devise-otp 0.1.1

data/app/views/devise_otp/credentials/refresh.html.erb

@@ -0,0 +1,20 @@
+<h2><%= I18n.t('title', {:scope => 'devise.otp.credentials_refresh'}) %></h2>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.credentials_refresh'}) %></p>
+
+<%= form_for(resource, :as => resource_name, :url => [:refresh, resource_name, :otp_credential], :html => { :method => :put }) do |f| %>
+
+  <%= devise_error_messages! %>
+
+    <div><%= f.label :email %><br />
+    <%= f.text_field :email, :disabled => :true%></div>
+
+    <div><%= f.label :password %><br />
+	<%= f.password_field :refresh_password, :autocomplete => :off, :autofocus => true %></div>
+
+  <%- if resource.otp_enabled? %>
+    <div><%= f.label :token, I18n.t(:token, {:scope => 'devise.otp.credentials_refresh'}) %></p><br />
+    <%= f.password_field :token, :autocomplete => :off%></div>
+  <% end %>
+
+	<div><%= f.submit I18n.t(:go_on, {:scope => 'devise.otp.credentials_refresh'}) %></div>
+<% end %>

data/app/views/devise_otp/credentials/show.html.erb

@@ -0,0 +1,23 @@
+<h2><%= I18n.t('title', {:scope => 'devise.otp.submit_token'}) %></h2>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.submit_token'}) %></p>
+
+<%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_credential], :html => { :method => :put }) do |f| %>
+
+	<%= f.hidden_field :challenge, {:value => @challenge} %>
+	<%= f.hidden_field :recovery, {:value => @recovery} %>
+
+  <%- if @recovery %>
+    <p><%= f.label :token, I18n.t('recovery_prompt', {:scope => 'devise.otp.submit_token'}) %><br />
+        <%= f.text_field :otp_recovery_counter, :autocomplete => :off, :disabled => true, :size => 4 %>
+        <% else %>
+            <p><%= f.label :token, I18n.t('prompt', {:scope => 'devise.otp.submit_token'}) %><br />
+        <% end %>
+
+        <%= f.text_field :token, :autocomplete => :off, :autofocus => true, :size => 6, :value => '' %>
+    </p>
+
+	<p><%= f.submit I18n.t('submit', {:scope => 'devise.otp.submit_token'}) %></p>
+    <%- if !@recovery && resource_class.recovery_tokens %>
+      <p><%= link_to I18n.t('recovery_link', {:scope => 'devise.otp.submit_token'}), otp_credential_path_for(resource_name, :challenge => @challenge, :recovery => true) %></p>
+    <% end %>
+ <% end %>

data/app/views/devise_otp/tokens/_token_secret.html.erb

@@ -0,0 +1,17 @@
+<h3><%= I18n.t('title', {:scope => 'devise.otp.token_secret'}) %></h3>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.token_secret'}) %></p>
+
+<%= otp_authenticator_token_image(resource) %>
+
+<p><strong><%= I18n.t('manual_provisioning', {:scope => 'devise.otp.token_secret'}) %>:</strong>
+  <code><%= resource.otp_auth_secret %></code></p>
+
+<p><%= link_to I18n.t('reset_otp', {:scope => 'devise.otp.token_secret'}), @resource, :method => :delete %></p>
+<p><%= I18n.t('reset_explain', {:scope => 'devise.otp.token_secret'}) %>
+   <strong><%= I18n.t('reset_explain_warn', {:scope => 'devise.otp.token_secret'}) %></strong></p>
+
+<%- if recovery_enabled? %>
+  <h3><%= I18n.t('title', {:scope => 'devise.otp.tokens.recovery'}) %></h3>
+  <p><%= I18n.t('explain', {:scope => 'devise.otp.tokens.recovery'}) %></p>
+  <p><%= link_to I18n.t('codes_list', {:scope => 'devise.otp.tokens.recovery'}), recovery_otp_token_for(resource_name) %></p>
+<% end %>

data/app/views/devise_otp/tokens/recovery.html.erb

@@ -0,0 +1,21 @@
+<h2><%= I18n.t('title', {:scope => 'devise.otp.tokens.recovery'}) %></h2>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.tokens.recovery'}) %></p>
+
+<table>
+  <caption>
+    <thead>
+        <tr>
+          <th><%= I18n.t('sequence', {:scope => 'devise.otp.tokens.recovery'}) %></th>
+          <th><%= I18n.t('code', {:scope => 'devise.otp.tokens.recovery'}) %></th>
+        </tr>
+    </thead>
+    <tbody>
+    <%- resource.next_otp_recovery_tokens.each do |seq, code| %>
+        <tr>
+          <td><%= seq %></td>
+          <td><%= code %></td>
+        </tr>
+    <% end %>
+    </tbody>
+  </caption>
+</table>

data/app/views/devise_otp/tokens/show.html.erb

@@ -0,0 +1,31 @@
+<h2><%= I18n.t('title', {:scope => 'devise.otp.tokens'}) %></h2>
+<p><%= I18n.t('caption', {:scope => 'devise.otp.tokens'}) %></p>
+
+<p><%= I18n.t('explain', {:scope => 'devise.otp.tokens'}) %></p>
+
+<%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_token], :html => { :method => :put }) do |f| %>
+
+	<%= devise_error_messages! %>
+
+	<h3><%= I18n.t('enable_request', {:scope => 'devise.otp.tokens'}) %></h3>
+
+	<p><%= f.label :otp_enabled, I18n.t('status', {:scope => 'devise.otp.tokens'}) %><br />
+	<%= f.check_box :otp_enabled %></p>
+
+	<p><%= f.submit I18n.t('submit', {:scope => 'devise.otp.tokens'}) %></p>
+<% end %>
+
+<%- if resource.otp_enabled? %>
+  <%= render :partial => 'token_secret' if resource.otp_enabled? %>
+
+  <h3><%= I18n.t('title', {:scope => 'devise.otp.trusted_devices'}) %></h3>
+  <p><%= I18n.t('explain', {:scope => 'devise.otp.trusted_devices'}) %></p>
+  <%- if is_otp_trusted_device_for? resource  %>
+    <p><em><%= I18n.t('device_trusted', {:scope => 'devise.otp.trusted_devices'}) %></em></p>
+    <p><%= link_to I18n.t('trust_remove', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name), :method => :post %></p>
+  <% else %>
+    <p><%= I18n.t('device_not_trusted', {:scope => 'devise.otp.trusted_devices'}) %></p>
+    <p><%= link_to I18n.t('trust_add', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name) %></p>
+  <% end %>
+  <p><%= link_to I18n.t('trust_clear', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name), :method => :delete %></p>
+<% end %>

data/config/locales/en.yml

@@ -0,0 +1,66 @@
+en:
+  devise:
+
+    otp:
+      submit_token:
+        title: 'Check Token'
+        explain: "You're getting this because you enabled two-factors authentication on your account"
+        prompt: 'Please enter your two-factors authentication token:'
+        recovery_prompt: 'Please enter your recovery code:'
+        submit: 'Submit Token'
+        recovery_link: "I don't have my device, I want to use a recovery code"
+
+      credentials:
+        token_invalid: 'The token you provided was invalid.'
+        token_blank: 'You need to type in the token you generated with your device.'
+        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
+        valid_refresh: 'Thank you, your credentials were accepted.'
+        invalid_refresh: 'Sorry, you provided the wrong credentials.'
+
+      credentials_refresh:
+        title: 'Please enter your password again.'
+        explain: 'In order to ensure this is  safe, please enter your password again.'
+        go_on: 'Continue...'
+        identity: 'Identity:'
+        token: 'Your two-factors authentication token'
+
+      token_secret:
+        title: 'Your token secret'
+        explain: 'Take a photo of this QR code with your mobile'
+        manual_provisioning: 'Manual provisioning code'
+        reset_otp: 'Reset your Two Factors Authentication status'
+        reset_explain: 'This will reset your credentials, and disable two-factors authentication.'
+        reset_explain_warn: 'You will need to enroll your mobile device again.'
+
+      tokens:
+        title: 'Two-factors Authentication:'
+        explain: 'Two factors does this and that and that also'
+        enable_request: 'Would you like to enable Two Factors Authenticator?'
+
+        status: 'Enable Two-Factors Authentication.'
+        submit: 'Continue...'
+
+        successfully_updated: 'Your two-factors authentication settings have been updated.'
+        successfully_reset_creds: 'Your two-factors credentials has been reset.'
+        successfully_set_persistence: 'Your device is now trusted.'
+        successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
+        successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
+
+        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
+
+        recovery:
+          title: 'Your Emergency Recovery Codes'
+          explain: 'Take note or print these recovery codes. The will allow you to log back in in case your token device is lost, stolen, or unavailable.'
+          sequence: 'Sequence'
+          code: 'Recovery Code'
+          codes_list: 'Here is the list of your recovery codes'
+
+
+      trusted_devices:
+        title: 'Trusted Devices'
+        explain: 'Trusted Device are ....'
+        device_trusted: 'Your device is trusted.'
+        device_not_trusted: 'Your device is not trusted.'
+        trust_remove: 'Remove this device from the list of trusted devices'
+        trust_add: 'Trust this device'
+        trust_clear: 'Clear the list of trusted devices'

data/devise-otp.gemspec

@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'devise-otp/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "devise-otp"
+  gem.version       = Devise::Otp::VERSION
+  gem.authors       = ["Lele Forzani"]
+  gem.email         = ["lele@windmill.it"]
+  gem.description   = %q{Time Based OTP/rfc6238 compatible authentication for Devise}
+  gem.summary       = %q{Time Based OTP/rfc6238 compatible authentication for Devise}
+  gem.homepage      = "http://git.windmill.it/wm/devise-otp"
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_runtime_dependency 'rails',  '>= 3.2.6', '< 5'
+  gem.add_runtime_dependency 'devise', '~> 3.1.0'
+  gem.add_runtime_dependency 'rotp',   '>= 1.4.0'
+
+  gem.add_development_dependency "sqlite3"
+end

data/lib/devise-otp.rb

@@ -0,0 +1,76 @@
+require "devise-otp/version"
+
+# cherry pick active-support extensions
+#require 'active_record/connection_adapters/abstract/schema_definitions'
+require 'active_support/core_ext/integer'
+require 'active_support/core_ext/string'
+require 'active_support/ordered_hash'
+require 'active_support/concern'
+
+require 'devise'
+
+
+module Devise
+
+
+  #
+  #
+  #
+  mattr_accessor :otp_mandatory
+  @@otp_mandatory = false
+
+  #
+  #
+  #
+  mattr_accessor :otp_authentication_timeout
+  @@otp_authentication_timeout = 3.minutes
+
+  #
+  #
+  #
+  mattr_accessor :recovery_tokens
+  @@recovery_tokens = 5  ## false to disable
+
+  #
+  #
+  #
+ 	mattr_accessor :otp_drift_window
+ 	@@otp_drift_window = 3 # in seconds
+
+  #
+  # if the user wants to change Otp settings,
+  # ask the password (and the token) again if this time has passed since the last
+  # time the user has provided valid credentials
+  #
+  mattr_accessor :otp_credentials_refresh
+  @@otp_credentials_refresh = 15.minutes  # or like 15.minutes, false to disable
+
+  #
+  # the user identifier for the token is <email>/Application_name
+  #
+  mattr_accessor :otp_uri_application
+  @@otp_uri_application = Rails.application.class.parent_name
+
+  module Otp
+
+  end
+end
+
+module DeviseOtpAuthenticatable
+
+  autoload :Hooks,   'devise_otp_authenticatable/hooks'
+  autoload :Mapping, 'devise_otp_authenticatable/mapping'
+
+  module Controllers
+    autoload :Helpers,    'devise_otp_authenticatable/controllers/helpers'
+    autoload :UrlHelpers, 'devise_otp_authenticatable/controllers/url_helpers'
+  end
+end
+
+
+require 'devise_otp_authenticatable/routes'
+require 'devise_otp_authenticatable/engine'
+
+Devise.add_module :otp_authenticatable,
+                  :controller => :otp_tokens,
+                  :model => 'devise_otp_authenticatable/models/otp_authenticatable', :route => :otp

data/lib/devise-otp/version.rb

@@ -0,0 +1,5 @@
+module Devise
+  module Otp
+    VERSION = "0.1.1"
+  end
+end

data/lib/devise_otp_authenticatable/controllers/helpers.rb

@@ -0,0 +1,144 @@
+module DeviseOtpAuthenticatable
+
+  module Controllers
+    module Helpers
+
+
+      def authenticate_scope!
+        send(:"authenticate_#{resource_name}!", :force => true)
+        self.resource = send("current_#{resource_name}")
+      end
+
+      #
+      # similar to DeviseController#set_flash_message, but sets the scope inside
+      # the otp controller
+      #
+      def otp_set_flash_message(key, kind, options={})
+        options[:scope] ||= "devise.otp.#{controller_name}"
+        options[:default] = Array(options[:default]).unshift(kind.to_sym)
+        options[:resource_name] = resource_name
+        options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
+        message = I18n.t("#{options[:resource_name]}.#{kind}", options)
+        flash[key] = message if message.present?
+      end
+
+      def otp_t()
+
+      end
+
+
+      def recovery_enabled?
+        resource_class.recovery_tokens && (resource_class.recovery_tokens > 0)
+      end
+
+      #
+      # Sanity check for resource validity
+      #
+      def ensure_resource!
+        if resource.nil?
+          raise ArgumentError, "Should not happen"
+        end
+      end
+
+
+      # fixme do cookies and persistence need to be scoped? probably
+
+      #
+      # check if the resource needs a credentials refresh. IE, they need to be asked a password again to access
+      # this resource.
+      #
+      def needs_credentials_refresh?(resource)
+        return false unless resource.class.otp_credentials_refresh
+
+        (!session[otp_scoped_refresh_property].present? ||
+            (session[otp_scoped_refresh_property] < DateTime.now)).tap { |need| otp_set_refresh_return_url if need }
+      end
+
+      #
+      # credentials are refreshed
+      #
+      def otp_refresh_credentials_for(resource)
+        return false unless resource.class.otp_credentials_refresh
+        session[otp_scoped_refresh_property] = (Time.now + resource.class.otp_credentials_refresh)
+      end
+
+
+      #
+      # is the current browser trusted?
+      #
+      def is_otp_trusted_device_for?(resource)
+        if cookies[otp_scoped_persistence_cookie].present?
+          cookies.signed[otp_scoped_persistence_cookie] ==
+              [resource.class.serialize_into_cookie(resource), resource.otp_persistence_seed].tap do
+          end
+        else
+          false
+        end
+      end
+
+      #
+      # make the current browser trusted
+      #
+      def otp_set_trusted_device_for(resource)
+        cookies.signed[otp_scoped_persistence_cookie] = {
+            :httponly => true,
+            :expires => 30.days.from_now,
+            :value => [resource.class.serialize_into_cookie(resource), resource.otp_persistence_seed]
+        }
+      end
+
+      def otp_set_refresh_return_url
+        session[otp_scoped_refresh_return_url_property] = request.fullpath
+      end
+
+      def otp_fetch_refresh_return_url
+        session.delete(otp_scoped_refresh_return_url_property) { :root }
+
+      end
+
+      def otp_scoped_refresh_return_url_property
+        "otp_#{resource_name}refresh_return_url".to_sym
+      end
+
+      def otp_scoped_refresh_property
+        "otp_#{resource_name}refresh_after".to_sym
+      end
+
+      def otp_scoped_persistence_cookie
+        "otp_#{resource_name}_device_trusted"
+      end
+
+      #
+      # make the current browser NOT trusted
+      #
+      def otp_clear_trusted_device_for(resource)
+        cookies.delete(otp_scoped_persistence_cookie)
+      end
+
+
+      #
+      # clears the persistence list for this kind of resource
+      #
+      def otp_reset_persistence_for(resource)
+        otp_clear_trusted_device_for(resource)
+        resource.reset_otp_persistence!
+      end
+
+      #
+      # returns the URL for the QR Code to initialize the Authenticator device
+      #
+      def otp_authenticator_token_image(resource)
+        otp_authenticator_token_image_google(resource.otp_provisioning_uri)
+      end
+
+      private
+
+      def otp_authenticator_token_image_google(otp_url)
+        otp_url = Rack::Utils.escape(otp_url)
+        url = "https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=#{otp_url}"
+        image_tag(url, :alt => 'OTP Url QRCode')
+      end
+
+    end
+  end
+end

data/lib/devise_otp_authenticatable/controllers/url_helpers.rb

@@ -0,0 +1,35 @@
+module DeviseOtpAuthenticatable
+  module Controllers
+
+    module UrlHelpers
+
+
+      def recovery_otp_token_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("recovery_#{scope}_otp_token_path", opts)
+      end
+
+
+      def refresh_otp_credential_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("refresh_#{scope}_otp_credential_path", opts)
+      end
+
+      def persistence_otp_token_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("persistence_#{scope}_otp_token_path", opts)
+      end
+
+      def otp_token_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("#{scope}_otp_token_path", opts)
+      end
+
+      def otp_credential_path_for(resource_or_scope, opts = {})
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send("#{scope}_otp_credential_path", opts)
+      end
+
+    end
+  end
+end