RubyGems - devise-2fa - Versions diffs - 0.1.0 - Mend

devise-2fa 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

checksums.yaml +7 -0
data/.gitignore +36 -0
data/.hound.yml +2 -0
data/.ruby-style.yml +1248 -0
data/.travis.yml +28 -0
data/Gemfile +25 -0
data/LICENSE +21 -0
data/README.md +130 -0
data/Rakefile +41 -0
data/app/controllers/devise/credentials_controller.rb +100 -0
data/app/controllers/devise/tokens_controller.rb +99 -0
data/app/views/devise/credentials/refresh.html.erb +20 -0
data/app/views/devise/credentials/show.html.erb +23 -0
data/app/views/devise/tokens/_token_secret.html.erb +19 -0
data/app/views/devise/tokens/_trusted_devices.html.erb +10 -0
data/app/views/devise/tokens/recovery.html.erb +21 -0
data/app/views/devise/tokens/recovery_codes.text.erb +3 -0
data/app/views/devise/tokens/show.html.erb +19 -0
data/config/locales/en.yml +57 -0
data/devise-2fa.gemspec +27 -0
data/lib/devise-2fa.rb +74 -0
data/lib/devise-2fa/version.rb +5 -0
data/lib/devise_two_factorable/controllers/helpers.rb +136 -0
data/lib/devise_two_factorable/controllers/url_helpers.rb +30 -0
data/lib/devise_two_factorable/engine.rb +22 -0
data/lib/devise_two_factorable/helpers.rb +136 -0
data/lib/devise_two_factorable/hooks.rb +11 -0
data/lib/devise_two_factorable/hooks/sessions.rb +49 -0
data/lib/devise_two_factorable/mapping.rb +12 -0
data/lib/devise_two_factorable/models/two_factorable.rb +131 -0
data/lib/devise_two_factorable/routes.rb +26 -0
data/lib/devise_two_factorable/two_factorable.rb +131 -0
data/lib/generators/active_record/devise_two_factor_generator.rb +32 -0
data/lib/generators/active_record/templates/migration.rb +27 -0
data/lib/generators/devise_two_factor/devise_two_factor_generator.rb +16 -0
data/lib/generators/devise_two_factor/install_generator.rb +52 -0
data/lib/generators/devise_two_factor/views_generator.rb +19 -0
data/lib/generators/mongoid/devise_two_factor_generator.rb +34 -0
data/test/dummy/README.rdoc +261 -0
data/test/dummy/Rakefile +7 -0
data/test/dummy/app/assets/javascripts/application.js +13 -0
data/test/dummy/app/assets/stylesheets/application.css +13 -0
data/test/dummy/app/controllers/application_controller.rb +4 -0
data/test/dummy/app/controllers/posts_controller.rb +83 -0
data/test/dummy/app/helpers/application_helper.rb +2 -0
data/test/dummy/app/helpers/posts_helper.rb +2 -0
data/test/dummy/app/mailers/.gitkeep +0 -0
data/test/dummy/app/models/post.rb +2 -0
data/test/dummy/app/models/user.rb +20 -0
data/test/dummy/app/views/layouts/application.html.erb +14 -0
data/test/dummy/app/views/posts/_form.html.erb +25 -0
data/test/dummy/app/views/posts/edit.html.erb +6 -0
data/test/dummy/app/views/posts/index.html.erb +25 -0
data/test/dummy/app/views/posts/new.html.erb +5 -0
data/test/dummy/app/views/posts/show.html.erb +15 -0
data/test/dummy/config.ru +4 -0
data/test/dummy/config/application.rb +67 -0
data/test/dummy/config/boot.rb +10 -0
data/test/dummy/config/database.yml +25 -0
data/test/dummy/config/environment.rb +5 -0
data/test/dummy/config/environments/development.rb +37 -0
data/test/dummy/config/environments/production.rb +73 -0
data/test/dummy/config/environments/test.rb +36 -0
data/test/dummy/config/initializers/backtrace_silencers.rb +7 -0
data/test/dummy/config/initializers/devise.rb +251 -0
data/test/dummy/config/initializers/inflections.rb +15 -0
data/test/dummy/config/initializers/mime_types.rb +5 -0
data/test/dummy/config/initializers/secret_token.rb +8 -0
data/test/dummy/config/initializers/session_store.rb +8 -0
data/test/dummy/config/initializers/wrap_parameters.rb +14 -0
data/test/dummy/config/locales/en.yml +5 -0
data/test/dummy/config/routes.rb +6 -0
data/test/dummy/db/migrate/20130125101430_create_users.rb +9 -0
data/test/dummy/db/migrate/20130131092406_add_devise_to_users.rb +52 -0
data/test/dummy/db/migrate/20130131142320_create_posts.rb +10 -0
data/test/dummy/db/migrate/20130131160351_devise_otp_add_to_users.rb +28 -0
data/test/dummy/lib/assets/.gitkeep +0 -0
data/test/dummy/public/404.html +26 -0
data/test/dummy/public/422.html +26 -0
data/test/dummy/public/500.html +25 -0
data/test/dummy/public/favicon.ico +0 -0
data/test/dummy/script/rails +6 -0
data/test/integration/persistence_test.rb +63 -0
data/test/integration/refresh_test.rb +103 -0
data/test/integration/sign_in_test.rb +85 -0
data/test/integration/token_test.rb +30 -0
data/test/integration_tests_helper.rb +64 -0
data/test/model_tests_helper.rb +20 -0
data/test/models/two_factorable_test.rb +120 -0
data/test/orm/active_record.rb +4 -0
data/test/orm/mongoid.rb +13 -0
data/test/support/mongoid.yml +6 -0
data/test/support/symmetric_encryption.yml +70 -0
data/test/test_helper.rb +18 -0
metadata +269 -0

data/lib/devise_two_factorable/engine.rb ADDED

@@ -0,0 +1,22 @@
+module DeviseTwoFactorable
+  class Engine < ::Rails::Engine
+    ActiveSupport.on_load(:action_controller) do
+      include DeviseTwoFactorable::Controllers::UrlHelpers
+      include DeviseTwoFactorable::Controllers::Helpers
+    end
+    ActiveSupport.on_load(:action_view) do
+      include DeviseTwoFactorable::Controllers::UrlHelpers
+      include DeviseTwoFactorable::Controllers::Helpers
+    end
+    # We use to_prepare instead of after_initialize here because Devise is a Rails engine;
+    config.to_prepare do
+      DeviseTwoFactorable::Hooks.apply
+    end
+    # extend mapping with after_initialize because is not reloaded
+    config.after_initialize do
+      Devise::Mapping.send :prepend, DeviseTwoFactorable::Mapping
+    end
+  end
+end

data/lib/devise_two_factorable/helpers.rb ADDED

@@ -0,0 +1,136 @@
+require 'rqrcode'
+require 'base64'
+module DeviseTwoFactorable
+  module Controllers
+    module Helpers
+      def authenticate_scope!
+        send(:"authenticate_#{resource_name}!", force: true)
+        self.resource = send("current_#{resource_name}")
+      end
+      #
+      # similar to DeviseController#set_flash_message, but sets the scope inside
+      # the otp controller
+      #
+      def otp_set_flash_message(key, kind, options = {})
+        options[:scope] ||= "devise.two_factor.#{controller_name}"
+        options[:default] = Array(options[:default]).unshift(kind.to_sym)
+        options[:resource_name] = resource_name
+        options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
+        message = I18n.t("#{options[:resource_name]}.#{kind}", options)
+        flash[key] = message if message.present?
+      end
+      def otp_t
+      end
+      def trusted_devices_enabled?
+        resource.class.otp_trust_persistence && (resource.class.otp_trust_persistence > 0)
+      end
+      def recovery_enabled?
+        resource_class.otp_recovery_tokens && (resource_class.otp_recovery_tokens > 0)
+      end
+      #
+      # Sanity check for resource validity
+      #
+      def ensure_resource!
+        raise ArgumentError, 'Should not happen' if resource.nil?
+      end
+      # FIXME: do cookies and persistence need to be scoped? probably
+      #
+      # check if the resource needs a credentials refresh. IE, they need to be asked a password again to access
+      # this resource.
+      #
+      def needs_credentials_refresh?(resource)
+        return false unless resource.class.otp_credentials_refresh
+        (!session[otp_scoped_refresh_property].present? ||
+            (session[otp_scoped_refresh_property] < DateTime.now)).tap { |need| otp_set_refresh_return_url if need }
+      end
+      #
+      # credentials are refreshed
+      #
+      def otp_refresh_credentials_for(resource)
+        return false unless resource.class.otp_credentials_refresh
+        session[otp_scoped_refresh_property] = (Time.now + resource.class.otp_credentials_refresh)
+      end
+      #
+      # is the current browser trusted?
+      #
+      def is_otp_trusted_device_for?(resource)
+        return false unless resource.class.otp_trust_persistence
+        if cookies[otp_scoped_persistence_cookie].present?
+          cookies.signed[otp_scoped_persistence_cookie] ==
+            [resource.to_key, resource.authenticatable_salt, resource.otp_persistence_seed]
+        else
+          false
+        end
+      end
+      #
+      # make the current browser trusted
+      #
+      def otp_set_trusted_device_for(resource)
+        return unless resource.class.otp_trust_persistence
+        cookies.signed[otp_scoped_persistence_cookie] = {
+          httponly: true,
+          expires: Time.now + resource.class.otp_trust_persistence,
+          value: [resource.to_key, resource.authenticatable_salt, resource.otp_persistence_seed]
+        }
+      end
+      def otp_set_refresh_return_url
+        session[otp_scoped_refresh_return_url_property] = request.fullpath
+      end
+      def otp_fetch_refresh_return_url
+        session.delete(otp_scoped_refresh_return_url_property) { :root }
+      end
+      def otp_scoped_refresh_return_url_property
+        "otp_#{resource_name}refresh_return_url".to_sym
+      end
+      def otp_scoped_refresh_property
+        "otp_#{resource_name}refresh_after".to_sym
+      end
+      def otp_scoped_persistence_cookie
+        "otp_#{resource_name}_device_trusted"
+      end
+      #
+      # make the current browser NOT trusted
+      #
+      def otp_clear_trusted_device_for(_resource)
+        cookies.delete(otp_scoped_persistence_cookie)
+      end
+      #
+      # clears the persistence list for this kind of resource
+      #
+      def otp_reset_persistence_for(resource)
+        otp_clear_trusted_device_for(resource)
+        resource.reset_otp_persistence!
+      end
+      #
+      # returns the URL for the QR Code to initialize the Authenticator device
+      #
+      def otp_authenticator_token_image(resource)
+        data = resource.otp_provisioning_uri
+        qrcode = RQRCode::QRCode.new(data, level: :m, mode: :byte_8bit)
+        png = qrcode.as_png(fill: 'white', color: 'black', border_modules: 1, module_px_size: 4)
+        url = "data:image/png;base64,#{Base64.encode64(png.to_s).strip}"
+        image_tag(url, alt: 'OTP Authenticator QRCode')
+      end
+    end
+  end
+end

data/lib/devise_two_factorable/hooks.rb ADDED

@@ -0,0 +1,11 @@
+module DeviseTwoFactorable
+  module Hooks
+    autoload :Sessions, 'devise_two_factorable/hooks/sessions.rb'
+    class << self
+      def apply
+        Devise::SessionsController.send :prepend, Hooks::Sessions
+      end
+    end
+  end
+end

data/lib/devise_two_factorable/hooks/sessions.rb ADDED

@@ -0,0 +1,49 @@
+module DeviseTwoFactorable::Hooks
+  module Sessions
+    extend ActiveSupport::Concern
+    include DeviseTwoFactorable::Controllers::UrlHelpers
+    #
+    # replaces Devise::SessionsController#create
+    #
+    def create
+      resource = warden.authenticate!(auth_options)
+      devise_stored_location = stored_location_for(resource) # Grab the current stored location before it gets lost by warden.logout
+      otp_refresh_credentials_for(resource)
+      if otp_challenge_required_on?(resource)
+        challenge = resource.generate_otp_challenge!
+        warden.logout
+        store_location_for(resource, devise_stored_location) # restore the stored location
+        respond_with resource, location: credential_path_for(resource, challenge: challenge)
+      elsif otp_mandatory_on?(resource) # if mandatory, log in user but send him to the must activate otp
+        set_flash_message(:notice, :signed_in_but_otp) if is_navigational_format?
+        sign_in(resource_name, resource)
+        respond_with resource, location: token_path_for(resource)
+      else
+        super
+      end
+    end
+    private
+    #
+    # resource should be challenged for otp
+    #
+    def otp_challenge_required_on?(resource)
+      return false unless resource.respond_to?(:otp_enabled) && resource.respond_to?(:otp_auth_secret)
+      resource.otp_enabled && !is_otp_trusted_device_for?(resource)
+    end
+    #
+    # the resource -should- have otp turned on, but it isn't
+    #
+    def otp_mandatory_on?(resource)
+      return true if resource.class.otp_mandatory
+      return false unless resource.respond_to?(:otp_mandatory)
+      resource.otp_mandatory && !resource.otp_enabled
+    end
+  end
+end

data/lib/devise_two_factorable/mapping.rb ADDED

@@ -0,0 +1,12 @@
+module DeviseTwoFactorable
+  module Mapping
+    private
+    def default_controllers(options)
+      options[:controllers] ||= {}
+      options[:controllers][:tokens]      ||= 'devise/tokens'
+      options[:controllers][:credentials] ||= 'devise/credentials'
+      super
+    end
+  end
+end

data/lib/devise_two_factorable/models/two_factorable.rb ADDED

@@ -0,0 +1,131 @@
+require 'rotp'
+module Devise::Models
+  module TwoFactorable
+    extend ActiveSupport::Concern
+    included do
+      before_validation :generate_otp_auth_secret, on: :create
+      before_validation :generate_otp_persistence_seed, on: :create
+      scope :with_valid_otp_challenge, ->{ where(:otp_challenge_expires.gt => Time.current) }
+    end
+    module ClassMethods
+      ::Devise::Models.config(self, :otp_authentication_timeout, :otp_drift_window, :otp_trust_persistence,
+                              :otp_mandatory, :otp_credentials_refresh, :otp_issuer, :otp_recovery_tokens)
+      def find_valid_otp_challenge(challenge)
+        with_valid_otp_challenge.where(otp_session_challenge: challenge).first
+      end
+    end
+    def time_based_otp
+      @time_based_otp ||= ROTP::TOTP.new(otp_auth_secret, issuer: (self.class.otp_issuer || Rails.application.class.parent_name).to_s)
+    end
+    def recovery_otp
+      @recovery_otp ||= ROTP::HOTP.new(otp_recovery_secret)
+    end
+    def otp_provisioning_uri
+      time_based_otp.provisioning_uri(otp_provisioning_identifier)
+    end
+    def otp_provisioning_identifier
+      email
+    end
+    def reset_otp_credentials
+      @time_based_otp = nil
+      @recovery_otp = nil
+      generate_otp_auth_secret
+      reset_otp_persistence
+      update_attributes!(otp_enabled: false,
+                         otp_session_challenge: nil,
+                         otp_challenge_expires: nil,
+                         otp_recovery_counter: 0)
+    end
+    def reset_otp_credentials!
+      reset_otp_credentials
+      save!
+    end
+    def reset_otp_persistence
+      generate_otp_persistence_seed
+    end
+    def reset_otp_persistence!
+      reset_otp_persistence
+      save!
+    end
+    def enable_otp!
+      reset_otp_credentials! if otp_persistence_seed.nil?
+      update_attributes!(otp_enabled: true, otp_enabled_on: Time.now)
+    end
+    def disable_otp!
+      update_attributes!(otp_enabled: false, otp_enabled_on: nil)
+    end
+    def generate_otp_challenge!(expires = nil)
+      update_attributes!(otp_session_challenge: SecureRandom.hex,
+                         otp_challenge_expires: DateTime.now + (expires || self.class.otp_authentication_timeout))
+      otp_session_challenge
+    end
+    def otp_challenge_valid?
+      (otp_challenge_expires.nil? || otp_challenge_expires > Time.now)
+    end
+    def validate_otp_token(token, recovery = false)
+      if recovery
+        validate_otp_recovery_token token
+      else
+        validate_otp_time_token token
+      end
+    end
+    alias valid_otp_token? validate_otp_token
+    def validate_otp_time_token(token)
+      return false if token.blank?
+      validate_otp_token_with_drift(token)
+    end
+    alias valid_otp_time_token? validate_otp_time_token
+    def next_otp_recovery_tokens(number = self.class.otp_recovery_tokens)
+      (otp_recovery_counter..otp_recovery_counter + number).inject({}) do |h, index|
+        h[index] = recovery_otp.at(index)
+        h
+      end
+    end
+    def validate_otp_recovery_token(token)
+      recovery_otp.verify(token, otp_recovery_counter).tap do
+        self.otp_recovery_counter += 1
+        save!
+      end
+    end
+    alias valid_otp_recovery_token? validate_otp_recovery_token
+    private
+    def validate_otp_token_with_drift(token)
+      # should be centered around saved drift
+      (-self.class.otp_drift_window..self.class.otp_drift_window).any? do |drift|
+        time_based_otp.verify(token, Time.now.ago(30 * drift))
+      end
+    end
+    def generate_otp_persistence_seed
+      self.otp_persistence_seed = SecureRandom.hex
+    end
+    def generate_otp_auth_secret
+      self.otp_auth_secret = ROTP::Base32.random_base32
+      self.otp_recovery_secret = ROTP::Base32.random_base32
+    end
+  end
+end

data/lib/devise_two_factorable/routes.rb ADDED

@@ -0,0 +1,26 @@
+module ActionDispatch::Routing
+  class Mapper
+    protected
+    #########
+    def devise_token(mapping, controllers)
+      resource :token, only: [:show, :update, :destroy],
+                       path: mapping.path_names[:token], controller: controllers[:tokens] do
+        if Devise.otp_trust_persistence
+          get  :persistence, action: 'get_persistence'
+          post :persistence, action: 'clear_persistence'
+          delete :persistence, action: 'delete_persistence'
+        end
+        get  :recovery
+      end
+      resource :credential, only: [:show, :update],
+                            path: mapping.path_names[:credential], controller: controllers[:credentials] do
+        get  :refresh, action: 'get_refresh'
+        put :refresh, action: 'set_refresh'
+      end
+    end
+  end
+end

data/lib/devise_two_factorable/two_factorable.rb ADDED

@@ -0,0 +1,131 @@
+require 'rotp'
+module Devise::Models
+  module TwoFactorable
+    extend ActiveSupport::Concern
+    included do
+      before_validation :generate_otp_auth_secret, on: :create
+      before_validation :generate_otp_persistence_seed, on: :create
+      scope :with_valid_otp_challenge, ->{ where(:otp_challenge_expires.gt => Time.current) }
+    end
+    module ClassMethods
+      ::Devise::Models.config(self, :otp_authentication_timeout, :otp_drift_window, :otp_trust_persistence,
+                              :otp_mandatory, :otp_credentials_refresh, :otp_issuer, :otp_recovery_tokens)
+      def find_valid_otp_challenge(challenge)
+        with_valid_otp_challenge.where(otp_session_challenge: challenge).first
+      end
+    end
+    def time_based_otp
+      @time_based_otp ||= ROTP::TOTP.new(otp_auth_secret, issuer: (self.class.otp_issuer || Rails.application.class.parent_name).to_s)
+    end
+    def recovery_otp
+      @recovery_otp ||= ROTP::HOTP.new(otp_recovery_secret)
+    end
+    def otp_provisioning_uri
+      time_based_otp.provisioning_uri(otp_provisioning_identifier)
+    end
+    def otp_provisioning_identifier
+      email
+    end
+    def reset_otp_credentials
+      @time_based_otp = nil
+      @recovery_otp = nil
+      generate_otp_auth_secret
+      reset_otp_persistence
+      update_attributes!(otp_enabled: false,
+                         otp_session_challenge: nil,
+                         otp_challenge_expires: nil,
+                         otp_recovery_counter: 0)
+    end
+    def reset_otp_credentials!
+      reset_otp_credentials
+      save!
+    end
+    def reset_otp_persistence
+      generate_otp_persistence_seed
+    end
+    def reset_otp_persistence!
+      reset_otp_persistence
+      save!
+    end
+    def enable_otp!
+      reset_otp_credentials! if otp_persistence_seed.nil?
+      update_attributes!(otp_enabled: true, otp_enabled_on: Time.now)
+    end
+    def disable_otp!
+      update_attributes!(otp_enabled: false, otp_enabled_on: nil)
+    end
+    def generate_otp_challenge!(expires = nil)
+      update_attributes!(otp_session_challenge: SecureRandom.hex,
+                         otp_challenge_expires: DateTime.now + (expires || self.class.otp_authentication_timeout))
+      otp_session_challenge
+    end
+    def otp_challenge_valid?
+      (otp_challenge_expires.nil? || otp_challenge_expires > Time.now)
+    end
+    def validate_otp_token(token, recovery = false)
+      if recovery
+        validate_otp_recovery_token token
+      else
+        validate_otp_time_token token
+      end
+    end
+    alias valid_otp_token? validate_otp_token
+    def validate_otp_time_token(token)
+      return false if token.blank?
+      validate_otp_token_with_drift(token)
+    end
+    alias valid_otp_time_token? validate_otp_time_token
+    def next_otp_recovery_tokens(number = self.class.otp_recovery_tokens)
+      (otp_recovery_counter..otp_recovery_counter + number).inject({}) do |h, index|
+        h[index] = recovery_otp.at(index)
+        h
+      end
+    end
+    def validate_otp_recovery_token(token)
+      recovery_otp.verify(token, otp_recovery_counter).tap do
+        self.otp_recovery_counter += 1
+        save!
+      end
+    end
+    alias valid_otp_recovery_token? validate_otp_recovery_token
+    private
+    def validate_otp_token_with_drift(token)
+      # should be centered around saved drift
+      (-self.class.otp_drift_window..self.class.otp_drift_window).any? do |drift|
+        time_based_otp.verify(token, Time.now.ago(30 * drift))
+      end
+    end
+    def generate_otp_persistence_seed
+      self.otp_persistence_seed = SecureRandom.hex
+    end
+    def generate_otp_auth_secret
+      self.otp_auth_secret = ROTP::Base32.random_base32
+      self.otp_recovery_secret = ROTP::Base32.random_base32
+    end
+  end
+end