devise-authy 1.7.0 → 2.3.1

data/app/controllers/devise/devise_authy_controller.rb

@@ -1,19 +1,31 @@
 class Devise::DeviseAuthyController < DeviseController
-  prepend_before_filter :find_resource, :only => [
+  prepend_before_action :find_resource, :only => [
     :request_phone_call, :request_sms
   ]
-  prepend_before_filter :find_resource_and_require_password_checked, :only => [
-    :GET_verify_authy, :POST_verify_authy
+  prepend_before_action :find_resource_and_require_password_checked, :only => [
+    :GET_verify_authy, :POST_verify_authy, :GET_authy_onetouch_status
   ]
-  prepend_before_filter :authenticate_scope!, :only => [
-    :GET_enable_authy, :POST_enable_authy,
-    :GET_verify_authy_installation, :POST_verify_authy_installation,
-    :POST_disable_authy
+
+  prepend_before_action :check_resource_has_authy_id, :only => [
+    :GET_verify_authy_installation, :POST_verify_authy_installation
+  ]
+
+  prepend_before_action :check_resource_not_authy_enabled, :only => [
+    :GET_verify_authy_installation, :POST_verify_authy_installation
+  ]
+
+  prepend_before_action :authenticate_scope!, :only => [
+    :GET_enable_authy, :POST_enable_authy, :GET_verify_authy_installation,
+    :POST_verify_authy_installation, :POST_disable_authy
   ]
+
   include Devise::Controllers::Helpers
 
   def GET_verify_authy
-    @authy_id = @resource.authy_id
+    if resource_class.authy_enable_onetouch
+      approval_request = send_one_touch_request(@resource.authy_id)['approval_request']
+      @onetouch_uuid = approval_request['uuid'] if approval_request.present?
+    end
     render :verify_authy
   end
 
@@ -26,17 +38,9 @@ class Devise::DeviseAuthyController < DeviseController
     })
 
     if token.ok?
-      @resource.update_attribute(:last_sign_in_with_authy, DateTime.now)
-
-      session["#{resource_name}_authy_token_checked"] = true
-
-      remember_device if params[:remember_device].to_i == 1
-      if session.delete("#{resource_name}_remember_me") == true && @resource.respond_to?(:remember_me=)
-        @resource.remember_me = true
-      end
-      sign_in(resource_name, @resource)
-
-      set_flash_message(:notice, :signed_in) if is_navigational_format?
+      remember_device(@resource.id) if params[:remember_device].to_i == 1
+      remember_user
+      record_authy_authentication
       respond_with resource, :location => after_sign_in_path_for(@resource)
     else
       handle_invalid_token :verify_authy, :invalid_token
@@ -63,13 +67,11 @@ class Devise::DeviseAuthyController < DeviseController
     if @authy_user.ok?
       resource.authy_id = @authy_user.id
       if resource.save
-        set_flash_message(:notice, :enabled)
+        redirect_to [resource_name, :verify_authy_installation] and return
       else
         set_flash_message(:error, :not_enabled)
         redirect_to after_authy_enabled_path_for(resource) and return
       end
-
-      redirect_to [resource_name, :verify_authy_installation]
     else
       set_flash_message(:error, :not_enabled)
       render :enable_authy
@@ -78,21 +80,39 @@ class Devise::DeviseAuthyController < DeviseController
 
   # Disable 2FA
   def POST_disable_authy
-    response = Authy::API.delete_user(:id => resource.authy_id)
-
-    if response.ok?
-      resource.update_attribute(:authy_enabled, false)
-      resource.update_attribute(:authy_id, nil)
-
+    authy_id = resource.authy_id
+    resource.assign_attributes(:authy_enabled => false, :authy_id => nil)
+    resource.save(:validate => false)
+
+    other_resource = resource.class.find_by(:authy_id => authy_id)
+    if other_resource
+      # If another resource has the same authy_id, do not delete the user from
+      # the API.
+      forget_device
       set_flash_message(:notice, :disabled)
     else
-      set_flash_message(:error, :not_disabled)
+      response = Authy::API.delete_user(:id => authy_id)
+      if response.ok?
+        forget_device
+        set_flash_message(:notice, :disabled)
+      else
+        # If deleting the user from the API fails, set everything back to what
+        # it was before.
+        # I'm not sure this is a good idea, but it was existing behaviour.
+        # Could be changed in a major version bump.
+        resource.assign_attributes(:authy_enabled => true, :authy_id => authy_id)
+        resource.save(:validate => false)
+        set_flash_message(:error, :not_disabled)
+      end
     end
-
     redirect_to after_authy_disabled_path_for(resource)
   end
 
   def GET_verify_authy_installation
+    if resource_class.authy_enable_qr_code
+      response = Authy::API.request_qr_code(id: resource.authy_id)
+      @authy_qr_code = response.qr_code
+    end
     render :verify_authy_installation
   end
 
@@ -106,13 +126,37 @@ class Devise::DeviseAuthyController < DeviseController
     self.resource.authy_enabled = token.ok?
 
     if token.ok? && self.resource.save
+      remember_device(@resource.id) if params[:remember_device].to_i == 1
+      record_authy_authentication
       set_flash_message(:notice, :enabled)
       redirect_to after_authy_verified_path_for(resource)
     else
+      if resource_class.authy_enable_qr_code
+        response = Authy::API.request_qr_code(id: resource.authy_id)
+        @authy_qr_code = response.qr_code
+      end
       handle_invalid_token :verify_authy_installation, :not_enabled
     end
   end
 
+  def GET_authy_onetouch_status
+    response = Authy::OneTouch.approval_request_status(:uuid => params[:onetouch_uuid])
+    status = response.dig('approval_request', 'status')
+    case status
+    when 'pending'
+      head 202
+    when 'approved'
+      remember_device(@resource.id) if params[:remember_device].to_i == 1
+      remember_user
+      record_authy_authentication
+      render json: { redirect: after_sign_in_path_for(@resource) }
+    when 'denied'
+      head :unauthorized
+    else
+      head :internal_server_error
+    end
+  end
+
   def request_phone_call
     unless @resource
       render :json => { :sent => false, :message => "User couldn't be found." }
@@ -157,6 +201,16 @@ class Devise::DeviseAuthyController < DeviseController
     end
   end
 
+  def check_resource_has_authy_id
+    redirect_to [resource_name, :enable_authy] if !resource.authy_id
+  end
+
+  def check_resource_not_authy_enabled
+    if resource.authy_id && resource.authy_enabled
+      redirect_to after_authy_verified_path_for(resource)
+    end
+  end
+
   protected
 
   def after_authy_enabled_path_for(resource)
@@ -187,4 +241,10 @@ class Devise::DeviseAuthyController < DeviseController
   def after_account_is_locked
     sign_out_and_redirect @resource
   end
+
+  def remember_user
+    if session.delete("#{resource_name}_remember_me") == true && @resource.respond_to?(:remember_me=)
+      @resource.remember_me = true
+    end
+  end
 end

data/app/controllers/devise_authy/passwords_controller.rb

@@ -1,4 +1,22 @@
 class DeviseAuthy::PasswordsController < Devise::PasswordsController
+  ##
+  # In the passwords controller a user can update their password using a
+  # recovery token. If `Devise.sign_in_after_reset_password` is `true` then the
+  # user is signed in immediately with the
+  # `Devise::Controllers::SignInOut#sign_in` method. However, if the user has
+  # 2FA enabled they should enter their second factor before they are signed in.
+  #
+  # This method overrides `Devise::Controllers::SignInOut#sign_in` but only
+  # within the `Devise::PasswordsController`. If the user needs to verify 2FA
+  # then `sign_in` returns `true`. This short circuits the method before it can
+  # call `warden.set_user` and log the user in.
+  #
+  # The user is redirected to `after_resetting_password_path_for(user)` at which
+  # point, since the user is not logged in, redirects again to sign in.
+  #
+  # This doesn't retain the expected behaviour of
+  # `Devise.sign_in_after_reset_password`, but is forgivable because this
+  # shouldn't be an avenue to bypass 2FA.
   def sign_in(resource_or_scope, *args)
     resource = args.last || resource_or_scope
 

data/app/views/devise/enable_authy.html.erb

@@ -1,7 +1,7 @@
-<h2><%= I18n.t('authy_register_title', {:scope => 'devise'}) %></h2>
+<h2><%= I18n.t('authy_register_title', scope: 'devise') %></h2>
 
 <%= enable_authy_form do %>
   <%= text_field_tag :country_code, '', :autocomplete => :off, :placeholder => I18n.t('devise.country'), :id => "authy-countries"%>
   <%= text_field_tag :cellphone, '', :autocomplete => :off, :placeholder => I18n.t('devise.cellphone'), :id => "authy-cellphone"%>
-  <p><%= submit_tag I18n.t('enable_authy', {:scope => 'devise'}) %></p>
+  <p><%= submit_tag I18n.t('enable_authy', scope: 'devise') %></p>
 <% end %>

data/app/views/devise/enable_authy.html.haml

@@ -1,5 +1,5 @@
-%h2= I18n.t('authy_register_title', {:scope => 'devise'})
+%h2= I18n.t('authy_register_title', scope: 'devise')
 = enable_authy_form do
   = text_field_tag :country_code, '', :autocomplete => :off, :placeholder => I18n.t('devise.country'), :id => "authy-countries"
   = text_field_tag :cellphone, '', :autocomplete => :off, :placeholder => I18n.t('devise.cellphone'), :id => "authy-cellphone"
-  %p= submit_tag I18n.t('enable_authy', {:scope => 'devise'})
+  %p= submit_tag I18n.t('enable_authy', scope: 'devise')

data/app/views/devise/verify_authy.html.erb

@@ -1,14 +1,14 @@
 <h2>
-  <%= I18n.t('authy_register_title', {:scope => 'devise'}) %>
+  <%= I18n.t('submit_token_title', scope: 'devise') %>
 </h2>
 
 <%= verify_authy_form do %>
-  <legend><%= I18n.t('submit_token_title', {:scope => 'devise'}) %></legend>
-  <%= label_tag :token %>
-  <%= text_field_tag :token, "", :autocomplete => :off, :id => 'authy-token' %>
+  <legend><%= I18n.t('submit_token_title', scope: 'devise') %></legend>
+  <%= label_tag 'authy-token' %>
+  <%= text_field_tag :token, "", :autocomplete => "one-time-code", :inputmode => "numeric", :pattern => "[0-9]*", :id => 'authy-token' %>
   <label>
     <%= check_box_tag :remember_device %>
-    <span><%= I18n.t('remember_device', {:scope => 'devise'}) %></span>
+    <span><%= I18n.t('remember_device', scope: 'devise') %></span>
   </label>
 
   <!-- Help tooltip -->
@@ -17,5 +17,22 @@
   <!-- <%= link_to '?', '#', :id => 'authy-help' %> -->
 
   <%= authy_request_sms_link %>
-  <%= submit_tag I18n.t('submit_token', {:scope => 'devise'}), :class => 'btn' %>
+  <%= submit_tag I18n.t('submit_token', scope: 'devise'), :class => 'btn' %>
+<% end %>
+
+<% if @onetouch_uuid %>
+    <script>
+      (function(){
+        var onetouchInterval = setInterval(function(){
+          var onetouchRequest = new XMLHttpRequest();
+          var rememberDevice = document.getElementById("remember_device").checked ? '1' : '0';
+          onetouchRequest.addEventListener("load", function(){
+            if(this.status != 202) clearInterval(onetouchInterval);
+            if(this.status == 200) window.location = JSON.parse(this.responseText).redirect;
+          });
+          onetouchRequest.open("GET", "<%= polymorphic_path [resource_name, :authy_onetouch_status] %>?remember_device="+rememberDevice+"&onetouch_uuid=<%= @onetouch_uuid %>");
+          onetouchRequest.send();
+        }, 3000);
+      })();
+    </script>
 <% end %>

data/app/views/devise/verify_authy.html.haml

@@ -1,13 +1,13 @@
-%h2= I18n.t('authy_register_title', {:scope => 'devise'})
+%h2= I18n.t('authy_register_title', scope: 'devise')
 
 = verify_authy_form do
-  %legend= I18n.t('submit_token_title', {:scope => 'devise'})
+  %legend= I18n.t('submit_token_title', scope: 'devise')
   = hidden_field_tag :"#{resource_name}_id", @resource.id
-  = label_tag :token
-  = text_field_tag :token, "", :autocomplete => :off, :id => 'authy-token'
+  = label_tag 'authy-token'
+  = text_field_tag :token, "", :autocomplete => "one-time-code", :inputmode => "numeric", :pattern => "[0-9]*", :id => 'authy-token'
   %label
     = check_box_tag :remember_device
-    %span= I18n.t('remember_device', {:scope => 'devise'})
+    %span= I18n.t('remember_device', scope: 'devise')
 
   / Help Tooltip
   / You need to configure a help message.
@@ -15,4 +15,19 @@
   / = link_to '?', '#', :id => 'authy-help', :'data-message' => 'a message'
 
   = authy_request_sms_link
-  = submit_tag I18n.t('submit_token', {:scope => 'devise'}), :class => 'btn'
+  = submit_tag I18n.t('submit_token', scope: 'devise'), :class => 'btn'
+
+- if @onetouch_uuid
+  :javascript
+    (function(){
+      var onetouchInterval = setInterval(function(){
+        var onetouchRequest = new XMLHttpRequest();
+        var rememberDevice = document.getElementById("remember_device").checked ? '1' : '0';
+        onetouchRequest.addEventListener("load", function(){
+          if(this.status != 202) clearInterval(onetouchInterval);
+          if(this.status == 200) window.location = JSON.parse(this.responseText).redirect;
+        });
+        onetouchRequest.open("GET", "#{polymorphic_path [resource_name, :authy_onetouch_status]}?remember_device="+rememberDevice+"&onetouch_uuid=#{@onetouch_uuid}");
+        onetouchRequest.send();
+      }, 3000);
+    })();

data/app/views/devise/verify_authy_installation.html.erb

@@ -1,10 +1,18 @@
-<h2><%= I18n.t('authy_verify_installation_title', {:scope => 'devise'}) %></h2>
+<h2><%= I18n.t('authy_verify_installation_title', scope: 'devise') %></h2>
+
+<% if @authy_qr_code %>
+  <%= image_tag @authy_qr_code, :size => '256x256', :alt => I18n.t('authy_qr_code_alt', scope: 'devise') %>
+  <p><%= I18n.t('authy_qr_code_instructions', scope: 'devise') %></p>
+<% end %>
 
 <%= verify_authy_installation_form do %>
-  <legend><%= I18n.t('submit_token_title', {:scope => 'devise'}) %></legend>
+  <legend><%= I18n.t('submit_token_title', scope: 'devise') %></legend>
   <%= label_tag :token %>
-  <%= text_field_tag :token, "", :autocomplete => :off, :id => 'authy-token' %>
+  <%= text_field_tag :token, "", :autocomplete => "one-time-code", :inputmode => "numeric", :pattern => "[0-9]*", :id => 'authy-token' %>
+  <label>
+    <%= check_box_tag :remember_device %>
+    <span><%= I18n.t('remember_device', scope: 'devise') %></span>
+  </label>
   <%= authy_request_sms_link %>
-  <%= submit_tag I18n.t('enable_my_account', {:scope => 'devise'}), :class => 'btn' %>
-<% end %>
-
+  <%= submit_tag I18n.t('enable_my_account', scope: 'devise'), :class => 'btn' %>
+<% end %>

data/app/views/devise/verify_authy_installation.html.haml

@@ -1,8 +1,16 @@
-%h2= I18n.t('authy_verify_installation_title', {:scope => 'devise'})
+%h2= I18n.t('authy_verify_installation_title', scope: 'devise')
+
+- if @authy_qr_code
+  = image_tag @authy_qr_code, :size => '256x256', :alt => I18n.t('authy_qr_code_alt', scope: 'devise')
+  %p= I18n.t('authy_qr_code_instructions', scope: 'devise')
+
 = verify_authy_installation_form do
-  %legend= I18n.t('submit_token_title', {:scope => 'devise'})
+  %legend= I18n.t('submit_token_title', scope: 'devise')
   = label_tag :token
-  = text_field_tag :token, "", :autocomplete => :off, :id => 'authy-token'
+  = text_field_tag :token, "", :autocomplete => "one-time-code", :inputmode => "numeric", :pattern => "[0-9]*", :id => 'authy-token'
+  %label
+    = check_box_tag :remember_device
+    %span= I18n.t('remember_device', scope: 'devise')
   = authy_request_sms_link
-  = submit_tag I18n.t('enable_my_account', {:scope => 'devise'}), :class => 'btn'
+  = submit_tag I18n.t('enable_my_account', scope: 'devise'), :class => 'btn'
 

data/config/locales/en.yml

@@ -1,7 +1,7 @@
 en:
   devise:
-    submit_token: "Check Token"
-    submit_token_title: "Please enter your Authy token:"
+    submit_token: 'Check Token'
+    submit_token_title: 'Please enter your Authy token:'
     authy_register_title: 'Enable Two factor authentication'
     enable_authy: 'Enable'
     cellphone: 'Enter your cellphone'
@@ -9,10 +9,14 @@ en:
     request_sms: 'Request SMS'
     request_phone_call: 'Request phone call'
     remember_device: 'Remember Device'
+    request_to_login: 'Request to Login'
 
-    authy_verify_installation_title: "Verify your account"
+    authy_verify_installation_title: 'Verify your account'
     enable_my_account: 'Enable my account'
 
+    authy_qr_code_alt: 'QR code for scanning with your authenticator app.'
+    authy_qr_code_instructions: 'Scan this QR code with your authenticator application and enter the code below.'
+
     devise_authy:
       user:
         enabled: 'Two factor authentication was enabled'
@@ -20,5 +24,5 @@ en:
         disabled: 'Two factor authentication was disabled'
         not_disabled: 'Something went wrong while disabling two factor authentication'
         signed_in: 'Signed in with Authy successfully.'
-        already_enabled: "Two factor authentication is already enabled."
+        already_enabled: 'Two factor authentication is already enabled.'
         invalid_token: 'The entered token is invalid'

data/config.ru

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+require "rubygems"
+require "bundler"
+
+Bundler.require :default, :development
+
+Combustion.initialize! :all
+run Combustion::Application