devise-multi-factor 3.1.5

data/Gemfile

@@ -0,0 +1,32 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise_ip_filter.gemspec
+gemspec
+
+rails_version = ENV["RAILS_VERSION"] || "default"
+
+rails = case rails_version
+        when "master"
+          {github: "rails/rails"}
+        when "default"
+          "~> 5.2"
+        else
+          "~> #{rails_version}"
+        end
+
+gem "rails", rails
+
+if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.2.0')
+  gem "test-unit", "~> 3.0"
+end
+
+group :test, :development do
+  gem 'byebug'
+  gem 'lockbox'
+  gem 'sqlite3'
+end
+
+group :test do
+  gem 'rack_session_access'
+  gem 'ammeter'
+end

data/LICENSE

@@ -0,0 +1,19 @@
+Copyright (C) 2012 Dmitrii Golub
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,322 @@
+# Devise Multi Factor
+
+This is a fork of the gem [two_factor_authentication](https://github.com/Houdini/two_factor_authentication) by Houdini. The name has been changed to `devise-multi-factor` to avoid conflicts of both gems.
+This version uses [Lockbox](https://github.com/ankane/lockbox) to manage the encryption of the key.
+
+## Features
+
+* Support for 2 types of OTP codes
+    1. Codes delivered directly to the user
+    2. TOTP (Google Authenticator) codes based on a shared secret (HMAC)
+* Configurable OTP code digit length
+* Configurable max login attempts
+* Customizable logic to determine if a user needs two factor authentication
+* Configurable period where users won't be asked for 2FA again
+* TOTP secret key automatically encrypted in DB
+* Enroll form for TOTP using `:totp_enrollable` on your model
+
+## Configuration
+
+### Initial Setup
+
+In a Rails environment, require the gem in your Gemfile:
+
+    gem 'devise-multi-factor'
+
+Once that's done, run:
+
+    bundle install
+
+Note that Ruby 2.1 or greater is required.
+
+### Installation
+
+#### Automatic initial setup
+
+To set up the model and database migration file automatically, run the
+following command:
+
+    bundle exec rails g devise_multi_factor MODEL
+
+Where MODEL is your model name (e.g. User or Admin). This generator will add
+`:two_factor_authenticatable` to your model's Devise options and create a
+migration in `db/migrate/`, which will add the following columns to your table:
+
+- `:second_factor_attempts_count`
+- `:encrypted_otp_secret_key`
+- `:direct_otp`
+- `:direct_otp_sent_at`
+- `:totp_timestamp`
+
+#### Manual initial setup
+
+If you prefer to set up the model and migration manually, add the
+`:two_factor_authenticatable` option to your existing devise options, such as:
+
+```ruby
+devise :database_authenticatable, :registerable, :recoverable, :rememberable,
+       :trackable, :validatable, :two_factor_authenticatable
+```
+
+Then create your migration file using the Rails generator, such as:
+
+```
+rails g migration AddTwoFactorFieldsToUsers second_factor_attempts_count:integer encrypted_otp_secret_key:string direct_otp:string direct_otp_sent_at:datetime totp_timestamp:integer
+```
+
+#### Complete the setup
+
+Run the migration with:
+
+    bundle exec rake db:migrate
+
+Add the following line to your model to fully enable two-factor auth:
+
+    has_one_time_password
+
+Set config values in `config/initializers/devise.rb`:
+
+```ruby
+config.max_login_attempts = 3  # Maximum second factor attempts count.
+config.allowed_otp_drift_seconds = 30  # Allowed TOTP time drift between client and server.
+config.otp_length = 6  # TOTP code length
+config.direct_otp_valid_for = 5.minutes  # Time before direct OTP becomes invalid
+config.direct_otp_length = 6  # Direct OTP code length
+config.remember_otp_session_for_seconds = 30.days  # Time before browser has to perform 2fA again. Default is 0.
+config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
+config.second_factor_resource_id = 'id' # Field or method name used to set value for 2fA remember cookie
+config.delete_cookie_on_logout = false # Delete cookie when user signs out, to force 2fA again on login
+```
+The `otp_secret_encryption_key` must be a random key that is not stored in the
+DB, and is not checked in to your repo. It is recommended to store it in an
+environment variable, and you can generate it with `bundle exec rake secret`.
+
+Override the method in your model in order to send direct OTP codes. This is
+automatically called when a user logs in unless they have TOTP enabled (see
+below):
+
+```ruby
+def send_two_factor_authentication_code(code)
+  # Send code via SMS, etc.
+end
+```
+
+### Customisation and Usage
+
+By default, second factor authentication is required for each user. You can
+change that by overriding the following method in your model:
+
+```ruby
+def need_two_factor_authentication?(request)
+  request.ip != '127.0.0.1'
+end
+```
+
+In the example above, two factor authentication will not be required for local
+users.
+
+This gem is compatible with [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en).
+To enable this a shared secret must be generated by invoking the following
+method on your model:
+
+```ruby
+user.generate_totp_secret
+```
+
+This must then be shared via a provisioning uri:
+
+```ruby
+user.provisioning_uri # This assumes a user model with an email attribute
+```
+
+This provisioning uri can then be turned in to a QR code if desired so that
+users may add the app to Google Authenticator easily.  Once this is done, they
+may retrieve a one-time password directly from the Google Authenticator app.
+
+#### Overriding the view
+
+The default view that shows the form can be overridden by adding a
+file named `show.html.erb` (or `show.html.haml` if you prefer HAML)
+inside `app/views/devise/two_factor_authentication/` and customizing it.
+Below is an example using ERB:
+
+
+```html
+<h2>Hi, you received a code by email, please enter it below, thanks!</h2>
+
+<%= form_tag([resource_name, :two_factor_authentication], :method => :put) do %>
+  <%= text_field_tag :code %>
+  <%= submit_tag "Log in!" %>
+<% end %>
+
+<%= link_to "Sign out", destroy_user_session_path, :method => :delete %>
+```
+
+#### Upgrading from version 1.X to 2.X
+
+The following database fields are new in version 2.
+
+- `direct_otp`
+- `direct_otp_sent_at`
+- `totp_timestamp`
+
+To add them, generate a migration such as:
+
+    $ rails g migration AddTwoFactorFieldsToUsers direct_otp:string direct_otp_sent_at:datetime totp_timestamp:timestamp
+
+The `otp_secret_key` is only required for users who use TOTP (Google Authenticator) codes,
+so unless it has been shared with the user it should be set to `nil`.  The
+following pseudo-code is an example of how this might be done:
+
+```ruby
+User.find_each do |user| do
+  if !uses_authenticator_app(user)
+    user.otp_secret_key = nil
+    user.save!
+  end
+end
+```
+
+#### Adding the TOTP encryption option to an existing app
+
+If you've already been using this gem, and want to start encrypting the OTP
+secret key in the database (recommended), you'll need to perform the following
+steps:
+
+1. Generate a migration to add the necessary columns to your model's table:
+
+   ```
+   rails g migration AddEncryptionFieldsToUsers encrypted_otp_secret_key:string
+   ```
+
+   Open your migration file (it will be in the `db/migrate` directory and will be
+   named something like `20151230163930_add_encryption_fields_to_users.rb`), and
+   add `unique: true` to the `add_index` line so that it looks like this:
+
+   ```ruby
+   add_index :users, :encrypted_otp_secret_key, unique: true
+   ```
+   Save the file.
+
+2. Run the migration: `bundle exec rake db:migrate`
+
+2. Update the gem: `bundle update two_factor_authentication`
+
+3. Add `encrypted: true` to `has_one_time_password` in your model.
+   For example: `has_one_time_password(encrypted: true)`
+
+4. Generate a migration to populate the new encryption fields:
+   ```
+   rails g migration PopulateEncryptedOtpFields
+   ```
+
+   Open the generated file, and replace its contents with the following:
+   ```ruby
+   class PopulateEncryptedOtpFields < ActiveRecord::Migration
+     def up
+       User.reset_column_information
+
+       User.find_each do |user|
+         user.otp_secret_key = user.read_attribute('otp_secret_key')
+         user.save!
+       end
+     end
+
+     def down
+       User.reset_column_information
+
+       User.find_each do |user|
+         user.otp_secret_key = ROTP::Base32.random_base32
+         user.save!
+       end
+     end
+   end
+   ```
+
+5. Generate a migration to remove the `:otp_secret_key` column:
+   ```
+   rails g migration RemoveOtpSecretKeyFromUsers otp_secret_key:string
+   ```
+
+6. Run the migrations: `bundle exec rake db:migrate`
+
+If, for some reason, you want to switch back to the old non-encrypted version,
+use these steps:
+
+1. Remove `(encrypted: true)` from `has_one_time_password`
+
+2. Roll back the last 3 migrations (assuming you haven't added any new ones
+after them):
+   ```
+   bundle exec rake db:rollback STEP=3
+   ```
+
+#### Critical Security Note! Add before_action to your user registration controllers
+
+You should have a file registrations_controller.rb in your controllers folder
+to overwrite/customize user registrations. It should include the lines below, for 2FA protection of user model updates, meaning that users can only access the users/edit page after confirming 2FA fully, not simply by logging in. Otherwise the entire 2FA system can be bypassed!
+
+   ```ruby
+   class RegistrationsController < Devise::RegistrationsController
+     before_action :two_factor_authenticate!, except: [:new, :create, :cancel]
+   end
+   ```
+
+
+### Example App
+(This gem is not 100% compatible with this example app)
+[TwoFactorAuthenticationExample](https://github.com/Houdini/TwoFactorAuthenticationExample)
+
+
+### Example user actions
+
+to use an ENV VAR for the 2FA encryption key:
+
+config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
+
+to set up TOTP for Google Authenticator for user:
+
+   ```
+   current_user.otp_secret_key =  current_user.generate_totp_secret
+   current_user.save!
+   ```
+
+( encrypted db fields are set upon user model save action,
+rails c access relies on setting env var: OTP_SECRET_ENCRYPTION_KEY )
+
+to check if user has input the correct code (from the QR display page)
+before saving the user model:
+
+   ```
+   current_user.authenticate_totp('123456')
+   ```
+
+additional note:
+
+   ```
+   current_user.otp_secret_key
+   ```
+
+This returns the OTP secret key in plaintext for the user (if you have set the env var) in the console
+the string used for generating the QR given to the user for their Google Auth is something like:
+
+otpauth://totp/LABEL?secret=p6wwetjnkjnrcmpd    (example secret used here)
+
+where LABEL should be something like "example.com (Username)", which shows up in their GA app to remind them the code is for example.com
+
+this returns true or false with an allowed_otp_drift_seconds 'grace period'
+
+to set TOTP to DISABLED for a user account:
+
+   ```
+   current_user.second_factor_attempts_count=nil
+   current_user.encrypted_otp_secret_key=nil
+   current_user.direct_otp=nil
+   current_user.direct_otp_sent_at=nil
+   current_user.totp_timestamp=nil
+   current_user.direct_otp=nil
+   current_user.otp_secret_key=nil
+   current_user.save! (if in ruby code instead of console)
+   current_user.direct_otp? => false
+   current_user.totp_enabled? => false
+   ```

data/Rakefile

@@ -0,0 +1,12 @@
+require "bundler/gem_tasks"
+
+APP_RAKEFILE = File.expand_path("../spec/rails_app/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+require 'rspec/core/rake_task'
+
+desc "Run all specs in spec directory (excluding plugin specs)"
+task :default => :spec
+
+# To test against a specific version of Rails
+# export RAILS_VERSION=3.2.0; bundle update; rake

data/app/controllers/devise/totp_controller.rb

@@ -0,0 +1,79 @@
+require 'devise/version'
+
+class Devise::TotpController < DeviseController
+  prepend_before_action :authenticate_scope!
+  before_action :two_factor_authenticate!
+
+  def new
+    @otp_secret = resource.generate_totp_secret
+    @otp_secret_signature = sign_otp_secret(@otp_secret)
+    render_enroll_form
+  end
+
+  def create
+    @otp_secret_signature = params[:otp_secret_signature]
+    @otp_secret = verify_otp_secret(@otp_secret_signature)
+    if resource.enroll_totp!(@otp_secret, params[:otp_attempt])
+      after_two_factor_enroll_success_for(resource)
+    else
+      flash.now[:error] = 'The authenticator code provided was invalid!'
+      render_enroll_form
+    end
+  rescue ActiveSupport::MessageVerifier::InvalidSignature
+    redirect_to send("new_#{resource_name}_two_factor_authentication_path"), flash: { error: 'There has been a problem in the configuration process, please try again.' }
+  end
+
+  def show
+  end
+
+  def destroy
+  end
+
+  private
+
+  def generate_qr_code(otp_secret)
+    return unless defined?(::RQRCode)
+
+    qr_code = RQRCode::QRCode
+      .new(resource.provisioning_uri(nil, otp_secret_key: @otp_secret, issuer: Devise.otp_issuer))
+      .as_png(resize_exactly_to: 246)
+      .to_data_url
+  end
+
+  def render_enroll_form
+    @qr_code = generate_qr_code(@otp_secret)
+    render :new
+  end
+
+  def verifier
+    ActiveSupport::MessageVerifier.new(Devise.secret_key, digest: 'SHA256')
+  end
+
+  def verify_otp_secret(otp_secret_signature)
+    data = verifier.verify(otp_secret_signature)
+    valid = data[Devise.second_factor_resource_id] == resource[Devise.second_factor_resource_id]
+    raise ActiveSupport::MessageVerifier::InvalidSignature unless valid
+
+    data['otp_secret']
+  end
+
+  def sign_otp_secret(otp_secret)
+    data = {
+      Devise.second_factor_resource_id => resource[Devise.second_factor_resource_id],
+      'otp_secret' => otp_secret,
+    }
+    verifier.generate(data)
+  end
+
+  def after_two_factor_enroll_success_for(resource)
+    redirect_to after_two_factor_enroll_success_path_for(resource), flash: { success: 'Multi-factor authentication successfully setup!' }
+  end
+
+  def after_two_factor_enroll_success_path_for(resource)
+    :root
+  end
+
+  def authenticate_scope!
+    self.resource = send("current_#{resource_name}")
+  end
+end