devise-otp 0.1.1

data/lib/devise_otp_authenticatable/engine.rb

@@ -0,0 +1,23 @@
+module DeviseOtpAuthenticatable
+  class Engine < ::Rails::Engine
+
+    ActiveSupport.on_load(:action_controller) do
+      include DeviseOtpAuthenticatable::Controllers::UrlHelpers
+      include DeviseOtpAuthenticatable::Controllers::Helpers
+    end
+    ActiveSupport.on_load(:action_view) do
+      include DeviseOtpAuthenticatable::Controllers::UrlHelpers
+      include DeviseOtpAuthenticatable::Controllers::Helpers
+    end
+
+    # We use to_prepare instead of after_initialize here because Devise is a Rails engine;
+    config.to_prepare do
+      DeviseOtpAuthenticatable::Hooks.apply
+    end
+
+    # extend mapping with after_initialize because is not reloaded
+    config.after_initialize do
+      Devise::Mapping.send :include, DeviseOtpAuthenticatable::Mapping
+    end
+  end
+end

data/lib/devise_otp_authenticatable/hooks.rb

@@ -0,0 +1,13 @@
+module DeviseOtpAuthenticatable
+  module Hooks
+
+    autoload :Sessions, 'devise_otp_authenticatable/hooks/sessions.rb'
+
+    class << self
+      def apply
+        Devise::SessionsController.send(:include, Hooks::Sessions)
+      end
+    end
+
+  end
+end

data/lib/devise_otp_authenticatable/hooks/sessions.rb

@@ -0,0 +1,57 @@
+module DeviseOtpAuthenticatable::Hooks
+  module Sessions
+    extend ActiveSupport::Concern
+    include DeviseOtpAuthenticatable::Controllers::UrlHelpers
+
+    included do
+      alias_method_chain :create, :otp
+    end
+
+    #
+    # replaces Devise::SessionsController#create
+    #
+    def create_with_otp
+
+      resource = warden.authenticate!(auth_options)
+
+      otp_refresh_credentials_for(resource)
+
+      if otp_challenge_required_on?(resource)
+        challenge = resource.generate_otp_challenge!
+        warden.logout
+        respond_with resource, :location => otp_credential_path_for(resource, {:challenge => challenge})
+
+      elsif otp_mandatory_on?(resource) # if mandatory, log in user but send him to the must activate otp
+        set_flash_message(:notice, :signed_in_but_otp) if is_navigational_format?
+        sign_in(resource_name, resource)
+        respond_with resource, :location => otp_token_path_for(resource)
+      else
+
+        set_flash_message(:notice, :signed_in) if is_navigational_format?
+        sign_in(resource_name, resource)
+        respond_with resource, :location => after_sign_in_path_for(resource)
+      end
+    end
+
+
+    private
+
+    #
+    # resource should be challenged for otp
+    #
+    def otp_challenge_required_on?(resource)
+      return false unless resource.respond_to?(:otp_enabled) && resource.respond_to?(:otp_auth_secret)
+      resource.otp_enabled && !is_otp_trusted_device_for?(resource)
+    end
+
+    #
+    # the resource -should- have otp turned on, but it isn't
+    #
+    def otp_mandatory_on?(resource)
+      return true if resource.class.otp_mandatory
+      return false unless resource.respond_to?(:otp_mandatory)
+
+      resource.otp_mandatory && !resource.otp_enabled
+    end
+  end
+end

data/lib/devise_otp_authenticatable/mapping.rb

@@ -0,0 +1,19 @@
+module DeviseOtpAuthenticatable
+
+  module Mapping
+
+    def self.included(base)
+      base.alias_method_chain :default_controllers, :otp
+    end
+
+    private
+    def default_controllers_with_otp(options)
+      options[:controllers] ||= {}
+
+      options[:controllers][:otp_tokens]      ||= "tokens"
+      options[:controllers][:otp_credentials] ||= "credentials"
+
+      default_controllers_without_otp(options)
+    end
+  end
+end

data/lib/devise_otp_authenticatable/models/otp_authenticatable.rb

@@ -0,0 +1,140 @@
+require 'rotp'
+
+module Devise::Models
+  module OtpAuthenticatable
+    extend ActiveSupport::Concern
+
+    included do
+      before_validation :generate_otp_auth_secret, :on => :create
+      before_validation :generate_otp_persistence_seed, :on => :create
+      scope :with_valid_otp_challenge, lambda { |time| where('otp_challenge_expires > ?', time) }
+    end
+
+    module ClassMethods
+      ::Devise::Models.config(self, :otp_authentication_timeout, :otp_drift_window,
+                                    :otp_mandatory, :otp_credentials_refresh, :otp_uri_application, :recovery_tokens)
+
+      def find_valid_otp_challenge(challenge)
+        with_valid_otp_challenge(Time.now).where(:otp_session_challenge => challenge).first
+      end
+    end
+
+    def time_based_otp
+      @time_based_otp ||= ROTP::TOTP.new(otp_auth_secret)
+    end
+
+    def recovery_otp
+      @recovery_otp ||= ROTP::HOTP.new(otp_recovery_secret)
+    end
+
+    def otp_provisioning_uri
+      time_based_otp.provisioning_uri(otp_provisioning_identifier)
+    end
+
+    def otp_provisioning_identifier
+      "#{email}/#{self.class.otp_uri_application || Rails.application.class.parent_name}"
+    end
+
+
+    def reset_otp_credentials
+      @time_based_otp = nil
+      @recovery_otp = nil
+      generate_otp_auth_secret
+      reset_otp_persistence
+      update_columns(:otp_enabled => false, :otp_time_drift => 0,
+                        :otp_session_challenge => nil, :otp_challenge_expires => nil,
+                        :otp_recovery_counter => 0)
+    end
+
+    def reset_otp_credentials!
+      reset_otp_credentials
+      save!
+    end
+
+
+    def reset_otp_persistence
+      generate_otp_persistence_seed
+    end
+
+    def reset_otp_persistence!
+      reset_otp_persistence
+      save!
+    end
+
+    def generate_otp_challenge!(expires = nil)
+      update_columns(:otp_session_challenge => SecureRandom.hex,
+                     :otp_challenge_expires => DateTime.now + (expires || self.class.otp_authentication_timeout))
+      otp_session_challenge
+    end
+
+    def otp_challenge_valid?
+      (otp_challenge_expires.nil? || otp_challenge_expires > Time.now)
+    end
+
+
+    def validate_otp_token(token, recovery = false)
+      if recovery
+        validate_otp_recovery_token token
+      else
+        validate_otp_time_token token
+      end
+    end
+    alias_method :valid_otp_token?, :validate_otp_token
+
+    def validate_otp_time_token(token)
+      if drift = validate_otp_token_with_drift(token)
+        update_column(:otp_time_drift, drift)
+        true
+      else
+        false
+      end
+    end
+    alias_method :valid_otp_time_token?, :validate_otp_time_token
+
+    def next_otp_recovery_tokens(number = 5)
+      (otp_recovery_counter..otp_recovery_counter + number).inject({}) do |h, index|
+        h[index] = recovery_otp.at(index)
+        h
+      end
+    end
+
+    def validate_otp_recovery_token(token)
+      token = token.to_i unless token.is_a?(Fixnum)
+      recovery_otp.verify(token, otp_recovery_counter).tap do
+        self.otp_recovery_counter += 1
+        save!
+      end
+    end
+    alias_method :valid_otp_recovery_token?, :validate_otp_recovery_token
+
+
+
+
+
+    private
+
+    #
+    # refactor me, I suck
+    #
+    def validate_otp_token_with_drift(token)
+      # valid_vals << ROTP::TOTP.new(otp_auth_secret).at(Time.now)
+      token = token.to_i unless token.is_a?(Fixnum)
+
+      # should be centered around saved drift
+      (-self.class.otp_drift_window..self.class.otp_drift_window).each do |drift|
+        return drift if(time_based_otp.verify(token, Time.now.ago(30 * drift)))
+      end
+      false
+    end
+
+    def generate_otp_persistence_seed
+      self.otp_persistence_seed = SecureRandom.hex
+    end
+
+    def generate_otp_auth_secret
+      self.otp_auth_secret = ROTP::Base32.random_base32
+      self.otp_recovery_secret = ROTP::Base32.random_base32
+    end
+
+  end
+end

data/lib/devise_otp_authenticatable/routes.rb

@@ -0,0 +1,30 @@
+module ActionDispatch::Routing
+  class Mapper
+
+
+    protected
+    #########
+
+    def devise_otp(mapping, controllers)
+
+      namespace :otp, :module => :devise_otp do
+        resource :token, :only => [:show, :update, :destroy],
+                 :path => mapping.path_names[:token], :controller => controllers[:otp_tokens] do
+
+          get  :persistence, :action => 'get_persistence'
+          post :persistence, :action => 'clear_persistence'
+          delete :persistence, :action => 'delete_persistence'
+
+          get  :recovery
+        end
+
+        resource :credential, :only => [:show, :update],
+                 :path => mapping.path_names[:credentials], :controller => controllers[:otp_credentials] do
+
+          get  :refresh, :action => 'get_refresh'
+          put :refresh, :action => 'set_refresh'
+        end
+      end
+    end
+  end
+end

data/lib/generators/active_record/devise_otp_generator.rb

@@ -0,0 +1,13 @@
+require 'rails/generators/active_record'
+
+module ActiveRecord
+  module Generators
+    class DeviseOtpGenerator < ActiveRecord::Generators::Base
+      source_root File.expand_path("../templates", __FILE__)
+
+      def copy_devise_migration
+        migration_template "migration.rb", "db/migrate/devise_otp_add_to_#{table_name}"
+      end
+    end
+  end
+end

data/lib/generators/active_record/templates/migration.rb

@@ -0,0 +1,28 @@
+class DeviseOtpAddTo<%= table_name.camelize %> < ActiveRecord::Migration
+  def self.up
+    change_table :<%= table_name %> do |t|
+      t.string    :otp_auth_secret
+      t.string    :otp_recovery_secret
+      t.boolean   :otp_enabled,          :default => false, :null => false
+      t.boolean   :otp_mandatory,        :default => false, :null => false
+      t.datetime  :otp_enabled_on
+      t.integer   :otp_time_drift,       :default => 0, :null => false
+      t.integer   :otp_failed_attempts,  :default => 0, :null => false
+      t.integer   :otp_recovery_counter, :default => 0, :null => false
+      t.string    :otp_persistence_seed
+
+      t.string    :otp_session_challenge
+      t.datetime  :otp_challenge_expires
+    end
+    add_index :<%= table_name %>, :otp_session_challenge,  :unique => true
+    add_index :<%= table_name %>, :otp_challenge_expires
+  end
+  
+  def self.down
+    change_table :<%= table_name %> do |t|
+      t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,
+          :otp_challenge_expires, :otp_time_drift, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+
+    end
+  end
+end

data/lib/generators/devise_otp/devise_otp_generator.rb

@@ -0,0 +1,17 @@
+module DeviseOtp
+	module Generators
+		class DeviseOtpGenerator < Rails::Generators::NamedBase
+
+			namespace "devise_otp"
+
+			desc "Add :otp_authenticatable directive in the given model, plus accessors. Also generate migration for ActiveRecord"
+
+			def inject_devise_otp_content
+				path = File.join("app","models","#{file_path}.rb")
+				inject_into_file(path, "otp_authenticatable, :", :after => "devise :") if File.exists?(path)
+			end
+
+			hook_for :orm
+		end
+	end
+end

data/lib/generators/devise_otp/install_generator.rb

@@ -0,0 +1,31 @@
+module DeviseOtp
+  module Generators # :nodoc:
+    # Install Generator
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path("../../templates", __FILE__)
+
+      desc "Install the devise OTP authentication extension"
+
+      def add_configs
+
+content = <<-CONTENT
+
+  # ==> Devise OTP Extension
+  # Configure OTP extension for devise
+
+  # How long should the user have to enter their token. To change the default, uncomment and change the below:
+  #config.otp_authentication_timeout = 3.minutes
+
+  # Change time drift settings for valid token values. To change the default, uncomment and change the below:
+  #config.otp_authentication_time_drift = 3
+CONTENT
+
+        inject_into_file "config/initializers/devise.rb", content, :before => /end[ |\n|]+\Z/
+      end
+
+      def copy_locale
+        copy_file "../../../config/locales/en.yml", "config/locales/devise.otp.en.yml"
+      end
+    end
+  end
+end

data/lib/generators/devise_otp/views_generator.rb

@@ -0,0 +1,19 @@
+require 'generators/devise/views_generator'
+
+module DeviseOtp
+  module Generators
+    class ViewsGenerator < Rails::Generators::Base
+      desc 'Copies all Devise OTP views to your application.'
+
+      argument :scope, :required => false, :default => nil,
+                       :desc => "The scope to copy views to"
+
+      include ::Devise::Generators::ViewPathTemplates
+      source_root File.expand_path("../../../../app/views/devise_otp", __FILE__)
+      def copy_views
+        view_directory :credentials, 'app/views/devise_otp/credentials'
+        view_directory :tokens, 'app/views/devise_otp/tokens'
+      end
+    end
+  end
+end

data/test/dummy/README.rdoc

@@ -0,0 +1,261 @@
+== Welcome to Rails
+
+Rails is a web-application framework that includes everything needed to create
+database-backed web applications according to the Model-View-Control pattern.
+
+This pattern splits the view (also called the presentation) into "dumb"
+templates that are primarily responsible for inserting pre-built data in between
+HTML tags. The model contains the "smart" domain objects (such as Account,
+Product, Person, Post) that holds all the business logic and knows how to
+persist themselves to a database. The controller handles the incoming requests
+(such as Save New Account, Update Product, Show Post) by manipulating the model
+and directing data to the view.
+
+In Rails, the model is handled by what's called an object-relational mapping
+layer entitled Active Record. This layer allows you to present the data from
+database rows as objects and embellish these data objects with business logic
+methods. You can read more about Active Record in
+link:files/vendor/rails/activerecord/README.html.
+
+The controller and view are handled by the Action Pack, which handles both
+layers by its two parts: Action View and Action Controller. These two layers
+are bundled in a single package due to their heavy interdependence. This is
+unlike the relationship between the Active Record and Action Pack that is much
+more separate. Each of these packages can be used independently outside of
+Rails. You can read more about Action Pack in
+link:files/vendor/rails/actionpack/README.html.
+
+
+== Getting Started
+
+1. At the command prompt, create a new Rails application:
+       <tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
+
+2. Change directory to <tt>myapp</tt> and start the web server:
+       <tt>cd myapp; rails server</tt> (run with --help for options)
+
+3. Go to http://localhost:3000/ and you'll see:
+       "Welcome aboard: You're riding Ruby on Rails!"
+
+4. Follow the guidelines to start developing your application. You can find
+the following resources handy:
+
+* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
+* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
+
+
+== Debugging Rails
+
+Sometimes your application goes wrong. Fortunately there are a lot of tools that
+will help you debug it and get it back on the rails.
+
+First area to check is the application log files. Have "tail -f" commands
+running on the server.log and development.log. Rails will automatically display
+debugging and runtime information to these files. Debugging info will also be
+shown in the browser on requests from 127.0.0.1.
+
+You can also log your own messages directly into the log file from your code
+using the Ruby logger class from inside your controllers. Example:
+
+  class WeblogController < ActionController::Base
+    def destroy
+      @weblog = Weblog.find(params[:id])
+      @weblog.destroy
+      logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
+    end
+  end
+
+The result will be a message in your log file along the lines of:
+
+  Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
+
+More information on how to use the logger is at http://www.ruby-doc.org/core/
+
+Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
+several books available online as well:
+
+* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
+* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
+
+These two books will bring you up to speed on the Ruby language and also on
+programming in general.
+
+
+== Debugger
+
+Debugger support is available through the debugger command when you start your
+Mongrel or WEBrick server with --debugger. This means that you can break out of
+execution at any point in the code, investigate and change the model, and then,
+resume execution! You need to install ruby-debug to run the server in debugging
+mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
+
+  class WeblogController < ActionController::Base
+    def index
+      @posts = Post.all
+      debugger
+    end
+  end
+
+So the controller will accept the action, run the first line, then present you
+with a IRB prompt in the server window. Here you can do things like:
+
+  >> @posts.inspect
+  => "[#<Post:0x14a6be8
+          @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
+       #<Post:0x14a6620
+          @attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
+  >> @posts.first.title = "hello from a debugger"
+  => "hello from a debugger"
+
+...and even better, you can examine how your runtime objects actually work:
+
+  >> f = @posts.first
+  => #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
+  >> f.
+  Display all 152 possibilities? (y or n)
+
+Finally, when you're ready to resume execution, you can enter "cont".
+
+
+== Console
+
+The console is a Ruby shell, which allows you to interact with your
+application's domain model. Here you'll have all parts of the application
+configured, just like it is when the application is running. You can inspect
+domain models, change values, and save to the database. Starting the script
+without arguments will launch it in the development environment.
+
+To start the console, run <tt>rails console</tt> from the application
+directory.
+
+Options:
+
+* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
+  made to the database.
+* Passing an environment name as an argument will load the corresponding
+  environment. Example: <tt>rails console production</tt>.
+
+To reload your controllers and models after launching the console run
+<tt>reload!</tt>
+
+More information about irb can be found at:
+link:http://www.rubycentral.org/pickaxe/irb.html
+
+
+== dbconsole
+
+You can go to the command line of your database directly through <tt>rails
+dbconsole</tt>. You would be connected to the database with the credentials
+defined in database.yml. Starting the script without arguments will connect you
+to the development database. Passing an argument will connect you to a different
+database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
+PostgreSQL and SQLite 3.
+
+== Description of Contents
+
+The default directory structure of a generated Ruby on Rails application:
+
+  |-- app
+  |   |-- assets
+  |       |-- images
+  |       |-- javascripts
+  |       `-- stylesheets
+  |   |-- controllers
+  |   |-- helpers
+  |   |-- mailers
+  |   |-- models
+  |   `-- views
+  |       `-- layouts
+  |-- config
+  |   |-- environments
+  |   |-- initializers
+  |   `-- locales
+  |-- db
+  |-- doc
+  |-- lib
+  |   `-- tasks
+  |-- log
+  |-- public
+  |-- script
+  |-- test
+  |   |-- fixtures
+  |   |-- functional
+  |   |-- integration
+  |   |-- performance
+  |   `-- unit
+  |-- tmp
+  |   |-- cache
+  |   |-- pids
+  |   |-- sessions
+  |   `-- sockets
+  `-- vendor
+      |-- assets
+          `-- stylesheets
+      `-- plugins
+
+app
+  Holds all the code that's specific to this particular application.
+
+app/assets
+  Contains subdirectories for images, stylesheets, and JavaScript files.
+
+app/controllers
+  Holds controllers that should be named like weblogs_controller.rb for
+  automated URL mapping. All controllers should descend from
+  ApplicationController which itself descends from ActionController::Base.
+
+app/models
+  Holds models that should be named like post.rb. Models descend from
+  ActiveRecord::Base by default.
+
+app/views
+  Holds the template files for the view that should be named like
+  weblogs/index.html.erb for the WeblogsController#index action. All views use
+  eRuby syntax by default.
+
+app/views/layouts
+  Holds the template files for layouts to be used with views. This models the
+  common header/footer method of wrapping views. In your views, define a layout
+  using the <tt>layout :default</tt> and create a file named default.html.erb.
+  Inside default.html.erb, call <% yield %> to render the view using this
+  layout.
+
+app/helpers
+  Holds view helpers that should be named like weblogs_helper.rb. These are
+  generated for you automatically when using generators for controllers.
+  Helpers can be used to wrap functionality for your views into methods.
+
+config
+  Configuration files for the Rails environment, the routing map, the database,
+  and other dependencies.
+
+db
+  Contains the database schema in schema.rb. db/migrate contains all the
+  sequence of Migrations for your schema.
+
+doc
+  This directory is where your application documentation will be stored when
+  generated using <tt>rake doc:app</tt>
+
+lib
+  Application specific libraries. Basically, any kind of custom code that
+  doesn't belong under controllers, models, or helpers. This directory is in
+  the load path.
+
+public
+  The directory available for the web server. Also contains the dispatchers and the
+  default HTML files. This should be set as the DOCUMENT_ROOT of your web
+  server.
+
+script
+  Helper scripts for automation and generation.
+
+test
+  Unit and functional tests along with fixtures. When using the rails generate
+  command, template test files will be generated for you and placed in this
+  directory.
+
+vendor
+  External libraries that the application depends on. Also includes the plugins
+  subdirectory. If the app has frozen rails, those gems also go here, under
+  vendor/rails/. This directory is in the load path.