devise-otp-rails5 0.2.4

data/app/controllers/devise_otp/credentials_controller.rb

@@ -0,0 +1,106 @@
+class DeviseOtp::CredentialsController < DeviseController
+  helper_method :new_session_path
+
+  prepend_before_action :authenticate_scope!, :only => [:get_refresh, :set_refresh]
+  prepend_before_action :require_no_authentication, :only => [ :show, :update ]
+
+  #
+  # show a request for the OTP token
+  #
+  def show
+    @challenge = params[:challenge]
+    @recovery =  (params[:recovery] == 'true') && recovery_enabled?
+
+    if @challenge.nil?
+      redirect_to :root
+
+    else
+      self.resource = resource_class.find_valid_otp_challenge(@challenge)
+      if resource.nil?
+        redirect_to :root
+      elsif @recovery
+        @recovery_count = resource.otp_recovery_counter
+        render :show
+      else
+        render :show
+      end
+    end
+  end
+
+  #
+  # signs the resource in, if the OTP token is valid and the user has a valid challenge
+  #
+  def update
+
+    resource = resource_class.find_valid_otp_challenge(params[resource_name][:challenge])
+    recovery = (params[resource_name][:recovery] == 'true') && recovery_enabled?
+    token = params[resource_name][:token]
+
+    if token.blank?
+      otp_set_flash_message(:alert, :token_blank)
+      redirect_to otp_credential_path_for(resource_name, :challenge => params[resource_name][:challenge],
+                                                         :recovery => recovery)
+    elsif resource.nil?
+      otp_set_flash_message(:alert, :otp_session_invalid)
+      redirect_to new_session_path(resource_name)
+    else
+      if resource.otp_challenge_valid? && resource.validate_otp_token(params[resource_name][:token], recovery)
+        set_flash_message(:success, :signed_in) if is_navigational_format?
+        sign_in(resource_name, resource)
+
+        otp_refresh_credentials_for(resource)
+        respond_with resource, :location => after_sign_in_path_for(resource)
+      else
+        otp_set_flash_message :alert, :token_invalid
+        redirect_to new_session_path(resource_name)
+      end
+    end
+  end
+
+
+  #
+  # displays the request for a credentials refresh
+  #
+  def get_refresh
+    ensure_resource!
+    render :refresh
+  end
+
+  #
+  # lets the user through is the refresh is valid
+  #
+  def set_refresh
+
+    ensure_resource!
+    # I am sure there's a much better way
+    if resource.valid_password?(params[resource_name][:refresh_password])
+      if resource.otp_enabled?
+        if resource.validate_otp_token(params[resource_name][:token])
+          done_valid_refresh
+        else
+          failed_refresh
+        end
+      else
+        done_valid_refresh
+      end
+    else
+      failed_refresh
+    end
+  end
+
+
+  private
+
+  def done_valid_refresh
+    otp_refresh_credentials_for(resource)
+    otp_set_flash_message :success, :valid_refresh if is_navigational_format?
+
+    respond_with resource, :location => otp_fetch_refresh_return_url
+  end
+
+  def failed_refresh
+    otp_set_flash_message :alert, :invalid_refresh
+    render :refresh
+  end
+
+end

data/app/controllers/devise_otp/tokens_controller.rb

@@ -0,0 +1,111 @@
+class DeviseOtp::TokensController < DeviseController
+  include Devise::Controllers::Helpers
+
+  prepend_before_action :ensure_credentials_refresh
+  prepend_before_action :authenticate_scope!
+
+  protect_from_forgery :except => [:clear_persistence, :delete_persistence]
+
+  #
+  # Displays the status of OTP authentication
+  #
+  def show
+   if resource.nil?
+      redirect_to stored_location_for(scope) || :root
+    else
+      render :show
+    end
+  end
+
+  #
+  # Updates the status of OTP authentication
+  #
+  def update
+
+    enabled =  (params[resource_name][:otp_enabled] == '1')
+    if (enabled ? resource.enable_otp! : resource.disable_otp!)
+
+      otp_set_flash_message :success, :successfully_updated
+    end
+    render :show
+  end
+
+  #
+  # Resets OTP authentication, generates new credentials, sets it to off
+  #
+  def destroy
+
+    if resource.reset_otp_credentials!
+      otp_set_flash_message :success, :successfully_reset_creds
+    end
+    render :show
+  end
+
+
+  #
+  # makes the current browser persistent
+  #
+  def get_persistence
+
+
+    if otp_set_trusted_device_for(resource)
+      otp_set_flash_message :success, :successfully_set_persistence
+    end
+    redirect_to :action => :show
+  end
+
+
+  #
+  # clears persistence for the current browser
+  #
+  def clear_persistence
+    if otp_clear_trusted_device_for(resource)
+      otp_set_flash_message :success, :successfully_cleared_persistence
+    end
+
+    redirect_to :action => :show
+  end
+
+
+  #
+  # rehash the persistence secret, thus, making all the persistence cookies invalid
+  #
+  def delete_persistence
+    if otp_reset_persistence_for(resource)
+      otp_set_flash_message :notice, :successfully_reset_persistence
+    end
+
+    redirect_to :action => :show
+  end
+
+  #
+  #
+  #
+  def recovery
+    respond_to do |format|
+      format.html
+      format.js
+      format.text do
+        send_data render_to_string(template: "devise_otp/tokens/recovery_codes.text.erb"), filename: "recovery-codes.txt"
+      end
+    end
+  end
+
+
+  private
+
+  def ensure_credentials_refresh
+
+    ensure_resource!
+    if needs_credentials_refresh?(resource)
+      otp_set_flash_message :notice, :need_to_refresh_credentials
+      redirect_to refresh_otp_credential_path_for(resource)
+    end
+  end
+
+  def scope
+    resource_name.to_sym
+  end
+
+
+end

data/app/views/devise_otp/credentials/refresh.html.erb

@@ -0,0 +1,20 @@
+<h2><%= I18n.t('title', {:scope => 'devise.otp.credentials_refresh'}) %></h2>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.credentials_refresh'}) %></p>
+
+<%= form_for(resource, :as => resource_name, :url => [:refresh, resource_name, :otp_credential], :html => { :method => :put }) do |f| %>
+
+  <%= devise_error_messages! %>
+
+    <div><%= f.label :email %><br />
+    <%= f.text_field :email, :disabled => :true%></div>
+
+    <div><%= f.label :password %><br />
+	<%= f.password_field :refresh_password, :autocomplete => :off, :autofocus => true %></div>
+
+  <%- if resource.otp_enabled? %>
+    <div><%= f.label :token, I18n.t(:token, {:scope => 'devise.otp.credentials_refresh'}) %></p><br />
+    <%= f.password_field :token, :autocomplete => :off%></div>
+  <% end %>
+
+	<div><%= f.submit I18n.t(:go_on, {:scope => 'devise.otp.credentials_refresh'}) %></div>
+<% end %>

data/app/views/devise_otp/credentials/show.html.erb

@@ -0,0 +1,23 @@
+<h2><%= I18n.t('title', {:scope => 'devise.otp.submit_token'}) %></h2>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.submit_token'}) %></p>
+
+<%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_credential], :html => { :method => :put }) do |f| %>
+
+	<%= f.hidden_field :challenge, {:value => @challenge} %>
+	<%= f.hidden_field :recovery, {:value => @recovery} %>
+
+  <%- if @recovery %>
+    <p><%= f.label :token, I18n.t('recovery_prompt', {:scope => 'devise.otp.submit_token'}) %><br />
+        <%= f.text_field :otp_recovery_counter, :autocomplete => :off, :disabled => true, :size => 4 %>
+        <% else %>
+            <p><%= f.label :token, I18n.t('prompt', {:scope => 'devise.otp.submit_token'}) %><br />
+        <% end %>
+
+        <%= f.text_field :token, :autocomplete => :off, :autofocus => true, :size => 6, :value => '' %>
+    </p>
+
+	<p><%= f.submit I18n.t('submit', {:scope => 'devise.otp.submit_token'}) %></p>
+    <%- if !@recovery && recovery_enabled? %>
+      <p><%= link_to I18n.t('recovery_link', {:scope => 'devise.otp.submit_token'}), otp_credential_path_for(resource_name, :challenge => @challenge, :recovery => true) %></p>
+    <% end %>
+ <% end %>

data/app/views/devise_otp/tokens/_token_secret.html.erb

@@ -0,0 +1,19 @@
+<h3><%= I18n.t('title', {:scope => 'devise.otp.token_secret'}) %></h3>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.token_secret'}) %></p>
+
+<%= otp_authenticator_token_image(resource) %>
+
+<p><strong><%= I18n.t('manual_provisioning', {:scope => 'devise.otp.token_secret'}) %>:</strong>
+  <code><%= resource.otp_auth_secret %></code></p>
+
+<p><%= link_to I18n.t('reset_otp', {:scope => 'devise.otp.token_secret'}), @resource, :method => :delete %></p>
+<p><%= I18n.t('reset_explain', {:scope => 'devise.otp.token_secret'}) %>
+   <strong><%= I18n.t('reset_explain_warn', {:scope => 'devise.otp.token_secret'}) %></strong></p>
+
+<%- if recovery_enabled? %>
+  <h3><%= I18n.t('title', {:scope => 'devise.otp.tokens.recovery'}) %></h3>
+  <p><%= I18n.t('explain', {:scope => 'devise.otp.tokens.recovery'}) %></p>
+  <p><%= link_to I18n.t('codes_list', {:scope => 'devise.otp.tokens.recovery'}), recovery_otp_token_for(resource_name) %></p>
+  <p><%= link_to I18n.t('download_codes', {:scope => 'devise.otp.tokens.recovery'}), recovery_otp_token_for(resource_name, format: :text) %></p>
+
+<% end %>

data/app/views/devise_otp/tokens/_trusted_devices.html.erb

@@ -0,0 +1,10 @@
+<h3><%= I18n.t('title', {:scope => 'devise.otp.trusted_devices'}) %></h3>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.trusted_devices'}) %></p>
+<%- if is_otp_trusted_device_for? resource %>
+  <p><em><%= I18n.t('device_trusted', {:scope => 'devise.otp.trusted_devices'}) %></em></p>
+  <p><%= link_to I18n.t('trust_remove', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name), :method => :post %></p>
+<% else %>
+  <p><%= I18n.t('device_not_trusted', {:scope => 'devise.otp.trusted_devices'}) %></p>
+  <p><%= link_to I18n.t('trust_add', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name) %></p>
+<% end %>
+<p><%= link_to I18n.t('trust_clear', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name), :method => :delete %></p>

data/app/views/devise_otp/tokens/recovery.html.erb

@@ -0,0 +1,21 @@
+<h2><%= I18n.t('title', {:scope => 'devise.otp.tokens.recovery'}) %></h2>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.tokens.recovery'}) %></p>
+
+<table>
+  <caption>
+    <thead>
+        <tr>
+          <th><%= I18n.t('sequence', {:scope => 'devise.otp.tokens.recovery'}) %></th>
+          <th><%= I18n.t('code', {:scope => 'devise.otp.tokens.recovery'}) %></th>
+        </tr>
+    </thead>
+    <tbody>
+    <%- resource.next_otp_recovery_tokens.each do |seq, code| %>
+        <tr>
+          <td><%= seq %></td>
+          <td><%= code %></td>
+        </tr>
+    <% end %>
+    </tbody>
+  </caption>
+</table>

data/app/views/devise_otp/tokens/recovery_codes.text.erb

@@ -0,0 +1,3 @@
+<% resource.next_otp_recovery_tokens.each do |seq, code| %>
+<%= code %>
+<% end %>

data/app/views/devise_otp/tokens/show.html.erb

@@ -0,0 +1,19 @@
+<h2><%= I18n.t('title', {:scope => 'devise.otp.tokens'}) %></h2>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.tokens'}) %></p>
+
+<%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_token], :html => { :method => :put }) do |f| %>
+
+	<%= devise_error_messages! %>
+
+	<h3><%= I18n.t('enable_request', {:scope => 'devise.otp.tokens'}) %></h3>
+
+	<p><%= f.label :otp_enabled, I18n.t('status', {:scope => 'devise.otp.tokens'}) %><br />
+	<%= f.check_box :otp_enabled %></p>
+
+	<p><%= f.submit I18n.t('submit', {:scope => 'devise.otp.tokens'}) %></p>
+<% end %>
+
+<%- if resource.otp_enabled? %>
+  <%= render :partial => 'token_secret' if resource.otp_enabled? %>
+  <%= render :partial => 'trusted_devices' if trusted_devices_enabled? %>
+<% end %>

data/config/locales/en.yml

@@ -0,0 +1,66 @@
+en:
+  devise:
+
+    otp:
+      submit_token:
+        title: 'Check Token'
+        explain: "You're getting this because you enabled two-factors authentication on your account"
+        prompt: 'Please enter your two-factors authentication token:'
+        recovery_prompt: 'Please enter your recovery code:'
+        submit: 'Submit Token'
+        recovery_link: "I don't have my device, I want to use a recovery code"
+
+      credentials:
+        token_invalid: 'The token you provided was invalid.'
+        token_blank: 'You need to type in the token you generated with your device.'
+        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
+        valid_refresh: 'Thank you, your credentials were accepted.'
+        invalid_refresh: 'Sorry, you provided the wrong credentials.'
+
+      credentials_refresh:
+        title: 'Please enter your password again.'
+        explain: 'In order to ensure this is  safe, please enter your password again.'
+        go_on: 'Continue...'
+        identity: 'Identity:'
+        token: 'Your two-factors authentication token'
+
+      token_secret:
+        title: 'Your token secret'
+        explain: 'Take a photo of this QR code with your mobile'
+        manual_provisioning: 'Manual provisioning code'
+        reset_otp: 'Reset your Two Factors Authentication status'
+        reset_explain: 'This will reset your credentials, and disable two-factors authentication.'
+        reset_explain_warn: 'You will need to enroll your mobile device again.'
+
+      tokens:
+        title: 'Two-factors Authentication:'
+        explain: 'Two factors authentication adds adds an additional layer of security to your account. When logging in you will be asked for a code that you can generate on a physical device, like your phone.'
+        enable_request: 'Would you like to enable Two Factors Authenticator?'
+
+        status: 'Enable Two-Factors Authentication.'
+        submit: 'Continue...'
+
+        successfully_updated: 'Your two-factors authentication settings have been updated.'
+        successfully_reset_creds: 'Your two-factors credentials has been reset.'
+        successfully_set_persistence: 'Your device is now trusted.'
+        successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
+        successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
+
+        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
+
+        recovery:
+          title: 'Your Emergency Recovery Codes'
+          explain: 'Take note or print these recovery codes. The will allow you to log back in in case your token device is lost, stolen, or unavailable.'
+          sequence: 'Sequence'
+          code: 'Recovery Code'
+          codes_list: 'Here is the list of your recovery codes'
+          download_codes: 'Download recovery codes'
+
+      trusted_devices:
+        title: 'Trusted Browsers'
+        explain: 'If you set your browser as trusted, you will not be asked to perform a 2-factors authentication when logging in from that browser, for a time of one month.'
+        device_trusted: 'Your browser is trusted.'
+        device_not_trusted: 'Your browser is not trusted.'
+        trust_remove: 'Remove this device from the list of trusted browsers'
+        trust_add: 'Trust this browser'
+        trust_clear: 'Clear the list of trusted browser'

data/devise-otp.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'devise-otp/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "devise-otp-rails5"
+  gem.version       = Devise::Otp::VERSION
+  gem.authors       = ["Lele Forzani", "Josef Strzibny"]
+  gem.email         = ["strzibny@strzibny.name"]
+  gem.description   = %q{Time Based OTP/rfc6238 compatible authentication for Devise with Devise 4.2 and Rails 5 compatibility. Drop-in replacement for devise-otp.}
+  gem.summary       = %q{Time Based OTP/rfc6238 compatible authentication for Devise}
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_runtime_dependency 'rails',  '>= 3.2.6', '< 5.1'
+  gem.add_runtime_dependency 'devise', '>= 3.1.0', '< 4.3.0'
+  gem.add_runtime_dependency 'rotp',   '>= 2.0.0'
+
+  gem.add_development_dependency "sqlite3"
+end

data/lib/devise-otp.rb

@@ -0,0 +1,83 @@
+require "devise-otp/version"
+
+# cherry pick active-support extensions
+#require 'active_record/connection_adapters/abstract/schema_definitions'
+require 'active_support/core_ext/integer'
+require 'active_support/core_ext/string'
+require 'active_support/ordered_hash'
+require 'active_support/concern'
+
+require 'devise'
+
+
+module Devise
+
+
+  #
+  #
+  #
+  mattr_accessor :otp_mandatory
+  @@otp_mandatory = false
+
+  #
+  #
+  #
+  mattr_accessor :otp_authentication_timeout
+  @@otp_authentication_timeout = 3.minutes
+
+  #
+  #
+  #
+  mattr_accessor :otp_recovery_tokens
+  @@otp_recovery_tokens = 10  ## false to disable
+
+  #
+  # If the user is given the chance to set his browser as trusted, how long will it stay trusted.
+  # set to nil/false to disable the ability to set a device as trusted
+  #
+  mattr_accessor :otp_trust_persistence
+  @@otp_trust_persistence = 30.days
+
+  #
+  #
+  #
+ 	mattr_accessor :otp_drift_window
+ 	@@otp_drift_window = 3 # in minutes
+
+  #
+  # if the user wants to change Otp settings,
+  # ask the password (and the token) again if this time has passed since the last
+  # time the user has provided valid credentials
+  #
+  mattr_accessor :otp_credentials_refresh
+  @@otp_credentials_refresh = 15.minutes  # or like 15.minutes, false to disable
+
+  #
+  # the name of the token issuer
+  #
+  mattr_accessor :otp_issuer
+  @@otp_issuer = Rails.application.class.parent_name
+
+  module Otp
+
+  end
+end
+
+module DeviseOtpAuthenticatable
+
+  autoload :Hooks,   'devise_otp_authenticatable/hooks'
+  autoload :Mapping, 'devise_otp_authenticatable/mapping'
+
+  module Controllers
+    autoload :Helpers,    'devise_otp_authenticatable/controllers/helpers'
+    autoload :UrlHelpers, 'devise_otp_authenticatable/controllers/url_helpers'
+  end
+end
+
+
+require 'devise_otp_authenticatable/routes'
+require 'devise_otp_authenticatable/engine'
+
+Devise.add_module :otp_authenticatable,
+                  :controller => :otp_tokens,
+                  :model => 'devise_otp_authenticatable/models/otp_authenticatable', :route => :otp