devise-authy 1.5.3 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7a567fa8bbad855383c29a5bda348dbeb6d57b63
-  data.tar.gz: 5157b30f2294c1c5f07cba33b538daf4b137efa5
+  metadata.gz: e459c469815b8231e8134201d93fce4549dae9a6
+  data.tar.gz: a049bec15607162733009e40118b738596f476ae
 SHA512:
-  metadata.gz: 796c3197ca44d7658a11bb7cf0d67aebdbce65f83c40e2cc6fb9dfeeddffa8844f73476edefb4e05d13d3fa7799c2088c94daedd42112d1709b0861f54f684a5
-  data.tar.gz: ba9c039d84e42c35bfec5edeb1a9ac8c5ee1a29cff04f4505521ac7a42cdb276a194ba193b5685ec2f53d194758844b835dc5ad23934458bac861b41f3125e6d
+  metadata.gz: ac16e44154437ba153eba18c70960b49f49f80de71f11e9fb3784d2b4ec2a0e5a55661379d92fa72722566966e8337073b27341384db9c3d3c14a198772802d7
+  data.tar.gz: c826d6ef69433cff85a45d79a0267c922d5f7ee8e59233347ecaa5d4758dd9d32b2b07152d945e9912e2d8910a41985ceb01011c7d4c9180c5e79dea1fd096ed

data/Gemfile.lock

@@ -30,7 +30,7 @@ GEM
       multi_json (~> 1.0)
     addressable (2.3.6)
     arel (3.0.2)
-    authy (2.3.1)
+    authy (2.4.0)
       httpclient (>= 2.3.4)
     bcrypt-ruby (3.0.1)
     builder (3.0.4)
@@ -62,7 +62,7 @@ GEM
     hashie (2.1.1)
     highline (1.6.21)
     hike (1.2.2)
-    httpclient (2.3.4.1)
+    httpclient (2.5.3.3)
     i18n (0.6.1)
     jeweler (2.0.1)
       builder

data/README.md

@@ -13,7 +13,7 @@ See [https://github.com/authy/authy-devise/tree/master/authy-devise-demo](https:
 
 ## Getting started
 
-First create an initializer in `config/initializer/authy.rb`
+First create an initializer in `config/initializers/authy.rb`
 
 ```ruby
 Authy.api_key = ENV['AUTHY_API_KEY'] || 'your_authy_api_key'
@@ -105,6 +105,12 @@ class MyCustomModule::DeviseAuthyController < Devise::DeviseAuthyController
 end
 ```
 
+And tell the router to use this controller
+
+```ruby
+devise_for :users, controllers: {devise_authy: 'my_custom_module/devise_authy'}
+```
+
 
 ## I18n
 
@@ -112,6 +118,21 @@ The install generator also copy a `Devise Authy` i18n file which you can find at
 
     config/locales/devise.authy.en.yml
 
+
+## Running Tests
+
+To prepare the tests run the following commands:
+```bash
+$ cd spec/rails-app
+$ bundle install
+$ RAILS_ENV=test bundle exec rake db:migrate
+```
+
+Now on the project root run the following commands:
+```bash
+$ bundle exec rspec spec/
+```
+
 ## Copyright
 
 Copyright (c) 2014 Authy Inc. See LICENSE.txt for

data/VERSION

@@ -1 +1 @@
-1.5.3
+1.6.0

data/app/controllers/devise/devise_authy_controller.rb

@@ -37,8 +37,7 @@ class Devise::DeviseAuthyController < DeviseController
       set_flash_message(:notice, :signed_in) if is_navigational_format?
       respond_with resource, :location => after_sign_in_path_for(@resource)
     else
-      set_flash_message(:error, :invalid_token)
-      render :verify_authy
+      handle_invalid_token :verify_authy, :invalid_token
     end
   end
 
@@ -103,9 +102,9 @@ class Devise::DeviseAuthyController < DeviseController
     })
 
     self.resource.authy_enabled = token.ok?
+
     if !token.ok? || !self.resource.save
-      set_flash_message(:error, :not_enabled)
-      render :verify_authy_installation
+      handle_invalid_token :verify_authy_installation, :not_enabled
     else
       set_flash_message(:notice, :enabled)
       redirect_to after_authy_verified_path_for(resource)
@@ -127,6 +126,7 @@ class Devise::DeviseAuthyController < DeviseController
   def authenticate_scope!
     send(:"authenticate_#{resource_name}!", :force => true)
     self.resource = send("current_#{resource_name}")
+    @resource = resource
   end
 
   def find_resource
@@ -147,15 +147,28 @@ class Devise::DeviseAuthyController < DeviseController
 
   protected
 
-    def after_authy_enabled_path_for(resource)
-      root_path
-    end
+  def after_authy_enabled_path_for(resource)
+    root_path
+  end
 
-    def after_authy_verified_path_for(resource)
-      after_authy_enabled_path_for(resource)
-    end
+  def after_authy_verified_path_for(resource)
+    after_authy_enabled_path_for(resource)
+  end
 
-    def invalid_resource_path
-      root_path
+  def invalid_resource_path
+    root_path
+  end
+
+  def handle_invalid_token(view, error_message)
+    if @resource.respond_to?(:invalid_authy_attempt!) && @resource.invalid_authy_attempt!
+      after_account_is_locked
+    else
+      set_flash_message(:error, error_message)
+      render view
     end
+  end
+
+  def after_account_is_locked
+    sign_out_and_redirect @resource
+  end
 end

data/app/controllers/devise_authy/passwords_controller.rb

@@ -2,11 +2,11 @@ class DeviseAuthy::PasswordsController < Devise::PasswordsController
   def sign_in(resource_or_scope, *args)
     resource = args.last || resource_or_scope
 
-    if resource.with_authy_authentication?(request)
+    if resource.respond_to?(:with_authy_authentication?) && resource.with_authy_authentication?(request)
       # Do nothing. Because we need verify the 2FA
       true
     else
       super
     end
   end
-end
+end

data/authy-devise-demo/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    devise-authy (1.5.2)
+    devise-authy (1.5.3)
       authy
       devise
 
@@ -36,7 +36,7 @@ GEM
       i18n (= 0.6.1)
       multi_json (~> 1.0)
     arel (3.0.2)
-    authy (2.3.1)
+    authy (2.4.0)
       httpclient (>= 2.3.4)
     bcrypt-ruby (3.0.1)
     builder (3.0.4)
@@ -57,7 +57,7 @@ GEM
     execjs (1.4.0)
       multi_json (~> 1.0)
     hike (1.2.2)
-    httpclient (2.3.4.1)
+    httpclient (2.5.3.3)
     i18n (0.6.1)
     journey (1.0.4)
     jquery-rails (2.2.1)
@@ -80,7 +80,7 @@ GEM
     rack (1.4.5)
     rack-cache (1.2)
       rack (>= 0.4)
-    rack-ssl (1.3.3)
+    rack-ssl (1.3.4)
       rack
     rack-test (0.6.2)
       rack (>= 1.0)

data/authy-devise-demo/app/controllers/welcome_controller.rb

@@ -1,6 +1,15 @@
 class WelcomeController < ApplicationController
-  before_filter :authenticate_user!
+  before_filter :authenticate_user!, only: "user_page"
+  before_filter :authenticate_admin!, only: "admin_page"
 
   def index
+    redirect_to welcome_admin_page_path if current_admin
+    redirect_to welcome_user_page_path if current_user
+  end
+
+  def admin_page
+  end
+
+  def user_page
   end
 end

data/authy-devise-demo/app/models/admin.rb

@@ -0,0 +1,10 @@
+class Admin < ActiveRecord::Base
+  # Include default devise modules. Others available are:
+  # :token_authenticatable, :confirmable,
+  # :lockable, :timeoutable and :omniauthable
+  devise :authy_authenticatable, :authy_lockable, :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :trackable, :validatable, :lockable
+
+  # Setup accessible (or protected) attributes for your model
+  attr_accessible :authy_id, :last_sign_in_with_authy, :email, :password, :password_confirmation, :remember_me
+end

data/authy-devise-demo/app/models/user.rb

@@ -2,10 +2,9 @@ class User < ActiveRecord::Base
   # Include default devise modules. Others available are:
   # :token_authenticatable, :confirmable,
   # :lockable, :timeoutable and :omniauthable
-  devise :authy_authenticatable, :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :trackable, :validatable, :lockable
 
   # Setup accessible (or protected) attributes for your model
-  attr_accessible :authy_id, :last_sign_in_with_authy, :email, :password, :password_confirmation, :remember_me
-  # attr_accessible :authy_id, :last_sign_in_with_authy, :title, :body
+  attr_accessible :email, :password, :password_confirmation, :remember_me
 end

data/authy-devise-demo/app/views/welcome/admin_page.html.erb

@@ -0,0 +1,12 @@
+<h1>Welcome#admin_page</h1>
+<p>Find me in app/views/welcome/admin_page.html.erb</p>
+
+
+<% if current_admin.authy_enabled %>
+  <%= link_to "Disable authy", admin_disable_authy_path, :method => :post %>
+<% else %>
+  <%= link_to "Enable authy", admin_enable_authy_path %>
+<% end %>
+
+<%= link_to "Logout", destroy_admin_session_path, :method => :delete %>
+

data/authy-devise-demo/app/views/welcome/index.html.erb

@@ -1,10 +1,5 @@
 <h1>Welcome#index</h1>
 <p>Find me in app/views/welcome/index.html.erb</p>
 
-<% if current_user.authy_enabled %>
-  <%= link_to "Disable authy", user_disable_authy_path, :method => :post %>
-<% else %>
-  <%= link_to "Enable authy", user_enable_authy_path %>
-<% end %>
-
-<%= link_to "Logout", destroy_user_session_path, :method => :delete %>
+<%= link_to "User Login", new_user_session_path %>
+<%= link_to "Admin Login", new_admin_session_path %>

data/authy-devise-demo/app/views/welcome/user_page.html.erb

@@ -0,0 +1,5 @@
+<h1>Welcome#user_page</h1>
+<p>Find me in app/views/welcome/user_page.html.erb</p>
+
+<%= link_to "Logout", destroy_user_session_path, :method => :delete %>
+

data/authy-devise-demo/config/initializers/devise.rb

@@ -143,14 +143,14 @@ Devise.setup do |config|
   # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both  = Enables both strategies
   # :none  = No unlock strategy. You should handle unlocking by yourself.
-  # config.unlock_strategy = :both
+  config.unlock_strategy = :time
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
-  # config.maximum_attempts = 20
+  config.maximum_attempts = 20
 
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
-  # config.unlock_in = 1.hour
+  config.unlock_in = 1.hour
 
   # ==> Configuration for :recoverable
   #

data/authy-devise-demo/config/locales/devise.authy.en.yml

@@ -13,9 +13,9 @@ en:
     enable_my_account: 'Enable my account'
 
     devise_authy:
-      user:
+      admin:
         enabled: 'Two factor authentication was enabled'
         not_enabled: 'Something went wrong while enabling two factor authentication'
         signed_in: 'Signed in with Authy successfully.'
         already_enabled: "Two factor authentication is already enabled."
-        invalid_token: 'The entered token is invalid.'
+        invalid_token: 'The entered token is invalid.'

data/authy-devise-demo/config/routes.rb

@@ -1,7 +1,10 @@
 AuthyDeviseDemo::Application.routes.draw do
+  devise_for :admins
   devise_for :users
 
   get "welcome/index"
+  get "welcome/user_page"
+  get "welcome/admin_page"
 
   # The priority is based upon order of creation:
   # first created -> highest priority.
@@ -52,7 +55,7 @@ AuthyDeviseDemo::Application.routes.draw do
 
   # You can have the root of your site routed with "root"
   # just remember to delete public/index.html.
-   root :to => 'welcome#index'
+  root :to => 'welcome#index'
 
   # See how all your routes lay out with "rake routes"
 

data/authy-devise-demo/db/migrate/20130409234357_devise_create_users.rb

@@ -26,9 +26,9 @@ class DeviseCreateUsers < ActiveRecord::Migration
       # t.string   :unconfirmed_email # Only if using reconfirmable
 
       ## Lockable
-      # t.integer  :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
-      # t.string   :unlock_token # Only if unlock strategy is :email or :both
-      # t.datetime :locked_at
+      t.integer  :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
+      t.string   :unlock_token # Only if unlock strategy is :email or :both
+      t.datetime :locked_at
 
       ## Token authenticatable
       # t.string :authentication_token

data/authy-devise-demo/db/migrate/20141202000744_devise_create_admins.rb

@@ -0,0 +1,46 @@
+class DeviseCreateAdmins < ActiveRecord::Migration
+  def change
+    create_table(:admins) do |t|
+      ## Database authenticatable
+      t.string :email,              :null => false, :default => ""
+      t.string :encrypted_password, :null => false, :default => ""
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer  :sign_in_count, :default => 0
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      ## Token authenticatable
+      # t.string :authentication_token
+
+
+      t.timestamps
+    end
+
+    add_index :admins, :email,                :unique => true
+    add_index :admins, :reset_password_token, :unique => true
+    # add_index :admins, :confirmation_token,   :unique => true
+    # add_index :admins, :unlock_token,         :unique => true
+    # add_index :admins, :authentication_token, :unique => true
+  end
+end

data/authy-devise-demo/db/migrate/20141202004246_devise_authy_add_to_admins.rb

@@ -0,0 +1,21 @@
+class DeviseAuthyAddToAdmins < ActiveRecord::Migration
+  def self.up
+    change_table :admins do |t|
+      t.string    :authy_id
+      t.datetime  :last_sign_in_with_authy
+      t.boolean   :authy_enabled, :default => false
+      t.integer   :failed_attempts, :default => 0
+      t.string    :unlock_token
+      t.datetime  :locked_at
+    end
+
+    add_index :admins, :authy_id
+  end
+
+  def self.down
+    change_table :admins do |t|
+      t.remove :authy_id, :last_sign_in_with_authy, :authy_enabled, :failed_attempts, :unlock_token, :locked_at
+    end
+  end
+end
+

data/authy-devise-demo/db/schema.rb

@@ -11,9 +11,9 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20130409234434) do
+ActiveRecord::Schema.define(:version => 20141202004246) do
 
-  create_table "users", :force => true do |t|
+  create_table "admins", :force => true do |t|
     t.string   "email",                   :default => "",    :null => false
     t.string   "encrypted_password",      :default => "",    :null => false
     t.string   "reset_password_token"
@@ -29,9 +29,33 @@ ActiveRecord::Schema.define(:version => 20130409234434) do
     t.string   "authy_id"
     t.datetime "last_sign_in_with_authy"
     t.boolean  "authy_enabled",           :default => false
+    t.integer  "failed_attempts",         :default => 0
+    t.string   "unlock_token"
+    t.datetime "locked_at"
+  end
+
+  add_index "admins", ["authy_id"], :name => "index_admins_on_authy_id"
+  add_index "admins", ["email"], :name => "index_admins_on_email", :unique => true
+  add_index "admins", ["reset_password_token"], :name => "index_admins_on_reset_password_token", :unique => true
+
+  create_table "users", :force => true do |t|
+    t.string   "email",                  :default => "", :null => false
+    t.string   "encrypted_password",     :default => "", :null => false
+    t.string   "reset_password_token"
+    t.datetime "reset_password_sent_at"
+    t.datetime "remember_created_at"
+    t.integer  "sign_in_count",          :default => 0
+    t.datetime "current_sign_in_at"
+    t.datetime "last_sign_in_at"
+    t.string   "current_sign_in_ip"
+    t.string   "last_sign_in_ip"
+    t.integer  "failed_attempts",        :default => 0
+    t.string   "unlock_token"
+    t.datetime "locked_at"
+    t.datetime "created_at",                             :null => false
+    t.datetime "updated_at",                             :null => false
   end
 
-  add_index "users", ["authy_id"], :name => "index_users_on_authy_id"
   add_index "users", ["email"], :name => "index_users_on_email", :unique => true
   add_index "users", ["reset_password_token"], :name => "index_users_on_reset_password_token", :unique => true
 

data/devise-authy.gemspec

@@ -11,7 +11,7 @@ Gem::Specification.new do |s|
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib"]
   s.authors = ["Authy Inc."]
-  s.date = "2014-06-11"
+  s.date = "2014-12-03"
   s.description = "Authy plugin for Devise"
   s.email = "support@authy.com"
   s.extra_rdoc_files = [
@@ -56,12 +56,15 @@ Gem::Specification.new do |s|
     "authy-devise-demo/app/helpers/welcome_helper.rb",
     "authy-devise-demo/app/mailers/.gitkeep",
     "authy-devise-demo/app/models/.gitkeep",
+    "authy-devise-demo/app/models/admin.rb",
     "authy-devise-demo/app/models/user.rb",
     "authy-devise-demo/app/views/devise/devise_authy/enable_authy.html.erb",
     "authy-devise-demo/app/views/devise/devise_authy/verify_authy.html.erb",
     "authy-devise-demo/app/views/devise/devise_authy/verify_authy_installation.html.erb",
     "authy-devise-demo/app/views/layouts/application.html.erb",
+    "authy-devise-demo/app/views/welcome/admin_page.html.erb",
     "authy-devise-demo/app/views/welcome/index.html.erb",
+    "authy-devise-demo/app/views/welcome/user_page.html.erb",
     "authy-devise-demo/config.ru",
     "authy-devise-demo/config/application.rb",
     "authy-devise-demo/config/boot.rb",
@@ -83,7 +86,8 @@ Gem::Specification.new do |s|
     "authy-devise-demo/config/locales/en.yml",
     "authy-devise-demo/config/routes.rb",
     "authy-devise-demo/db/migrate/20130409234357_devise_create_users.rb",
-    "authy-devise-demo/db/migrate/20130409234434_devise_authy_add_to_users.rb",
+    "authy-devise-demo/db/migrate/20141202000744_devise_create_admins.rb",
+    "authy-devise-demo/db/migrate/20141202004246_devise_authy_add_to_admins.rb",
     "authy-devise-demo/db/schema.rb",
     "authy-devise-demo/db/seeds.rb",
     "authy-devise-demo/lib/assets/.gitkeep",
@@ -116,6 +120,7 @@ Gem::Specification.new do |s|
     "lib/devise-authy/hooks/authy_authenticatable.rb",
     "lib/devise-authy/mapping.rb",
     "lib/devise-authy/models/authy_authenticatable.rb",
+    "lib/devise-authy/models/authy_lockable.rb",
     "lib/devise-authy/rails.rb",
     "lib/devise-authy/routes.rb",
     "lib/generators/active_record/devise_authy_generator.rb",
@@ -125,8 +130,10 @@ Gem::Specification.new do |s|
     "spec/controllers/devise_authy_controller_spec.rb",
     "spec/controllers/passwords_controller_spec.rb",
     "spec/features/authy_authenticatable_spec.rb",
+    "spec/features/authy_lockable_spec.rb",
     "spec/generators_spec.rb",
-    "spec/models/authy_authenticatable.rb",
+    "spec/models/authy_authenticatable_spec.rb",
+    "spec/models/authy_lockable_spec.rb",
     "spec/orm/active_record.rb",
     "spec/rails-app/Gemfile",
     "spec/rails-app/Gemfile.lock",
@@ -144,6 +151,7 @@ Gem::Specification.new do |s|
     "spec/rails-app/app/helpers/welcome_helper.rb",
     "spec/rails-app/app/mailers/.gitkeep",
     "spec/rails-app/app/models/.gitkeep",
+    "spec/rails-app/app/models/lockable_user.rb",
     "spec/rails-app/app/models/user.rb",
     "spec/rails-app/app/views/devise/devise_authy/enable_authy.html.erb",
     "spec/rails-app/app/views/devise/devise_authy/verify_authy.html.erb",
@@ -189,7 +197,7 @@ Gem::Specification.new do |s|
   ]
   s.homepage = "https://github.com/authy/authy-devise"
   s.licenses = ["MIT"]
-  s.rubygems_version = "2.2.2"
+  s.rubygems_version = "2.4.3"
   s.summary = "Authy plugin for Devise"
 
   if s.respond_to? :specification_version then

data/lib/devise-authy.rb

@@ -24,5 +24,7 @@ end
 require 'devise-authy/routes'
 require 'devise-authy/rails'
 require 'devise-authy/models/authy_authenticatable'
+require 'devise-authy/models/authy_lockable'
 
 Devise.add_module :authy_authenticatable, :model => 'devise-authy/models/authy_authenticatable', :controller => :devise_authy, :route => :authy
+Devise.add_module :authy_lockable,        :model => 'devise-authy/models/authy_lockable'

data/lib/devise-authy/controllers/helpers.rb

@@ -26,10 +26,14 @@ module DeviseAuthy
         return true
       end
 
+      def is_devise_sessions_controller?
+        self.class == Devise::SessionsController || self.class.ancestors.include?(Devise::SessionsController)
+      end
+
       def is_signing_in?
         if devise_controller? && signed_in?(resource_name) &&
-           self.class == Devise::SessionsController || self.class.ancestors.include?(Devise::SessionsController) && 
-           self.action_name == "create"
+          is_devise_sessions_controller? &&
+          self.action_name == "create"
           return true
         end
 
@@ -65,4 +69,4 @@ module DeviseAuthy
       end
     end
   end
-end
+end

data/lib/devise-authy/models/authy_lockable.rb

@@ -0,0 +1,43 @@
+module Devise
+
+  module Models
+
+    # Handles blocking a user access after a certain number of attempts.
+    # Requires proper configuration of the Devise::Models::Lockable module.
+    #
+    module AuthyLockable
+
+      extend ActiveSupport::Concern
+
+      # Public: Determine if this is a lockable resource, via Devise::Models::Lockable.
+      # Returns true
+      # Raises an error if the Devise::Models::Lockable module is not configured.
+      def lockable?
+        raise 'Devise lockable extension required' unless respond_to? :lock_access!
+        Devise.lock_strategy == :failed_attempts
+      end
+
+      # Public: Handle a failed 2FA attempt. If the resource is lockable via
+      # Devise::Models::Lockable module then enforce that setting.
+      #
+      # Returns true if the user is locked out.
+      def invalid_authy_attempt!
+        return false unless lockable?
+
+        self.failed_attempts ||= 0
+        self.failed_attempts += 1
+
+        if attempts_exceeded?
+          lock_access! unless access_locked?
+          true
+        else
+          save validate: false
+          false
+        end
+      end
+
+    end
+
+  end
+
+end

data/spec/controllers/devise_authy_controller_spec.rb

@@ -62,6 +62,46 @@ describe Devise::DeviseAuthyController do
       post :POST_verify_authy, :token => '5678900'
       response.should render_template('verify_authy')
     end
+
+    context 'User is lockable' do
+
+      let(:user) { create_lockable_user authy_id: 2 }
+
+      before do
+        controller.stub(:find_resource).and_return user
+        controller.instance_variable_set :@resource, user
+      end
+
+      it 'locks the account when failed_attempts exceeds maximum' do
+        request.session['user_id']               = user.id
+        request.session['user_password_checked'] = true
+
+        too_many_failed_attempts.times do
+          post :POST_verify_authy, token: invalid_authy_token
+        end
+
+        user.reload
+        expect(user.access_locked?).to be_true
+      end
+
+    end
+
+    context 'User is not lockable' do
+
+      it 'does not lock the account when failed_attempts exceeds maximum' do
+        request.session['user_id']               = @user.id
+        request.session['user_password_checked'] = true
+
+        too_many_failed_attempts.times do
+          post :POST_verify_authy, token: invalid_authy_token
+        end
+
+        @user.reload
+        expect(@user.locked_at).to be_nil
+      end
+
+    end
+
   end
 
   describe "GET #enable_authy" do

data/spec/features/authy_authenticatable_spec.rb

@@ -26,7 +26,6 @@ describe "Authy Autnenticatable", :type => :request do
     end
 
     it "Sign in should succeed" do
-      visit new_user_session_path
       fill_sign_in_form(@user.email, '12345678')
       current_path.should == user_verify_authy_path
       page.should have_content('Please enter your Authy token')
@@ -42,7 +41,6 @@ describe "Authy Autnenticatable", :type => :request do
     end
 
     it "Sign in shouldn't succeed" do
-      visit new_user_session_path
       fill_sign_in_form(@user.email, '12345678')
       current_path.should == user_verify_authy_path
       page.should have_content('Please enter your Authy token')
@@ -60,7 +58,6 @@ describe "Authy Autnenticatable", :type => :request do
       it "Should prompt for a token" do
         cookie_val = sign_cookie("remember_device", Time.now.to_i - 2.month.to_i)
         page.driver.browser.set_cookie("remember_device=#{cookie_val}")
-        visit new_user_session_path
         fill_sign_in_form(@user.email, '12345678')
         current_path.should == user_verify_authy_path
         page.should have_content('Please enter your Authy token')
@@ -69,7 +66,6 @@ describe "Authy Autnenticatable", :type => :request do
       it "Shouldn't prompt for a token" do
         cookie_val = sign_cookie("remember_device", Time.now.to_i)
         page.driver.browser.set_cookie("remember_device=#{cookie_val}")
-        visit new_user_session_path
         fill_sign_in_form(@user.email, '12345678')
         current_path.should == root_path
         page.should have_content("Signed in successfully.")
@@ -86,7 +82,6 @@ describe "Authy Autnenticatable", :type => :request do
     end
 
     it "Click link Request sms" do
-      visit new_user_session_path
       fill_sign_in_form(@user.email, '12345678')
       click_link 'Request SMS'
       page.should have_content("SMS token was sent")

data/spec/features/authy_lockable_spec.rb

@@ -0,0 +1,70 @@
+require 'spec_helper'
+
+feature 'Authy Lockable' do
+
+  context 'during verify code when Authy enabled' do
+
+    let(:user) do
+      u = create_lockable_user authy_id: 20, email: 'foo@bar.com'
+      u.update_attribute :authy_enabled, true
+      u
+    end
+
+    before :each do
+      fill_sign_in_form user.email, '12345678', '#new_lockable_user', new_lockable_user_session_path
+    end
+
+    scenario 'account locked when user enters invalid code too many times' do
+      Devise.maximum_attempts.times do |i|
+        fill_verify_token_form invalid_authy_token
+        assert_at lockable_user_verify_authy_path
+        expect(page).to have_content('Please enter your Authy token')
+        user.reload
+        assert_account_locked_for user, nil
+        expect(user.failed_attempts).to eq(i + 1)
+      end
+
+      fill_verify_token_form invalid_authy_token
+      user.reload
+      assert_at new_user_session_path
+      assert_account_locked_for user
+      visit root_path
+      assert_at new_user_session_path
+    end
+
+  end
+
+  context 'during verify Authy installation' do
+
+    let(:user) { create_lockable_user email: 'foo@bar.com' }
+
+    before do
+      fill_sign_in_form user.email, '12345678', '#new_lockable_user', new_lockable_user_session_path
+    end
+
+    scenario 'account locked when user enters invalid code too many times' do
+      visit lockable_user_enable_authy_path
+      fill_in 'authy-countries', with: '1'
+      fill_in 'authy-cellphone', with: '8001234567'
+      click_on 'Enable'
+
+      Devise.maximum_attempts.times do |i|
+        fill_in_verify_authy_installation_form invalid_authy_token
+        assert_at lockable_user_verify_authy_installation_path
+        expect(page).to have_content('Verify your account')
+        user.reload
+        assert_account_locked_for user, nil
+        expect(user.failed_attempts).to eq(i + 1)
+      end
+
+      fill_in_verify_authy_installation_form invalid_authy_token
+      user.reload
+      assert_at new_user_session_path
+      assert_account_locked_for user
+      visit root_path
+      assert_at new_user_session_path
+    end
+
+  end
+
+end

data/spec/models/authy_lockable_spec.rb

@@ -0,0 +1,81 @@
+require 'spec_helper'
+
+describe Devise::Models::AuthyLockable do
+
+  context 'model includes Devise::Models::Lockable' do
+
+    let(:user) { create_lockable_user authy_id: '20' }
+
+    context '#lockable?' do
+
+      it 'returns true if lock_strategy is :failed_attempts' do
+        expect(user.lockable?).to be_true
+      end
+
+      it 'returns false if lock_strategy is anything other than :failed attempts' do
+        Devise.lock_strategy = :none
+        expect(user.lockable?).to be_false
+        Devise.lock_strategy = :failed_attempts
+      end
+
+    end
+
+    context '#invalid_authy_attempt!' do
+
+      it 'resets failed_attempts to 0 if nil' do
+        user.update_attribute :failed_attempts, nil
+        user.invalid_authy_attempt!
+        expect(user.failed_attempts).to eq(1)
+      end
+
+      it 'updates failed_attempts' do
+        10.times { user.invalid_authy_attempt! }
+        expect(user.failed_attempts).to eq(10)
+      end
+
+      it 'respects the maximum attempts configuration for Devise::Models::Lockable' do
+        4.times { user.invalid_authy_attempt! }
+        expect(user.send :attempts_exceeded?).to be_true # protected method
+        expect(user.access_locked?).to be_true
+      end
+
+      it 'returns true if the account is locked' do
+        3.times { user.invalid_authy_attempt! }
+        expect(user.invalid_authy_attempt!).to be_true
+      end
+
+      it 'returns false if the account is not locked' do
+        expect(user.invalid_authy_attempt!).to be_false
+      end
+
+    end
+
+  end
+
+  context 'model misconfigured, includes AuthyLockable w/out Lockable' do
+
+    let(:user) do
+      u = create_user authy_id: '20'
+      u.extend Devise::Models::AuthyLockable
+      u
+    end
+
+    context '#lockable?' do
+
+      it 'raises an error' do
+        expect { user.lockable? }.to raise_error 'Devise lockable extension required'
+      end
+
+    end
+
+    context '#invalid_authy_attempt!' do
+
+      it 'raises an error' do
+        expect { user.invalid_authy_attempt! }.to raise_error 'Devise lockable extension required'
+      end
+
+    end
+
+  end
+
+end

data/spec/rails-app/app/controllers/welcome_controller.rb

@@ -1,6 +1,13 @@
 class WelcomeController < ApplicationController
-  before_filter :authenticate_user!
+  before_filter :authenticate_scope!
 
   def index
   end
+
+  def authenticate_scope!
+    scope = lockable_user_signed_in? ? 'lockable_user'
+                                     : 'user'
+    Rails.logger.debug "\nauthenticate_#{scope}!"
+    send "authenticate_#{scope}!", force: true
+  end
 end

data/spec/rails-app/app/models/lockable_user.rb

@@ -0,0 +1,7 @@
+# User for testing out the account locking on failure.
+#
+class LockableUser < User
+  devise :authy_authenticatable, :authy_lockable, :database_authenticatable,
+         :registerable, :recoverable, :rememberable, :trackable, :validatable,
+         :lockable
+end

data/spec/rails-app/config/initializers/devise.rb

@@ -141,7 +141,7 @@ Devise.setup do |config|
   # Defines which strategy will be used to lock an account.
   # :failed_attempts = Locks an account after a number of failed attempts to sign in.
   # :none            = No lock strategy. You should handle locking by yourself.
-  # config.lock_strategy = :failed_attempts
+  config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
   # config.unlock_keys = [ :email ]
@@ -151,14 +151,14 @@ Devise.setup do |config|
   # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both  = Enables both strategies
   # :none  = No unlock strategy. You should handle unlocking by yourself.
-  # config.unlock_strategy = :both
+  config.unlock_strategy = :time
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
-  # config.maximum_attempts = 20
+  config.maximum_attempts = 3
 
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
-  # config.unlock_in = 1.hour
+  config.unlock_in = 1.hour
 
   # ==> Configuration for :recoverable
   #

data/spec/rails-app/config/routes.rb

@@ -2,6 +2,7 @@ RailsApp::Application.routes.draw do
   get "welcome/index"
 
   devise_for :users
+  devise_for :lockable_users, class: 'LockableUser' # for testing authy_lockable
 
   root :to => 'welcome#index'
 end

data/spec/rails-app/db/migrate/20130419164907_devise_create_users.rb

@@ -26,9 +26,9 @@ class DeviseCreateUsers < ActiveRecord::Migration
       # t.string   :unconfirmed_email # Only if using reconfirmable
 
       ## Lockable
-      # t.integer  :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
-      # t.string   :unlock_token # Only if unlock strategy is :email or :both
-      # t.datetime :locked_at
+      t.integer  :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
+      t.string   :unlock_token # Only if unlock strategy is :email or :both
+      t.datetime :locked_at
 
       ## Token authenticatable
       # t.string :authentication_token

data/spec/rails-app/db/schema.rb

@@ -24,6 +24,9 @@ ActiveRecord::Schema.define(:version => 20130419164936) do
     t.datetime "last_sign_in_at"
     t.string   "current_sign_in_ip"
     t.string   "last_sign_in_ip"
+    t.integer  "failed_attempts",         :default => 0
+    t.string   "unlock_token"
+    t.datetime "locked_at"
     t.datetime "created_at",                                 :null => false
     t.datetime "updated_at",                                 :null => false
     t.string   "authy_id"

data/spec/support/helpers.rb

@@ -18,16 +18,61 @@ def create_user(attributes={})
   User.create!(valid_attributes(attributes))
 end
 
-def fill_sign_in_form(email, password)
-  visit new_user_session_path
-  within("#new_user") do
+def create_lockable_user(attributes={})
+  LockableUser.create!(valid_attributes(attributes))
+end
+
+def fill_sign_in_form(email, password, form_selector = nil, sign_in_path = nil)
+  form_selector ||= '#new_user'
+  sign_in_path  ||= new_user_session_path
+
+  visit sign_in_path
+  within(form_selector) do
     fill_in 'Email', :with => email
     fill_in 'Password', :with => password
   end
   click_on 'Sign in'
 end
 
+def fill_verify_token_form(token)
+  within('#devise_authy') { fill_in 'authy-token', with: token }
+  click_on 'Check Token'
+end
+
+def fill_in_verify_authy_installation_form(token)
+  fill_in 'authy-token', with: token
+  click_on 'Enable my account'
+end
+
 def sign_cookie(name, val)
   verifier = ActiveSupport::MessageVerifier.new(RailsApp::Application.config.secret_token)
   verifier.generate(val)
 end
+
+def too_many_failed_attempts
+  Devise.maximum_attempts + 1
+end
+
+def valid_authy_token
+  '0000000'
+end
+
+def invalid_authy_token
+  '999999'
+end
+
+def lock_user_account
+  too_many_failed_attempts.times { fill_verify_token_form invalid_authy_token }
+end
+
+def assert_at(path)
+  expect(current_path).to eq(path)
+end
+
+def assert_not_at(path)
+  expect(current_path).not_to eq(path)
+end
+
+def assert_account_locked_for(user, is_locked = true)
+  expect(user.access_locked?).to eq(is_locked)
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-authy
 version: !ruby/object:Gem::Version
-  version: 1.5.3
+  version: 1.6.0
 platform: ruby
 authors:
 - Authy Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-06-11 00:00:00.000000000 Z
+date: 2015-01-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -209,12 +209,15 @@ files:
 - authy-devise-demo/app/helpers/welcome_helper.rb
 - authy-devise-demo/app/mailers/.gitkeep
 - authy-devise-demo/app/models/.gitkeep
+- authy-devise-demo/app/models/admin.rb
 - authy-devise-demo/app/models/user.rb
 - authy-devise-demo/app/views/devise/devise_authy/enable_authy.html.erb
 - authy-devise-demo/app/views/devise/devise_authy/verify_authy.html.erb
 - authy-devise-demo/app/views/devise/devise_authy/verify_authy_installation.html.erb
 - authy-devise-demo/app/views/layouts/application.html.erb
+- authy-devise-demo/app/views/welcome/admin_page.html.erb
 - authy-devise-demo/app/views/welcome/index.html.erb
+- authy-devise-demo/app/views/welcome/user_page.html.erb
 - authy-devise-demo/config.ru
 - authy-devise-demo/config/application.rb
 - authy-devise-demo/config/boot.rb
@@ -236,7 +239,8 @@ files:
 - authy-devise-demo/config/locales/en.yml
 - authy-devise-demo/config/routes.rb
 - authy-devise-demo/db/migrate/20130409234357_devise_create_users.rb
-- authy-devise-demo/db/migrate/20130409234434_devise_authy_add_to_users.rb
+- authy-devise-demo/db/migrate/20141202000744_devise_create_admins.rb
+- authy-devise-demo/db/migrate/20141202004246_devise_authy_add_to_admins.rb
 - authy-devise-demo/db/schema.rb
 - authy-devise-demo/db/seeds.rb
 - authy-devise-demo/lib/assets/.gitkeep
@@ -269,6 +273,7 @@ files:
 - lib/devise-authy/hooks/authy_authenticatable.rb
 - lib/devise-authy/mapping.rb
 - lib/devise-authy/models/authy_authenticatable.rb
+- lib/devise-authy/models/authy_lockable.rb
 - lib/devise-authy/rails.rb
 - lib/devise-authy/routes.rb
 - lib/generators/active_record/devise_authy_generator.rb
@@ -278,8 +283,10 @@ files:
 - spec/controllers/devise_authy_controller_spec.rb
 - spec/controllers/passwords_controller_spec.rb
 - spec/features/authy_authenticatable_spec.rb
+- spec/features/authy_lockable_spec.rb
 - spec/generators_spec.rb
-- spec/models/authy_authenticatable.rb
+- spec/models/authy_authenticatable_spec.rb
+- spec/models/authy_lockable_spec.rb
 - spec/orm/active_record.rb
 - spec/rails-app/Gemfile
 - spec/rails-app/Gemfile.lock
@@ -297,6 +304,7 @@ files:
 - spec/rails-app/app/helpers/welcome_helper.rb
 - spec/rails-app/app/mailers/.gitkeep
 - spec/rails-app/app/models/.gitkeep
+- spec/rails-app/app/models/lockable_user.rb
 - spec/rails-app/app/models/user.rb
 - spec/rails-app/app/views/devise/devise_authy/enable_authy.html.erb
 - spec/rails-app/app/views/devise/devise_authy/verify_authy.html.erb

data/authy-devise-demo/db/migrate/20130409234434_devise_authy_add_to_users.rb

@@ -1,18 +0,0 @@
-class DeviseAuthyAddToUsers < ActiveRecord::Migration
-  def self.up
-    change_table :users do |t|
-      t.string    :authy_id
-      t.datetime  :last_sign_in_with_authy
-      t.boolean   :authy_enabled, :default => false
-    end
-
-    add_index :users, :authy_id
-  end
-
-  def self.down
-    change_table :users do |t|
-      t.remove :authy_id, :last_sign_in_with_authy, :authy_enabled
-    end
-  end
-end
-