devise-multi-factor 3.1.8 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: aa5e1378455028fe0381e90e77d682e835adc7ca7dafb3bc87f7e17fbe0ed596
-  data.tar.gz: 6972266b9fac6577838115f5f9d45eb6014e3d5c94a5ccce7d962ae942224d0f
+  metadata.gz: b69e7dd9a398b8cfebfd6c3b1e17e4c94603f2097e56a54f78a5f4ce07ce9751
+  data.tar.gz: 76f657bc840dc7b9b3d48fb3fe66876194ba4481e6849aac1b8f28b3a22eae52
 SHA512:
-  metadata.gz: a5e3fdb1eebefe645b3f15a731dc8305959c56ec07efb2c819bbe4d8c48c54b67cf03a38669d99edae8e32e080b31218f8dffd63047988bb32e16f18844f0d35
-  data.tar.gz: d11d1f93a080665f9ff48e1aa14a7319ab4ac05f1a6389e955fe0431776d7bb698d53b274e49b94c75eea8517b8eeba1224146ea44254338529db64b9c1da8ed
+  metadata.gz: f1dc861603dd878a0caddf74a316f7c385e3d103a0049de7cf5d1f2baadb29c7b7c1a1c25fa2c42a865c01eac178d3bd92621a53b278f6ec4f6c1f3fa0ec11d2
+  data.tar.gz: 513a0cb006edb6613a7c3e0af9cf1ab8594ed2841429b09d7b34e538c2a8a2d614f001aa86c1b7a87ef8946afddfdbcae16beda276cd437d8c0ca61fa84b0741

data/app/controllers/devise/totp_controller.rb

@@ -16,11 +16,11 @@ class Devise::TotpController < DeviseController
     if resource.enroll_totp!(@otp_secret, params[:otp_attempt])
       after_two_factor_enroll_success_for(resource)
     else
-      flash.now[:error] = 'The authenticator code provided was invalid!'
-      render_enroll_form
+      flash.now[:error] = I18n.t('devise.totp_setup.invalid_code')
+      render_enroll_form(status: :unprocessable_entity)
     end
   rescue ActiveSupport::MessageVerifier::InvalidSignature
-    redirect_to send("new_#{resource_name}_two_factor_authentication_path"), flash: { error: 'There has been a problem in the configuration process, please try again.' }
+    redirect_to send("new_#{resource_name}_two_factor_authentication_path"), flash: { error: I18n.t('devise.totp_setup.invalid_signature') }
   end
 
   def show
@@ -40,9 +40,9 @@ class Devise::TotpController < DeviseController
       .to_data_url
   end
 
-  def render_enroll_form
+  def render_enroll_form(status: :ok)
     @qr_code = generate_qr_code(@otp_secret)
-    render :new
+    render :new, status: status
   end
 
   def verifier

data/app/controllers/devise/two_factor_authentication_controller.rb

@@ -45,9 +45,11 @@ class Devise::TwoFactorAuthenticationController < DeviseController
     expires_seconds = resource.class.remember_otp_session_for_seconds
 
     if expires_seconds && expires_seconds > 0
+      expires_at = expires_seconds.seconds.from_now
       cookies.signed[DeviseMultiFactor::REMEMBER_TFA_COOKIE_NAME] = {
-          value: "#{resource.class}-#{resource.public_send(Devise.second_factor_resource_id)}",
-          expires: expires_seconds.seconds.from_now
+        value: DeviseMultiFactor::RememberTFACookie.new
+          .generate_cookie_data(resource, expires_at: expires_at),
+        expires: expires_at,
       }
     end
   end

data/config/locales/en.yml

@@ -6,3 +6,6 @@ en:
       max_login_attempts_reached: "Access completely denied as you have reached your attempts limit"
       contact_administrator: "Please contact your system administrator."
       code_has_been_sent: "Your authentication code has been sent."
+    totp_setup:
+      invalid_code: "The authenticator code provided was invalid!"
+      invalid_signature: "There has been a problem in the configuration process, please try again."

data/lib/devise_multi_factor/hooks/two_factor_authenticatable.rb

@@ -1,8 +1,7 @@
 Warden::Manager.after_authentication do |resource, auth, options|
   if auth.env["action_dispatch.cookies"]
-    expected_cookie_value = "#{resource.class}-#{resource.public_send(Devise.second_factor_resource_id)}"
-    actual_cookie_value = auth.env["action_dispatch.cookies"].signed[DeviseMultiFactor::REMEMBER_TFA_COOKIE_NAME]
-    bypass_by_cookie = actual_cookie_value == expected_cookie_value
+    cookie_value = auth.env["action_dispatch.cookies"].signed[DeviseMultiFactor::REMEMBER_TFA_COOKIE_NAME]
+    bypass_by_cookie = DeviseMultiFactor::RememberTFACookie.new.valid_cookie_data?(resource, cookie_value)
   end
 
   if resource.respond_to?(:need_two_factor_authentication?) && !bypass_by_cookie

data/lib/devise_multi_factor/remember_tfa_cookie.rb

@@ -0,0 +1,39 @@
+module DeviseMultiFactor
+  class RememberTFACookie
+
+    def generate_cookie_data(resource, expires_at:)
+      { 'data' => generate_resource_data(resource) }
+        .merge('expires_at' => expires_at)
+        .to_json
+    end
+
+    def valid_cookie_data?(resource, cookie_data)
+      return false if cookie_data.nil?
+
+      parsed_data = JSON.parse(cookie_data)
+      expires_at = parse_time(parsed_data['expires_at'])
+      return false if expires_at.nil? || expires_at < Time.current
+
+      expected_data = generate_resource_data(resource)
+      parsed_data['data'] == expected_data
+    rescue JSON::ParserError
+      false
+    end
+
+    private
+
+    def generate_resource_data(resource)
+      {
+        'resource_name' => resource.class.to_s,
+        'resource_id' => resource.public_send(Devise.second_factor_resource_id),
+        'remember_tfa_token' => resource.try(:remember_tfa_token) || '',
+      }
+    end
+
+    def parse_time(time_str)
+      Time.parse(time_str)
+    rescue StandardError
+      nil
+    end
+  end
+end

data/lib/devise_multi_factor/version.rb

@@ -1,3 +1,3 @@
 module DeviseMultiFactor
-  VERSION = "3.1.8".freeze
+  VERSION = "3.2.0".freeze
 end

data/lib/devise_multi_factor.rb

@@ -52,5 +52,6 @@ Devise.add_module :totp_enrollable, model: 'devise_multi_factor/models/totp_enro
 
 require 'devise_multi_factor/orm/active_record' if defined?(ActiveRecord::Base)
 require 'devise_multi_factor/routes'
+require 'devise_multi_factor/remember_tfa_cookie'
 require 'devise_multi_factor/models/two_factor_authenticatable'
 require 'devise_multi_factor/rails'

data/spec/controllers/two_factor_authentication_controller_spec.rb

@@ -1,7 +1,7 @@
 require 'spec_helper'
 
 describe Devise::TwoFactorAuthenticationController, type: :controller do
-  describe 'is_fully_authenticated? helper' do
+  describe '#is_fully_authenticated?' do
     def post_code(code)
       if Rails::VERSION::MAJOR >= 5
         post :update, params: { code: code }

data/spec/features/two_factor_authenticatable_spec.rb

@@ -1,7 +1,7 @@
 require 'spec_helper'
 include AuthenticatedModelHelper
 
-feature "User of two factor authentication" do
+feature 'User of two factor authentication' do
   context 'sending two factor authentication code via SMS' do
     shared_examples 'sends and authenticates code' do |user, type|
       before do
@@ -48,62 +48,62 @@ feature "User of two factor authentication" do
     it_behaves_like 'sends and authenticates code', create_user, 'encrypted'
   end
 
-  scenario "must be logged in" do
+  scenario 'must be logged in' do
     visit user_two_factor_authentication_path
 
-    expect(page).to have_content("Welcome Home")
-    expect(page).to have_content("You are signed out")
+    expect(page).to have_content('Welcome Home')
+    expect(page).to have_content('You are signed out')
   end
 
-  context "when logged in" do
+  context 'when logged in' do
     let(:user) { create_user }
 
     background do
       login_as user
     end
 
-    scenario "is redirected to TFA when path requires authentication" do
-      visit dashboard_path + "?A=param%20a&B=param%20b"
+    scenario 'is redirected to TFA when path requires authentication' do
+      visit dashboard_path + '?A=param%20a&B=param%20b'
 
-      expect(page).to_not have_content("Your Personal Dashboard")
+      expect(page).to_not have_content('Your Personal Dashboard')
 
-      fill_in "code", with: SMSProvider.last_message.body
-      click_button "Submit"
+      fill_in 'code', with: SMSProvider.last_message.body
+      click_button 'Submit'
 
-      expect(page).to have_content("Your Personal Dashboard")
-      expect(page).to have_content("You are signed in as Marissa")
-      expect(page).to have_content("Param A is param a")
-      expect(page).to have_content("Param B is param b")
+      expect(page).to have_content('Your Personal Dashboard')
+      expect(page).to have_content('You are signed in as Marissa')
+      expect(page).to have_content('Param A is param a')
+      expect(page).to have_content('Param B is param b')
     end
 
-    scenario "is locked out after max failed attempts" do
+    scenario 'is locked out after max failed attempts' do
       visit user_two_factor_authentication_path
 
       max_attempts = User.max_login_attempts
 
       max_attempts.times do
-        fill_in "code", with: "incorrect#{rand(100)}"
-        click_button "Submit"
+        fill_in 'code', with: "incorrect#{rand(100)}"
+        click_button 'Submit'
 
-        within(".flash.alert") do
-          expect(page).to have_content("Attempt failed")
+        within('.flash.alert') do
+          expect(page).to have_content('Attempt failed')
         end
       end
 
-      expect(page).to have_content("Access completely denied")
-      expect(page).to have_content("You are signed out")
+      expect(page).to have_content('Access completely denied')
+      expect(page).to have_content('You are signed out')
     end
 
-    scenario "cannot retry authentication after max attempts" do
+    scenario 'cannot retry authentication after max attempts' do
       user.update_attribute(:second_factor_attempts_count, User.max_login_attempts)
 
       visit user_two_factor_authentication_path
 
-      expect(page).to have_content("Access completely denied")
-      expect(page).to have_content("You are signed out")
+      expect(page).to have_content('Access completely denied')
+      expect(page).to have_content('You are signed out')
     end
 
-    describe "rememberable TFA" do
+    describe 'rememberable TFA' do
       before do
         @original_remember_otp_session_for_seconds = User.remember_otp_session_for_seconds
         User.remember_otp_session_for_seconds = 30.days
@@ -120,11 +120,11 @@ feature "User of two factor authentication" do
 
         login_as user
         visit dashboard_path
-        expect(page).to have_content("Your Personal Dashboard")
-        expect(page).to have_content("You are signed in as Marissa")
+        expect(page).to have_content('Your Personal Dashboard')
+        expect(page).to have_content('You are signed in as Marissa')
       end
 
-      scenario "requires TFA code again after 30 days" do
+      scenario 'requires TFA code again after 30 days' do
         sms_sign_in
 
         logout
@@ -132,8 +132,8 @@ feature "User of two factor authentication" do
         Timecop.travel(30.days.from_now)
         login_as user
         visit dashboard_path
-        expect(page).to have_content("You are signed in as Marissa")
-        expect(page).to have_content("Enter the code that was sent to you")
+        expect(page).to have_content('You are signed in as Marissa')
+        expect(page).to have_content('Enter the code that was sent to you')
       end
 
       scenario 'TFA should be different for different users' do
@@ -172,7 +172,7 @@ feature "User of two factor authentication" do
         set_tfa_cookie(tfa_cookie1)
         login_as(user2)
         visit dashboard_path
-        expect(page).to have_content("Enter the code that was sent to you")
+        expect(page).to have_content('Enter the code that was sent to you')
       end
 
       scenario 'Delete cookie when user logs out if enabled' do
@@ -184,7 +184,7 @@ feature "User of two factor authentication" do
         login_as user
 
         visit dashboard_path
-        expect(page).to have_content("Enter the code that was sent to you")
+        expect(page).to have_content('Enter the code that was sent to you')
       end
     end
 

data/spec/lib/devise_multi_factor/tfa_remember_cookie_spec.rb

@@ -0,0 +1,135 @@
+require 'spec_helper'
+
+class MockUser
+  def id
+    15
+  end
+end
+
+class MockUserWithRememberTFAToken
+  def id
+    45
+  end
+
+  def remember_tfa_token
+    'generated_token'
+  end
+end
+
+describe DeviseMultiFactor::RememberTFACookie do
+  subject(:remember_tfa_cookie) { described_class.new }
+
+  describe '#generate_cookie_data' do
+    describe 'when resource does not define remember_tfa_token method' do
+      let(:resource) { MockUser.new }
+
+      it 'returns cookie value with expiration date' do
+        result = remember_tfa_cookie.generate_cookie_data(
+          resource,
+          expires_at: Time.utc(2022, 1, 17, 19, 28, 0),
+        )
+
+        expect(JSON.parse(result)).to eql(
+          'data' => {
+            'resource_name' => 'MockUser',
+            'resource_id' => 15,
+            'remember_tfa_token' => '',
+          },
+          'expires_at' => '2022-01-17T19:28:00.000Z',
+        )
+      end
+    end
+
+    describe 'when resource defines remember_tfa_token method' do
+      let(:resource) { MockUserWithRememberTFAToken.new }
+
+      it 'returns cookie value with expiration date and tfa remember token' do
+        result = remember_tfa_cookie.generate_cookie_data(
+          resource,
+          expires_at: Time.utc(2022, 1, 17, 19, 28, 0),
+        )
+
+        expect(JSON.parse(result)).to eql(
+          'data' => {
+            'resource_name' => 'MockUserWithRememberTFAToken',
+            'resource_id' => 45,
+            'remember_tfa_token' => 'generated_token',
+          },
+          'expires_at' => '2022-01-17T19:28:00.000Z',
+        )
+      end
+    end
+  end
+
+  describe '#valid_cookie_data?' do
+    let(:cookie_data) do
+      {
+        'data' => {
+          'resource_name' => resource_name,
+          'resource_id' => resource_id,
+          'remember_tfa_token' => remember_tfa_token,
+        },
+        'expires_at' => '2022-01-17T19:28:00.000Z',
+      }.to_json
+    end
+    let(:resource_name) { 'MockUserWithRememberTFAToken' }
+    let(:resource_id) { 45 }
+    let(:remember_tfa_token) { 'generated_token' }
+    let(:resource) { MockUserWithRememberTFAToken.new }
+
+    describe 'when cookie data has expired' do
+      it 'returns false' do
+        Timecop.freeze(Time.utc(2022, 1, 17, 19, 29, 0)) do
+          result = remember_tfa_cookie.valid_cookie_data?(resource, cookie_data)
+          expect(result).to be(false)
+        end
+      end
+    end
+
+    describe 'when cookie data has not expired' do
+      let(:date_before_expiration) { Time.utc(2022, 1, 17, 19, 27, 0) }
+
+      describe 'when resource class does not match' do
+        let(:resource_name) { 'MockUser' }
+
+        it 'returns false' do
+          Timecop.freeze(date_before_expiration) do
+            result = remember_tfa_cookie.valid_cookie_data?(resource, cookie_data)
+            expect(result).to be(false)
+          end
+        end
+      end
+
+      describe 'when resource id does not match' do
+        let(:resource_id) { 46 }
+
+        it 'returns false' do
+          Timecop.freeze(date_before_expiration) do
+            result = remember_tfa_cookie.valid_cookie_data?(resource, cookie_data)
+            expect(result).to be(false)
+          end
+        end
+      end
+
+      describe 'when remember tfa token does not match' do
+        let(:remember_tfa_token) { '' }
+
+        it 'returns false' do
+          Timecop.freeze(date_before_expiration) do
+            result = remember_tfa_cookie.valid_cookie_data?(resource, cookie_data)
+            expect(result).to be(false)
+          end
+        end
+      end
+
+      describe 'when all cookie data matches' do
+        it 'returns true' do
+          Timecop.freeze(date_before_expiration) do
+            result = remember_tfa_cookie.valid_cookie_data?(resource, cookie_data)
+            expect(result).to be(true)
+          end
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise-multi-factor
 version: !ruby/object:Gem::Version
-  version: 3.1.8
+  version: 3.2.0
 platform: ruby
 authors:
 - Dmitrii Golub
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-25 00:00:00.000000000 Z
+date: 2022-01-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -220,6 +220,7 @@ files:
 - lib/devise_multi_factor/models/two_factor_authenticatable.rb
 - lib/devise_multi_factor/orm/active_record.rb
 - lib/devise_multi_factor/rails.rb
+- lib/devise_multi_factor/remember_tfa_cookie.rb
 - lib/devise_multi_factor/routes.rb
 - lib/devise_multi_factor/schema.rb
 - lib/devise_multi_factor/version.rb
@@ -230,6 +231,7 @@ files:
 - spec/features/two_factor_authenticatable_spec.rb
 - spec/generators/active_record/devise_multi_factor_generator_spec.rb
 - spec/lib/devise_multi_factor/models/two_factor_authenticatable_spec.rb
+- spec/lib/devise_multi_factor/tfa_remember_cookie_spec.rb
 - spec/rails_app/.gitignore
 - spec/rails_app/README.md
 - spec/rails_app/Rakefile
@@ -308,7 +310,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: Two factor authentication plugin for devise