devise-2fa 0.1.1 → 0.2.0

data/spec/dummy/config/initializers/filter_parameter_logging.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]

data/{test → spec}/dummy/config/initializers/inflections.rb

@@ -1,15 +1,16 @@
 # Be sure to restart your server when you modify this file.
 
-# Add new inflection rules using the following format
-# (all these examples are active by default):
-# ActiveSupport::Inflector.inflections do |inflect|
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
 #   inflect.plural /^(ox)$/i, '\1en'
 #   inflect.singular /^(ox)en/i, '\1'
 #   inflect.irregular 'person', 'people'
 #   inflect.uncountable %w( fish sheep )
 # end
-#
+
 # These inflection rules are supported but not enabled by default:
-# ActiveSupport::Inflector.inflections do |inflect|
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
 #   inflect.acronym 'RESTful'
 # end

data/{test → spec}/dummy/config/initializers/mime_types.rb

@@ -2,4 +2,3 @@
 
 # Add new mime types for use in respond_to blocks:
 # Mime::Type.register "text/richtext", :rtf
-# Mime::Type.register_alias "text/html", :iphone

data/{test → spec}/dummy/config/initializers/wrap_parameters.rb

@@ -1,5 +1,5 @@
 # Be sure to restart your server when you modify this file.
-#
+
 # This file contains settings for ActionController::ParamsWrapper which
 # is enabled by default.
 
@@ -8,7 +8,7 @@ ActiveSupport.on_load(:action_controller) do
   wrap_parameters format: [:json]
 end
 
-# Disable root element in JSON by default.
-ActiveSupport.on_load(:active_record) do
-  self.include_root_in_json = false
-end
+# To enable root element in JSON for ActiveRecord objects.
+# ActiveSupport.on_load(:active_record) do
+#   self.include_root_in_json = true
+# end

data/spec/dummy/config/locales/devise.en.yml

@@ -0,0 +1,68 @@
+# Additional translations at https://github.com/plataformatec/devise/wiki/I18n
+
+en:
+  devise:
+    confirmations:
+      confirmed: "Your email address has been successfully confirmed."
+      send_instructions: "You will receive an email with instructions for how to confirm your email address in a few minutes."
+      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
+    failure:
+      already_authenticated: "You are already signed in."
+      inactive: "Your account is not activated yet."
+      invalid: "Invalid %{authentication_keys} or password."
+      locked: "Your account is locked."
+      last_attempt: "You have one more attempt before your account is locked."
+      not_found_in_database: "Invalid %{authentication_keys} or password."
+      timeout: "Your session expired. Please sign in again to continue."
+      unauthenticated: "You need to sign in or sign up before continuing."
+      unconfirmed: "You have to confirm your email address before continuing."
+    mailer:
+      confirmation_instructions:
+        subject: "Confirmation instructions"
+      reset_password_instructions:
+        subject: "Reset password instructions"
+      unlock_instructions:
+        subject: "Unlock instructions"
+      email_changed:
+        subject: "Email Changed"
+      password_change:
+        subject: "Password Changed"
+    omniauth_callbacks:
+      failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
+      success: "Successfully authenticated from %{kind} account."
+    passwords:
+      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
+      send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes."
+      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+      updated: "Your password has been changed successfully. You are now signed in."
+      updated_not_active: "Your password has been changed successfully."
+    registrations:
+      destroyed: "Bye! Your account has been successfully cancelled. We hope to see you again soon."
+      signed_up: "Welcome! You have signed up successfully."
+      signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
+      signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
+      signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
+      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirm link to confirm your new email address."
+      updated: "Your account has been updated successfully."
+      updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again"
+    sessions:
+      signed_in: "Signed in successfully."
+      signed_out: "Signed out successfully."
+      already_signed_out: "Signed out successfully."
+    credentials:
+      signed_in: 'Signed in successfully.'
+      signed_out: 'Signed out successfully.'
+    unlocks:
+      send_instructions: "You will receive an email with instructions for how to unlock your account in a few minutes."
+      send_paranoid_instructions: "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
+      unlocked: "Your account has been unlocked successfully. Please sign in to continue."
+  errors:
+    messages:
+      already_confirmed: "was already confirmed, please try signing in"
+      confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one"
+      expired: "has expired, please request a new one"
+      not_found: "not found"
+      not_locked: "was not locked"
+      not_saved:
+        one: "1 error prohibited this %{resource} from being saved:"
+        other: "%{count} errors prohibited this %{resource} from being saved:"

data/spec/dummy/config/locales/devise.two_factor.en.yml

@@ -0,0 +1,57 @@
+en:
+  devise:
+    two_factor:
+      submit_token:
+        title: 'Check Token'
+        explain: "A token is required because two-factor authentication is enabled on your account"
+        prompt: 'Please enter your two-factor authentication token:'
+        recovery_prompt: 'Please enter your recovery code:'
+        submit: 'Submit Token'
+        submit_recovery: 'Submit Recovery Code'
+        recovery_link: "I don't have my device, I want to use a recovery code"
+      credentials:
+        token_invalid: 'The token you provided was invalid.'
+        token_blank: 'Please provide a token generated by your device.'
+        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
+        valid_refresh: 'Thank you, your credentials were accepted.'
+        invalid_refresh: 'Sorry, you provided the wrong credentials.'
+      credentials_refresh:
+        title: 'Please enter your password again.'
+        explain: 'To confirm your identity, please re-enter your password.'
+        go_on: 'Continue'
+        identity: 'Identity'
+        token: 'Your two-factor authentication token'
+      token_secret:
+        title: 'Token Secret'
+        explain: 'Take a photo of this QR code with your mobile device.'
+        manual_provisioning: 'Manual provisioning code'
+        reset_otp: 'Reset your Two-Factor Authentication status'
+        reset_explain: 'This will reset your credentials, and disable two-factor authentication.'
+        reset_explain_warn: 'You will need to enroll your mobile device again.'
+      tokens:
+        title: 'Two-Factor Authentication'
+        explain: 'Two-Factor Authentication adds adds an additional layer of security to your account. When logging in you will be asked for a code that you can generate on a physical device, like your phone.'
+        enable_request: 'Would you like to enable Two-Factor Authentication?'
+        status: 'Enable Two-Factor Authentication'
+        submit: 'Continue'
+        successfully_updated: 'Your two-factor authentication settings have been updated.'
+        successfully_reset_creds: 'Your two-factor authentication credentials have been reset.'
+        successfully_set_persistence: 'Your device is now trusted.'
+        successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
+        successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
+        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
+        recovery:
+          title: 'Recovery Codes'
+          explain: 'Store these recovery codes in a safe place. They will allow you to log back in if your token device is lost, stolen, or unavailable.'
+          sequence: 'Sequence'
+          code: 'Recovery Code'
+          codes_list: 'View recovery codes'
+          download_codes: 'Download recovery codes'
+      trusted_devices:
+        title: 'Trusted Browsers'
+        explain: 'If you set this browser as trusted, you will not be asked to perform two-factor authentication when logging in for one month.'
+        device_trusted: 'This browser is trusted.'
+        device_not_trusted: 'This browser is not trusted.'
+        trust_remove: 'Untrust this browser'
+        trust_add: 'Trust this browser'
+        trust_clear: 'Clear all trusted browsers'

data/spec/dummy/config/locales/en.yml

@@ -0,0 +1,2 @@
+en:
+  hello: "Hello world"

data/spec/dummy/config/puma.rb

@@ -0,0 +1,9 @@
+threads_count = ENV.fetch("RAILS_MAX_THREADS") { 5 }
+threads threads_count, threads_count
+
+port        ENV.fetch("PORT") { 3000 }
+
+
+environment ENV.fetch("RAILS_ENV") { "development" }
+
+plugin :tmp_restart

data/spec/dummy/config/routes.rb

@@ -0,0 +1,4 @@
+Rails.application.routes.draw do
+  devise_for :users
+  root to: "application#show"
+end

data/spec/dummy/config/spring.rb

@@ -0,0 +1,6 @@
+%w[
+  .ruby-version
+  .rbenv-vars
+  tmp/restart.txt
+  tmp/caching-dev.txt
+].each { |path| Spring.watch(path) }

data/spec/dummy/config/storage.yml

@@ -0,0 +1,8 @@
+test:
+  service: Disk
+  root: <%= Rails.root.join("tmp/storage") %>
+
+local:
+  service: Disk
+  root: <%= Rails.root.join("storage") %>
+

data/spec/dummy/db/migrate/20190311184605_devise_create_users.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+class DeviseCreateUsers < ActiveRecord::Migration[5.2]
+  def change
+    create_table :users do |t|
+      ## Database authenticatable
+      t.string :email,              null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      # t.integer  :sign_in_count, default: 0, null: false
+      # t.datetime :current_sign_in_at
+      # t.datetime :last_sign_in_at
+      # t.string   :current_sign_in_ip
+      # t.string   :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, default: 0, null: false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+
+      t.timestamps null: false
+    end
+
+    add_index :users, :email,                unique: true
+    add_index :users, :reset_password_token, unique: true
+    # add_index :users, :confirmation_token,   unique: true
+    # add_index :users, :unlock_token,         unique: true
+  end
+end

data/{test/dummy/db/migrate/20130131160351_devise_otp_add_to_users.rb → spec/dummy/db/migrate/20190312222952_devise_two_factor_add_to_users.rb}

@@ -1,4 +1,4 @@
-class DeviseTwoFactorAddToUsers < ActiveRecord::Migration
+class DeviseTwoFactorAddToUsers < ActiveRecord::Migration[5.0]
   def self.up
     change_table :users do |t|
       t.string    :otp_auth_secret
@@ -6,7 +6,6 @@ class DeviseTwoFactorAddToUsers < ActiveRecord::Migration
       t.boolean   :otp_enabled,          default: false, null: false
       t.boolean   :otp_mandatory,        default: false, null: false
       t.datetime  :otp_enabled_on
-      t.integer   :otp_time_drift,       default: 0, null: false
       t.integer   :otp_failed_attempts,  default: 0, null: false
       t.integer   :otp_recovery_counter, default: 0, null: false
       t.string    :otp_persistence_seed
@@ -14,15 +13,15 @@ class DeviseTwoFactorAddToUsers < ActiveRecord::Migration
       t.string    :otp_session_challenge
       t.datetime  :otp_challenge_expires
     end
-
-    add_index :users, :otp_session_challenge, unique: true
+    add_index :users, :otp_session_challenge,  unique: true
     add_index :users, :otp_challenge_expires
   end
 
   def self.down
     change_table :users do |t|
       t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,
-               :otp_challenge_expires, :otp_time_drift, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+          :otp_challenge_expires, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+
     end
   end
 end

data/spec/dummy/db/schema.rb

@@ -0,0 +1,39 @@
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your
+# database schema. If you need to create the application database on another
+# system, you should be using db:schema:load, not running all the migrations
+# from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 2019_03_12_222952) do
+
+  create_table "users", force: :cascade do |t|
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "reset_password_token"
+    t.datetime "reset_password_sent_at"
+    t.datetime "remember_created_at"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "otp_auth_secret"
+    t.string "otp_recovery_secret"
+    t.boolean "otp_enabled", default: false, null: false
+    t.boolean "otp_mandatory", default: false, null: false
+    t.datetime "otp_enabled_on"
+    t.integer "otp_failed_attempts", default: 0, null: false
+    t.integer "otp_recovery_counter", default: 0, null: false
+    t.string "otp_persistence_seed"
+    t.string "otp_session_challenge"
+    t.datetime "otp_challenge_expires"
+    t.index ["email"], name: "index_users_on_email", unique: true
+    t.index ["otp_challenge_expires"], name: "index_users_on_otp_challenge_expires"
+    t.index ["otp_session_challenge"], name: "index_users_on_otp_session_challenge", unique: true
+    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
+  end
+
+end

data/spec/dummy/package.json

@@ -0,0 +1,5 @@
+{
+  "name": "dummy",
+  "private": true,
+  "dependencies": {}
+}

data/spec/dummy/public/404.html

@@ -0,0 +1 @@
+<h1>404</h1>

data/spec/dummy/public/422.html

@@ -0,0 +1 @@
+<h1>422</h1>

data/spec/dummy/public/500.html

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <style>
+  </style>
+</head>
+
+<body class="rails-default-error-page">
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <div>
+      <h1>We're sorry, but something went wrong.</h1>
+    </div>
+    <p>If you are the application owner check the logs for more information.</p>
+  </div>
+</body>
+</html>

data/spec/models/user_spec.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe User, type: :model do
+  subject (:user) { User.new(email: 'mb@geemail.com', password: 'iwantabigmac1') }
+  it 'is valid' do
+    expect(user).to be_valid
+  end
+
+  describe '#associations' do
+    it { is_expected.to respond_to(:email) }
+    it { is_expected.to respond_to(:encrypted_password) }
+  end
+
+  describe 'validations' do
+    describe '#email' do
+      subject(:user) { User.new(password: 'iwantabigmac1') }
+
+      it 'is required' do
+        expect(user).to be_invalid
+      end
+    end
+
+    describe '#password' do
+      subject(:user) { User.new(email: 'mb@geemail.com')}
+
+      it 'is required' do
+        expect(user).to be_invalid
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+ENV["RAILS_ENV"] ||= "test"
+
+require "rails/all"
+require "dummy/config/application"
+require 'bundler/setup'
+require 'rspec/rails'
+
+Dir[Rails.root.join("spec/support/**/*.rb")].each { |f| require f }
+
+Dummy::Application.initialize!
+
+require 'capybara/rails'
+
+Capybara.server = :webrick
+
+RSpec.configure do |config|
+  config.infer_spec_type_from_file_location!
+  config.use_transactional_fixtures = true
+
+  config.include Devise::Test::IntegrationHelpers, type: :system
+
+  config.before(:each, type: :system) do
+    driven_by :rack_test
+  end
+end
+
+
+def enable_otp_and_sign_in(user)
+  sign_in user
+  visit user_token_path
+
+  fill_in 'user_refresh_password', with: user.password
+  click_on 'Continue'
+  check 'user_otp_enabled'
+  click_on 'Continue'
+  Capybara.reset_sessions!
+
+  visit '/'
+
+  fill_in 'user_email', with: user.email
+  fill_in 'user_password', with: user.password
+  click_button('Log in')
+end
+
+def disable_otp
+  visit user_token_path
+  uncheck 'user_otp_enabled'
+  click_button 'Continue'
+end
+
+def sign_in_user(user)
+  visit '/users/sign_in'
+  fill_in 'user_email', with: user.email
+  fill_in 'user_password', with: user.password
+  click_button('Log in')
+end
+
+def otp_challenge_for(user)
+  fill_in 'user_token', with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+  click_button 'Submit Token'
+end
+
+def enable_otp_and_sign_in_with_otp(user)
+  enable_otp_and_sign_in(user)
+  fill_in 'user_token', with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+  click_button 'Submit Token'
+end