devise-authy 1.11.0 → 2.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b4dcb41db3fa90c5055347a840927fe3480f2eb6622499775dac3996f9d3683a
-  data.tar.gz: e7d144883aa6ac75efb34ef13f1a9145529604d6dc9fc648a2427f9749e8f719
+  metadata.gz: 9157eb5b102b0297c975ea71d190f500e0bf6dc5831717df0ca5695b9f0af13e
+  data.tar.gz: 7582bfb6b18310dd7697a808460ac87282d1c2e3fc9fd09838c431d69315d655
 SHA512:
-  metadata.gz: 89a291d8930edb905bae19949b253b645f7aaa319ff631fe0ec19da5133a363d0fcbbaa54e706e1f1495d8a219f8c4e2925309f9f22cfba94a531fb9413e3425
-  data.tar.gz: a89caa9abd9fbbcc088175b66949f945602a7758dc120b12a274bd0967ea41d9a42fc13b86561e51dfd269c33bb4174b6b024b499c2d98b93d0e7746b64f6dca
+  metadata.gz: 36cc430cf270f535c3068c15668a398bbc9a297d345bb0c659db49ef5fb9febb43761abcf118c340476797a8c7150de37cb6ddcd0caf14b408cdecb94ab856f6
+  data.tar.gz: 856434e4038f931c25f84ddac5281f0b5f762e4a6d9d27a355362822342c255bea58ee6b087a52d912802b654436ef7505efc6a310375cafb67bdfafa5d800e1

data/.gitignore

@@ -31,14 +31,15 @@ build/
 Gemfile.lock
 .ruby-version
 .ruby-gemset
+gemfiles/*.lock
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
 .rvmrc
 
-spec/rails-app/tmp
-spec/rails-app/db
-spec/rails-app/log
-*.sqlite3DS_Store
+**/*.sqlite
+**/*.log
 
 initializers/authy.rb
 .byebug_history
+
+.rspec_status

data/.rspec

@@ -1 +1,2 @@
 --color
+--require ./spec/spec_helper

data/.travis.yml

@@ -1,18 +1,17 @@
 language: ruby
-before_install:
-  - "find /home/travis/.rvm/rubies -wholename '*default/bundler-*.gemspec' -delete"
-  - rvm @global do gem uninstall bundler -a -x
-  - rvm @global do yes | gem install bundler -v '< 2.0.0'
-  - cd spec/rails-app && BUNDLE_GEMFILE=$TRAVIS_BUILD_DIR/spec/rails-app/Gemfile bundle install && cd ../..
 script: bundle exec rspec
 rvm:
+  - 2.7
   - 2.6
   - 2.5
   - 2.4
-  - 2.3
-  - 2.2
   - ruby-head
+gemfile:
+  - gemfiles/rails_5_2.gemfile
+  - gemfiles/rails_6.gemfile
 matrix:
   allow_failures:
     - rvm: ruby-head
-    - rvm: 2.2
+  exclude:
+    - rvm: 2.4
+      gemfile: gemfiles/rails_6.gemfile

data/Appraisals

@@ -0,0 +1,21 @@
+appraise "rails-5-2" do
+  gem "rails", "~> 5.2.0"
+  gem "sqlite3", "~> 1.3.13"
+
+  group :development, :test do
+    gem 'factory_girl_rails', :require => false
+    gem 'rspec-rails', "~>4.0.0.beta3", :require => false
+    gem 'database_cleaner', :require => false
+  end
+end
+
+appraise "rails-6" do
+  gem "rails", "~> 6.0.0"
+  gem "sqlite3", "~> 1.4"
+
+  group :development, :test do
+    gem 'factory_girl_rails', :require => false
+    gem 'rspec-rails', "~>4.0.0.beta3", :require => false
+    gem 'database_cleaner', :require => false
+  end
+end if RUBY_VERSION.to_f >= 2.5

data/CHANGELOG.md

@@ -9,6 +9,55 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ...
 
+## [2.2.1] - 2020-10-13
+
+### Fixed
+
+- If the app offers a QR code scan and user fails to verify authy installation, the QR code wasn't shown again. Fixed in (#149)
+
+## [2.2.0] - 2020-06-04
+
+### Fixed
+
+- Don't delete user in Authy if another user has the same authy_id (#144)
+
+## [2.1.0] - 2020-05-05
+
+### Added
+
+- Support for generic authenticator tokens (#141)
+
+### Fixed
+
+- Can remember device when enabling 2FA for the first time (#139)
+
+## [2.0.0] - 2020-04-28
+
+Releasing this as version 2 because there is a significant change in dependencies. Minimum version of Rails is now 5 and of Devise is now 4. Otherwise the gem should work as before.
+
+### Added
+
+- HTTP Only flag to remember_device cookie (#116 thanks @agronv)
+- Remembers device when user logs in with One Touch (#128 thanks @cplopez4)
+- Autocomplete attributes for HTML form (#130)
+
+### Changed
+
+- Mocked API calls in test suite (#123)
+- Full test suite refactor (#124)
+- Increased required version for Devise and Rails (#125)
+- Stopped calling `signed_in?` before it is needed (#126)
+
+### Fixes
+
+- Remembers user correctly when logging in with One Touch (#129)
+
+## [1.11.1] - 2019-02-02
+
+### Fixed
+
+- Using the version before loading it broke everything. :facepalm:
+
 ## [1.11.0] - 2019-02-01
 
 ### Fixed

data/Gemfile

@@ -2,28 +2,5 @@ source 'https://rubygems.org'
 
 gemspec
 
-group :test do
-  gem 'rails', '~> 4.2.7'
-  gem 'sqlite3'
-
-  # Use SCSS for stylesheets
-  gem 'sass-rails', '~> 5.0'
-
-  # Use Uglifier as compressor for JavaScript assets
-  gem 'uglifier', '>= 1.3.0'
-
-  # Use CoffeeScript for .coffee assets and views
-  gem 'coffee-rails', '~> 4.1.0'
-
-  # Use jquery as the JavaScript library
-  gem 'jquery-rails'
-
-  gem 'launchy'
-  gem 'rspec-rails'
-  gem 'database_cleaner'
-  gem 'capybara'
-  gem 'test-unit'
-end
-
 # bundle exec rake doc:rails generates the API under doc/api.
 gem 'sdoc', '~> 0.4.0', group: :doc

data/README.md

@@ -1,10 +1,28 @@
 # Authy Devise [![Build Status](https://travis-ci.org/twilio/authy-devise.svg?branch=master)](https://travis-ci.org/twilio/authy-devise)
 
-This is a [Devise](https://github.com/plataformatec/devise) extension to add Two-Factor Authentication with Authy to your rails application.
+This is a [Devise](https://github.com/plataformatec/devise) extension to add [Two-Factor Authentication with Authy](https://www.twilio.com/docs/authy) to your Rails application.
+
+* [Pre-requisites](#pre-requisites)
+* [Demo](#demo)
+* [Getting started](#getting-started)
+  * [Configuring Models](#configuring-models)
+    * [With the generator](#with-the-generator)
+    * [Manually](#manually)
+    * [Final steps](#final-steps)
+* [Custom Views](#custom-views)
+  * [Request a phone call](#request-a-phone-call)
+* [Custom Redirect Paths (eg. using modules)](#custom-redirect-paths-eg-using-modules)
+* [I18n](#i18n)
+* [Session variables](#session-variables)
+* [OneTouch support](#onetouch-support)
+* [Generic authenticator token support](#generic-authenticator-token-support)
+* [Rails 5 CSRF protection](#rails-5-csrf-protection)
+* [Running Tests](#running-tests)
+* [Copyright](#copyright)
 
 ## Pre-requisites
 
-To use the Authy API you will need a Twilio Account, [sign up for a free account here](https://www.twilio.com/try-twilio).
+To use the Authy API you will need a Twilio Account, [sign up for a free Twilio account here](https://www.twilio.com/try-twilio).
 
 Create an [Authy Application in the Twilio console](https://www.twilio.com/console/authy/applications) and take note of the API key.
 
@@ -42,24 +60,28 @@ You can add devise_authy to your user model in two ways.
 
 #### With the generator
 
-This is the easiest way and is recommended. Run the following command:
+Run the following command:
 
 ```bash
 rails g devise_authy [MODEL_NAME]
 ```
 
+To support account locking (recommended), you must add `:authy_lockable` to the `devise :authy_authenticatable, ...` configuration in your model as this is not yet supported by the generator.
+
 #### Manually
 
-Add `:authy_authenticatable` to the `devise` options in your Devise user model:
+Add `:authy_authenticatable` and `:authy_lockable` to the `devise` options in your Devise user model:
 
 ```ruby
-devise :authy_authenticatable, :database_authenticatable
+devise :authy_authenticatable, :authy_lockable, :database_authenticatable, :lockable
 ```
 
+(Note, `:authy_lockable` is optional but recommended. It should be used with Devise's own `:lockable` module).
+
 Also add a new migration. For example, if you are adding to the `User` model, use this migration:
 
 ```ruby
-class DeviseAuthyAddToUsers < ActiveRecord::Migration[5.2]
+class DeviseAuthyAddToUsers < ActiveRecord::Migration[6.0]
   def self.up
     change_table :users do |t|
       t.string    :authy_id
@@ -177,6 +199,20 @@ To enable [Authy push authentication](https://www.twilio.com/authy/features/push
 config.authy_enable_onetouch = true
 ```
 
+## Generic authenticator token support
+
+Authy supports other authenticator apps by providing a QR code that your users can scan.
+
+> **To use this feature, you need to enable it in your [Twilio Console](https://www.twilio.com/console/authy/applications)**
+
+Once you have enabled generic authenticator tokens, you can enable this in devise-authy by modifying the Devise config file `config/initializers/devise.rb` and adding the configuration:
+
+```
+config.authy_enable_qr_code = true
+```
+
+This will display a QR code on the verification screen (you still need to take a user's phone number and country code). If you have implemented your own views, the QR code URL is available on the verification page as `@authy_qr_code`.
+
 ## Rails 5 CSRF protection
 
 In Rails 5 `protect_from_forgery` is no longer prepended to the `before_action` chain. If you call `authenticate_user` before `protect_from_forgery` your request will result in a "Can't verify CSRF token authenticity" error.
@@ -205,13 +241,6 @@ Now on the project root run the following commands:
 $ bundle exec rspec spec/
 ```
 
-## Backporting to Rails 3
-
-While we are not currently supporting Rails 3, there's an active fork that maintains the backwards compatibility.
-
-https://github.com/gcosta/authy-devise
-
 ## Copyright
 
-Copyright (c) 2012-2020 Authy Inc. See LICENSE.txt for
-further details.
+Copyright (c) 2012-2020 Authy Inc. See LICENSE.txt for further details.

data/app/controllers/devise/devise_authy_controller.rb

@@ -5,17 +5,25 @@ class Devise::DeviseAuthyController < DeviseController
   prepend_before_action :find_resource_and_require_password_checked, :only => [
     :GET_verify_authy, :POST_verify_authy, :GET_authy_onetouch_status
   ]
+
+  prepend_before_action :check_resource_has_authy_id, :only => [
+    :GET_verify_authy_installation, :POST_verify_authy_installation
+  ]
+
+  prepend_before_action :check_resource_not_authy_enabled, :only => [
+    :GET_verify_authy_installation, :POST_verify_authy_installation
+  ]
+
   prepend_before_action :authenticate_scope!, :only => [
-    :GET_enable_authy, :POST_enable_authy,
-    :GET_verify_authy_installation, :POST_verify_authy_installation,
-    :POST_disable_authy
+    :GET_enable_authy, :POST_enable_authy, :GET_verify_authy_installation,
+    :POST_verify_authy_installation, :POST_disable_authy
   ]
+
   include Devise::Controllers::Helpers
 
   def GET_verify_authy
-    @authy_id = @resource.authy_id
     if resource_class.authy_enable_onetouch
-      approval_request = send_one_touch_request['approval_request']
+      approval_request = send_one_touch_request(@resource.authy_id)['approval_request']
       @onetouch_uuid = approval_request['uuid'] if approval_request.present?
     end
     render :verify_authy
@@ -30,10 +38,8 @@ class Devise::DeviseAuthyController < DeviseController
     })
 
     if token.ok?
-      remember_device if params[:remember_device].to_i == 1
-      if session.delete("#{resource_name}_remember_me") == true && @resource.respond_to?(:remember_me=)
-        @resource.remember_me = true
-      end
+      remember_device(@resource.id) if params[:remember_device].to_i == 1
+      remember_user
       record_authy_authentication
       respond_with resource, :location => after_sign_in_path_for(@resource)
     else
@@ -61,13 +67,11 @@ class Devise::DeviseAuthyController < DeviseController
     if @authy_user.ok?
       resource.authy_id = @authy_user.id
       if resource.save
-        set_flash_message(:notice, :enabled)
+        redirect_to [resource_name, :verify_authy_installation] and return
       else
         set_flash_message(:error, :not_enabled)
         redirect_to after_authy_enabled_path_for(resource) and return
       end
-
-      redirect_to [resource_name, :verify_authy_installation]
     else
       set_flash_message(:error, :not_enabled)
       render :enable_authy
@@ -76,22 +80,39 @@ class Devise::DeviseAuthyController < DeviseController
 
   # Disable 2FA
   def POST_disable_authy
-    response = Authy::API.delete_user(:id => resource.authy_id)
-
-    if response.ok?
-      resource.update_attribute(:authy_enabled, false)
-      resource.update_attribute(:authy_id, nil)
+    authy_id = resource.authy_id
+    resource.assign_attributes(:authy_enabled => false, :authy_id => nil)
+    resource.save(:validate => false)
+
+    other_resource = resource.class.find_by(:authy_id => authy_id)
+    if other_resource
+      # If another resource has the same authy_id, do not delete the user from
+      # the API.
       forget_device
-
       set_flash_message(:notice, :disabled)
     else
-      set_flash_message(:error, :not_disabled)
+      response = Authy::API.delete_user(:id => authy_id)
+      if response.ok?
+        forget_device
+        set_flash_message(:notice, :disabled)
+      else
+        # If deleting the user from the API fails, set everything back to what
+        # it was before.
+        # I'm not sure this is a good idea, but it was existing behaviour.
+        # Could be changed in a major version bump.
+        resource.assign_attributes(:authy_enabled => true, :authy_id => authy_id)
+        resource.save(:validate => false)
+        set_flash_message(:error, :not_disabled)
+      end
     end
-
     redirect_to after_authy_disabled_path_for(resource)
   end
 
   def GET_verify_authy_installation
+    if resource_class.authy_enable_qr_code
+      response = Authy::API.request_qr_code(id: resource.authy_id)
+      @authy_qr_code = response.qr_code
+    end
     render :verify_authy_installation
   end
 
@@ -105,26 +126,34 @@ class Devise::DeviseAuthyController < DeviseController
     self.resource.authy_enabled = token.ok?
 
     if token.ok? && self.resource.save
+      remember_device(@resource.id) if params[:remember_device].to_i == 1
       record_authy_authentication
       set_flash_message(:notice, :enabled)
       redirect_to after_authy_verified_path_for(resource)
     else
+      if resource_class.authy_enable_qr_code
+        response = Authy::API.request_qr_code(id: resource.authy_id)
+        @authy_qr_code = response.qr_code
+      end
       handle_invalid_token :verify_authy_installation, :not_enabled
     end
   end
 
   def GET_authy_onetouch_status
-    status = Authy::API.get_request("onetouch/json/approval_requests/#{params[:onetouch_uuid]}")['approval_request']['status']
+    response = Authy::OneTouch.approval_request_status(:uuid => params[:onetouch_uuid])
+    status = response.dig('approval_request', 'status')
     case status
     when 'pending'
       head 202
     when 'approved'
+      remember_device(@resource.id) if params[:remember_device].to_i == 1
+      remember_user
       record_authy_authentication
       render json: { redirect: after_sign_in_path_for(@resource) }
     when 'denied'
       head :unauthorized
     else
-      head :error
+      head :internal_server_error
     end
   end
 
@@ -172,6 +201,16 @@ class Devise::DeviseAuthyController < DeviseController
     end
   end
 
+  def check_resource_has_authy_id
+    redirect_to [resource_name, :enable_authy] if !resource.authy_id
+  end
+
+  def check_resource_not_authy_enabled
+    if resource.authy_id && resource.authy_enabled
+      redirect_to after_authy_verified_path_for(resource)
+    end
+  end
+
   protected
 
   def after_authy_enabled_path_for(resource)
@@ -202,4 +241,10 @@ class Devise::DeviseAuthyController < DeviseController
   def after_account_is_locked
     sign_out_and_redirect @resource
   end
+
+  def remember_user
+    if session.delete("#{resource_name}_remember_me") == true && @resource.respond_to?(:remember_me=)
+      @resource.remember_me = true
+    end
+  end
 end

data/app/controllers/devise_authy/passwords_controller.rb

@@ -1,4 +1,22 @@
 class DeviseAuthy::PasswordsController < Devise::PasswordsController
+  ##
+  # In the passwords controller a user can update their password using a
+  # recovery token. If `Devise.sign_in_after_reset_password` is `true` then the
+  # user is signed in immediately with the
+  # `Devise::Controllers::SignInOut#sign_in` method. However, if the user has
+  # 2FA enabled they should enter their second factor before they are signed in.
+  #
+  # This method overrides `Devise::Controllers::SignInOut#sign_in` but only
+  # within the `Devise::PasswordsController`. If the user needs to verify 2FA
+  # then `sign_in` returns `true`. This short circuits the method before it can
+  # call `warden.set_user` and log the user in.
+  #
+  # The user is redirected to `after_resetting_password_path_for(user)` at which
+  # point, since the user is not logged in, redirects again to sign in.
+  #
+  # This doesn't retain the expected behaviour of
+  # `Devise.sign_in_after_reset_password`, but is forgivable because this
+  # shouldn't be an avenue to bypass 2FA.
   def sign_in(resource_or_scope, *args)
     resource = args.last || resource_or_scope
 

data/app/views/devise/verify_authy.html.erb

@@ -5,7 +5,7 @@
 <%= verify_authy_form do %>
   <legend><%= I18n.t('submit_token_title', {:scope => 'devise'}) %></legend>
   <%= label_tag 'authy-token' %>
-  <%= text_field_tag :token, "", :autocomplete => :off, :id => 'authy-token' %>
+  <%= text_field_tag :token, "", :autocomplete => "one-time-code", :inputmode => "numeric", :pattern => "[0-9]*", :id => 'authy-token' %>
   <label>
     <%= check_box_tag :remember_device %>
     <span><%= I18n.t('remember_device', {:scope => 'devise'}) %></span>
@@ -25,11 +25,12 @@
       (function(){
         var onetouchInterval = setInterval(function(){
           var onetouchRequest = new XMLHttpRequest();
+          var rememberDevice = document.getElementById("remember_device").checked ? '1' : '0';
           onetouchRequest.addEventListener("load", function(){
             if(this.status != 202) clearInterval(onetouchInterval);
             if(this.status == 200) window.location = JSON.parse(this.responseText).redirect;
           });
-          onetouchRequest.open("GET", "<%= polymorphic_path [resource_name, :authy_onetouch_status] %>?onetouch_uuid=<%= @onetouch_uuid %>");
+          onetouchRequest.open("GET", "<%= polymorphic_path [resource_name, :authy_onetouch_status] %>?remember_device="+rememberDevice+"&onetouch_uuid=<%= @onetouch_uuid %>");
           onetouchRequest.send();
         }, 3000);
       })();

data/app/views/devise/verify_authy.html.haml

@@ -4,7 +4,7 @@
   %legend= I18n.t('submit_token_title', {:scope => 'devise'})
   = hidden_field_tag :"#{resource_name}_id", @resource.id
   = label_tag 'authy-token'
-  = text_field_tag :token, "", :autocomplete => :off, :id => 'authy-token'
+  = text_field_tag :token, "", :autocomplete => "one-time-code", :inputmode => "numeric", :pattern => "[0-9]*", :id => 'authy-token'
   %label
     = check_box_tag :remember_device
     %span= I18n.t('remember_device', {:scope => 'devise'})
@@ -22,11 +22,12 @@
     (function(){
       var onetouchInterval = setInterval(function(){
         var onetouchRequest = new XMLHttpRequest();
+        var rememberDevice = document.getElementById("remember_device").checked ? '1' : '0';
         onetouchRequest.addEventListener("load", function(){
           if(this.status != 202) clearInterval(onetouchInterval);
           if(this.status == 200) window.location = JSON.parse(this.responseText).redirect;
         });
-        onetouchRequest.open("GET", "#{polymorphic_path [resource_name, :authy_onetouch_status]}?onetouch_uuid=#{@onetouch_uuid}");
+        onetouchRequest.open("GET", "#{polymorphic_path [resource_name, :authy_onetouch_status]}?remember_device="+rememberDevice+"&onetouch_uuid=#{@onetouch_uuid}");
         onetouchRequest.send();
       }, 3000);
     })();

data/app/views/devise/verify_authy_installation.html.erb

@@ -1,10 +1,18 @@
 <h2><%= I18n.t('authy_verify_installation_title', {:scope => 'devise'}) %></h2>
 
+<% if @authy_qr_code %>
+  <%= image_tag @authy_qr_code, :size => '256x256', :alt => I18n.t('authy_qr_code_alt', {:scope => 'devise'}) %>
+  <p><%= I18n.t('authy_qr_code_instructions', {:scope => 'devise'}) %></p>
+<% end %>
+
 <%= verify_authy_installation_form do %>
   <legend><%= I18n.t('submit_token_title', {:scope => 'devise'}) %></legend>
   <%= label_tag :token %>
-  <%= text_field_tag :token, "", :autocomplete => :off, :id => 'authy-token' %>
+  <%= text_field_tag :token, "", :autocomplete => "one-time-code", :inputmode => "numeric", :pattern => "[0-9]*", :id => 'authy-token' %>
+  <label>
+    <%= check_box_tag :remember_device %>
+    <span><%= I18n.t('remember_device', {:scope => 'devise'}) %></span>
+  </label>
   <%= authy_request_sms_link %>
   <%= submit_tag I18n.t('enable_my_account', {:scope => 'devise'}), :class => 'btn' %>
-<% end %>
-
+<% end %>

data/app/views/devise/verify_authy_installation.html.haml

@@ -1,8 +1,16 @@
 %h2= I18n.t('authy_verify_installation_title', {:scope => 'devise'})
+
+- if @authy_qr_code
+  = image_tag @authy_qr_code, :size => '256x256', :alt => I18n.t('authy_qr_code_alt', {:scope => 'devise'})
+  %p= I18n.t('authy_qr_code_instructions', {:scope => 'devise'})
+
 = verify_authy_installation_form do
   %legend= I18n.t('submit_token_title', {:scope => 'devise'})
   = label_tag :token
-  = text_field_tag :token, "", :autocomplete => :off, :id => 'authy-token'
+  = text_field_tag :token, "", :autocomplete => "one-time-code", :inputmode => "numeric", :pattern => "[0-9]*", :id => 'authy-token'
+  %label
+    = check_box_tag :remember_device
+    %span= I18n.t('remember_device', {:scope => 'devise'})
   = authy_request_sms_link
   = submit_tag I18n.t('enable_my_account', {:scope => 'devise'}), :class => 'btn'
 

data/config.ru

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require "rubygems"
+require "bundler"
+
+Bundler.require :default, :development
+
+Combustion.initialize! :all
+run Combustion::Application

data/config/locales/en.yml

@@ -14,6 +14,9 @@ en:
     authy_verify_installation_title: 'Verify your account'
     enable_my_account: 'Enable my account'
 
+    authy_qr_code_alt: 'QR code for scanning with your authenticator app.'
+    authy_qr_code_instructions: 'Scan this QR code with your authenticator application and enter the code below.'
+
     devise_authy:
       user:
         enabled: 'Two factor authentication was enabled'

data/devise-authy.gemspec

@@ -12,29 +12,39 @@ Gem::Specification.new do |spec|
 
   spec.summary       = %q{Authy plugin for Devise.}
   spec.description   = %q{Authy plugin to add two factor authentication to Devise.}
-  spec.homepage      = "https://github.com/authy/authy-devise"
+  spec.homepage      = "https://github.com/twilio/authy-devise"
   spec.license       = "MIT"
 
   spec.metadata      = {
-    "bug_tracker_uri"   => "https://github.com/authy/authy-devise/issues",
-    "change_log_uri"    => "https://github.com/authy/authy-devise/blob/master/CHANGELOG.md",
-    "documentation_uri" => "https://github.com/authy/authy-devise",
-    "homepage_uri"      => "https://github.com/authy/authy-devise",
-    "source_code_uri"   => "https://github.com/authy/authy-devise"
+    "bug_tracker_uri"   => "https://github.com/twilio/authy-devise/issues",
+    "change_log_uri"    => "https://github.com/twilio/authy-devise/blob/master/CHANGELOG.md",
+    "documentation_uri" => "https://github.com/twilio/authy-devise",
+    "homepage_uri"      => "https://github.com/twilio/authy-devise",
+    "source_code_uri"   => "https://github.com/twilio/authy-devise"
   }
 
   spec.files         = `git ls-files -z`.split("\x0").reject do |f|
-    f.match(%r{^(test|spec|features|authy-devise-demo)/})
+    f.match(%r{^(test|spec|features)/})
   end
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "devise", ">= 3.0.0"
+  spec.add_dependency "devise", ">= 4.0.0"
   spec.add_dependency "authy", ">= 2.7.5"
 
+  spec.add_development_dependency "appraisal", "~> 2.2"
   spec.add_development_dependency "bundler", ">= 1.16"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "combustion", "~> 1.1"
   spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rspec-rails"
+  spec.add_development_dependency "rails-controller-testing", "~> 1.0"
   spec.add_development_dependency "yard", "~> 0.9.11"
   spec.add_development_dependency "rdoc", "~> 4.3.0"
-  spec.add_development_dependency "simplecov", "~> 0.16.1"
+  spec.add_development_dependency "simplecov", "~> 0.17.1"
+  spec.add_development_dependency "webmock", "~> 3.7.6"
+  spec.add_development_dependency "rails", ">= 5"
+  spec.add_development_dependency "sqlite3"
+  spec.add_development_dependency "generator_spec"
+  spec.add_development_dependency "database_cleaner", "~> 1.7"
+  spec.add_development_dependency "factory_bot_rails", "~> 5.1.1"
 end

data/gemfiles/.bundle/config

@@ -0,0 +1,2 @@
+---
+BUNDLE_RETRY: "1"

data/gemfiles/rails_5_2.gemfile

@@ -0,0 +1,15 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "sdoc", "~> 0.4.0", group: :doc
+gem "rails", "~> 5.2.0"
+gem "sqlite3", "~> 1.3.13"
+
+group :development, :test do
+  gem "factory_girl_rails", require: false
+  gem "rspec-rails", "~>4.0.0.beta3", require: false
+  gem "database_cleaner", require: false
+end
+
+gemspec path: "../"

data/gemfiles/rails_6.gemfile

@@ -0,0 +1,15 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "sdoc", "~> 0.4.0", group: :doc
+gem "rails", "~> 6.0.0"
+gem "sqlite3", "~> 1.4"
+
+group :development, :test do
+  gem "factory_girl_rails", require: false
+  gem "rspec-rails", "~>4.0.0.beta3", require: false
+  gem "database_cleaner", require: false
+end
+
+gemspec path: "../"

data/lib/devise-authy.rb

@@ -3,12 +3,11 @@ require 'active_support/core_ext/integer/time'
 require 'devise'
 require 'authy'
 
-Authy.user_agent = "DeviseAuthy/#{DeviseAuthy::VERSION} - #{Authy.user_agent}"
-
 module Devise
-  mattr_accessor :authy_remember_device, :authy_enable_onetouch
+  mattr_accessor :authy_remember_device, :authy_enable_onetouch, :authy_enable_qr_code
   @@authy_remember_device = 1.month
   @@authy_enable_onetouch = false
+  @@authy_enable_qr_code = false
 end
 
 module DeviseAuthy
@@ -30,5 +29,7 @@ require 'devise-authy/models/authy_authenticatable'
 require 'devise-authy/models/authy_lockable'
 require 'devise-authy/version'
 
+Authy.user_agent = "DeviseAuthy/#{DeviseAuthy::VERSION} - #{Authy.user_agent}"
+
 Devise.add_module :authy_authenticatable, :model => 'devise-authy/models/authy_authenticatable', :controller => :devise_authy, :route => :authy
 Devise.add_module :authy_lockable,        :model => 'devise-authy/models/authy_lockable'

data/lib/devise-authy/controllers/helpers.rb

@@ -9,11 +9,11 @@ module DeviseAuthy
 
       private
 
-      def remember_device
-        id = @resource.id
+      def remember_device(id)
         cookies.signed[:remember_device] = {
           :value => {expires: Time.now.to_i, id: id}.to_json,
           :secure => !(Rails.env.test? || Rails.env.development?),
+          :httponly => !(Rails.env.test? || Rails.env.development?),
           :expires => resource_class.authy_remember_device.from_now
         }
       end
@@ -40,7 +40,7 @@ module DeviseAuthy
       end
 
       def is_signing_in?
-        if devise_controller? && signed_in?(resource_name) &&
+        if devise_controller? &&
           is_devise_sessions_controller? &&
           self.action_name == "create"
           return true
@@ -76,8 +76,8 @@ module DeviseAuthy
         send(:"#{scope}_verify_authy_path")
       end
 
-      def send_one_touch_request
-        Authy::OneTouch.send_approval_request(id: @authy_id, message: I18n.t('request_to_login', { :scope => 'devise' }))
+      def send_one_touch_request(authy_id)
+        Authy::OneTouch.send_approval_request(id: authy_id, message: I18n.t('request_to_login', { :scope => 'devise' }))
       end
 
       def record_authy_authentication

data/lib/devise-authy/models/authy_authenticatable.rb

@@ -17,7 +17,7 @@ module Devise
           where(authy_id: authy_id).first
         end
 
-        Devise::Models.config(self, :authy_remember_device, :authy_enable_onetouch)
+        Devise::Models.config(self, :authy_remember_device, :authy_enable_onetouch, :authy_enable_qr_code)
       end
     end
   end

data/lib/devise-authy/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module DeviseAuthy
-  VERSION = '1.11.0'
-end
+  VERSION = '2.2.1'
+end

data/lib/generators/active_record/devise_authy_generator.rb

@@ -11,12 +11,12 @@ module ActiveRecord
 
       private
 
-      def rails5?
-        Rails.version.start_with? '5'
+      def versioned_migrations?
+        Rails::VERSION::MAJOR >= 5
       end
 
       def migration_version
-        "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]" if rails5?
+        "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]" if versioned_migrations?
       end
     end
   end

data/lib/generators/devise_authy/devise_authy_generator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DeviseAuthy
   module Generators
     class DeviseAuthyGenerator < Rails::Generators::NamedBase
@@ -7,7 +9,7 @@ module DeviseAuthy
       desc "Add :authy_authenticatable directive in the given model, plus accessors. Also generate migration for ActiveRecord"
 
       def inject_devise_authy_content
-        path = File.join("app","models","#{file_path}.rb")
+        path = File.join(destination_root, "app","models","#{file_path}.rb")
         if File.exists?(path) &&
           !File.read(path).include?("authy_authenticatable")
           inject_into_file(path,
@@ -19,7 +21,7 @@ module DeviseAuthy
           !File.read(path).include?(":authy_id")
           inject_into_file(path,
                            ":authy_id, :last_sign_in_with_authy, ",
-                           :after => "attr_accessible ") 
+                           :after => "attr_accessible ")
         end
       end
 

data/lib/generators/devise_authy/install_generator.rb

@@ -1,7 +1,9 @@
+require "rails/generators"
+
 module DeviseAuthy
   module Generators
     # Install Generator
-    class InstallGenerator < Rails::Generators::Base
+    class InstallGenerator < ::Rails::Generators::Base
       source_root File.expand_path("../../templates", __FILE__)
 
       class_option :haml, :type => :boolean, :required => false, :default => false, :desc => "Generate views in Haml"
@@ -15,8 +17,10 @@ module DeviseAuthy
         "  # How long should the user's device be remembered for.\n" +
         "  # config.authy_remember_device = 1.month\n\n" +
         "  # Should Authy OneTouch be enabled?\n" +
-        "  # config.authy_enable_onetouch = false\n\n", :after => "Devise.setup do |config|\n"
-
+        "  # config.authy_enable_onetouch = false\n\n" +
+        "  # Should generating QR codes for other authenticator apps be enabled?\n" +
+        "  # Note: you need to enable this in your Twilio console.\n" +
+        "  # config.authy_enable_qr_code = false\n\n", :after => "Devise.setup do |config|\n"
       end
 
       def add_initializer
@@ -61,14 +65,14 @@ module DeviseAuthy
 @
           },
           :erb => {
-            :before => %r{\s*</\s*head\s*>\s*},
+            :before => %r{\s*<\/\s*head\s*>\s*},
             :content => %@
   <%=javascript_include_tag "https://www.authy.com/form.authy.min.js" %>
   <%=stylesheet_link_tag "https://www.authy.com/form.authy.min.css" %>
 @
           }
         }.each do |extension, opts|
-          file_path = "app/views/layouts/application.html.#{extension}"
+          file_path = File.join(destination_root, "app", "views", "layouts", "application.html.#{extension}")
           if File.exists?(file_path) && !File.read(file_path).include?("form.authy.min.js")
             inject_into_file(file_path, opts.delete(:content), opts)
           end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-authy
 version: !ruby/object:Gem::Version
-  version: 1.11.0
+  version: 2.2.1
 platform: ruby
 authors:
 - Authy Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-01-31 00:00:00.000000000 Z
+date: 2020-10-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: 4.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.0.0
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: authy
   requirement: !ruby/object:Gem::Requirement
@@ -38,6 +38,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 2.7.5
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -54,18 +68,32 @@ dependencies:
         version: '1.16'
 - !ruby/object:Gem::Dependency
   name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: combustion
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '1.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '1.1'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +108,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails-controller-testing
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: yard
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +170,98 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.1
+        version: 0.17.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.17.1
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.7.6
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.7.6
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: generator_spec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: database_cleaner
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: factory_bot_rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.16.1
+        version: 5.1.1
 description: Authy plugin to add two factor authentication to Devise.
 email:
 - support@authy.com
@@ -133,6 +273,7 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
+- Appraisals
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
@@ -149,8 +290,12 @@ files:
 - app/views/devise/verify_authy.html.haml
 - app/views/devise/verify_authy_installation.html.erb
 - app/views/devise/verify_authy_installation.html.haml
+- config.ru
 - config/locales/en.yml
 - devise-authy.gemspec
+- gemfiles/.bundle/config
+- gemfiles/rails_5_2.gemfile
+- gemfiles/rails_6.gemfile
 - lib/devise-authy.rb
 - lib/devise-authy/controllers/helpers.rb
 - lib/devise-authy/controllers/view_helpers.rb
@@ -165,15 +310,15 @@ files:
 - lib/generators/active_record/templates/migration.rb
 - lib/generators/devise_authy/devise_authy_generator.rb
 - lib/generators/devise_authy/install_generator.rb
-homepage: https://github.com/authy/authy-devise
+homepage: https://github.com/twilio/authy-devise
 licenses:
 - MIT
 metadata:
-  bug_tracker_uri: https://github.com/authy/authy-devise/issues
-  change_log_uri: https://github.com/authy/authy-devise/blob/master/CHANGELOG.md
-  documentation_uri: https://github.com/authy/authy-devise
-  homepage_uri: https://github.com/authy/authy-devise
-  source_code_uri: https://github.com/authy/authy-devise
+  bug_tracker_uri: https://github.com/twilio/authy-devise/issues
+  change_log_uri: https://github.com/twilio/authy-devise/blob/master/CHANGELOG.md
+  documentation_uri: https://github.com/twilio/authy-devise
+  homepage_uri: https://github.com/twilio/authy-devise
+  source_code_uri: https://github.com/twilio/authy-devise
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -189,7 +334,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.1
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: Authy plugin for Devise.