devise-authy 1.7.0 → 2.3.1

checksums.yaml

@@ -1,15 +1,7 @@
 ---
-!binary "U0hBMQ==":
-  metadata.gz: !binary |-
-    OWMwMGEzZDEzMmE1YjVlZTM5MDEzYjE4NmRhNDJhN2M3M2E5OTJkOQ==
-  data.tar.gz: !binary |-
-    ODNmNmI0Yjc1ZjgzNTRjYmM3MDE2MDNkNmZiNTFhMTg0ZjFhYTI3ZQ==
+SHA256:
+  metadata.gz: 259b34a666d62e180d4ae64b3e2100c0bd21f9ee4c8b9346064551b3178cfb54
+  data.tar.gz: f83cb9da5873b5e811cba37b2150cbce44ce725d28244d8258f40f68983518ed
 SHA512:
-  metadata.gz: !binary |-
-    N2JlNjM5MzcyYmJmZmQ5MzM2OTA2YTQwMTVkNGVmNjU4NGFhN2MyNWZhYzMx
-    Y2M4ZTYxZDZhOWM1MmE2NTM0ZmYwMTcwNGUzYjhmOTI3ZWE1MDZkZmUwODRl
-    Y2MxNWQ3ZGM0MDBkZWYwNDNhYzA5NmVhODk1MzlhODdlMzBjNWE=
-  data.tar.gz: !binary |-
-    OTg1MWYxMTMyYTI0YmZkYjJkNjU0NWY2YmZmMTJmNjFmZmUwYTlmOGZhZmYy
-    NDBjNmI2ZDI4MzIwNWIyMTA1ODU0NmQyYmQ2NGE0MDc5ZDg5ZDFjOWZiOTk2
-    ZDdiZGYxN2RiODJhMGJjMmUxMTc2OTc2M2UyOWI2NDhiZTNlMmE=
+  metadata.gz: 869414ee49e8c36570335144e2bf02781811301c2c6fed0142dd27bbf028f5e08b8c16832afe515ed9703eee99f5e664b00b5598e1c6a26db0b63b3451e81b46
+  data.tar.gz: d066492cbf36871ec392a940f7927be61c7fee1c0b4a7db2b2279c608c2dcbbd3c054ea70d9543586542dc3f256b06eb9221431c1a812ad27c285fe17d1411ee

data/.github/workflows/build.yml

@@ -0,0 +1,32 @@
+name: build
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: [2.5, 2.6, 2.7, "3.0", 3.1, head]
+        gemfile: [rails_5_2, rails_6]
+        exclude:
+          - ruby: "3.0"
+            gemfile: rails_5_2
+          - ruby: 3.1
+            gemfile: rails_5_2
+          - ruby: head
+            gemfile: rails_5_2
+    continue-on-error: ${{ endsWith(matrix.ruby, 'head') }}
+    env:
+      BUNDLE_GEMFILE: gemfiles/${{ matrix.gemfile }}.gemfile
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Ruby ${{ matrix.ruby }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+      - name: Install dependencies
+        run: bundle install
+      - name: Run tests
+        run: bundle exec rspec

data/.gitignore

@@ -0,0 +1,45 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+Gemfile.lock
+.ruby-version
+.ruby-gemset
+gemfiles/*.lock
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+**/*.sqlite
+**/*.log
+
+initializers/authy.rb
+.byebug_history
+
+.rspec_status

data/.rspec

@@ -1 +1,2 @@
 --color
+--require ./spec/spec_helper

data/Appraisals

@@ -0,0 +1,22 @@
+appraise "rails-5-2" do
+  gem "rails", "~> 5.2.0"
+  gem "sqlite3", "~> 1.3.13"
+
+  group :development, :test do
+    gem 'factory_girl_rails', :require => false
+    gem 'rspec-rails', "~>4.0.0.beta3", :require => false
+    gem 'database_cleaner', :require => false
+  end
+end if RUBY_VERSION.to_f < 3.0
+
+appraise "rails-6" do
+  gem "rails", "~> 6.0.0"
+  gem "sqlite3", "~> 1.4"
+  gem "net-smtp"
+
+  group :development, :test do
+    gem 'factory_girl_rails', :require => false
+    gem 'rspec-rails', "~>4.0.0.beta3", :require => false
+    gem 'database_cleaner', :require => false
+  end
+end if RUBY_VERSION.to_f >= 2.5

data/CHANGELOG.md

@@ -0,0 +1,152 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
+and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+## [2.3.1] - 2022-05-30 Final release
+
+### Changed
+
+- Added deprecation notices to README and Gemspec
+
+## [2.3.0] - 2021-01-07
+
+### Fixed
+
+- Fixes calls to `I18n.t` with keyword arguments to support Ruby 3.0
+- Replaces Travis CI with GitHub Actions
+- Updates webmock development dependency
+- Removes sdoc from Gemfile
+
+## [2.2.1] - 2020-10-13
+
+### Fixed
+
+- If the app offers a QR code scan and user fails to verify authy installation, the QR code wasn't shown again. Fixed in (#149)
+
+## [2.2.0] - 2020-06-04
+
+### Fixed
+
+- Don't delete user in Authy if another user has the same authy_id (#144)
+
+## [2.1.0] - 2020-05-05
+
+### Added
+
+- Support for generic authenticator tokens (#141)
+
+### Fixed
+
+- Can remember device when enabling 2FA for the first time (#139)
+
+## [2.0.0] - 2020-04-28
+
+Releasing this as version 2 because there is a significant change in dependencies. Minimum version of Rails is now 5 and of Devise is now 4. Otherwise the gem should work as before.
+
+### Added
+
+- HTTP Only flag to remember_device cookie (#116 thanks @agronv)
+- Remembers device when user logs in with One Touch (#128 thanks @cplopez4)
+- Autocomplete attributes for HTML form (#130)
+
+### Changed
+
+- Mocked API calls in test suite (#123)
+- Full test suite refactor (#124)
+- Increased required version for Devise and Rails (#125)
+- Stopped calling `signed_in?` before it is needed (#126)
+
+### Fixes
+
+- Remembers user correctly when logging in with One Touch (#129)
+
+## [1.11.1] - 2019-02-02
+
+### Fixed
+
+- Using the version before loading it broke everything. :facepalm:
+
+## [1.11.0] - 2019-02-01
+
+### Fixed
+
+- Corrects for label in verify_authy view (#103 thanks @mstruebing)
+- Corrects heading in verify_authy view (#104 thanks @mstruebing)
+
+### Changed
+
+- Allows you to define paths for request_sms and request_phone_call (#108 thanks @dedene)
+
+### Added
+
+- Now sets a distinct user agent through the Authy gem (#110)
+
+## [1.10.0] - 2018-09-26
+
+### Changed
+
+- Moves OneTouch approval request copy to locale file.
+
+### Removed
+
+- Demo app now lives in its own repo
+
+## [1.9.0] - 2018-09-04
+
+### Fixed
+
+- Generated migration now includes version number for Rails 5
+
+### Changed
+
+- Removes Jeweler in favour of administering the gemspec by hand
+- Removes demo app files from gem package
+
+## [1.8.3] - 2018-07-05
+
+### Fixed
+
+- Fixes Ruby interpolation in HAML for onetouch (thanks @muan)
+- Records Authy authentication after install verification (thanks @nukturnal)
+- Forgets remember device cookie when disabling Authy (thanks @senekis)
+
+### Changed
+
+- Updated testing Rubies in CI
+
+## Older releases
+
+**_The following releases happened before the changelog was started. Some history will be added for clarity._**
+
+## [1.8.2] - 2017-12-22
+
+## [1.8.1] - 2016-12-06
+
+## [1.8.0] - 2016-10-25
+
+## [1.7.0] - 2015-12-22
+
+## [1.6.0] - 2015-01-07
+
+## [1.5.3] - 2014-06-11
+
+## [1.5.2] - 2014-06-11
+
+## [1.5.1] - 2014-04-24
+
+## [1.5.0] - 2014-01-07
+
+## [1.4.0] - 2013-12-17
+
+## [1.3.0] - 2013-11-16
+
+## [1.2.2] - 2013-09-04
+
+## [1.2.1] - 2013-04-22
+
+## [1.2.0] - 2013-04-22 [YANKED]
+
+## [1.0.0] - 2013-04-10

data/Gemfile

@@ -1,24 +1,3 @@
-source "https://rubygems.org"
+source 'https://rubygems.org'
 
-gem "devise"
-gem 'authy'
-
-group :development do
-  gem "rspec"
-  gem "yard"
-  gem "rdoc"
-  gem "bundler"
-  gem "jeweler", ">= 2.0.1"
-  gem "simplecov"
-  gem "sass-rails"
-  gem "jquery-rails"
-  gem "pry"
-end
-
-group :test do
-  gem "rails"
-  gem "sqlite3"
-  gem 'rspec-rails'
-  gem 'database_cleaner'
-  gem 'capybara'
-end
+gemspec

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2012-2020 Authy Inc
+Copyright (c) 2012-2021 Authy Inc
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -1,27 +1,62 @@
-# Authy Devise
+🚨🚨🚨
 
-This is a [Devise](https://github.com/plataformatec/devise) extension to add Two-Factor Authentication with Authy to your rails application.
+**This library is no longer actively maintained.** The Authy API has been replaced with the [Twilio Verify API](https://www.twilio.com/docs/verify). Twilio will support the Authy API through November 1, 2022 for SMS/Voice. After this date, we’ll start to deprecate the service for SMS/Voice. Any requests sent to the API after May 1, 2023, will automatically receive an error.  Push and TOTP will continue to be supported through July 2023.
 
+[Learn more about migrating from Authy to Verify.](https://www.twilio.com/blog/migrate-authy-to-verify)
+
+Please visit the Twilio Docs for:
+* [Verify + Ruby (Rails) quickstart](https://www.twilio.com/docs/verify/quickstarts/ruby-rails)
+* [Twilio Ruby helper library](https://www.twilio.com/docs/libraries/ruby)
+* [Verify API reference](https://www.twilio.com/docs/verify/api)
+* **Coming soon**: Look out for a new Devise plugin to use Twilio Verify with Devise
+
+Please direct any questions to [Twilio Support](https://support.twilio.com/hc/en-us). Thank you!
+
+🚨🚨🚨
+
+---
+
+# Authy Devise [![Build Status](https://github.com/twilio/authy-devise/workflows/build/badge.svg)](https://github.com/twilio/authy-devise/actions)
+
+This is a [Devise](https://github.com/plataformatec/devise) extension to add [Two-Factor Authentication with Authy](https://www.twilio.com/docs/authy) to your Rails application.
+
+* [Pre-requisites](#pre-requisites)
+* [Demo](#demo)
+* [Getting started](#getting-started)
+  * [Configuring Models](#configuring-models)
+    * [With the generator](#with-the-generator)
+    * [Manually](#manually)
+    * [Final steps](#final-steps)
+* [Custom Views](#custom-views)
+  * [Request a phone call](#request-a-phone-call)
+* [Custom Redirect Paths (eg. using modules)](#custom-redirect-paths-eg-using-modules)
+* [I18n](#i18n)
+* [Session variables](#session-variables)
+* [OneTouch support](#onetouch-support)
+* [Generic authenticator token support](#generic-authenticator-token-support)
+* [Rails 5 CSRF protection](#rails-5-csrf-protection)
+* [Running Tests](#running-tests)
+* [Notice: Twilio Authy API’s Sandbox feature will stop working on Sep 30, 2021](#notice-twilio-authy-apis-sandbox-feature-will-stop-working-on-sep-30-2021)
+* [Copyright](#copyright)
 
 ## Pre-requisites
 
-Get an Authy API Key: [https://www.authy.com/signup](https://www.authy.com/signup)
+To use the Authy API you will need a Twilio Account, [sign up for a free Twilio account here](https://www.twilio.com/try-twilio).
+
+Create an [Authy Application in the Twilio console](https://www.twilio.com/console/authy/applications) and take note of the API key.
 
 ## Demo
 
-See [https://github.com/authy/authy-devise/tree/master/authy-devise-demo](https://github.com/authy/authy-devise/tree/master/authy-devise-demo)
+See [this repo for a full demo of using `authy-devise`](https://github.com/twilio/authy-devise-demo).
 
 ## Getting started
 
-First create an initializer in `config/initializers/authy.rb`
+First get your Authy API key from [the Twilio console](https://www.twilio.com/console/authy/applications). We recommend you store your API key as an environment variable.
 
-```ruby
-Authy.api_key = ENV['AUTHY_API_KEY'] || 'your_authy_api_key'
-Authy.api_uri = 'https://api.authy.com/'
+```bash
+$ export AUTHY_API_KEY=YOUR_AUTHY_API_KEY
 ```
 
-You can get the `AUTHY_API_KEY` at [https://www.authy.com/signup](https://www.authy.com/signup)
-
 Next add the gem to your Gemfile:
 
 ```ruby
@@ -40,40 +75,77 @@ Add `Devise Authy` to your App:
 
 ### Configuring Models
 
-Configure your Devise user model:
+You can add devise_authy to your user model in two ways.
+
+#### With the generator
+
+Run the following command:
+
+```bash
+rails g devise_authy [MODEL_NAME]
+```
+
+To support account locking (recommended), you must add `:authy_lockable` to the `devise :authy_authenticatable, ...` configuration in your model as this is not yet supported by the generator.
+
+#### Manually
+
+Add `:authy_authenticatable` and `:authy_lockable` to the `devise` options in your Devise user model:
+
+```ruby
+devise :authy_authenticatable, :authy_lockable, :database_authenticatable, :lockable
+```
 
-    rails g devise_authy [MODEL_NAME]
+(Note, `:authy_lockable` is optional but recommended. It should be used with Devise's own `:lockable` module).
 
-or add the following line to your `User` model
+Also add a new migration. For example, if you are adding to the `User` model, use this migration:
 
 ```ruby
-devise :authy_authenticatable, :database_authenticatable
+class DeviseAuthyAddToUsers < ActiveRecord::Migration[6.0]
+  def self.up
+    change_table :users do |t|
+      t.string    :authy_id
+      t.datetime  :last_sign_in_with_authy
+      t.boolean   :authy_enabled, :default => false
+    end
+
+    add_index :users, :authy_id
+  end
+
+  def self.down
+    change_table :users do |t|
+      t.remove :authy_id, :last_sign_in_with_authy, :authy_enabled
+    end
+  end
+end
+```
+
+#### Final steps
+
+For either method above, run the migrations:
+
+```bash
+rake db:migrate
 ```
 
-Change the default routes to point to something sane like:
+**[Optional]** Update the default routes to point to something like:
 
 ```ruby
 devise_for :users, :path_names => {
 	:verify_authy => "/verify-token",
 	:enable_authy => "/enable-two-factor",
-	:verify_authy_installation => "/verify-installation"
+	:verify_authy_installation => "/verify-installation",
+	:authy_onetouch_status => "/onetouch-status"
 }
 ```
 
-Then run the migrations:
-
-    rake db:migrate
-
-Now whenever a user wants to enable two-factor authentication they can go
-to:
+Now whenever a user wants to enable two-factor authentication they can go to:
 
     http://your-app/users/enable-two-factor
 
-And when the user log's in he will be redirected to:
+And when the user logs in they will be redirected to:
 
     http://your-app/users/verify-token
 
-
 ## Custom Views
 
 If you want to customise your views, you can modify the files that are located at:
@@ -82,6 +154,11 @@ If you want to customise your views, you can modify the files that are located a
     app/views/devise/devise_authy/verify_authy.html.erb
     app/views/devise/devise_authy/verify_authy_installation.html.erb
 
+### Request a phone call
+
+The default views come with a button to force a request for an SMS message. You can also add a button that will request a phone call instead. Simply add the helper method to your view:
+
+    <%= authy_request_phone_call_link %>
 
 ## Custom Redirect Paths (eg. using modules)
 
@@ -115,10 +192,9 @@ And tell the router to use this controller
 devise_for :users, controllers: {devise_authy: 'my_custom_module/devise_authy'}
 ```
 
-
 ## I18n
 
-The install generator also copy a `Devise Authy` i18n file which you can find at:
+The install generator also copies a `Devise Authy` i18n file which you can find at:
 
     config/locales/devise.authy.en.yml
 
@@ -134,22 +210,57 @@ session["#{resource_name}_authy_token_checked"]
 session["user_authy_token_checked"]
 ```
 
+## OneTouch support
 
-## Running Tests
+To enable [Authy push authentication](https://www.twilio.com/authy/features/push), you need to modify the Devise config file `config/initializers/devise.rb` and add configuration:
 
-To prepare the tests run the following commands:
-```bash
-$ cd spec/rails-app
-$ bundle install
-$ RAILS_ENV=test bundle exec rake db:migrate
+```
+config.authy_enable_onetouch = true
+```
+
+## Generic authenticator token support
+
+Authy supports other authenticator apps by providing a QR code that your users can scan.
+
+> **To use this feature, you need to enable it in your [Twilio Console](https://www.twilio.com/console/authy/applications)**
+
+Once you have enabled generic authenticator tokens, you can enable this in devise-authy by modifying the Devise config file `config/initializers/devise.rb` and adding the configuration:
+
+```
+config.authy_enable_qr_code = true
 ```
 
-Now on the project root run the following commands:
+This will display a QR code on the verification screen (you still need to take a user's phone number and country code). If you have implemented your own views, the QR code URL is available on the verification page as `@authy_qr_code`.
+
+## Rails 5 CSRF protection
+
+In Rails 5 `protect_from_forgery` is no longer prepended to the `before_action` chain. If you call `authenticate_user` before `protect_from_forgery` your request will result in a "Can't verify CSRF token authenticity" error.
+
+To remedy this, add `prepend: true` to your `protect_from_forgery` call, like in this example from the [Authy Devise demo app](https://github.com/twilio/authy-devise-demo):
+
+```ruby
+class ApplicationController < ActionController::Base
+  protect_from_forgery with: :exception, prepend: true
+end
+```
+
+## Running Tests
+
+Run the following command:
+
 ```bash
-$ bundle exec rspec spec/
+$ bundle exec rspec
 ```
 
+## Notice: Twilio Authy API’s Sandbox feature will stop working on Sep 30, 2021
+Twilio is discontinuing the Authy API’s Sandbox, a feature that allows customers to run continuous integration tests against a mock Authy API for free. The Sandbox is no longer being maintained, so we will be taking the final deprecation step of shutting it down on September 30, 2021. The rest of the Authy API product will continue working as-is.
+
+This repo previously used the sandbox API as part of the test suite, but that has been since removed.
+
+You will only be affected if you are using the sandbox API in your own application or test suite.
+
+For more information please read this article on [how we are discontinuing the Twilio Authy sandbox API](https://support.authy.com/hc/en-us/articles/1260803396889-Notice-Twilio-Authy-API-s-Sandbox-feature-will-stop-working-on-Sep-30-2021).
+
 ## Copyright
 
-Copyright (c) 2012-2020 Authy Inc. See LICENSE.txt for
-further details.
+Copyright (c) 2012-2021 Authy Inc. See LICENSE.txt for further details.

data/Rakefile

@@ -2,6 +2,7 @@
 
 require 'rubygems'
 require 'bundler'
+require 'bundler/gem_tasks'
 begin
   Bundler.setup(:default, :development)
 rescue Bundler::BundlerError => e
@@ -11,20 +12,6 @@ rescue Bundler::BundlerError => e
 end
 require 'rake'
 
-require 'jeweler'
-Jeweler::Tasks.new do |gem|
-  # gem is a Gem::Specification... see http://docs.rubygems.org/read/chapter/20 for more options
-  gem.name = "devise-authy"
-  gem.homepage = "https://github.com/authy/authy-devise"
-  gem.license = "MIT"
-  gem.summary = %Q{Authy plugin for Devise}
-  gem.description = %Q{Authy plugin for Devise}
-  gem.email = "support@authy.com"
-  gem.authors = ["Authy Inc."]
-  # dependencies defined in Gemfile
-end
-Jeweler::RubygemsDotOrgTasks.new
-
 require 'rspec/core'
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec) do |spec|