devise-otp-rails5 0.2.4

data/test/dummy/db/migrate/20130131160351_devise_otp_add_to_users.rb

@@ -0,0 +1,28 @@
+class DeviseOtpAddToUsers < ActiveRecord::Migration[5.0]
+  def self.up
+    change_table :users do |t|
+      t.string    :otp_auth_secret
+      t.string    :otp_recovery_secret
+      t.boolean   :otp_enabled,          :default => false, :null => false
+      t.boolean   :otp_mandatory,        :default => false, :null => false
+      t.datetime  :otp_enabled_on
+      t.integer   :otp_time_drift,       :default => 0, :null => false
+      t.integer   :otp_failed_attempts,  :default => 0, :null => false
+      t.integer   :otp_recovery_counter, :default => 0, :null => false
+      t.string    :otp_persistence_seed
+
+      t.string    :otp_session_challenge
+      t.datetime  :otp_challenge_expires
+    end
+
+    add_index :users, :otp_session_challenge,  :unique => true
+    add_index :users, :otp_challenge_expires
+  end
+
+  def self.down
+    change_table :users do |t|
+      t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,
+          :otp_challenge_expires, :otp_time_drift, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+    end
+  end
+end

data/test/dummy/public/404.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <h1>The page you were looking for doesn't exist.</h1>
+    <p>You may have mistyped the address or the page may have moved.</p>
+  </div>
+</body>
+</html>

data/test/dummy/public/422.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <h1>The change you wanted was rejected.</h1>
+    <p>Maybe you tried to change something you didn't have access to.</p>
+  </div>
+</body>
+</html>

data/test/dummy/public/500.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <h1>We're sorry, but something went wrong.</h1>
+  </div>
+</body>
+</html>

data/test/dummy/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require File.expand_path('../../config/boot',  __FILE__)
+require 'rails/commands'

data/test/integration/persistence_test.rb

@@ -0,0 +1,65 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class PersistenceTest < ActionDispatch::IntegrationTest
+
+  def setup
+    @old_persistence = User.otp_trust_persistence
+    User.otp_trust_persistence = 3.seconds
+  end
+
+  def teardown
+    User.otp_trust_persistence = @old_persistence
+    Capybara.reset_sessions!
+  end
+
+  test 'a user should be requested the otp challenge every log in' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    sign_out
+    sign_user_in
+
+    assert_equal user_otp_credential_path, current_path
+  end
+
+  test 'a user should be able to set their browser as trusted' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    click_link('Trust this browser')
+    assert_text 'Your browser is trusted.'
+    sign_out
+
+    sign_user_in
+
+    assert_equal root_path, current_path
+  end
+
+  test 'trusted status should expire' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    click_link('Trust this browser')
+    assert_text 'Your browser is trusted.'
+    sign_out
+
+    sleep User.otp_trust_persistence.to_i + 1
+    sign_user_in
+
+    assert_equal user_otp_credential_path, current_path
+  end
+
+end

data/test/integration/refresh_test.rb

@@ -0,0 +1,106 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class RefreshTest < ActionDispatch::IntegrationTest
+
+  def setup
+    @old_refresh = User.otp_credentials_refresh
+    User.otp_credentials_refresh = 1.second
+  end
+
+  def teardown
+    User.otp_credentials_refresh = @old_refresh
+    Capybara.reset_sessions!
+  end
+
+  test 'a user that just signed in should be able to access their OTP settings without refreshing' do
+    sign_user_in
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+  end
+
+  test 'a user should be prompted for credentials when the credentials_refresh time is expired' do
+
+    sign_user_in
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    sleep(2)
+
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+  end
+
+  test 'a user should be able to access their OTP settings after refreshing' do
+    sign_user_in
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    sleep(2)
+
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+
+    fill_in 'user_refresh_password', :with => '12345678'
+    click_button 'Continue...'
+    assert_equal user_otp_token_path, current_path
+
+  end
+
+  test 'a user should NOT be able to access their OTP settings unless refreshing' do
+    sign_user_in
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    sleep(2)
+
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+
+    fill_in 'user_refresh_password', :with => '12345670'
+    click_button 'Continue...'
+    assert_equal refresh_user_otp_credential_path, current_path
+  end
+
+  test 'user should be asked their OTP challenge in order to refresh, if they have OTP' do
+    enable_otp_and_sign_in_with_otp
+
+    sleep(2)
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+
+    fill_in 'user_refresh_password', :with => '12345678'
+    click_button 'Continue...'
+
+    assert_equal refresh_user_otp_credential_path, current_path
+  end
+
+  test 'user should be finally be able to access their settings, if they provide both a password and a valid OTP token' do
+    user = enable_otp_and_sign_in_with_otp
+
+    sleep(2)
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+
+    fill_in 'user_refresh_password', :with => '12345678'
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Continue...'
+
+    assert_equal user_otp_token_path, current_path
+  end
+
+  test 'and rejected when the token is blank or null' do
+    user = enable_otp_and_sign_in_with_otp
+
+    sleep(2)
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+
+    fill_in 'user_refresh_password', :with => '12345678'
+    fill_in 'user_token', :with => ''
+    click_button 'Continue...'
+
+    assert_equal refresh_user_otp_credential_path, current_path
+  end
+end

data/test/integration/sign_in_test.rb

@@ -0,0 +1,87 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class SignInTest < ActionDispatch::IntegrationTest
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test 'a new user should be able to sign in without using their token' do
+    create_full_user
+
+    visit new_user_session_path
+    fill_in 'user_email', :with => 'user@email.invalid'
+    fill_in 'user_password', :with => '12345678'
+    page.has_content?('Log in') ? click_button('Log in') : click_button('Sign in')
+
+    assert_equal root_path, current_path
+  end
+
+  test 'a new user, just signed in, should be able to sign in and enable their OTP authentication' do
+    user = sign_user_in
+
+    visit user_otp_token_path
+    assert !page.has_content?('Your token secret')
+
+    check 'user_otp_enabled'
+    click_button 'Continue...'
+
+    assert_equal user_otp_token_path, current_path
+
+    assert page.has_content?('Your token secret')
+    assert !user.otp_auth_secret.nil?
+    assert !user.otp_persistence_seed.nil?
+  end
+
+  test 'a new user should be able to sign in enable OTP and be prompted for their token' do
+    enable_otp_and_sign_in
+
+    assert_equal user_otp_credential_path, current_path
+  end
+
+  test 'fail token authentication' do
+    enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    fill_in 'user_token', :with => '123456'
+    click_button 'Submit Token'
+
+    assert_equal new_user_session_path, current_path
+  end
+
+  test 'fail blank token authentication' do
+    enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    fill_in 'user_token', :with => ''
+    click_button 'Submit Token'
+
+    assert_equal user_otp_credential_path, current_path
+  end
+
+  test 'successful token authentication' do
+    user = enable_otp_and_sign_in
+
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+
+    assert_equal root_path, current_path
+  end
+
+
+  test 'should fail if the the challenge times out' do
+    old_timeout = User.otp_authentication_timeout
+    User.otp_authentication_timeout = 1.second
+
+    user = enable_otp_and_sign_in
+
+    sleep(2)
+
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+
+    User.otp_authentication_timeout = old_timeout
+    assert_equal new_user_session_path, current_path
+  end
+end

data/test/integration/token_test.rb

@@ -0,0 +1,34 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class TokenTest < ActionDispatch::IntegrationTest
+
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test 'disabling OTP after successfully enabling' do
+
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    # otp 2fa
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+    assert_equal root_path, current_path
+
+    # disable OTP
+    disable_otp
+
+    # logout
+    sign_out
+
+    # log back in 1fa
+    sign_user_in(user)
+
+    assert_equal root_path, current_path
+
+  end
+end

data/test/integration_tests_helper.rb

@@ -0,0 +1,66 @@
+class ActionDispatch::IntegrationTest
+  include Warden::Test::Helpers
+
+  def warden
+    request.env['warden']
+  end
+  
+  def create_full_user
+    @user ||= begin
+      user = User.create!(
+        :email                 => 'user@email.invalid',
+        :password              => '12345678',
+        :password_confirmation => '12345678'
+      )
+      user
+    end
+  end
+
+  def enable_otp_and_sign_in_with_otp
+    enable_otp_and_sign_in.tap do |user|
+      fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+      click_button 'Submit Token'
+    end
+  end
+
+
+  def enable_otp_and_sign_in
+    user = create_full_user
+    sign_user_in(user)
+    visit user_otp_token_path
+    check 'user_otp_enabled'
+    click_button 'Continue...'
+
+    Capybara.reset_sessions!
+
+    sign_user_in(user)
+    user
+  end
+
+  def otp_challenge_for(user)
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+  end
+
+  def disable_otp
+    visit user_otp_token_path
+    uncheck 'user_otp_enabled'
+    click_button 'Continue...'
+  end
+
+  def sign_out
+    logout :user
+  end
+
+  def sign_user_in(user = nil)
+    user ||= create_full_user
+    resource_name = user.class.name.underscore
+    visit send("new_#{resource_name}_session_path")
+    fill_in "#{resource_name}_email", :with => user.email
+    fill_in "#{resource_name}_password", :with => user.password
+
+    page.has_content?('Log in') ? click_button('Log in') : click_button('Sign in')
+    user
+  end
+
+end