devise-2fa 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 818ff39f300655bfc5e4595926641b1d8b7e9bfe
-  data.tar.gz: c5efa8ee1d94153371f2a5f484d01c63391432da
+SHA256:
+  metadata.gz: 83df80ebf1e6b543d6ac9e53d8577e70d727323312ea8748d5709fc8cd6fb491
+  data.tar.gz: ee76f7c9922b69ba53fe2fd13b6409a241c4da93d6ec89b47f6b2384409a1ee7
 SHA512:
-  metadata.gz: f8ea4680d7be412d4c2a5cbe3b031950e8370ba125d2b7b612114e12d1629297c894c8a343b33709e49208ef35d13874f7c1502acf7aecae7e59980443b53e19
-  data.tar.gz: 484dc83eb67d9071190988e53a7bc84cf68dc1f078d50fb994fb0e62e297fa4cebae0b9372465141cd3255bd5c03147aa121677d75a66444c8a48f2ae9fdeb68
+  metadata.gz: 0e799896dc4f81b392382af681bb1aa346bb1271a61c85c243231b2045a58674ac552ecce6dbefbaef9198f5bc5d967426fec3acc9ac64ced888c244c5895275
+  data.tar.gz: 88e4f90b42ea6447f90f6d3e0a96814ee161fd859266dcdca7a89418855eaf637d5420e1c2fb7982b95684f73d188bd49ff97c7b7d058eff1213d47b800ac948

data/.circleci/config.yml

@@ -0,0 +1,46 @@
+version: 2
+jobs:
+  build:
+    docker:
+      - image: circleci/ruby:2.4.1-node-browsers
+
+    working_directory: ~/repo
+
+    steps:
+      - checkout
+
+      - restore_cache:
+          keys:
+            - v1-dependencies-{{ checksum "Gemfile.lock" }}
+            - v1-dependencies-
+
+      - run:
+          name: install dependencies
+          command: |
+            bundle install --jobs=4 --retry=3 --path vendor/bundle
+
+      - save_cache:
+          paths:
+            - ./vendor/bundle
+          key: v1-dependencies-{{ checksum "Gemfile.lock" }}
+
+      - run: cd spec/dummy && bin/setup
+
+      - run:
+          name: run tests
+          command: |
+            mkdir /tmp/test-results
+            TEST_FILES="$(circleci tests glob "spec/**/*_spec.rb" | \
+              circleci tests split --split-by=timings)"
+
+            bundle exec rspec \
+              --format progress \
+              --out /tmp/test-results/rspec.xml \
+              --format progress \
+              $TEST_FILES
+
+      - store_test_results:
+          path: /tmp/test-results
+      - store_artifacts:
+          path: /tmp/test-results
+          destination: test-results

data/.gitignore

@@ -34,3 +34,11 @@ build/
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc
+
+# Rails
+spec/dummy/db/development.sqlite3
+spec/dummy/log/*
+spec/dummy/db/test.sqlite3
+*.cache
+spec/dummy/tmp/development_secret.txt
+spec/dummy/tmp/restart.txt

data/Gemfile

@@ -1,25 +1,6 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
+git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 gemspec
-
-gem 'rdoc'
-
-group :test do
-  platforms :jruby do
-    gem 'activerecord-jdbcsqlite3-adapter', '>= 1.3.0.beta1'
-  end
-
-  platforms :ruby do
-    gem 'sqlite3', '~> 1.3.4'
-  end
-
-  gem 'devise', '~> 4.0'
-  gem 'activerecord', '~> 4.2.6'
-  gem 'mongo'
-
-  gem 'capybara'
-  gem 'shoulda'
-  gem 'selenium-webdriver'
-
-  gem 'minitest-reporters', '>= 0.5.0'
-end

data/README.md

@@ -1,10 +1,11 @@
 # Devise::TwoFactor
-[![Build Status](https://travis-ci.org/williamatodd/devise-2fa.png?branch=master)](https://travis-ci.org/williamatodd/devise-2fa)
+
+[![CircleCI](https://circleci.com/gh/williamatodd/devise-2fa.svg?style=svg)](https://circleci.com/gh/williamatodd/devise-2fa)
 
 Devise TwoFactor implements two-factor authentication for Devise, using an rfc6238 compatible Time-Based One-Time Password Algorithm.
-* Uses [rotp library](https://github.com/mdp/rotp) for the generation and verification of codes.
+* Uses [rotp](https://github.com/mdp/rotp) for the generation and verification of codes.
 * Uses [RQRCode](https://github.com/whomwah/rqrcode) to generate QR Code PNGs.
-* Uses [SymmetricEncryption](https://github.com/rocketjob/symmetric-encryption) to generate QR Code PNGs.
+* Uses [SymmetricEncryption](https://github.com/rocketjob/symmetric-encryption) to encrypt secrets and recovery codes.
 
 It currently has the following features:
 
@@ -19,17 +20,6 @@ Compatible token devices are:
 * [Google Authenticator](https://code.google.com/p/google-authenticator/)
 * [FreeOTP](https://fedorahosted.org/freeotp/)
 
-## Quick overview of Two Factors Authentication, using OTPs.
-
-* A shared secret is generated on the server, and stored both on the token device (eg: the phone) and the server itself.
-* The secret is used to generate short numerical tokens that are either time or sequence based.
-* Tokens can be generated on a phone without internet connectivity.
-* The token provides an additional layer of security against password theft.
-* OTP's should always be used as a second factor of authentication(if your phone is lost, you account is still secured with a password)
-
-Although there's an adjustable drift window, it is important that both the server and the token device (phone) have their clocks set (eg: using NTP).
-
-
 ## Installation
 
 Setup the symmetric-encryption gem by following the steps on the (configuration page)[http://rocketjob.github.io/symmetric-encryption/configuration.html]
@@ -98,6 +88,7 @@ With this extension enabled, the following is expected behavior:
 * Users may go to _/MODEL/token_ and enable their OTP state, they might be asked to provide their password again (and OTP token, if it's enabled)
 * Once enabled they're shown an alphanumeric code (for manual provisioning) and a QR code, for automatic provisioning of their authentication device (for instance, Google Authenticator)
 * If config.otp_mandatory or model_instance.otp_mandatory, users will be required to enable, and provision, next time they successfully sign-in.
+* Although there's an adjustable drift window, it is important that both the server and the token device (phone) have their clocks set (eg: using NTP).
 
 
 ### Configuration Options
@@ -112,6 +103,12 @@ The install generator adds some options to the end of your Devise config file (c
 * `config.otp_trust_persistence` - The user is allowed to set his browser as "trusted", no more OTP challenges will be asked for that browser, for a limited time. (default: `1.month`, set to false to disable setting the browser as trusted)
 * `config.otp_issuer` - The name of the token issuer, to be added to the provisioning url. Display will vary based on token application. (defaults to the Rails application class)
 
+### Development
+
+Set up the gem for development with `bin/setup`.
+
+Run the test suite with `bin/rspec`.
+
 ## Contributing
 
 1. Fork it
@@ -128,3 +125,5 @@ This extension is a hodgepodge of
 ## License
 
 MIT Licensed
+
+Copyright © 2015-2019 William A. Todd and contributors.

data/Rakefile

@@ -1,41 +1,19 @@
-#!/usr/bin/env rake
 begin
   require 'bundler/setup'
 rescue LoadError
   puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
 end
-begin
-  require 'rdoc/task'
-rescue LoadError
-  require 'rdoc/rdoc'
-  require 'rake/rdoctask'
-  RDoc::Task = Rake::RDocTask
-end
+
+require 'rdoc/task'
 
 RDoc::Task.new(:rdoc) do |rdoc|
   rdoc.rdoc_dir = 'rdoc'
-  rdoc.title    = 'Foobar'
+  rdoc.title    = 'Devise::TwoFactor'
   rdoc.options << '--line-numbers'
-  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('README.md')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
-Bundler::GemHelper.install_tasks
-
-require 'rake/testtask'
-Rake::TestTask.new(:test) do |test|
-  test.libs << 'lib' << 'test'
-  test.pattern = 'test/**/*_test.rb'
-  test.verbose = true
-end
-
-desc 'Run Devise tests for all ORMs.'
-task :tests do
-  Dir[File.join(File.dirname(__FILE__), 'test', 'orm', '*.rb')].each do |file|
-    orm = File.basename(file).split('.').first
-    system "rake test DEVISE_ORM=#{orm}"
-  end
-end
+require 'bundler/gem_tasks'
 
-desc 'Default: run tests for all ORMs.'
-task default: :tests
+task default: :rdoc

data/bin/rspec

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+begin
+  load File.expand_path('../spring', __FILE__)
+rescue LoadError => e
+  raise unless e.message.include?('spring')
+end
+require 'bundler/setup'
+load Gem.bin_path('rspec-core', 'rspec')

data/bin/setup

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# Fail out, bail out
+set -e
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+echo "Installing dependencies"
+gem install bundler --conservative
+bundle check || bundle install
+
+$DIR/../spec/dummy/bin/setup

data/{devise-2fa.gemspec → devise_2fa.gemspec}

@@ -1,27 +1,34 @@
-# -*- encoding: utf-8 -*-
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'devise-2fa/version'
+$:.push File.expand_path("lib", __dir__)
 
+# Maintain your gem's version:
+require "devise-2fa/version"
+
+# Describe your gem and declare its dependencies:
 Gem::Specification.new do |gem|
   gem.name          = 'devise-2fa'
   gem.version       = Devise::TwoFactor::VERSION
   gem.authors       = ['William A. Todd']
-  gem.email         = ['info@investinwaffles.com']
+  gem.email         = ['info@rockcreek.io']
   gem.description   = 'Time Based OTP/rfc6238 authentication for Devise'
   gem.summary       = 'Includes ActiveRecord and Mongoid ORM support'
   gem.homepage      = 'http://www.github.com/williamatodd/devise-2fa'
   gem.license       = 'MIT'
 
   gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
-  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ['lib']
 
+  gem.add_dependency "rails", "~> 5.0"
+
   gem.add_runtime_dependency 'devise', '~> 4.0'
   gem.add_runtime_dependency 'rotp', '~> 3.0'
   gem.add_runtime_dependency 'rqrcode', '~> 0.10.1'
-  gem.add_runtime_dependency 'symmetric-encryption', '~> 3.8'
+  gem.add_runtime_dependency 'symmetric-encryption', '~> 4.2.0'
 
-  gem.add_development_dependency 'sqlite3', '~> 0'
+  gem.add_development_dependency 'sqlite3', '~> 1.3.6'
+  gem.add_development_dependency 'selenium-webdriver'
+  gem.add_development_dependency 'rspec-rails'
+  gem.add_development_dependency 'capybara'
+  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'pry'
 end

data/lib/devise-2fa/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module TwoFactor
-    VERSION = '0.1.1'.freeze
+    VERSION = '0.2.0'.freeze
   end
 end

data/lib/devise_two_factorable/models/two_factorable.rb

@@ -7,7 +7,11 @@ module Devise::Models
     included do
       before_validation :generate_otp_auth_secret, on: :create
       before_validation :generate_otp_persistence_seed, on: :create
-      scope :with_valid_otp_challenge, ->{ where(:otp_challenge_expires.gt => Time.current) }
+      if defined?(ActiveRecord) && self < ActiveRecord::Base
+        scope :with_valid_otp_challenge, ->{ where(User.arel_table[:otp_challenge_expires].gt(Time.current)) }
+      else # Mongoid
+        scope :with_valid_otp_challenge, ->{ where(:otp_challenge_expires.gt => Time.current) }
+      end
     end
 
     module ClassMethods

data/{test → spec}/dummy/Rakefile

@@ -1,7 +1,6 @@
-#!/usr/bin/env rake
 # Add your own tasks in files placed in lib/tasks ending in .rake,
 # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
 
-require File.expand_path('../config/application', __FILE__)
+require_relative 'config/application'
 
-Dummy::Application.load_tasks
+Rails.application.load_tasks

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,3 @@
+//= require rails-ujs
+//= require activestorage
+//= require_tree .

data/spec/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/{test → spec}/dummy/app/controllers/application_controller.rb

@@ -1,4 +1,7 @@
 class ApplicationController < ActionController::Base
-  protect_from_forgery
   before_action :authenticate_user!
+
+  def show
+    render html: "", layout: "application"
+  end
 end

data/spec/dummy/app/models/application_record.rb

@@ -0,0 +1,3 @@
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end

data/spec/dummy/app/models/user.rb

@@ -0,0 +1,6 @@
+class User < ApplicationRecord
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
+  devise :two_factorable, :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable
+end

data/spec/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <p class="notice"><%= notice %></p>
+    <p class="alert"><%= alert %></p>
+
+    <title>Dummy</title>
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+
+    <%= stylesheet_link_tag    'application', media: 'all' %>
+    <%= javascript_include_tag 'application' %>
+  </head>
+
+  <body>
+    <%= link_to('Logout', destroy_user_session_path, method: :delete) %>
+    <%= yield %>
+  </body>
+</html>

data/spec/dummy/app/views/layouts/mailer.text.erb

@@ -0,0 +1 @@
+<%= yield %>

data/spec/dummy/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
+load Gem.bin_path('bundler', 'bundle')

data/spec/dummy/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../config/application', __dir__)
+require_relative '../config/boot'
+require 'rails/commands'

data/spec/dummy/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run

data/spec/dummy/bin/setup

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+require 'fileutils'
+include FileUtils
+
+# path to your application root.
+APP_ROOT = File.expand_path('..', __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+chdir APP_ROOT do
+  puts '== Installing dependencies =='
+  system! 'gem install bundler --conservative'
+  system('bundle check') || system!('bundle install')
+
+  puts "\n== Preparing database =="
+  system! 'bin/rails db:setup'
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! 'bin/rails log:clear tmp:clear'
+
+  puts "\n== Restarting application server =="
+  system! 'bin/rails restart'
+end

data/spec/dummy/bin/update

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+require 'fileutils'
+include FileUtils
+
+# path to your application root.
+APP_ROOT = File.expand_path('..', __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+chdir APP_ROOT do
+  puts '== Installing dependencies =='
+  system! 'gem install bundler --conservative'
+  system('bundle check') || system!('bundle install')
+
+  puts "\n== Updating database =="
+  system! 'bin/rails db:migrate'
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! 'bin/rails log:clear tmp:clear'
+
+  puts "\n== Restarting application server =="
+  system! 'bin/rails restart'
+end