integer'
+require 'active_support/core_ext/string'
+require 'active_support/ordered_hash'
+require 'active_support/concern'
+require 'devise_two_factorable/routes'
+require 'devise_two_factorable/engine'
+require 'devise'
+
+module Devise
+  #
+  #
+  #
+  mattr_accessor :otp_mandatory
+  @@otp_mandatory = false
+
+  #
+  #
+  #
+  mattr_accessor :otp_authentication_timeout
+  @@otp_authentication_timeout = 3.minutes
+
+  #
+  #
+  #
+  mattr_accessor :otp_recovery_tokens
+  @@otp_recovery_tokens = 10 ## false to disable
+
+  #
+  # If the user is given the chance to set his browser as trusted, how long will it stay trusted.
+  # set to nil/false to disable the ability to set a device as trusted
+  #
+  mattr_accessor :otp_trust_persistence
+  @@otp_trust_persistence = 30.days
+
+  #
+  #
+  #
+  mattr_accessor :otp_drift_window
+  @@otp_drift_window = 3 # in minutes
+
+  #
+  # if the user wants to change Otp settings,
+  # ask the password (and the token) again if this time has passed since the last
+  # time the user has provided valid credentials
+  #
+  mattr_accessor :otp_credentials_refresh
+  @@otp_credentials_refresh = 15.minutes # or like 15.minutes, false to disable
+
+  #
+  # the name of the token issuer
+  #
+  mattr_accessor :otp_issuer
+  @@otp_issuer = Rails.application.class.parent_name
+
+  module TwoFactor
+  end
+end
+
+Devise.add_module :two_factorable,
+                  controller: :tokens,
+                  model: 'devise_two_factorable/models/two_factorable', route: :token

data/lib/devise-2fa/version.rb

@@ -0,0 +1,5 @@
+module Devise
+  module TwoFactor
+    VERSION = '0.1.0'.freeze
+  end
+end

data/lib/devise_two_factorable/controllers/helpers.rb

@@ -0,0 +1,136 @@
+require 'rqrcode'
+require 'base64'
+
+module DeviseTwoFactorable
+  module Controllers
+    module Helpers
+      def authenticate_scope!
+        send(:"authenticate_#{resource_name}!", force: true)
+        self.resource = send("current_#{resource_name}")
+      end
+
+      #
+      # similar to DeviseController#set_flash_message, but sets the scope inside
+      # the otp controller
+      #
+      def otp_set_flash_message(key, kind, options = {})
+        options[:scope] ||= "devise.two_factor.#{controller_name}"
+        options[:default] = Array(options[:default]).unshift(kind.to_sym)
+        options[:resource_name] = resource_name
+        options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
+        message = I18n.t("#{options[:resource_name]}.#{kind}", options)
+        flash[key] = message if message.present?
+      end
+
+      def otp_t
+      end
+
+      def trusted_devices_enabled?
+        resource.class.otp_trust_persistence && (resource.class.otp_trust_persistence > 0)
+      end
+
+      def recovery_enabled?
+        resource_class.otp_recovery_tokens && (resource_class.otp_recovery_tokens > 0)
+      end
+
+      #
+      # Sanity check for resource validity
+      #
+      def ensure_resource!
+        raise ArgumentError, 'Should not happen' if resource.nil?
+      end
+
+      # FIXME: do cookies and persistence need to be scoped? probably
+
+      #
+      # check if the resource needs a credentials refresh. IE, they need to be asked a password again to access
+      # this resource.
+      #
+      def needs_credentials_refresh?(resource)
+        return false unless resource.class.otp_credentials_refresh
+
+        (!session[otp_scoped_refresh_property].present? ||
+            (session[otp_scoped_refresh_property] < DateTime.now)).tap { |need| otp_set_refresh_return_url if need }
+      end
+
+      #
+      # credentials are refreshed
+      #
+      def otp_refresh_credentials_for(resource)
+        return false unless resource.class.otp_credentials_refresh
+        session[otp_scoped_refresh_property] = (Time.now + resource.class.otp_credentials_refresh)
+      end
+
+      #
+      # is the current browser trusted?
+      #
+      def is_otp_trusted_device_for?(resource)
+        return false unless resource.class.otp_trust_persistence
+        if cookies[otp_scoped_persistence_cookie].present?
+          cookies.signed[otp_scoped_persistence_cookie] ==
+            [resource.to_key, resource.authenticatable_salt, resource.otp_persistence_seed]
+        else
+          false
+        end
+      end
+
+      #
+      # make the current browser trusted
+      #
+      def otp_set_trusted_device_for(resource)
+        return unless resource.class.otp_trust_persistence
+        cookies.signed[otp_scoped_persistence_cookie] = {
+          httponly: true,
+          expires: Time.now + resource.class.otp_trust_persistence,
+          value: [resource.to_key, resource.authenticatable_salt, resource.otp_persistence_seed]
+        }
+      end
+
+      def otp_set_refresh_return_url
+        session[otp_scoped_refresh_return_url_property] = request.fullpath
+      end
+
+      def otp_fetch_refresh_return_url
+        session.delete(otp_scoped_refresh_return_url_property) { :root }
+      end
+
+      def otp_scoped_refresh_return_url_property
+        "otp_#{resource_name}refresh_return_url".to_sym
+      end
+
+      def otp_scoped_refresh_property
+        "otp_#{resource_name}refresh_after".to_sym
+      end
+
+      def otp_scoped_persistence_cookie
+        "otp_#{resource_name}_device_trusted"
+      end
+
+      #
+      # make the current browser NOT trusted
+      #
+      def otp_clear_trusted_device_for(_resource)
+        cookies.delete(otp_scoped_persistence_cookie)
+      end
+
+      #
+      # clears the persistence list for this kind of resource
+      #
+      def otp_reset_persistence_for(resource)
+        otp_clear_trusted_device_for(resource)
+        resource.reset_otp_persistence!
+      end
+
+      #
+      # returns the URL for the QR Code to initialize the Authenticator device
+      #
+      def otp_authenticator_token_image(resource)
+        data = resource.otp_provisioning_uri
+        qrcode = RQRCode::QRCode.new(data, level: :m, mode: :byte_8bit)
+        png = qrcode.as_png(fill: 'white', color: 'black', border_modules: 1, module_px_size: 4)
+        url = "data:image/png;base64,#{Base64.encode64(png.to_s).strip}"
+        image_tag(url, alt: 'OTP Authenticator QRCode')
+      end
+    end
+  end
+end

data/lib/devise_two_factorable/controllers/url_helpers.rb

@@ -0,0 +1,30 @@
+module DeviseTwoFactorable
+  module Controllers
+    module UrlHelpers
+      def recovery_token_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("recovery_#{scope}_token_path", opts)
+      end
+
+      def refresh_credential_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("refresh_#{scope}_credential_path", opts)
+      end
+
+      def persistence_token_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("persistence_#{scope}_token_path", opts)
+      end
+
+      def token_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("#{scope}_token_path", opts)
+      end
+
+      def credential_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("#{scope}_credential_path", opts)
+      end
+    end
+  end
+end