devise-multi-factor 3.1.5

data/app/controllers/devise/two_factor_authentication_controller.rb

@@ -0,0 +1,84 @@
+require 'devise/version'
+
+class Devise::TwoFactorAuthenticationController < DeviseController
+  prepend_before_action :authenticate_scope!
+  before_action :prepare_and_validate, :handle_two_factor_authentication
+
+  def show
+  end
+
+  def update
+    render :show and return if params[:code].nil?
+
+    if resource.authenticate_otp(params[:code])
+      after_two_factor_success_for(resource)
+    else
+      after_two_factor_fail_for(resource)
+    end
+  end
+
+  def resend_code
+    resource.send_new_otp
+    redirect_to send("#{resource_name}_two_factor_authentication_path"), notice: I18n.t('devise.two_factor_authentication.code_has_been_sent')
+  end
+
+  private
+
+  def after_two_factor_success_for(resource)
+    set_remember_two_factor_cookie(resource)
+
+    warden.session(resource_name)[DeviseMultiFactor::NEED_AUTHENTICATION] = false
+    # For compatability with devise versions below v4.2.0
+    # https://github.com/plataformatec/devise/commit/2044fffa25d781fcbaf090e7728b48b65c854ccb
+    if respond_to?(:bypass_sign_in)
+      bypass_sign_in(resource, scope: resource_name)
+    else
+      sign_in(resource_name, resource, bypass: true)
+    end
+    set_flash_message :notice, :success
+    resource.update_attribute(:second_factor_attempts_count, 0)
+
+    redirect_to after_two_factor_success_path_for(resource)
+  end
+
+  def set_remember_two_factor_cookie(resource)
+    expires_seconds = resource.class.remember_otp_session_for_seconds
+
+    if expires_seconds && expires_seconds > 0
+      cookies.signed[DeviseMultiFactor::REMEMBER_TFA_COOKIE_NAME] = {
+          value: "#{resource.class}-#{resource.public_send(Devise.second_factor_resource_id)}",
+          expires: expires_seconds.seconds.from_now
+      }
+    end
+  end
+
+  def after_two_factor_success_path_for(resource)
+    stored_location_for(resource_name) || :root
+  end
+
+  def after_two_factor_fail_for(resource)
+    resource.second_factor_attempts_count += 1
+    resource.save
+    set_flash_message :alert, :attempt_failed, now: true
+
+    if resource.max_login_attempts?
+      sign_out(resource)
+      render :max_login_attempts_reached
+    else
+      render :show
+    end
+  end
+
+  def authenticate_scope!
+    self.resource = send("current_#{resource_name}")
+  end
+
+  def prepare_and_validate
+    redirect_to :root and return if resource.nil?
+    @limit = resource.max_login_attempts
+    if resource.max_login_attempts?
+      sign_out(resource)
+      render :max_login_attempts_reached and return
+    end
+  end
+end

data/app/views/devise/two_factor_authentication/max_login_attempts_reached.html.erb

@@ -0,0 +1,3 @@
+<h2><%= I18n.t("devise.two_factor_authentication.max_login_attempts_reached") %> = <%= @limit %>.</h2>
+<p><%= I18n.t("devise.two_factor_authentication.contact_administrator") %></p>
+

data/app/views/devise/two_factor_authentication/new.html.erb

@@ -0,0 +1,14 @@
+Two Factor Authentication Setup
+
+<p><%= flash[:error] %></p>
+
+<%= image_tag(@qr_code) if @qr_code.present? %>
+
+<p>Authenticator Secret: <%= @otp_secret %>
+
+<%= form_for resource, url: send("#{resource_name}_two_factor_authentication_path"), method: :post do |f| %>
+  <label>Authenticator Code:</label>
+  <%= hidden_field_tag :otp_secret_signature, @otp_secret_signature %>
+  <%= text_field_tag :otp_attempt, '' %>
+  <%= f.submit %>
+<% end %>

data/app/views/devise/two_factor_authentication/show.html.erb

@@ -0,0 +1,19 @@
+<% if resource.direct_otp %>
+<h2>Enter the code that was sent to you</h2>
+<% else %>
+<h2>Enter the code from your authenticator app</h2>
+<% end %>
+
+<p><%= flash[:notice] %></p>
+
+<%= form_tag([resource_name, :two_factor_authentication], :method => :put) do %>
+  <%= text_field_tag :code, '', autofocus: true %>
+  <%= submit_tag "Submit" %>
+<% end %>
+
+<% if resource.direct_otp %>
+  <%= link_to "Resend Code", send("resend_code_#{resource_name}_two_factor_authentication_path"), action: :get %>
+<% else %>
+<%= link_to "Send me a code instead", send("resend_code_#{resource_name}_two_factor_authentication_path"), action: :get %>
+<% end %>
+<%= link_to "Sign out", send("destroy_#{resource_name}_session_path"), :method => :delete %>

data/config/locales/de.yml

@@ -0,0 +1,8 @@
+de:
+  devise:
+    two_factor_authentication:
+      success: "Ihre Zwei-Faktor-Authentifizierung war erfolgreich."
+      attempt_failed: "Authentifizierungsversuch fehlgeschlagen."
+      max_login_attempts_reached: "Ihr Zugang wurde ganz verweigert, da Sie Ihr Versuchslimit erreicht haben."
+      contact_administrator: "Kontaktieren Sie bitte einen Ihrer Administratoren."
+      code_has_been_sent: "Ihr Einmal-Passwort wurde verschickt."

data/config/locales/en.yml

@@ -0,0 +1,8 @@
+en:
+  devise:
+    two_factor_authentication:
+      success: "Two factor authentication successful."
+      attempt_failed: "Attempt failed."
+      max_login_attempts_reached: "Access completely denied as you have reached your attempts limit"
+      contact_administrator: "Please contact your system administrator."
+      code_has_been_sent: "Your authentication code has been sent."

data/config/locales/es.yml

@@ -0,0 +1,8 @@
+es:
+  devise:
+    two_factor_authentication:
+      success: "Autenticación multi-factor realizada exitosamente."
+      attempt_failed: "La autenticación ha fallado."
+      max_login_attempts_reached: "Has llegado al límite de intentos fallidos, acceso denegado."
+      contact_administrator: "Contacte a su administrador de sistema."
+      code_has_been_sent: "El código de autenticación ha sido enviado."

data/config/locales/fr.yml

@@ -0,0 +1,8 @@
+fr:
+  devise:
+    two_factor_authentication:
+      success: "Validation en deux étapes effectuée avec succès."
+      attempt_failed: "La connexion a échoué."
+      max_login_attempts_reached: "Limite de tentatives atteinte, accès refusé."
+      contact_administrator: "Merci de contacter votre administrateur système."
+      code_has_been_sent: "Votre code de validation envoyé."

data/config/locales/ru.yml

@@ -0,0 +1,8 @@
+ru:
+  devise:
+    two_factor_authentication:
+      success: "Двухфакторная авторизация успешно пройдена."
+      attempt_failed: "Неверный код."
+      max_login_attempts_reached: "Доступ заблокирован. Превышено число попыток авторизации"
+      contact_administrator: "Пожалуйста, свяжитесь с системным администратором."
+      code_has_been_sent: "Ваш персональный код был отправлен."

data/devise-multi-factor.gemspec

@@ -0,0 +1,40 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "devise_multi_factor/version"
+
+Gem::Specification.new do |s|
+  s.name        = "devise-multi-factor"
+  s.version     = DeviseMultiFactor::VERSION.dup
+  s.authors     = ["Dmitrii Golub", "Alex Santos"]
+  s.email       = ["hello@alexcsantos.com"]
+  s.homepage    = "https://github.com/Colex/devise_multi_factor"
+  s.summary     = %q{Two factor authentication plugin for devise}
+  s.description = <<-EOF
+    ### Features ###
+    * control sms code pattern
+    * configure max login attempts
+    * per user level control if he really need two factor authentication
+    * your own sms logic
+  EOF
+
+  s.rubyforge_project = "devise_multi_factor"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_runtime_dependency 'rails', '>= 3.1.1'
+  s.add_runtime_dependency 'devise'
+  s.add_runtime_dependency 'randexp'
+  s.add_runtime_dependency 'rotp', '>= 4.0.0'
+  s.add_runtime_dependency 'encryptor'
+
+  s.add_development_dependency 'bundler'
+  s.add_development_dependency 'rake'
+  s.add_development_dependency 'rspec-rails', '>= 3.0.1'
+  s.add_development_dependency 'capybara', '~> 2.5'
+  s.add_development_dependency 'pry'
+  s.add_development_dependency 'rubocop'
+  s.add_development_dependency 'timecop'
+end

data/lib/devise-multi-factor.rb

@@ -0,0 +1 @@
+require 'devise_multi_factor'

data/lib/devise_multi_factor.rb

@@ -0,0 +1,56 @@
+require 'devise_multi_factor/version'
+require 'devise'
+require 'active_support/concern'
+require "active_model"
+require "active_support/core_ext/class/attribute_accessors"
+require "cgi"
+
+module Devise
+  mattr_accessor :max_login_attempts
+  @@max_login_attempts = 3
+
+  mattr_accessor :allowed_otp_drift_seconds
+  @@allowed_otp_drift_seconds = 30
+
+  mattr_accessor :otp_issuer
+  @@otp_issuer = nil
+
+  mattr_accessor :otp_length
+  @@otp_length = 6
+
+  mattr_accessor :direct_otp_length
+  @@direct_otp_length = 6
+
+  mattr_accessor :direct_otp_valid_for
+  @@direct_otp_valid_for = 5.minutes
+
+  mattr_accessor :remember_otp_session_for_seconds
+  @@remember_otp_session_for_seconds = 0
+
+  mattr_accessor :otp_secret_encryption_key
+  @@otp_secret_encryption_key = nil
+
+  mattr_accessor :second_factor_resource_id
+  @@second_factor_resource_id = 'id'
+
+  mattr_accessor :delete_cookie_on_logout
+  @@delete_cookie_on_logout = false
+end
+
+module DeviseMultiFactor
+  NEED_AUTHENTICATION = 'need_two_factor_authentication'
+  REMEMBER_TFA_COOKIE_NAME = "remember_tfa"
+
+  autoload :Schema, 'devise_multi_factor/schema'
+  module Controllers
+    autoload :Helpers, 'devise_multi_factor/controllers/helpers'
+  end
+end
+
+Devise.add_module :two_factor_authenticatable, :model => 'devise_multi_factor/models/two_factor_authenticatable', :controller => :two_factor_authentication, :route => :two_factor_authentication
+Devise.add_module :totp_enrollable, model: 'devise_multi_factor/models/totp_enrollable', controller: :totp, route: :totp
+
+require 'devise_multi_factor/orm/active_record' if defined?(ActiveRecord::Base)
+require 'devise_multi_factor/routes'
+require 'devise_multi_factor/models/two_factor_authenticatable'
+require 'devise_multi_factor/rails'

data/lib/devise_multi_factor/controllers/helpers.rb

@@ -0,0 +1,57 @@
+module DeviseMultiFactor
+  module Controllers
+    module Helpers
+      extend ActiveSupport::Concern
+
+      included do
+        before_action :handle_two_factor_authentication
+      end
+
+      private
+
+      def two_factor_authenticate!
+        Devise.mappings.keys.flatten.any? do |scope|
+          if signed_in?(scope) and warden.session(scope)[DeviseMultiFactor::NEED_AUTHENTICATION]
+            handle_failed_second_factor(scope)
+          end
+        end
+      end
+
+      def handle_two_factor_authentication
+        unless devise_controller?
+          two_factor_authenticate!
+        end
+      end
+
+      def handle_failed_second_factor(scope)
+        if request.format.present?
+          if request.format.html?
+            session["#{scope}_return_to"] = request.original_fullpath if request.get?
+            redirect_to two_factor_authentication_path_for(scope)
+          elsif request.format.json?
+            session["#{scope}_return_to"] = root_path(format: :html)
+            render json: { redirect_to: two_factor_authentication_path_for(scope) }, status: :unauthorized
+          end
+        else
+          head :unauthorized
+        end
+      end
+
+      def two_factor_authentication_path_for(resource_or_scope = nil)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        change_path = "#{scope}_two_factor_authentication_path"
+        send(change_path)
+      end
+    end
+  end
+end
+
+module Devise
+  module Controllers
+    module Helpers
+      def is_fully_authenticated?
+        !session["warden.user.user.session"].try(:[], DeviseMultiFactor::NEED_AUTHENTICATION)
+      end
+    end
+  end
+end

data/lib/devise_multi_factor/hooks/two_factor_authenticatable.rb

@@ -0,0 +1,17 @@
+Warden::Manager.after_authentication do |resource, auth, options|
+  if auth.env["action_dispatch.cookies"]
+    expected_cookie_value = "#{resource.class}-#{resource.public_send(Devise.second_factor_resource_id)}"
+    actual_cookie_value = auth.env["action_dispatch.cookies"].signed[DeviseMultiFactor::REMEMBER_TFA_COOKIE_NAME]
+    bypass_by_cookie = actual_cookie_value == expected_cookie_value
+  end
+
+  if resource.respond_to?(:need_two_factor_authentication?) && !bypass_by_cookie
+    if auth.session(options[:scope])[DeviseMultiFactor::NEED_AUTHENTICATION] = resource.need_two_factor_authentication?(auth.request)
+      resource.send_new_otp if resource.send_new_otp_after_login?
+    end
+  end
+end
+
+Warden::Manager.before_logout do |resource, auth, _options|
+  auth.cookies.delete DeviseMultiFactor::REMEMBER_TFA_COOKIE_NAME if Devise.delete_cookie_on_logout
+end

data/lib/devise_multi_factor/models/totp_enrollable.rb

@@ -0,0 +1,7 @@
+module Devise
+  module Models
+    module TotpEnrollable
+      extend ActiveSupport::Concern
+    end
+  end
+end

data/lib/devise_multi_factor/models/two_factor_authenticatable.rb

@@ -0,0 +1,142 @@
+require 'devise_multi_factor/hooks/two_factor_authenticatable'
+require 'rotp'
+
+module Devise
+  module Models
+    module TwoFactorAuthenticatable
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        def has_one_time_password(options = {})
+          include InstanceMethodsOnActivation
+
+          encrypt_options = {
+            key: otp_secret_encryption_key,
+            encrypted_attribute: 'encrypted_otp_secret_key',
+          }.compact
+          encrypt_options = encrypt_options.merge(options[:encrypt]) if options[:encrypt].is_a?(Hash)
+          encrypts(:otp_secret_key, encrypt_options || {})
+        end
+
+        def generate_totp_secret
+          # ROTP gem since version 5 to version 5.1
+          # at version 5.1 ROTP gem reinstates.
+          # Details: https://github.com/mdp/rotp/blob/master/CHANGELOG.md#510
+          ROTP::Base32.try(:random) || ROTP::Base32.random_base32
+        end
+
+        ::Devise::Models.config(
+          self, :max_login_attempts, :allowed_otp_drift_seconds, :otp_issuer, :otp_length,
+          :remember_otp_session_for_seconds, :otp_secret_encryption_key,
+          :direct_otp_length, :direct_otp_valid_for, :totp_timestamp, :delete_cookie_on_logout
+        )
+      end
+
+      module InstanceMethodsOnActivation
+        def authenticate_otp(code, options = {})
+          return true if direct_otp && authenticate_direct_otp(code)
+          return true if totp_enabled? && authenticate_totp(code, options)
+          false
+        end
+
+        def authenticate_direct_otp(code)
+          return false if direct_otp.nil? || direct_otp != code || direct_otp_expired?
+
+          clear_direct_otp
+          true
+        end
+
+        def authenticate_totp(code, options = {})
+          totp_secret = options[:otp_secret_key] || otp_secret_key
+          digits = options[:otp_length] || self.class.otp_length
+          drift = options[:drift] || self.class.allowed_otp_drift_seconds
+          raise "authenticate_totp called with no otp_secret_key set" if totp_secret.nil?
+
+          totp = ROTP::TOTP.new(totp_secret, digits: digits)
+          new_timestamp = totp.verify(
+            without_spaces(code),
+            drift_ahead: drift, drift_behind: drift, after: totp_timestamp
+          )
+          return false unless new_timestamp
+
+          self.totp_timestamp = new_timestamp
+          true
+        end
+
+        def provisioning_uri(account = nil, options = {})
+          totp_secret = options[:otp_secret_key] || otp_secret_key
+          options[:digits] ||= options[:otp_length] || self.class.otp_length
+          raise "provisioning_uri called with no otp_secret_key set" if totp_secret.nil?
+          account ||= email if respond_to?(:email)
+          ROTP::TOTP.new(totp_secret, options).provisioning_uri(account)
+        end
+
+        def enroll_totp!(otp_secret_key, code)
+          return false unless authenticate_totp(code, { otp_secret_key: otp_secret_key })
+
+          update_columns(totp_timestamp: totp_timestamp, otp_secret_key: otp_secret_key)
+        end
+
+        def need_two_factor_authentication?(request)
+          totp_enabled?
+        end
+
+        def send_new_otp(options = {})
+          create_direct_otp options
+          send_two_factor_authentication_code(direct_otp)
+        end
+
+        def send_new_otp_after_login?
+          !totp_enabled?
+        end
+
+        def send_two_factor_authentication_code(code)
+          raise NotImplementedError.new("No default implementation - please define in your class.")
+        end
+
+        def max_login_attempts?
+          second_factor_attempts_count.to_i >= max_login_attempts.to_i
+        end
+
+        def max_login_attempts
+          self.class.max_login_attempts
+        end
+
+        def totp_enabled?
+          respond_to?(:otp_secret_key) && !otp_secret_key.nil?
+        end
+
+        def generate_totp_secret
+          self.class.generate_totp_secret
+        end
+
+        def create_direct_otp(options = {})
+          # Create a new random OTP and store it in the database
+          digits = options[:length] || self.class.direct_otp_length || 6
+          update_columns(
+            direct_otp: random_base10(digits),
+            direct_otp_sent_at: Time.now.utc
+          )
+        end
+
+        private
+
+        def without_spaces(code)
+          code.gsub(/[[:space:]]/, '')
+        end
+
+        def random_base10(digits)
+          SecureRandom.random_number(10**digits).to_s.rjust(digits, '0')
+        end
+
+        def direct_otp_expired?
+          Time.now.utc > direct_otp_sent_at + self.class.direct_otp_valid_for
+        end
+
+        def clear_direct_otp
+          update_columns(direct_otp: nil, direct_otp_sent_at: nil)
+        end
+      end
+    end
+  end
+end