devise-2fa 0.1.0

data/test/dummy/public/404.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <h1>The page you were looking for doesn't exist.</h1>
+    <p>You may have mistyped the address or the page may have moved.</p>
+  </div>
+</body>
+</html>

data/test/dummy/public/422.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <h1>The change you wanted was rejected.</h1>
+    <p>Maybe you tried to change something you didn't have access to.</p>
+  </div>
+</body>
+</html>

data/test/dummy/public/500.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <h1>We're sorry, but something went wrong.</h1>
+  </div>
+</body>
+</html>

data/test/dummy/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application', __FILE__)
+require File.expand_path('../../config/boot', __FILE__)
+require 'rails/commands'

data/test/integration/persistence_test.rb

@@ -0,0 +1,63 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class PersistenceTest < ActionDispatch::IntegrationTest
+  def setup
+    @old_persistence = User.otp_trust_persistence
+    User.otp_trust_persistence = 3.seconds
+  end
+
+  def teardown
+    User.otp_trust_persistence = @old_persistence
+    Capybara.reset_sessions!
+  end
+
+  test 'a user should be requested the otp challenge every log in' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_token_path
+    assert_equal user_token_path, current_path
+
+    sign_out
+    sign_user_in
+
+    assert_equal user_credential_path, current_path
+  end
+
+  test 'a user should be able to set their browser as trusted' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_token_path
+    assert_equal user_token_path, current_path
+
+    click_link('Trust this browser')
+    assert_text 'Your browser is trusted.'
+    sign_out
+
+    sign_user_in
+
+    assert_equal root_path, current_path
+  end
+
+  test 'trusted status should expire' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_token_path
+    assert_equal user_token_path, current_path
+
+    click_link('Trust this browser')
+    assert_text 'Your browser is trusted.'
+    sign_out
+
+    sleep User.otp_trust_persistence.to_i + 1
+    sign_user_in
+
+    assert_equal user_credential_path, current_path
+  end
+end

data/test/integration/refresh_test.rb

@@ -0,0 +1,103 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class RefreshTest < ActionDispatch::IntegrationTest
+  def setup
+    @old_refresh = User.otp_credentials_refresh
+    User.otp_credentials_refresh = 1.second
+  end
+
+  def teardown
+    User.otp_credentials_refresh = @old_refresh
+    Capybara.reset_sessions!
+  end
+
+  test 'a user that just signed in should be able to access their OTP settings without refreshing' do
+    sign_user_in
+
+    visit user_token_path
+    assert_equal user_token_path, current_path
+  end
+
+  test 'a user should be prompted for credentials when the credentials_refresh time is expired' do
+    sign_user_in
+    visit user_token_path
+    assert_equal user_token_path, current_path
+
+    sleep(2)
+
+    visit user_token_path
+    assert_equal refresh_user_credential_path, current_path
+  end
+
+  test 'a user should be able to access their OTP settings after refreshing' do
+    sign_user_in
+    visit user_token_path
+    assert_equal user_token_path, current_path
+
+    sleep(2)
+
+    visit user_token_path
+    assert_equal refresh_user_credential_path, current_path
+
+    fill_in 'user_refresh_password', with: '12345678'
+    click_button 'Continue...'
+    assert_equal user_token_path, current_path
+  end
+
+  test 'a user should NOT be able to access their OTP settings unless refreshing' do
+    sign_user_in
+    visit user_token_path
+    assert_equal user_token_path, current_path
+
+    sleep(2)
+
+    visit user_token_path
+    assert_equal refresh_user_credential_path, current_path
+
+    fill_in 'user_refresh_password', with: '12345670'
+    click_button 'Continue...'
+    assert_equal refresh_user_credential_path, current_path
+  end
+
+  test 'user should be asked their OTP challenge in order to refresh, if they have OTP' do
+    enable_otp_and_sign_in_with_otp
+
+    sleep(2)
+    visit user_token_path
+    assert_equal refresh_user_credential_path, current_path
+
+    fill_in 'user_refresh_password', with: '12345678'
+    click_button 'Continue...'
+
+    assert_equal refresh_user_credential_path, current_path
+  end
+
+  test 'user should be finally be able to access their settings, if they provide both a password and a valid OTP token' do
+    user = enable_otp_and_sign_in_with_otp
+
+    sleep(2)
+    visit user_token_path
+    assert_equal refresh_user_credential_path, current_path
+
+    fill_in 'user_refresh_password', with: '12345678'
+    fill_in 'user_token', with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Continue...'
+
+    assert_equal user_token_path, current_path
+  end
+
+  test 'and rejected when the token is blank or null' do
+    user = enable_otp_and_sign_in_with_otp
+
+    sleep(2)
+    visit user_token_path
+    assert_equal refresh_user_credential_path, current_path
+
+    fill_in 'user_refresh_password', with: '12345678'
+    fill_in 'user_token', with: ''
+    click_button 'Continue...'
+
+    assert_equal refresh_user_credential_path, current_path
+  end
+end

data/test/integration/sign_in_test.rb

@@ -0,0 +1,85 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class SignInTest < ActionDispatch::IntegrationTest
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test 'a new user should be able to sign in without using their token' do
+    create_full_user
+
+    visit new_user_session_path
+    fill_in 'user_email', with: 'user@email.invalid'
+    fill_in 'user_password', with: '12345678'
+    page.has_content?('Log in') ? click_button('Log in') : click_button('Sign in')
+
+    assert_equal root_path, current_path
+  end
+
+  test 'a new user, just signed in, should be able to sign in and enable their OTP authentication' do
+    user = sign_user_in
+
+    visit user_token_path
+    assert !page.has_content?('Your token secret')
+
+    check 'user_otp_enabled'
+    click_button 'Continue...'
+
+    assert_equal user_token_path, current_path
+
+    assert page.has_content?('Your token secret')
+    assert !user.otp_auth_secret.nil?
+    assert !user.otp_persistence_seed.nil?
+  end
+
+  test 'a new user should be able to sign in enable OTP and be prompted for their token' do
+    enable_otp_and_sign_in
+
+    assert_equal user_credential_path, current_path
+  end
+
+  test 'fail token authentication' do
+    enable_otp_and_sign_in
+    assert_equal user_credential_path, current_path
+
+    fill_in 'user_token', with: '123456'
+    click_button 'Submit Token'
+
+    assert_equal new_user_session_path, current_path
+  end
+
+  test 'fail blank token authentication' do
+    enable_otp_and_sign_in
+    assert_equal user_credential_path, current_path
+
+    fill_in 'user_token', with: ''
+    click_button 'Submit Token'
+
+    assert_equal user_credential_path, current_path
+  end
+
+  test 'successful token authentication' do
+    user = enable_otp_and_sign_in
+
+    fill_in 'user_token', with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+
+    assert_equal root_path, current_path
+  end
+
+  test 'should fail if the the challenge times out' do
+    old_timeout = User.otp_authentication_timeout
+    User.otp_authentication_timeout = 1.second
+
+    user = enable_otp_and_sign_in
+
+    sleep(2)
+
+    fill_in 'user_token', with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+
+    User.otp_authentication_timeout = old_timeout
+    assert_equal new_user_session_path, current_path
+  end
+end

data/test/integration/token_test.rb

@@ -0,0 +1,30 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class TokenTest < ActionDispatch::IntegrationTest
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test 'disabling OTP after successfully enabling' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    assert_equal user_credential_path, current_path
+
+    # otp two_factor
+    fill_in 'user_token', with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+    assert_equal root_path, current_path
+
+    # disable OTP
+    disable_otp
+
+    # logout
+    sign_out
+
+    # log back in 1fa
+    sign_user_in(user)
+
+    assert_equal root_path, current_path
+  end
+end

data/test/integration_tests_helper.rb

@@ -0,0 +1,64 @@
+class ActionDispatch::IntegrationTest
+  include Warden::Test::Helpers
+
+  def warden
+    request.env['warden']
+  end
+
+  def create_full_user
+    @user ||= begin
+      user = User.create!(
+        email: 'user@email.invalid',
+        password: '12345678',
+        password_confirmation: '12345678'
+      )
+      user
+    end
+  end
+
+  def enable_otp_and_sign_in_with_otp
+    enable_otp_and_sign_in.tap do |user|
+      fill_in 'user_token', with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+      click_button 'Submit Token'
+    end
+  end
+
+  def enable_otp_and_sign_in
+    user = create_full_user
+    sign_user_in(user)
+    visit user_token_path
+    check 'user_otp_enabled'
+    click_button 'Continue...'
+
+    Capybara.reset_sessions!
+
+    sign_user_in(user)
+    user
+  end
+
+  def otp_challenge_for(user)
+    fill_in 'user_token', with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+  end
+
+  def disable_otp
+    visit user_token_path
+    uncheck 'user_otp_enabled'
+    click_button 'Continue...'
+  end
+
+  def sign_out
+    logout :user
+  end
+
+  def sign_user_in(user = nil)
+    user ||= create_full_user
+    resource_name = user.class.name.underscore
+    visit send("new_#{resource_name}_session_path")
+    fill_in "#{resource_name}_email", with: user.email
+    fill_in "#{resource_name}_password", with: user.password
+
+    page.has_content?('Log in') ? click_button('Log in') : click_button('Sign in')
+    user
+  end
+end

data/test/model_tests_helper.rb

@@ -0,0 +1,20 @@
+class ActiveSupport::TestCase
+  #
+  # Helpers for creating new users
+  #
+  def unique_identity
+    @@unique_identity_count ||= 0
+    @@unique_identity_count += 1
+    "user-#{@@unique_identity_count}@mail.invalid"
+  end
+
+  def valid_attributes(attributes = {})
+    { email: unique_identity,
+      password: '12345678',
+      password_confirmation: '12345678' }.update(attributes)
+  end
+
+  def new_user(attributes = {})
+    User.new(valid_attributes(attributes)).save
+  end
+end