devise-multi-factor 3.1.5

data/lib/devise_multi_factor/orm/active_record.rb

@@ -0,0 +1,14 @@
+require "active_record"
+
+module DeviseMultiFactor
+  module Orm
+    module ActiveRecord
+      module Schema
+        include DeviseMultiFactor::Schema
+      end
+    end
+  end
+end
+
+ActiveRecord::ConnectionAdapters::Table.send :include, DeviseMultiFactor::Orm::ActiveRecord::Schema
+ActiveRecord::ConnectionAdapters::TableDefinition.send :include, DeviseMultiFactor::Orm::ActiveRecord::Schema

data/lib/devise_multi_factor/rails.rb

@@ -0,0 +1,7 @@
+module DeviseMultiFactor
+  class Engine < ::Rails::Engine
+    ActiveSupport.on_load(:action_controller) do
+      include DeviseMultiFactor::Controllers::Helpers
+    end
+  end
+end

data/lib/devise_multi_factor/routes.rb

@@ -0,0 +1,15 @@
+module ActionDispatch::Routing
+  class Mapper
+    protected
+
+    def devise_two_factor_authentication(mapping, controllers)
+      resource :two_factor_authentication, only: [:show, :update, :resend_code], path: mapping.path_names[:two_factor_authentication], controller: controllers[:two_factor_authentication] do
+        collection { get 'resend_code' }
+      end
+    end
+
+    def devise_totp(mapping, controllers)
+      resource :totp, only: [:new, :create, :show, :destroy], path: mapping.path_names[:totp], controller: controllers[:totp]
+    end
+  end
+end

data/lib/devise_multi_factor/schema.rb

@@ -0,0 +1,23 @@
+module DeviseMultiFactor
+  module Schema
+    def second_factor_attempts_count
+      apply_devise_schema :second_factor_attempts_count, Integer, :default => 0
+    end
+
+    def encrypted_otp_secret_key
+      apply_devise_schema :encrypted_otp_secret_key, String
+    end
+
+    def direct_otp
+      apply_devise_schema :direct_otp, String
+    end
+
+    def direct_otp_sent_at
+      apply_devise_schema :direct_otp_sent_at, DateTime
+    end
+
+    def totp_timestamp
+      apply_devise_schema :totp_timestamp, Integer
+    end
+  end
+end

data/lib/devise_multi_factor/version.rb

@@ -0,0 +1,3 @@
+module DeviseMultiFactor
+  VERSION = "3.1.5".freeze
+end

data/lib/generators/active_record/devise_multi_factor_generator.rb

@@ -0,0 +1,13 @@
+require 'rails/generators/active_record'
+
+module ActiveRecord
+  module Generators
+    class DeviseMultiFactorGenerator < ActiveRecord::Generators::Base
+      source_root File.expand_path("../templates", __FILE__)
+
+      def copy_devise_multi_factor_migration
+        migration_template "migration.rb", "db/migrate/devise_multi_factor_add_to_#{table_name}.rb"
+      end
+    end
+  end
+end

data/lib/generators/active_record/templates/migration.rb

@@ -0,0 +1,11 @@
+class DeviseMultiFactorAddTo<%= table_name.camelize %> < ActiveRecord::Migration[6.1]
+  def change
+    change_table :<%= table_name %>, bulk: true do |t|
+      t.integer :second_factor_attempts_count, default: 0, null: false
+      t.string :encrypted_otp_secret_key
+      t.string :direct_otp
+      t.datetime :direct_otp_sent_at
+      t.integer :totp_timestamp
+    end
+  end
+end

data/lib/generators/devise_multi_factor/devise_multi_factor_generator.rb

@@ -0,0 +1,17 @@
+module TwoFactorAuthenticatable
+  module Generators
+    class DeviseMultiFactorGenerator < Rails::Generators::NamedBase
+      namespace "devise_multi_factor"
+
+      desc "Adds :two_factor_authenticable directive in the given model. It also generates an active record migration."
+
+      def inject_devise_multi_factor_content
+        path = File.join("app", "models", "#{file_path}.rb")
+        inject_into_file(path, "two_factor_authenticatable, :", :after => "devise :") if File.exists?(path)
+        inject_into_file(path, "totp_enrollable, :", :after => "devise :") if File.exists?(path)
+      end
+
+      hook_for :orm
+    end
+  end
+end

data/spec/controllers/two_factor_authentication_controller_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe Devise::TwoFactorAuthenticationController, type: :controller do
+  describe 'is_fully_authenticated? helper' do
+    def post_code(code)
+      if Rails::VERSION::MAJOR >= 5
+        post :update, params: { code: code }
+      else
+        post :update, code: code
+      end
+    end
+
+    before do
+      sign_in
+    end
+
+    context 'after user enters valid OTP code' do
+      it 'returns true' do
+        controller.current_user.send_new_otp
+        post_code controller.current_user.direct_otp
+        expect(subject.is_fully_authenticated?).to eq true
+      end
+    end
+
+    context 'when user has not entered any OTP yet' do
+      it 'returns false' do
+        get :show
+
+        expect(subject.is_fully_authenticated?).to eq false
+      end
+    end
+
+    context 'when user enters an invalid OTP' do
+      it 'returns false' do
+        post_code '12345'
+
+        expect(subject.is_fully_authenticated?).to eq false
+      end
+    end
+  end
+end

data/spec/features/two_factor_authenticatable_spec.rb

@@ -0,0 +1,237 @@
+require 'spec_helper'
+include AuthenticatedModelHelper
+
+feature "User of two factor authentication" do
+  context 'sending two factor authentication code via SMS' do
+    shared_examples 'sends and authenticates code' do |user, type|
+      before do
+        user.reload
+        if type == 'encrypted'
+          allow(User).to receive(:has_one_time_password)
+        end
+      end
+
+      it 'does not send an SMS before the user has signed in' do
+        expect(SMSProvider.messages).to be_empty
+      end
+
+      it 'sends code via SMS after sign in' do
+        visit new_user_session_path
+        complete_sign_in_form_for(user)
+
+        expect(page).to have_content 'Enter the code that was sent to you'
+
+        expect(SMSProvider.messages.size).to eq(1)
+        message = SMSProvider.last_message
+        expect(message.to).to eq(user.phone_number)
+        expect(message.body).to eq(user.reload.direct_otp)
+      end
+
+      it 'authenticates a valid OTP code' do
+        visit new_user_session_path
+        complete_sign_in_form_for(user)
+
+        expect(page).to have_content('You are signed in as Marissa')
+
+        fill_in 'code', with: SMSProvider.last_message.body
+        click_button 'Submit'
+
+        within('.flash.notice') do
+          expect(page).to have_content('Two factor authentication successful.')
+        end
+
+        expect(current_path).to eq root_path
+      end
+    end
+
+    it_behaves_like 'sends and authenticates code', create_user('not_encrypted')
+    it_behaves_like 'sends and authenticates code', create_user, 'encrypted'
+  end
+
+  scenario "must be logged in" do
+    visit user_two_factor_authentication_path
+
+    expect(page).to have_content("Welcome Home")
+    expect(page).to have_content("You are signed out")
+  end
+
+  context "when logged in" do
+    let(:user) { create_user }
+
+    background do
+      login_as user
+    end
+
+    scenario "is redirected to TFA when path requires authentication" do
+      visit dashboard_path + "?A=param%20a&B=param%20b"
+
+      expect(page).to_not have_content("Your Personal Dashboard")
+
+      fill_in "code", with: SMSProvider.last_message.body
+      click_button "Submit"
+
+      expect(page).to have_content("Your Personal Dashboard")
+      expect(page).to have_content("You are signed in as Marissa")
+      expect(page).to have_content("Param A is param a")
+      expect(page).to have_content("Param B is param b")
+    end
+
+    scenario "is locked out after max failed attempts" do
+      visit user_two_factor_authentication_path
+
+      max_attempts = User.max_login_attempts
+
+      max_attempts.times do
+        fill_in "code", with: "incorrect#{rand(100)}"
+        click_button "Submit"
+
+        within(".flash.alert") do
+          expect(page).to have_content("Attempt failed")
+        end
+      end
+
+      expect(page).to have_content("Access completely denied")
+      expect(page).to have_content("You are signed out")
+    end
+
+    scenario "cannot retry authentication after max attempts" do
+      user.update_attribute(:second_factor_attempts_count, User.max_login_attempts)
+
+      visit user_two_factor_authentication_path
+
+      expect(page).to have_content("Access completely denied")
+      expect(page).to have_content("You are signed out")
+    end
+
+    describe "rememberable TFA" do
+      before do
+        @original_remember_otp_session_for_seconds = User.remember_otp_session_for_seconds
+        User.remember_otp_session_for_seconds = 30.days
+      end
+
+      after do
+        User.remember_otp_session_for_seconds = @original_remember_otp_session_for_seconds
+      end
+
+      scenario "doesn't require TFA code again within 30 days" do
+        sms_sign_in
+
+        logout
+
+        login_as user
+        visit dashboard_path
+        expect(page).to have_content("Your Personal Dashboard")
+        expect(page).to have_content("You are signed in as Marissa")
+      end
+
+      scenario "requires TFA code again after 30 days" do
+        sms_sign_in
+
+        logout
+
+        Timecop.travel(30.days.from_now)
+        login_as user
+        visit dashboard_path
+        expect(page).to have_content("You are signed in as Marissa")
+        expect(page).to have_content("Enter the code that was sent to you")
+      end
+
+      scenario 'TFA should be different for different users' do
+        sms_sign_in
+
+        tfa_cookie1 = get_tfa_cookie()
+
+        logout
+        reset_session!
+
+        user2 = create_user()
+        login_as(user2)
+        sms_sign_in
+
+        tfa_cookie2 = get_tfa_cookie()
+
+        expect(tfa_cookie1).not_to eq tfa_cookie2
+      end
+
+      def sms_sign_in
+        SMSProvider.messages.clear()
+        visit user_two_factor_authentication_path
+        fill_in 'code', with: SMSProvider.last_message.body
+        click_button 'Submit'
+      end
+
+      scenario 'TFA should be unique for specific user' do
+        sms_sign_in
+
+        tfa_cookie1 = get_tfa_cookie()
+
+        logout
+        reset_session!
+
+        user2 = create_user()
+        set_tfa_cookie(tfa_cookie1)
+        login_as(user2)
+        visit dashboard_path
+        expect(page).to have_content("Enter the code that was sent to you")
+      end
+
+      scenario 'Delete cookie when user logs out if enabled' do
+        user.class.delete_cookie_on_logout = true
+
+        login_as user
+        logout
+
+        login_as user
+
+        visit dashboard_path
+        expect(page).to have_content("Enter the code that was sent to you")
+      end
+    end
+
+    it 'sets the warden session need_two_factor_authentication key to true' do
+      session_hash = { 'need_two_factor_authentication' => true }
+
+      expect(page.get_rack_session_key('warden.user.user.session')).to eq session_hash
+    end
+  end
+
+  describe 'signing in' do
+    let(:user) { create_user }
+    let(:admin) { create_admin }
+
+    scenario 'user signs is' do
+      visit new_user_session_path
+      complete_sign_in_form_for(user)
+
+      expect(page).to have_content('Signed in successfully.')
+    end
+
+    scenario 'admin signs in' do
+      visit new_admin_session_path
+      complete_sign_in_form_for(admin)
+
+      expect(page).to have_content('Signed in successfully.')
+    end
+  end
+
+  describe 'signing out' do
+    let(:user) { create_user }
+    let(:admin) { create_admin }
+
+    scenario 'user signs out' do
+      visit new_user_session_path
+      complete_sign_in_form_for(user)
+      visit destroy_user_session_path
+
+      expect(page).to have_content('Signed out successfully.')
+    end
+
+    scenario 'admin signs out' do
+      visit new_admin_session_path
+      complete_sign_in_form_for(admin)
+      visit destroy_admin_session_path
+
+      expect(page).to have_content('Signed out successfully.')
+    end
+  end
+end

data/spec/generators/active_record/devise_multi_factor_generator_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper'
+
+require 'generators/active_record/devise_multi_factor_generator'
+
+describe ActiveRecord::Generators::DeviseMultiFactorGenerator, type: :generator do
+  destination File.expand_path('../../../../../tmp', __FILE__)
+
+  before do
+    prepare_destination
+  end
+
+  it 'runs all methods in the generator' do
+    gen = generator %w(users)
+    expect(gen).to receive(:copy_devise_multi_factor_migration)
+    gen.invoke_all
+  end
+
+  describe 'the generated files' do
+    before do
+      run_generator %w(users)
+    end
+
+    describe 'the migration' do
+      subject { migration_file('db/migrate/devise_multi_factor_add_to_users.rb') }
+
+      it { is_expected.to exist }
+      it { is_expected.to be_a_migration }
+      it { is_expected.to contain /def change/ }
+      it { is_expected.to contain /def change_table :user, bulk: true do |t|/ }
+      it { is_expected.to contain /t.integer :second_factor_attempts_count, default: 0, null: false/ }
+      it { is_expected.to contain /t.string :encrypted_otp_secret_key/ }
+    end
+  end
+end

data/spec/lib/devise_multi_factor/models/two_factor_authenticatable_spec.rb

@@ -0,0 +1,282 @@
+require 'spec_helper'
+include AuthenticatedModelHelper
+
+describe Devise::Models::TwoFactorAuthenticatable do
+  describe '#create_direct_otp' do
+    let(:instance) { build_guest_user }
+
+    it 'set direct_otp field' do
+      expect(instance.direct_otp).to be_nil
+      instance.create_direct_otp
+      expect(instance.direct_otp).not_to be_nil
+    end
+
+    it 'set direct_otp_send_at field to current time' do
+      Timecop.freeze() do
+        instance.create_direct_otp
+        expect(instance.direct_otp_sent_at).to eq(Time.now)
+      end
+    end
+
+    it 'honors .direct_otp_length' do
+      expect(instance.class).to receive(:direct_otp_length).and_return(10)
+      instance.create_direct_otp
+      expect(instance.direct_otp.length).to equal(10)
+
+      expect(instance.class).to receive(:direct_otp_length).and_return(6)
+      instance.create_direct_otp
+      expect(instance.direct_otp.length).to equal(6)
+    end
+
+    it "honors 'direct_otp_length' in options paramater" do
+      instance.create_direct_otp(length: 8)
+      expect(instance.direct_otp.length).to equal(8)
+      instance.create_direct_otp(length: 10)
+      expect(instance.direct_otp.length).to equal(10)
+    end
+  end
+
+  describe '#authenticate_direct_otp' do
+    let(:instance) { build_guest_user }
+    it 'fails if no direct_otp has been set' do
+      expect(instance.authenticate_direct_otp('12345')).to eq(false)
+    end
+
+    context 'after generating an OTP' do
+      before :each do
+        instance.create_direct_otp
+      end
+
+      it 'accepts correct OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for - 1.second)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(true)
+      end
+
+      it 'rejects invalid OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for - 1.second)
+        expect(instance.authenticate_direct_otp('12340')).to eq(false)
+      end
+
+      it 'rejects expired OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for + 1.second)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(false)
+      end
+
+      it 'prevents code re-use' do
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(true)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(false)
+      end
+    end
+  end
+
+  describe '#authenticate_totp' do
+    shared_examples 'authenticate_totp' do |instance|
+      before :each do
+        instance.otp_secret_key = '2z6hxkdwi3uvrnpn'
+        instance.totp_timestamp = nil
+        @totp_helper = TotpHelper.new(instance.otp_secret_key, instance.class.otp_length)
+      end
+
+      def do_invoke(code, user)
+        user.authenticate_totp(code)
+      end
+
+      it 'authenticates a recently created code' do
+        code = @totp_helper.totp_code
+        expect(do_invoke(code, instance)).to eq(true)
+      end
+
+      it 'authenticates a code entered with a space' do
+        code = @totp_helper.totp_code.insert(3, ' ')
+        expect(do_invoke(code, instance)).to eq(true)
+      end
+
+      it 'does not authenticate an old code' do
+        code = @totp_helper.totp_code(1.minutes.ago.to_i)
+        expect(do_invoke(code, instance)).to eq(false)
+      end
+
+      it 'prevents code reuse' do
+        code = @totp_helper.totp_code
+        expect(do_invoke(code, instance)).to eq(true)
+        expect(do_invoke(code, instance)).to eq(false)
+      end
+    end
+
+    it_behaves_like 'authenticate_totp', GuestUser.new
+    it_behaves_like 'authenticate_totp', EncryptedUser.new
+  end
+
+  describe '#send_two_factor_authentication_code' do
+    let(:instance) { build_guest_user }
+
+    it 'raises an error by default' do
+      expect { instance.send_two_factor_authentication_code(123) }.
+        to raise_error(NotImplementedError)
+    end
+
+    it 'is overrideable' do
+      def instance.send_two_factor_authentication_code(code)
+        'Code sent'
+      end
+      expect(instance.send_two_factor_authentication_code(123)).to eq('Code sent')
+    end
+  end
+
+  describe '#provisioning_uri' do
+
+    shared_examples 'provisioning_uri' do |instance|
+      it 'fails until generate_totp_secret is called' do
+        expect { instance.provisioning_uri }.to raise_error(Exception)
+      end
+
+      describe 'with secret set' do
+        before do
+          instance.email = 'houdini@example.com'
+          instance.otp_secret_key = instance.generate_totp_secret
+        end
+
+        it "returns uri with user's email" do
+          expect(instance.provisioning_uri).
+            to match(%r{otpauth://totp/houdini%40example.com\?secret=\w{32}})
+        end
+
+        it 'returns uri with issuer option' do
+          expect(instance.provisioning_uri('houdini')).
+            to match(%r{otpauth://totp/houdini\?secret=\w{32}$})
+        end
+
+        it 'returns uri with issuer option' do
+          require 'cgi'
+          uri = URI.parse(instance.provisioning_uri('houdini', issuer: 'Magic'))
+          params = CGI.parse(uri.query)
+
+          expect(uri.scheme).to eq('otpauth')
+          expect(uri.host).to eq('totp')
+          expect(uri.path).to eq('/Magic:houdini')
+          expect(params['issuer'].shift).to eq('Magic')
+          expect(params['secret'].shift).to match(/\w{32}/)
+        end
+      end
+    end
+
+    it_behaves_like 'provisioning_uri', GuestUser.new
+    it_behaves_like 'provisioning_uri', EncryptedUser.new
+  end
+
+  describe '#generate_totp_secret' do
+    shared_examples 'generate_totp_secret' do |klass|
+      let(:instance) { klass.new }
+
+      it 'returns a 32 character string' do
+        secret = instance.generate_totp_secret
+
+        expect(secret).to match(/\w{32}/)
+      end
+    end
+
+    it_behaves_like 'generate_totp_secret', GuestUser
+    it_behaves_like 'generate_totp_secret', EncryptedUser
+  end
+
+  describe '#enroll_totp!' do
+    shared_examples 'enroll_totp!' do |klass|
+      let(:instance) { klass.new }
+      let(:secret) { instance.generate_totp_secret }
+      let(:totp_helper) { TotpHelper.new(secret, instance.class.otp_length) }
+
+      describe 'when given correct code' do
+        it 'populates otp_secret_key column' do
+          instance.enroll_totp!(secret, totp_helper.totp_code)
+
+          expect(instance.otp_secret_key).to match(secret)
+        end
+
+        it 'updates the encrypted_otp_secret_key and otp totp_timestamp' do
+          allow(instance).to receive(:update_columns).and_return(true)
+          allow_any_instance_of(ROTP::TOTP).to receive(:verify).and_return(15445051)
+
+          instance.enroll_totp!(secret, totp_helper.totp_code)
+
+          expect(instance).to have_received(:update_columns)
+            .with(totp_timestamp: 15445051, otp_secret_key: secret)
+        end
+
+        it 'returns true' do
+          expect(instance.enroll_totp!(secret, totp_helper.totp_code)).to be true
+        end
+      end
+
+      describe 'when given incorrect code' do
+        it 'does not populate otp_secret_key' do
+          instance.enroll_totp!(secret, '123')
+          expect(instance.otp_secret_key).to be_nil
+        end
+
+        it 'returns false' do
+          expect(instance.enroll_totp!(secret, '123')).to be false
+        end
+      end
+    end
+
+    it_behaves_like 'enroll_totp!', GuestUser
+    it_behaves_like 'enroll_totp!', EncryptedUser
+  end
+
+  describe '#max_login_attempts' do
+    let(:instance) { build_guest_user }
+
+    before do
+      @original_max_login_attempts = GuestUser.max_login_attempts
+      GuestUser.max_login_attempts = 3
+    end
+
+    after { GuestUser.max_login_attempts = @original_max_login_attempts }
+
+    it 'returns class setting' do
+      expect(instance.max_login_attempts).to eq(3)
+    end
+
+    it 'returns false as boolean' do
+      instance.second_factor_attempts_count = nil
+      expect(instance.max_login_attempts?).to be_falsey
+      instance.second_factor_attempts_count = 0
+      expect(instance.max_login_attempts?).to be_falsey
+      instance.second_factor_attempts_count = 1
+      expect(instance.max_login_attempts?).to be_falsey
+      instance.second_factor_attempts_count = 2
+      expect(instance.max_login_attempts?).to be_falsey
+    end
+
+    it 'returns true as boolean after too many attempts' do
+      instance.second_factor_attempts_count = 3
+      expect(instance.max_login_attempts?).to be_truthy
+      instance.second_factor_attempts_count = 4
+      expect(instance.max_login_attempts?).to be_truthy
+    end
+  end
+
+  describe '.has_one_time_password' do
+    context 'when encrypted: true option is passed' do
+      let(:instance) { EncryptedUser.new }
+
+      it 'encrypts otp_secret_key' do
+        instance.otp_secret_key = '2z6hxkdwi3uvrnpn'
+
+        expect(instance.encrypted_otp_secret_key).to match(/.{44}/)
+      end
+
+      it 'does not encrypt a nil otp_secret_key' do
+        instance.otp_secret_key = nil
+
+        expect(instance.encrypted_otp_secret_key).to be_nil
+      end
+
+      it 'does not encrypt an empty otp_secret_key' do
+        instance.otp_secret_key = ''
+
+        expect(instance.encrypted_otp_secret_key).to eq ''
+      end
+    end
+  end
+end