devise-authy 1.10.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c2944ca880949d1d99ba1116f87399c9be0043cc210d29c4d5c500b08b74a3ba
-  data.tar.gz: 400fe93a97c18c62904d7f3b2795193bdfe724b4022c677bf20a507f12881cab
+  metadata.gz: e9332df09a8a1b3e1a71ff775f2cccc75c573123eccb8a6830454cdc3ef3834d
+  data.tar.gz: a0e4f00b59ece3eefe9fee9c04c51227216e13f241ac24afe94c4ec361416443
 SHA512:
-  metadata.gz: 394a6c85daf4d32bd9a7f8be985cdb81dbc6aad4578b317bfbf2cd0514226bbef466fe0f3831b85034d7de6d99d7be2f4c461243705bb1936491e9454d595360
-  data.tar.gz: a5defe4716260f048cf8080bd40fa47d4fb13da62ed42a75461b62c46c0b4b7eba25d6d8896064666e8252364d6da159b4375111019174591dc1f2b046f370ed
+  metadata.gz: 3d00cb1eb54d0169277b2e514431bb121f8c5e2dc6a565e07786a4866a29904b301a3730cdbff201f48d1ba5afb4c8b10249b75e9c8ab45da8a0022b9b1f64f9
+  data.tar.gz: 54596845d7b20034aa433497281d74135886f59828e9ae8026ae9fc43f0cfe2b4874cd90c4d69f8295ff76bc02ac7eaadb077fd53d1281354f7a3aa113dac65e

data/.gitignore

@@ -31,14 +31,15 @@ build/
 Gemfile.lock
 .ruby-version
 .ruby-gemset
+gemfiles/*.lock
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc
 
-spec/rails-app/tmp
-spec/rails-app/db
-spec/rails-app/log
-*.sqlite3DS_Store
+**/*.sqlite
+**/*.log
 
 initializers/authy.rb
 .byebug_history
+
+.rspec_status

data/.rspec

@@ -1 +1,2 @@
 --color
+--require ./spec/spec_helper

data/.travis.yml

@@ -1,12 +1,17 @@
 language: ruby
-before_install: cd spec/rails-app && bundle install
 script: bundle exec rspec
 rvm:
+  - 2.7
+  - 2.6
   - 2.5
   - 2.4
-  - 2.3
-  - 2.2
   - ruby-head
+gemfile:
+  - gemfiles/rails_5_2.gemfile
+  - gemfiles/rails_6.gemfile
 matrix:
   allow_failures:
     - rvm: ruby-head
+  exclude:
+    - rvm: 2.4
+      gemfile: gemfiles/rails_6.gemfile

data/Appraisals

@@ -0,0 +1,21 @@
+appraise "rails-5-2" do
+  gem "rails", "~> 5.2.0"
+  gem "sqlite3", "~> 1.3.13"
+
+  group :development, :test do
+    gem 'factory_girl_rails', :require => false
+    gem 'rspec-rails', "~>4.0.0.beta3", :require => false
+    gem 'database_cleaner', :require => false
+  end
+end
+
+appraise "rails-6" do
+  gem "rails", "~> 6.0.0"
+  gem "sqlite3", "~> 1.4"
+
+  group :development, :test do
+    gem 'factory_girl_rails', :require => false
+    gem 'rspec-rails', "~>4.0.0.beta3", :require => false
+    gem 'database_cleaner', :require => false
+  end
+end if RUBY_VERSION.to_f >= 2.5

data/CHANGELOG.md

@@ -9,49 +9,127 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ...
 
+## [2.2.0] - 2020-06-04
+
+### Fixed
+
+- Don't delete user in Authy if another user has the same authy_id (#144)
+
+## [2.1.0] - 2020-05-05
+
+### Added
+
+- Support for generic authenticator tokens (#141)
+
+### Fixed
+
+- Can remember device when enabling 2FA for the first time (#139)
+
+## [2.0.0] - 2020-04-28
+
+Releasing this as version 2 because there is a significant change in dependencies. Minimum version of Rails is now 5 and of Devise is now 4. Otherwise the gem should work as before.
+
+### Added
+
+- HTTP Only flag to remember_device cookie (#116 thanks @agronv)
+- Remembers device when user logs in with One Touch (#128 thanks @cplopez4)
+- Autocomplete attributes for HTML form (#130)
+
+### Changed
+
+- Mocked API calls in test suite (#123)
+- Full test suite refactor (#124)
+- Increased required version for Devise and Rails (#125)
+- Stopped calling `signed_in?` before it is needed (#126)
+
+### Fixes
+
+- Remembers user correctly when logging in with One Touch (#129)
+
+## [1.11.1] - 2019-02-02
+
+### Fixed
+
+- Using the version before loading it broke everything. :facepalm:
+
+## [1.11.0] - 2019-02-01
+
+### Fixed
+
+- Corrects for label in verify_authy view (#103 thanks @mstruebing)
+- Corrects heading in verify_authy view (#104 thanks @mstruebing)
+
+### Changed
+
+- Allows you to define paths for request_sms and request_phone_call (#108 thanks @dedene)
+
+### Added
+
+- Now sets a distinct user agent through the Authy gem (#110)
+
 ## [1.10.0] - 2018-09-26
 
 ### Changed
+
 - Moves OneTouch approval request copy to locale file.
 
 ### Removed
+
 - Demo app now lives in its own repo
 
 ## [1.9.0] - 2018-09-04
 
 ### Fixed
+
 - Generated migration now includes version number for Rails 5
 
 ### Changed
+
 - Removes Jeweler in favour of administering the gemspec by hand
 - Removes demo app files from gem package
 
 ## [1.8.3] - 2018-07-05
+
 ### Fixed
+
 - Fixes Ruby interpolation in HAML for onetouch (thanks @muan)
 - Records Authy authentication after install verification (thanks @nukturnal)
 - Forgets remember device cookie when disabling Authy (thanks @senekis)
 
 ### Changed
+
 - Updated testing Rubies in CI
 
 ## Older releases
 
-__*The following releases happened before the changelog was started. Some history will be added for clarity.*__
+**_The following releases happened before the changelog was started. Some history will be added for clarity._**
 
 ## [1.8.2] - 2017-12-22
+
 ## [1.8.1] - 2016-12-06
+
 ## [1.8.0] - 2016-10-25
+
 ## [1.7.0] - 2015-12-22
+
 ## [1.6.0] - 2015-01-07
+
 ## [1.5.3] - 2014-06-11
+
 ## [1.5.2] - 2014-06-11
+
 ## [1.5.1] - 2014-04-24
+
 ## [1.5.0] - 2014-01-07
+
 ## [1.4.0] - 2013-12-17
+
 ## [1.3.0] - 2013-11-16
+
 ## [1.2.2] - 2013-09-04
+
 ## [1.2.1] - 2013-04-22
+
 ## [1.2.0] - 2013-04-22 [YANKED]
-## [1.0.0] - 2013-04-10
 
+## [1.0.0] - 2013-04-10

data/Gemfile

@@ -2,28 +2,5 @@ source 'https://rubygems.org'
 
 gemspec
 
-group :test do
-  gem 'rails', '~> 4.2.7'
-  gem 'sqlite3'
-
-  # Use SCSS for stylesheets
-  gem 'sass-rails', '~> 5.0'
-
-  # Use Uglifier as compressor for JavaScript assets
-  gem 'uglifier', '>= 1.3.0'
-
-  # Use CoffeeScript for .coffee assets and views
-  gem 'coffee-rails', '~> 4.1.0'
-
-  # Use jquery as the JavaScript library
-  gem 'jquery-rails'
-
-  gem 'launchy'
-  gem 'rspec-rails'
-  gem 'database_cleaner'
-  gem 'capybara'
-  gem 'test-unit'
-end
-
 # bundle exec rake doc:rails generates the API under doc/api.
 gem 'sdoc', '~> 0.4.0', group: :doc

data/README.md

@@ -1,10 +1,28 @@
 # Authy Devise [![Build Status](https://travis-ci.org/twilio/authy-devise.svg?branch=master)](https://travis-ci.org/twilio/authy-devise)
 
-This is a [Devise](https://github.com/plataformatec/devise) extension to add Two-Factor Authentication with Authy to your rails application.
+This is a [Devise](https://github.com/plataformatec/devise) extension to add [Two-Factor Authentication with Authy](https://www.twilio.com/docs/authy) to your Rails application.
+
+* [Pre-requisites](#pre-requisites)
+* [Demo](#demo)
+* [Getting started](#getting-started)
+  * [Configuring Models](#configuring-models)
+    * [With the generator](#with-the-generator)
+    * [Manually](#manually)
+    * [Final steps](#final-steps)
+* [Custom Views](#custom-views)
+  * [Request a phone call](#request-a-phone-call)
+* [Custom Redirect Paths (eg. using modules)](#custom-redirect-paths-eg-using-modules)
+* [I18n](#i18n)
+* [Session variables](#session-variables)
+* [OneTouch support](#onetouch-support)
+* [Generic authenticator token support](#generic-authenticator-token-support)
+* [Rails 5 CSRF protection](#rails-5-csrf-protection)
+* [Running Tests](#running-tests)
+* [Copyright](#copyright)
 
 ## Pre-requisites
 
-To use the Authy API you will need a Twilio Account, [sign up for a free account here](https://www.twilio.com/try-twilio).
+To use the Authy API you will need a Twilio Account, [sign up for a free Twilio account here](https://www.twilio.com/try-twilio).
 
 Create an [Authy Application in the Twilio console](https://www.twilio.com/console/authy/applications) and take note of the API key.
 
@@ -38,17 +56,55 @@ Add `Devise Authy` to your App:
 
 ### Configuring Models
 
-Configure your Devise user model:
+You can add devise_authy to your user model in two ways.
 
-    rails g devise_authy [MODEL_NAME]
+#### With the generator
 
-or add the following line to your `User` model
+This is the easiest way and is recommended. Run the following command:
+
+```bash
+rails g devise_authy [MODEL_NAME]
+```
+
+#### Manually
+
+Add `:authy_authenticatable` to the `devise` options in your Devise user model:
 
 ```ruby
 devise :authy_authenticatable, :database_authenticatable
 ```
 
-Update the default routes to point to something like:
+Also add a new migration. For example, if you are adding to the `User` model, use this migration:
+
+```ruby
+class DeviseAuthyAddToUsers < ActiveRecord::Migration[6.0]
+  def self.up
+    change_table :users do |t|
+      t.string    :authy_id
+      t.datetime  :last_sign_in_with_authy
+      t.boolean   :authy_enabled, :default => false
+    end
+
+    add_index :users, :authy_id
+  end
+
+  def self.down
+    change_table :users do |t|
+      t.remove :authy_id, :last_sign_in_with_authy, :authy_enabled
+    end
+  end
+end
+```
+
+#### Final steps
+
+For either method above, run the migrations:
+
+```bash
+rake db:migrate
+```
+
+**[Optional]** Update the default routes to point to something like:
 
 ```ruby
 devise_for :users, :path_names => {
@@ -59,10 +115,6 @@ devise_for :users, :path_names => {
 }
 ```
 
-Then run the migrations:
-
-    rake db:migrate
-
 Now whenever a user wants to enable two-factor authentication they can go to:
 
     http://your-app/users/enable-two-factor
@@ -71,7 +123,6 @@ And when the user logs in they will be redirected to:
 
     http://your-app/users/verify-token
 
-
 ## Custom Views
 
 If you want to customise your views, you can modify the files that are located at:
@@ -118,7 +169,6 @@ And tell the router to use this controller
 devise_for :users, controllers: {devise_authy: 'my_custom_module/devise_authy'}
 ```
 
-
 ## I18n
 
 The install generator also copies a `Devise Authy` i18n file which you can find at:
@@ -145,10 +195,36 @@ To enable [Authy push authentication](https://www.twilio.com/authy/features/push
 config.authy_enable_onetouch = true
 ```
 
+## Generic authenticator token support
+
+Authy supports other authenticator apps by providing a QR code that your users can scan.
+
+> **To use this feature, you need to enable it in your [Twilio Console](https://www.twilio.com/console/authy/applications)**
+
+Once you have enabled generic authenticator tokens, you can enable this in devise-authy by modifying the Devise config file `config/initializers/devise.rb` and adding the configuration:
+
+```
+config.authy_enable_qr_code = true
+```
+
+This will display a QR code on the verification screen (you still need to take a user's phone number and country code). If you have implemented your own views, the QR code URL is available on the verification page as `@authy_qr_code`.
+
+## Rails 5 CSRF protection
+
+In Rails 5 `protect_from_forgery` is no longer prepended to the `before_action` chain. If you call `authenticate_user` before `protect_from_forgery` your request will result in a "Can't verify CSRF token authenticity" error.
+
+To remedy this, add `prepend: true` to your `protect_from_forgery` call, like in this example from the [Authy Devise demo app](https://github.com/twilio/authy-devise-demo):
+
+```ruby
+class ApplicationController < ActionController::Base
+  protect_from_forgery with: :exception, prepend: true
+end
+```
 
 ## Running Tests
 
 To prepare the tests run the following commands:
+
 ```bash
 $ cd spec/rails-app
 $ bundle install
@@ -156,17 +232,11 @@ $ RAILS_ENV=test bundle exec rake db:migrate
 ```
 
 Now on the project root run the following commands:
+
 ```bash
 $ bundle exec rspec spec/
 ```
 
-## Backporting to Rails 3
-
-While we are not currently supporting Rails 3, there's an active fork that maintains the backwards compatibility.
-
-https://github.com/gcosta/authy-devise
-
 ## Copyright
 
-Copyright (c) 2012-2020 Authy Inc. See LICENSE.txt for
-further details.
+Copyright (c) 2012-2020 Authy Inc. See LICENSE.txt for further details.

data/app/controllers/devise/devise_authy_controller.rb

@@ -5,17 +5,25 @@ class Devise::DeviseAuthyController < DeviseController
   prepend_before_action :find_resource_and_require_password_checked, :only => [
     :GET_verify_authy, :POST_verify_authy, :GET_authy_onetouch_status
   ]
+
+  prepend_before_action :check_resource_has_authy_id, :only => [
+    :GET_verify_authy_installation, :POST_verify_authy_installation
+  ]
+
+  prepend_before_action :check_resource_not_authy_enabled, :only => [
+    :GET_verify_authy_installation, :POST_verify_authy_installation
+  ]
+
   prepend_before_action :authenticate_scope!, :only => [
-    :GET_enable_authy, :POST_enable_authy,
-    :GET_verify_authy_installation, :POST_verify_authy_installation,
-    :POST_disable_authy
+    :GET_enable_authy, :POST_enable_authy, :GET_verify_authy_installation,
+    :POST_verify_authy_installation, :POST_disable_authy
   ]
+
   include Devise::Controllers::Helpers
 
   def GET_verify_authy
-    @authy_id = @resource.authy_id
     if resource_class.authy_enable_onetouch
-      approval_request = send_one_touch_request['approval_request']
+      approval_request = send_one_touch_request(@resource.authy_id)['approval_request']
       @onetouch_uuid = approval_request['uuid'] if approval_request.present?
     end
     render :verify_authy
@@ -30,10 +38,8 @@ class Devise::DeviseAuthyController < DeviseController
     })
 
     if token.ok?
-      remember_device if params[:remember_device].to_i == 1
-      if session.delete("#{resource_name}_remember_me") == true && @resource.respond_to?(:remember_me=)
-        @resource.remember_me = true
-      end
+      remember_device(@resource.id) if params[:remember_device].to_i == 1
+      remember_user
       record_authy_authentication
       respond_with resource, :location => after_sign_in_path_for(@resource)
     else
@@ -61,13 +67,11 @@ class Devise::DeviseAuthyController < DeviseController
     if @authy_user.ok?
       resource.authy_id = @authy_user.id
       if resource.save
-        set_flash_message(:notice, :enabled)
+        redirect_to [resource_name, :verify_authy_installation] and return
       else
         set_flash_message(:error, :not_enabled)
         redirect_to after_authy_enabled_path_for(resource) and return
       end
-
-      redirect_to [resource_name, :verify_authy_installation]
     else
       set_flash_message(:error, :not_enabled)
       render :enable_authy
@@ -76,22 +80,39 @@ class Devise::DeviseAuthyController < DeviseController
 
   # Disable 2FA
   def POST_disable_authy
-    response = Authy::API.delete_user(:id => resource.authy_id)
-
-    if response.ok?
-      resource.update_attribute(:authy_enabled, false)
-      resource.update_attribute(:authy_id, nil)
+    authy_id = resource.authy_id
+    resource.assign_attributes(:authy_enabled => false, :authy_id => nil)
+    resource.save(:validate => false)
+
+    other_resource = resource.class.find_by(:authy_id => authy_id)
+    if other_resource
+      # If another resource has the same authy_id, do not delete the user from
+      # the API.
       forget_device
-
       set_flash_message(:notice, :disabled)
     else
-      set_flash_message(:error, :not_disabled)
+      response = Authy::API.delete_user(:id => authy_id)
+      if response.ok?
+        forget_device
+        set_flash_message(:notice, :disabled)
+      else
+        # If deleting the user from the API fails, set everything back to what
+        # it was before.
+        # I'm not sure this is a good idea, but it was existing behaviour.
+        # Could be changed in a major version bump.
+        resource.assign_attributes(:authy_enabled => true, :authy_id => authy_id)
+        resource.save(:validate => false)
+        set_flash_message(:error, :not_disabled)
+      end
     end
-
     redirect_to after_authy_disabled_path_for(resource)
   end
 
   def GET_verify_authy_installation
+    if resource_class.authy_enable_qr_code
+      response = Authy::API.request_qr_code(id: resource.authy_id)
+      @authy_qr_code = response.qr_code
+    end
     render :verify_authy_installation
   end
 
@@ -105,6 +126,7 @@ class Devise::DeviseAuthyController < DeviseController
     self.resource.authy_enabled = token.ok?
 
     if token.ok? && self.resource.save
+      remember_device(@resource.id) if params[:remember_device].to_i == 1
       record_authy_authentication
       set_flash_message(:notice, :enabled)
       redirect_to after_authy_verified_path_for(resource)
@@ -114,17 +136,20 @@ class Devise::DeviseAuthyController < DeviseController
   end
 
   def GET_authy_onetouch_status
-    status = Authy::API.get_request("onetouch/json/approval_requests/#{params[:onetouch_uuid]}")['approval_request']['status']
+    response = Authy::OneTouch.approval_request_status(:uuid => params[:onetouch_uuid])
+    status = response.dig('approval_request', 'status')
     case status
     when 'pending'
       head 202
     when 'approved'
+      remember_device(@resource.id) if params[:remember_device].to_i == 1
+      remember_user
       record_authy_authentication
       render json: { redirect: after_sign_in_path_for(@resource) }
     when 'denied'
       head :unauthorized
     else
-      head :error
+      head :internal_server_error
     end
   end
 
@@ -172,6 +197,16 @@ class Devise::DeviseAuthyController < DeviseController
     end
   end
 
+  def check_resource_has_authy_id
+    redirect_to [resource_name, :enable_authy] if !resource.authy_id
+  end
+
+  def check_resource_not_authy_enabled
+    if resource.authy_id && resource.authy_enabled
+      redirect_to after_authy_verified_path_for(resource)
+    end
+  end
+
   protected
 
   def after_authy_enabled_path_for(resource)
@@ -202,4 +237,10 @@ class Devise::DeviseAuthyController < DeviseController
   def after_account_is_locked
     sign_out_and_redirect @resource
   end
+
+  def remember_user
+    if session.delete("#{resource_name}_remember_me") == true && @resource.respond_to?(:remember_me=)
+      @resource.remember_me = true
+    end
+  end
 end