devise-otp-rails5 0.2.4

data/lib/devise-otp/version.rb

@@ -0,0 +1,5 @@
+module Devise
+  module Otp
+    VERSION = "0.2.4"
+  end
+end

data/lib/devise_otp_authenticatable/controllers/helpers.rb

@@ -0,0 +1,168 @@
+module DeviseOtpAuthenticatable
+
+  module Controllers
+    module Helpers
+
+
+      def authenticate_scope!
+        send(:"authenticate_#{resource_name}!", :force => true)
+        self.resource = send("current_#{resource_name}")
+      end
+
+      #
+      # similar to DeviseController#set_flash_message, but sets the scope inside
+      # the otp controller
+      #
+      def otp_set_flash_message(key, kind, options={})
+        options[:scope] ||= "devise.otp.#{controller_name}"
+        options[:default] = Array(options[:default]).unshift(kind.to_sym)
+        options[:resource_name] = resource_name
+        options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
+        message = I18n.t("#{options[:resource_name]}.#{kind}", options)
+        flash[key] = message if message.present?
+      end
+
+      def otp_t()
+
+      end
+
+
+      def trusted_devices_enabled?
+        resource.class.otp_trust_persistence && (resource.class.otp_trust_persistence > 0)
+      end
+
+      def recovery_enabled?
+        resource_class.otp_recovery_tokens && (resource_class.otp_recovery_tokens > 0)
+      end
+
+      #
+      # Sanity check for resource validity
+      #
+      def ensure_resource!
+        if resource.nil?
+          raise ArgumentError, "Should not happen"
+        end
+      end
+
+
+      # fixme do cookies and persistence need to be scoped? probably
+
+      #
+      # check if the resource needs a credentials refresh. IE, they need to be asked a password again to access
+      # this resource.
+      #
+      def needs_credentials_refresh?(resource)
+        return false unless resource.class.otp_credentials_refresh
+
+        (!session[otp_scoped_refresh_property].present? ||
+            (session[otp_scoped_refresh_property] < DateTime.now)).tap { |need| otp_set_refresh_return_url if need }
+      end
+
+      #
+      # credentials are refreshed
+      #
+      def otp_refresh_credentials_for(resource)
+        return false unless resource.class.otp_credentials_refresh
+        session[otp_scoped_refresh_property] = (Time.now + resource.class.otp_credentials_refresh)
+      end
+
+
+      #
+      # is the current browser trusted?
+      #
+      def is_otp_trusted_device_for?(resource)
+        return false unless resource.class.otp_trust_persistence
+        if cookies[otp_scoped_persistence_cookie].present?
+          cookies.signed[otp_scoped_persistence_cookie] ==
+              [resource.to_key, resource.authenticatable_salt, resource.otp_persistence_seed]
+        else
+          false
+        end
+      end
+
+      #
+      # make the current browser trusted
+      #
+      def otp_set_trusted_device_for(resource)
+        return unless resource.class.otp_trust_persistence
+        cookies.signed[otp_scoped_persistence_cookie] = {
+            :httponly => true,
+            :expires => Time.now + resource.class.otp_trust_persistence,
+            :value => [resource.to_key, resource.authenticatable_salt, resource.otp_persistence_seed]
+        }
+      end
+
+      def otp_set_refresh_return_url
+        session[otp_scoped_refresh_return_url_property] = request.fullpath
+      end
+
+      def otp_fetch_refresh_return_url
+        session.delete(otp_scoped_refresh_return_url_property) { :root }
+
+      end
+
+      def otp_scoped_refresh_return_url_property
+        "otp_#{resource_name}refresh_return_url".to_sym
+      end
+
+      def otp_scoped_refresh_property
+        "otp_#{resource_name}refresh_after".to_sym
+      end
+
+      def otp_scoped_persistence_cookie
+        "otp_#{resource_name}_device_trusted"
+      end
+
+      #
+      # make the current browser NOT trusted
+      #
+      def otp_clear_trusted_device_for(resource)
+        cookies.delete(otp_scoped_persistence_cookie)
+      end
+
+
+      #
+      # clears the persistence list for this kind of resource
+      #
+      def otp_reset_persistence_for(resource)
+        otp_clear_trusted_device_for(resource)
+        resource.reset_otp_persistence!
+      end
+
+      #
+      # returns the URL for the QR Code to initialize the Authenticator device
+      #
+      def otp_authenticator_token_image(resource)
+        otp_authenticator_token_image_js(resource.otp_provisioning_uri)
+      end
+
+      private
+
+      def otp_authenticator_token_image_js(otp_url)
+
+        content_tag(:div, :class => 'qrcode-container') do
+          tag(:div, :id => 'qrcode', :class => 'qrcode') +
+          javascript_tag(%Q[
+
+            new QRCode("qrcode", {
+              text: "#{otp_url}",
+              width: 256,
+              height: 256,
+              colorDark : "#000000",
+              colorLight : "#ffffff",
+              correctLevel : QRCode.CorrectLevel.H
+            });
+          ]) + tag("/div")
+        end
+      end
+
+
+      def otp_authenticator_token_image_google(otp_url)
+        otp_url = Rack::Utils.escape(otp_url)
+        url = "https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=#{otp_url}"
+        image_tag(url, :alt => 'OTP Url QRCode')
+      end
+
+    end
+  end
+end

data/lib/devise_otp_authenticatable/controllers/url_helpers.rb

@@ -0,0 +1,33 @@
+module DeviseOtpAuthenticatable
+  module Controllers
+
+    module UrlHelpers
+
+      def recovery_otp_token_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("recovery_#{scope}_otp_token_path", opts)
+      end
+
+      def refresh_otp_credential_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("refresh_#{scope}_otp_credential_path", opts)
+      end
+
+      def persistence_otp_token_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("persistence_#{scope}_otp_token_path", opts)
+      end
+
+      def otp_token_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("#{scope}_otp_token_path", opts)
+      end
+
+      def otp_credential_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("#{scope}_otp_credential_path", opts)
+      end
+
+    end
+  end
+end

data/lib/devise_otp_authenticatable/engine.rb

@@ -0,0 +1,23 @@
+module DeviseOtpAuthenticatable
+  class Engine < ::Rails::Engine
+
+    ActiveSupport.on_load(:action_controller) do
+      include DeviseOtpAuthenticatable::Controllers::UrlHelpers
+      include DeviseOtpAuthenticatable::Controllers::Helpers
+    end
+    ActiveSupport.on_load(:action_view) do
+      include DeviseOtpAuthenticatable::Controllers::UrlHelpers
+      include DeviseOtpAuthenticatable::Controllers::Helpers
+    end
+
+    # We use to_prepare instead of after_initialize here because Devise is a Rails engine;
+    config.to_prepare do
+      DeviseOtpAuthenticatable::Hooks.apply
+    end
+
+    # extend mapping with after_initialize because is not reloaded
+    config.after_initialize do
+      Devise::Mapping.send :include, DeviseOtpAuthenticatable::Mapping
+    end
+  end
+end

data/lib/devise_otp_authenticatable/hooks.rb

@@ -0,0 +1,13 @@
+module DeviseOtpAuthenticatable
+  module Hooks
+
+    autoload :Sessions, 'devise_otp_authenticatable/hooks/sessions.rb'
+
+    class << self
+      def apply
+        Devise::SessionsController.send(:include, Hooks::Sessions)
+      end
+    end
+
+  end
+end

data/lib/devise_otp_authenticatable/hooks/sessions.rb

@@ -0,0 +1,59 @@
+module DeviseOtpAuthenticatable::Hooks
+  module Sessions
+    extend ActiveSupport::Concern
+    include DeviseOtpAuthenticatable::Controllers::UrlHelpers
+
+    included do
+      alias_method_chain :create, :otp
+    end
+
+    #
+    # replaces Devise::SessionsController#create
+    #
+    def create_with_otp
+
+      resource = warden.authenticate!(auth_options)
+
+      devise_stored_location = stored_location_for(resource) # Grab the current stored location before it gets lost by warden.logout
+
+      otp_refresh_credentials_for(resource)
+
+      if otp_challenge_required_on?(resource)
+        challenge = resource.generate_otp_challenge!
+        warden.logout
+        store_location_for(resource, devise_stored_location) # restore the stored location
+        respond_with resource, :location => otp_credential_path_for(resource, {:challenge => challenge})
+      elsif otp_mandatory_on?(resource) # if mandatory, log in user but send him to the must activate otp
+        set_flash_message(:notice, :signed_in_but_otp) if is_navigational_format?
+        sign_in(resource_name, resource)
+        respond_with resource, :location => otp_token_path_for(resource)
+      else
+
+        set_flash_message(:notice, :signed_in) if is_navigational_format?
+        sign_in(resource_name, resource)
+        respond_with resource, :location => after_sign_in_path_for(resource)
+      end
+    end
+
+
+    private
+
+    #
+    # resource should be challenged for otp
+    #
+    def otp_challenge_required_on?(resource)
+      return false unless resource.respond_to?(:otp_enabled) && resource.respond_to?(:otp_auth_secret)
+      resource.otp_enabled && !is_otp_trusted_device_for?(resource)
+    end
+
+    #
+    # the resource -should- have otp turned on, but it isn't
+    #
+    def otp_mandatory_on?(resource)
+      return true if resource.class.otp_mandatory
+      return false unless resource.respond_to?(:otp_mandatory)
+
+      resource.otp_mandatory && !resource.otp_enabled
+    end
+  end
+end

data/lib/devise_otp_authenticatable/mapping.rb

@@ -0,0 +1,19 @@
+module DeviseOtpAuthenticatable
+
+  module Mapping
+
+    def self.included(base)
+      base.alias_method_chain :default_controllers, :otp
+    end
+
+    private
+    def default_controllers_with_otp(options)
+      options[:controllers] ||= {}
+
+      options[:controllers][:otp_tokens]      ||= "tokens"
+      options[:controllers][:otp_credentials] ||= "credentials"
+
+      default_controllers_without_otp(options)
+    end
+  end
+end

data/lib/devise_otp_authenticatable/models/otp_authenticatable.rb

@@ -0,0 +1,137 @@
+require 'rotp'
+
+module Devise::Models
+  module OtpAuthenticatable
+    extend ActiveSupport::Concern
+
+    included do
+      before_validation :generate_otp_auth_secret, :on => :create
+      before_validation :generate_otp_persistence_seed, :on => :create
+      scope :with_valid_otp_challenge, lambda { |time| where('otp_challenge_expires > ?', time) }
+    end
+
+    module ClassMethods
+      ::Devise::Models.config(self, :otp_authentication_timeout, :otp_drift_window, :otp_trust_persistence,
+                                    :otp_mandatory, :otp_credentials_refresh, :otp_issuer, :otp_recovery_tokens)
+
+      def find_valid_otp_challenge(challenge)
+        with_valid_otp_challenge(Time.now).where(:otp_session_challenge => challenge).first
+      end
+    end
+
+    def time_based_otp
+      @time_based_otp ||= ROTP::TOTP.new(otp_auth_secret, issuer: "#{self.class.otp_issuer || Rails.application.class.parent_name}")
+    end
+
+    def recovery_otp
+      @recovery_otp ||= ROTP::HOTP.new(otp_recovery_secret)
+    end
+
+    def otp_provisioning_uri
+      time_based_otp.provisioning_uri(otp_provisioning_identifier)
+    end
+
+    def otp_provisioning_identifier
+      email
+    end
+
+
+    def reset_otp_credentials
+      @time_based_otp = nil
+      @recovery_otp = nil
+      generate_otp_auth_secret
+      reset_otp_persistence
+      update_attributes!(:otp_enabled => false,
+             :otp_session_challenge => nil, :otp_challenge_expires => nil,
+             :otp_recovery_counter => 0)
+    end
+
+    def reset_otp_credentials!
+      reset_otp_credentials
+      save!
+    end
+
+    def reset_otp_persistence
+      generate_otp_persistence_seed
+    end
+
+    def reset_otp_persistence!
+      reset_otp_persistence
+      save!
+    end
+
+    def enable_otp!
+      if otp_persistence_seed.nil?
+        reset_otp_credentials!
+      end
+
+      update_attributes!(:otp_enabled => true, :otp_enabled_on => Time.now)
+    end
+
+    def disable_otp!
+      update_attributes!(:otp_enabled => false, :otp_enabled_on => nil)
+    end
+
+    def generate_otp_challenge!(expires = nil)
+      update_attributes!(:otp_session_challenge => SecureRandom.hex,
+             :otp_challenge_expires => DateTime.now + (expires || self.class.otp_authentication_timeout))
+      otp_session_challenge
+    end
+
+    def otp_challenge_valid?
+      (otp_challenge_expires.nil? || otp_challenge_expires > Time.now)
+    end
+
+
+    def validate_otp_token(token, recovery = false)
+      if recovery
+        validate_otp_recovery_token token
+      else
+        validate_otp_time_token token
+      end
+    end
+    alias_method :valid_otp_token?, :validate_otp_token
+
+    def validate_otp_time_token(token)
+      return false if token.blank?
+      validate_otp_token_with_drift(token)
+    end
+    alias_method :valid_otp_time_token?, :validate_otp_time_token
+
+    def next_otp_recovery_tokens(number = self.class.otp_recovery_tokens)
+      (otp_recovery_counter..otp_recovery_counter + number).inject({}) do |h, index|
+        h[index] = recovery_otp.at(index)
+        h
+      end
+    end
+
+    def validate_otp_recovery_token(token)
+      recovery_otp.verify(token, otp_recovery_counter).tap do
+        self.otp_recovery_counter += 1
+        save!
+      end
+    end
+    alias_method :valid_otp_recovery_token?, :validate_otp_recovery_token
+
+
+
+    private
+
+    def validate_otp_token_with_drift(token)
+
+      # should be centered around saved drift
+      (-self.class.otp_drift_window..self.class.otp_drift_window).any? {|drift|
+        (time_based_otp.verify(token, Time.now.ago(30 * drift))) }
+    end
+
+    def generate_otp_persistence_seed
+      self.otp_persistence_seed = SecureRandom.hex
+    end
+
+    def generate_otp_auth_secret
+      self.otp_auth_secret = ROTP::Base32.random_base32
+      self.otp_recovery_secret = ROTP::Base32.random_base32
+    end
+
+  end
+end