devise-otp 0.1.1

data/test/dummy/db/migrate/20130131160351_devise_otp_add_to_users.rb

@@ -0,0 +1,28 @@
+class DeviseOtpAddToUsers < ActiveRecord::Migration
+  def self.up
+    change_table :users do |t|
+      t.string    :otp_auth_secret
+      t.string    :otp_recovery_secret
+      t.boolean   :otp_enabled,          :default => false, :null => false
+      t.boolean   :otp_mandatory,        :default => false, :null => false
+      t.datetime  :otp_enabled_on
+      t.integer   :otp_time_drift,       :default => 0, :null => false
+      t.integer   :otp_failed_attempts,  :default => 0, :null => false
+      t.integer   :otp_recovery_counter, :default => 0, :null => false
+      t.string    :otp_persistence_seed
+
+      t.string    :otp_session_challenge
+      t.datetime  :otp_challenge_expires
+    end
+
+    add_index :users, :otp_session_challenge,  :unique => true
+    add_index :users, :otp_challenge_expires
+  end
+  
+  def self.down
+    change_table :users do |t|
+      t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,
+          :otp_challenge_expires, :otp_time_drift, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+    end
+  end
+end

data/test/dummy/public/404.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <h1>The page you were looking for doesn't exist.</h1>
+    <p>You may have mistyped the address or the page may have moved.</p>
+  </div>
+</body>
+</html>

data/test/dummy/public/422.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <h1>The change you wanted was rejected.</h1>
+    <p>Maybe you tried to change something you didn't have access to.</p>
+  </div>
+</body>
+</html>

data/test/dummy/public/500.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <h1>We're sorry, but something went wrong.</h1>
+  </div>
+</body>
+</html>

data/test/dummy/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require File.expand_path('../../config/boot',  __FILE__)
+require 'rails/commands'

data/test/integration/refresh_test.rb

@@ -0,0 +1,92 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class RefreshTest < ActionDispatch::IntegrationTest
+
+  def setup
+    @old_refresh = User.otp_credentials_refresh
+    User.otp_credentials_refresh = 1.second
+  end
+
+  def teardown
+    User.otp_credentials_refresh = @old_refresh
+    Capybara.reset_sessions!
+  end
+
+  test 'a user that just signed in should be able to access their OTP settings without refreshing' do
+    sign_user_in
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+  end
+
+  test 'a user should be prompted for credentials when the credentials_refresh time is expired' do
+
+    sign_user_in
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    sleep(2)
+
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+  end
+
+  test 'a user should be able to access their OTP settings after refreshing' do
+    sign_user_in
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    sleep(2)
+
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+
+    fill_in 'user_refresh_password', :with => '12345678'
+    click_button 'Continue...'
+    assert_equal user_otp_token_path, current_path
+
+  end
+
+  test 'a user should NOT be able to access their OTP settings unless refreshing' do
+    sign_user_in
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    sleep(2)
+
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+
+    fill_in 'user_refresh_password', :with => '12345670'
+    click_button 'Continue...'
+    assert_equal refresh_user_otp_credential_path, current_path
+  end
+
+  test 'user should be asked their OTP challenge in order to refresh, if they have OTP' do
+    enable_otp_and_sign_in_with_otp
+
+    sleep(2)
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+
+    fill_in 'user_refresh_password', :with => '12345678'
+    click_button 'Continue...'
+
+    assert_equal refresh_user_otp_credential_path, current_path
+  end
+
+  test 'user should be finally be able to access their settings, if they provide both a password and a valid OTP token' do
+    user = enable_otp_and_sign_in_with_otp
+
+    sleep(2)
+    visit user_otp_token_path
+    assert_equal refresh_user_otp_credential_path, current_path
+
+    fill_in 'user_refresh_password', :with => '12345678'
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Continue...'
+
+    assert_equal user_otp_token_path, current_path
+  end
+end

data/test/integration/sign_in_test.rb

@@ -0,0 +1,77 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class SignInTest < ActionDispatch::IntegrationTest
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test 'a new user should be able to sign in without using their token' do
+    create_full_user
+
+    visit new_user_session_path
+    fill_in 'user_email', :with => 'user@email.invalid'
+    fill_in 'user_password', :with => '12345678'
+    click_button 'Sign in'
+
+    assert_equal root_path, current_path
+  end
+
+  test 'a new user, just signed in, should be able to sign in and enable their OTP authentication' do
+    user = sign_user_in
+
+    visit user_otp_token_path
+    assert !page.has_content?('Your token secret')
+
+    check 'user_otp_enabled'
+    click_button 'Continue...'
+
+    assert_equal user_otp_token_path, current_path
+
+    assert page.has_content?('Your token secret')
+    assert !user.otp_auth_secret.nil?
+    assert !user.otp_persistence_seed.nil?
+  end
+
+  test 'a new user should be able to sign in enable OTP and be prompted for their token' do
+    enable_otp_and_sign_in
+
+    assert_equal user_otp_credential_path, current_path
+  end
+
+  test 'fail token authentication' do
+    enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    fill_in 'user_token', :with => '123456'
+    click_button 'Submit Token'
+
+    assert_equal new_user_session_path, current_path
+  end
+
+  test 'successful token authentication' do
+    user = enable_otp_and_sign_in
+
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+
+    assert_equal root_path, current_path
+  end
+
+
+  test 'should fail if the the challenge times out' do
+    old_timeout = User.otp_authentication_timeout
+    User.otp_authentication_timeout = 1.second
+
+    user = enable_otp_and_sign_in
+
+    sleep(2)
+
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+
+    User.otp_authentication_timeout = old_timeout
+    assert_equal new_user_session_path, current_path
+  end
+end

data/test/integration_tests_helper.rb

@@ -0,0 +1,48 @@
+class ActionDispatch::IntegrationTest
+
+  def warden
+    request.env['warden']
+  end
+  
+  def create_full_user
+    @user ||= begin
+      user = User.create!(
+        :email                 => 'user@email.invalid',
+        :password              => '12345678',
+        :password_confirmation => '12345678'
+      )
+      user
+    end
+  end
+
+  def enable_otp_and_sign_in_with_otp
+    enable_otp_and_sign_in.tap do |user|
+      fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+      click_button 'Submit Token'
+    end
+  end
+
+
+  def enable_otp_and_sign_in
+    user = create_full_user
+    sign_user_in(user)
+    visit user_otp_token_path
+    check 'user_otp_enabled'
+    click_button 'Continue...'
+
+    Capybara.reset_sessions!
+
+    sign_user_in(user)
+    user
+  end
+
+  def sign_user_in(user = nil)
+    user ||= create_full_user
+    resource_name = user.class.name.underscore
+    visit send("new_#{resource_name}_session_path")
+    fill_in "#{resource_name}_email", :with => user.email
+    fill_in "#{resource_name}_password", :with => user.password
+    click_button 'Sign in'
+    user
+  end
+end

data/test/model_tests_helper.rb

@@ -0,0 +1,22 @@
+class ActiveSupport::TestCase
+
+  #
+  # Helpers for creating new users
+  #
+  def unique_identity
+    @@unique_identity_count ||= 0
+    @@unique_identity_count += 1
+    "user-#{@@unique_identity_count}@mail.invalid"
+  end
+
+  def valid_attributes(attributes={})
+    { :email => unique_identity,
+      :password => '12345678',
+      :password_confirmation => '12345678' }.update(attributes)
+  end
+
+  def new_user(attributes={})
+    User.new(valid_attributes(attributes)).save
+  end
+
+end

data/test/models/otp_authenticatable_test.rb

@@ -0,0 +1,116 @@
+require 'test_helper'
+require 'model_tests_helper'
+
+class OtpAuthenticatableTest < ActiveSupport::TestCase
+
+	def setup
+		new_user
+  end
+
+  test 'new users have a non-nil secret set' do
+ 		assert_not_nil User.first.otp_auth_secret
+ 	end
+
+  test 'new users have OTP disabled by default' do
+ 		assert !User.first.otp_enabled
+ 	end
+
+  test 'users should have an instance of TOTP/ROTP objects' do
+    u = User.first
+    assert u.time_based_otp.is_a? ROTP::TOTP
+    assert u.recovery_otp.is_a? ROTP::HOTP
+  end
+
+  test 'users should have their otp_auth_secret/persistence_seed set on creation' do
+    assert User.first.otp_auth_secret
+    assert User.first.otp_persistence_seed
+  end
+
+  test 'reset_otp_credentials should generate new secrets and disable OTP' do
+    u = User.first
+    u.update_attribute(:otp_enabled, true)
+    assert u.otp_enabled
+    otp_auth_secret = u.otp_auth_secret
+    otp_persistence_seed = u.otp_persistence_seed
+
+    u.reset_otp_credentials!
+    assert !(otp_auth_secret == u.otp_auth_secret)
+    assert !(otp_persistence_seed == u.otp_persistence_seed)
+    assert !u.otp_enabled
+  end
+
+  test 'reset_otp_persistence should generate new persistence_seed but NOT change the otp_auth_secret' do
+    u = User.first
+    u.update_attribute(:otp_enabled, true)
+    assert u.otp_enabled
+    otp_auth_secret = u.otp_auth_secret
+    otp_persistence_seed = u.otp_persistence_seed
+
+    u.reset_otp_persistence!
+    assert (otp_auth_secret == u.otp_auth_secret)
+    assert !(otp_persistence_seed == u.otp_persistence_seed)
+    assert u.otp_enabled
+  end
+
+  test 'generating a challenge, should retrieve the user later' do
+    u = User.first
+    u.update_attribute(:otp_enabled, true)
+    challenge = u.generate_otp_challenge!
+
+    w = User.find_valid_otp_challenge(challenge)
+    assert w.is_a? User
+    assert_equal w,u
+  end
+
+  test 'expiring the challenge, should retrieve nothing' do
+    u = User.first
+    u.update_attribute(:otp_enabled, true)
+    challenge = u.generate_otp_challenge!(1.second)
+    sleep(2)
+
+    w = User.find_valid_otp_challenge(challenge)
+    assert_nil w
+  end
+
+  test 'expired challenges should not be valid' do
+    u = User.first
+    u.update_attribute(:otp_enabled, true)
+    challenge = u.generate_otp_challenge!(1.second)
+    sleep(2)
+    assert_equal false, u.otp_challenge_valid?
+  end
+
+
+  test 'generated otp token should be valid for the user' do
+    u = User.first
+    u.update_attribute(:otp_enabled, true)
+
+    secret = u.otp_auth_secret
+    token = ROTP::TOTP.new(secret).now
+
+    assert_equal true, u.validate_otp_token(token)
+  end
+
+  test 'generated otp token, out of drift window, should be NOT valid for the user' do
+    u = User.first
+    u.update_attribute(:otp_enabled, true)
+
+    secret = u.otp_auth_secret
+
+    [3.minutes.from_now, 3.minutes.ago].each do |time|
+      token = ROTP::TOTP.new(secret).at(time)
+      assert_equal false, u.valid_otp_token?(token)
+    end
+  end
+
+  test 'recovery secrets should be valid, and valid only once' do
+    u = User.first
+    u.update_attribute(:otp_enabled, true)
+    recovery = u.next_otp_recovery_tokens
+
+    assert u.valid_otp_recovery_token? recovery.fetch(0)
+    assert_equal false, u.valid_otp_recovery_token?(recovery.fetch(0))
+    assert u.valid_otp_recovery_token? recovery.fetch(2)
+  end
+
+end