devise-otp 0.2.0 → 0.3.0

data/app/controllers/devise_otp/devise/credentials_controller.rb

@@ -0,0 +1,102 @@
+module DeviseOtp
+  module Devise
+    class CredentialsController < DeviseController
+      helper_method :new_session_path
+
+      prepend_before_action :authenticate_scope!, :only => [:get_refresh, :set_refresh]
+      prepend_before_action :require_no_authentication, :only => [ :show, :update ]
+
+      #
+      # show a request for the OTP token
+      #
+      def show
+        @challenge = params[:challenge]
+        @recovery =  (params[:recovery] == 'true') && recovery_enabled?
+
+        if @challenge.nil?
+          redirect_to :root
+        else
+          self.resource = resource_class.find_valid_otp_challenge(@challenge)
+          if resource.nil?
+            redirect_to :root
+          elsif @recovery
+            @recovery_count = resource.otp_recovery_counter
+            render :show
+          else
+            render :show
+          end
+        end
+      end
+
+      #
+      # signs the resource in, if the OTP token is valid and the user has a valid challenge
+      #
+      def update
+        resource = resource_class.find_valid_otp_challenge(params[resource_name][:challenge])
+        recovery = (params[resource_name][:recovery] == 'true') && recovery_enabled?
+        token = params[resource_name][:token]
+
+        if token.blank?
+          otp_set_flash_message(:alert, :token_blank)
+          redirect_to otp_credential_path_for(resource_name, :challenge => params[resource_name][:challenge],
+                                                             :recovery => recovery)
+        elsif resource.nil?
+          otp_set_flash_message(:alert, :otp_session_invalid)
+          redirect_to new_session_path(resource_name)
+        else
+          if resource.otp_challenge_valid? && resource.validate_otp_token(params[resource_name][:token], recovery)
+            set_flash_message(:success, :signed_in) if is_navigational_format?
+            sign_in(resource_name, resource)
+
+            otp_set_trusted_device_for(resource) if params[:enable_persistence] == "true"
+            otp_refresh_credentials_for(resource)
+            respond_with resource, :location => after_sign_in_path_for(resource)
+          else
+            otp_set_flash_message :alert, :token_invalid
+            redirect_to new_session_path(resource_name)
+          end
+        end
+      end
+
+      #
+      # displays the request for a credentials refresh
+      #
+      def get_refresh
+        ensure_resource!
+        render :refresh
+      end
+
+      #
+      # lets the user through is the refresh is valid
+      #
+      def set_refresh
+        ensure_resource!
+
+        if resource.valid_password?(params[resource_name][:refresh_password])
+          done_valid_refresh
+        else
+          failed_refresh
+        end
+      end
+
+      private
+
+      def done_valid_refresh
+        otp_refresh_credentials_for(resource)
+        otp_set_flash_message :success, :valid_refresh if is_navigational_format?
+
+        respond_with resource, :location => otp_fetch_refresh_return_url
+      end
+
+      def failed_refresh
+        otp_set_flash_message :alert, :invalid_refresh
+        render :refresh
+      end
+
+      def self.controller_path
+        "#{::Devise.otp_controller_path}/credentials"
+      end
+
+    end
+  end
+end

data/app/controllers/devise_otp/devise/tokens_controller.rb

@@ -0,0 +1,112 @@
+module DeviseOtp
+  module Devise
+    class TokensController < DeviseController
+      include ::Devise::Controllers::Helpers
+
+      prepend_before_action :ensure_credentials_refresh
+      prepend_before_action :authenticate_scope!
+
+      protect_from_forgery :except => [:clear_persistence, :delete_persistence]
+
+      #
+      # Displays the status of OTP authentication
+      #
+      def show
+        if resource.nil?
+          redirect_to stored_location_for(scope) || :root
+        else
+          render :show
+        end
+      end
+
+      #
+      # Updates the status of OTP authentication
+      #
+      def update
+        enabled = params[resource_name][:otp_enabled] == '1'
+        if (enabled ? resource.enable_otp! : resource.disable_otp!)
+          otp_set_flash_message :success, :successfully_updated
+        end
+
+        render :show
+      end
+
+      #
+      # Resets OTP authentication, generates new credentials, sets it to off
+      #
+      def destroy
+        if resource.reset_otp_credentials!
+          otp_set_flash_message :success, :successfully_reset_creds
+        end
+
+        redirect_to :action => :show
+      end
+
+      #
+      # makes the current browser persistent
+      #
+      def get_persistence
+        if otp_set_trusted_device_for(resource)
+          otp_set_flash_message :success, :successfully_set_persistence
+        end
+
+        redirect_to :action => :show
+      end
+
+      #
+      # clears persistence for the current browser
+      #
+      def clear_persistence
+        if otp_clear_trusted_device_for(resource)
+          otp_set_flash_message :success, :successfully_cleared_persistence
+        end
+
+        redirect_to :action => :show
+      end
+
+      #
+      # rehash the persistence secret, thus, making all the persistence cookies invalid
+      #
+      def delete_persistence
+        if otp_reset_persistence_for(resource)
+          otp_set_flash_message :notice, :successfully_reset_persistence
+        end
+
+        redirect_to :action => :show
+      end
+
+      #
+      #
+      #
+      def recovery
+        respond_to do |format|
+          format.html
+          format.js
+          format.text do
+            send_data render_to_string(template: "#{controller_path}/recovery_codes"), filename: "otp-recovery-codes.txt", format: "text"
+          end
+        end
+      end
+
+      private
+
+      def ensure_credentials_refresh
+        ensure_resource!
+
+        if needs_credentials_refresh?(resource)
+          otp_set_flash_message :notice, :need_to_refresh_credentials
+          redirect_to refresh_otp_credential_path_for(resource)
+        end
+      end
+
+      def scope
+        resource_name.to_sym
+      end
+
+      def self.controller_path
+        "#{::Devise.otp_controller_path}/tokens"
+      end
+
+    end
+  end
+end

data/app/views/devise/credentials/refresh.html.erb

@@ -0,0 +1,19 @@
+<h2><%= I18n.t('title', :scope => 'devise.otp.credentials_refresh') %></h2>
+<p><%= I18n.t('explain', :scope => 'devise.otp.credentials_refresh') %></p>
+
+<%= form_for(resource, :as => resource_name, :url => [:refresh, resource_name, :otp_credential], :html => { :method => :put, "data-turbo" => false }) do |f| %>
+
+  <%= render "devise/shared/error_messages", resource: resource %>
+
+  <div>
+    <%= f.label :email %><br />
+    <%= f.text_field :email, :disabled => :true%>
+  </div>
+
+  <div>
+    <%= f.label :password %><br />
+    <%= f.password_field :refresh_password, :autocomplete => :off, :autofocus => true %>
+  </div>
+
+  <div><%= f.submit I18n.t(:go_on, :scope => 'devise.otp.credentials_refresh') %></div>
+<% end %>

data/app/views/devise/credentials/show.html.erb

@@ -0,0 +1,31 @@
+<h2><%= I18n.t('title', :scope => 'devise.otp.submit_token') %></h2>
+<p><%= I18n.t('explain', :scope => 'devise.otp.submit_token') %></p>
+
+<%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_credential], :html => { :method => :put, "data-turbo" => false }) do |f| %>
+
+  <%= f.hidden_field :challenge, {:value => @challenge} %>
+  <%= f.hidden_field :recovery, {:value => @recovery} %>
+
+  <% if @recovery %>
+    <p>
+      <%= f.label :token, I18n.t('recovery_prompt', :scope => 'devise.otp.submit_token') %><br />
+      <%= f.text_field :otp_recovery_counter, :autocomplete => :off, :disabled => true, :size => 4 %>
+    </p>
+  <% else %>
+    <p>
+      <%= f.label :token, I18n.t('prompt', :scope => 'devise.otp.submit_token') %><br />
+    </p>
+  <% end %>
+
+  <%= f.text_field :token, :autocomplete => :off, :autofocus => true, :size => 6, :value => '' %><br>
+
+  <%= label_tag :enable_persistence do %>
+    <%= check_box_tag :enable_persistence, true, false %> Remember this browser
+  <% end %>
+
+  <p><%= f.submit I18n.t('submit', :scope => 'devise.otp.submit_token') %></p>
+
+  <% if !@recovery && recovery_enabled? %>
+    <p><%= link_to I18n.t('recovery_link', :scope => 'devise.otp.submit_token'), otp_credential_path_for(resource_name, :challenge => @challenge, :recovery => true) %></p>
+  <% end %>
+<% end %>

data/app/views/devise/tokens/_token_secret.html.erb

@@ -0,0 +1,23 @@
+<h3><%= I18n.t('title', :scope => 'devise.otp.token_secret') %></h3>
+<p><%= I18n.t('explain', :scope => 'devise.otp.token_secret') %></p>
+
+<%= otp_authenticator_token_image(resource) %>
+
+<p>
+  <strong><%= I18n.t('manual_provisioning', :scope => 'devise.otp.token_secret') %>:</strong>
+  <code><%= resource.otp_auth_secret %></code>
+</p>
+
+<p><%= button_to I18n.t('reset_otp', :scope => 'devise.otp.token_secret'), @resource, :method => :delete, :data => { "turbo-method": "DELETE" } %></p>
+
+<p>
+  <%= I18n.t('reset_explain', :scope => 'devise.otp.token_secret') %>
+  <strong><%= I18n.t('reset_explain_warn', :scope => 'devise.otp.token_secret') %></strong>
+</p>
+
+<%- if recovery_enabled? %>
+  <h3><%= I18n.t('title', :scope => 'devise.otp.tokens.recovery') %></h3>
+  <p><%= I18n.t('explain', :scope => 'devise.otp.tokens.recovery') %></p>
+  <p><%= link_to I18n.t('codes_list', :scope => 'devise.otp.tokens.recovery'), recovery_otp_token_for(resource_name) %></p>
+  <p><%= link_to I18n.t('download_codes', :scope => 'devise.otp.tokens.recovery'), recovery_otp_token_for(resource_name, format: :text) %></p>
+<% end %>

data/app/views/devise/tokens/_trusted_devices.html.erb

@@ -0,0 +1,12 @@
+<h3><%= I18n.t('title', :scope => 'devise.otp.trusted_browsers') %></h3>
+<p><%= I18n.t('explain', :scope => 'devise.otp.trusted_browsers') %></p>
+
+<%- if is_otp_trusted_browser_for? resource %>
+  <p><em><%= I18n.t('browser_trusted', :scope => 'devise.otp.trusted_browsers') %></em></p>
+  <p><%= link_to I18n.t('trust_remove', :scope => 'devise.otp.trusted_browsers'), persistence_otp_token_path_for(resource_name), :method => :post, :data => { "turbo-method": "POST" } %></p>
+<% else %>
+  <p><%= I18n.t('browser_not_trusted', :scope => 'devise.otp.trusted_browsers') %></p>
+  <p><%= link_to I18n.t('trust_add', :scope => 'devise.otp.trusted_browsers'), persistence_otp_token_path_for(resource_name) %></p>
+<% end %>
+
+<p><%= button_to I18n.t('trust_clear', :scope => 'devise.otp.trusted_browsers'), persistence_otp_token_path_for(resource_name), :method => :delete, :data => { "turbo-method": "DELETE" } %></p>

data/app/views/devise/tokens/recovery.html.erb

@@ -0,0 +1,21 @@
+<h2><%= I18n.t('title', :scope => 'devise.otp.tokens.recovery') %></h2>
+<p><%= I18n.t('explain', :scope => 'devise.otp.tokens.recovery') %></p>
+
+<table>
+  <caption>
+    <thead>
+        <tr>
+          <th><%= I18n.t('sequence', :scope => 'devise.otp.tokens.recovery') %></th>
+          <th><%= I18n.t('code', :scope => 'devise.otp.tokens.recovery') %></th>
+        </tr>
+    </thead>
+    <tbody>
+      <%- resource.next_otp_recovery_tokens.each do |seq, code| %>
+        <tr>
+          <td><%= seq %></td>
+          <td><%= code %></td>
+        </tr>
+      <% end %>
+    </tbody>
+  </caption>
+</table>

data/app/views/devise/tokens/recovery_codes.text.erb

@@ -0,0 +1,3 @@
+<% resource.next_otp_recovery_tokens.each do |seq, code| %>
+<%= code %>
+<% end %>

data/app/views/devise/tokens/show.html.erb

@@ -0,0 +1,21 @@
+<h2><%= I18n.t('title', :scope => 'devise.otp.tokens') %></h2>
+<p><%= I18n.t('explain', :scope => 'devise.otp.tokens') %></p>
+
+<%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_token], :html => { :method => :put, "data-turbo" => false }) do |f| %>
+
+  <%= render "devise/shared/error_messages", resource: resource %>
+
+  <h3><%= I18n.t('enable_request', :scope => 'devise.otp.tokens') %></h3>
+
+  <p>
+    <%= f.label :otp_enabled, I18n.t('status', :scope => 'devise.otp.tokens') %><br />
+    <%= f.check_box :otp_enabled %>
+  </p>
+
+  <p><%= f.submit I18n.t('submit', :scope => 'devise.otp.tokens') %></p>
+<% end %>
+
+<%- if resource.otp_enabled? %>
+  <%= render :partial => 'token_secret' if resource.otp_enabled? %>
+  <%= render :partial => 'trusted_devices' if trusted_devices_enabled? %>
+<% end %>

data/config/locales/en.yml

@@ -34,7 +34,7 @@ en:
 
       tokens:
         title: 'Two-factors Authentication:'
-        explain: 'Two factors does this and that and that also'
+        explain: 'Two factors authentication adds an additional layer of security to your account. When logging in you will be asked for a code that you can generate on a physical device, like your phone.'
         enable_request: 'Would you like to enable Two Factors Authenticator?'
 
         status: 'Enable Two-Factors Authentication.'
@@ -54,13 +54,13 @@ en:
           sequence: 'Sequence'
           code: 'Recovery Code'
           codes_list: 'Here is the list of your recovery codes'
+          download_codes: 'Download recovery codes'
 
-
-      trusted_devices:
-        title: 'Trusted Devices'
-        explain: 'Trusted Device are ....'
-        device_trusted: 'Your device is trusted.'
-        device_not_trusted: 'Your device is not trusted.'
-        trust_remove: 'Remove this device from the list of trusted devices'
-        trust_add: 'Trust this device'
-        trust_clear: 'Clear the list of trusted devices'
+      trusted_browsers:
+        title: 'Trusted Browsers'
+        explain: 'If you set your browser as trusted, you will not be asked to provide a Two-factor authentication token when logging in from that browser.'
+        browser_trusted: 'Your browser is trusted.'
+        browser_not_trusted: 'Your browser is not trusted.'
+        trust_remove: 'Remove this browser from the list of trusted browsers'
+        trust_add: 'Trust this browser'
+        trust_clear: 'Clear the list of trusted browsers'

data/devise-otp.gemspec

@@ -1,25 +1,30 @@
-# -*- encoding: utf-8 -*-
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'devise-otp/version'
+# frozen_string_literal: true
+
+require_relative 'lib/devise-otp/version'
 
 Gem::Specification.new do |gem|
   gem.name          = "devise-otp"
   gem.version       = Devise::Otp::VERSION
-  gem.authors       = ["Lele Forzani"]
-  gem.email         = ["lele@windmill.it"]
+  gem.authors       = ["Lele Forzani", "Josef Strzibny"]
+  gem.email         = ["lele@windmill.it", "strzibny@strzibny.name"]
   gem.description   = %q{Time Based OTP/rfc6238 compatible authentication for Devise}
   gem.summary       = %q{Time Based OTP/rfc6238 compatible authentication for Devise}
   gem.homepage      = "http://git.windmill.it/wm/devise-otp"
 
   gem.files         = `git ls-files`.split($/)
-  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.add_runtime_dependency 'rails',  '>= 3.2.6', '< 5'
-  gem.add_runtime_dependency 'devise', '>= 3.1.0', '< 4.0.0'
+  gem.add_runtime_dependency 'rails',  '>= 7.0', '< 7.1'
+  gem.add_runtime_dependency 'devise', '>= 4.8.0', '< 4.9.0'
   gem.add_runtime_dependency 'rotp',   '>= 2.0.0'
 
+  gem.add_development_dependency "capybara"
+  gem.add_development_dependency "cuprite"
+  gem.add_development_dependency "minitest-reporters", ">= 0.5.0"
+  gem.add_development_dependency "puma"
+  gem.add_development_dependency "rdoc"
+  gem.add_development_dependency "shoulda"
+  gem.add_development_dependency "sprockets-rails"
   gem.add_development_dependency "sqlite3"
 end

data/docs/QR_CODES.md

@@ -0,0 +1,48 @@
+# QR code rendering
+
+By default, Devise OTP assumes that you use [Sprockets](https://github.com/rails/sprockets) to render assets and so will use the ([qrcode.js](/app/assets/javascripts/qrcode.js)) embeded library to render the QR code.
+
+To do that, add the the following line to your `application.js` file:
+
+    //= require devise-otp
+
+You can change this behavior by overriding the `otp_authenticator_token_image` method in your view helper to call `otp_authenticator_token_image_google`:
+
+```ruby
+def otp_authenticator_token_image(resource)
+  otp_authenticator_token_image_google(resource.otp_provisioning_uri)
+end
+```
+
+This will call [Google API](https://github.com/wmlele/devise-otp/tree/master/lib/devise_otp_authenticatable/controllers/helpers.rb#L160) to render the QR code.
+
+If your application is configured to use CSP policies, you'll need to authorize `chart.googleapis.com`. Here's an example with [secure_headers](https://github.com/github/secure_headers)):
+
+```ruby
+config.csp[:img_src] << 'chart.googleapis.com'
+```
+
+A third option consists in installing [jquery-qrcode]https://github.com/jeromeetienne/jquery-qrcode with Yarn or [shakapacker](https://github.com/shakacode/shakapacker) and overriding `otp_authenticator_token_image` to render some HTML :
+
+```ruby
+def otp_authenticator_token_image(resource)
+  tag(:span, data: { toggle: 'qrcode', otp_url: resource.otp_provisioning_uri, width: 192, height: 192, render: 'canvas' })
+end
+```
+The QR code is then rendered by `jquery-qrcode` by setting a JS listener in your `application.js` :
+
+```js
+  $(document).on('turbo:load', function() {
+    return $('[data-toggle=qrcode]').each(function() {
+      var data;
+      data = $(this).data();
+      return $(this).qrcode({
+        text: data['otpUrl'],
+        width: data['width'],
+        height: data['height'],
+        render: data['render']
+      });
+    });
+  });
+```
+This way you don't rely on external services to render the QR codes.

data/lib/devise-otp/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module Otp
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

data/lib/devise-otp.rb

@@ -9,10 +9,8 @@ require 'active_support/concern'
 
 require 'devise'
 
-
 module Devise
 
-
   #
   #
   #
@@ -28,14 +26,21 @@ module Devise
   #
   #
   #
-  mattr_accessor :recovery_tokens
-  @@recovery_tokens = 5  ## false to disable
+  mattr_accessor :otp_recovery_tokens
+  @@otp_recovery_tokens = 10  ## false to disable
+
+  #
+  # If the user is given the chance to set his browser as trusted, how long will it stay trusted.
+  # set to nil/false to disable the ability to set a device as trusted
+  #
+  mattr_accessor :otp_trust_persistence
+  @@otp_trust_persistence = 30.days
 
   #
   #
   #
  	mattr_accessor :otp_drift_window
- 	@@otp_drift_window = 3 # in seconds
+ 	@@otp_drift_window = 3 # in minutes
 
   #
   # if the user wants to change Otp settings,
@@ -46,20 +51,24 @@ module Devise
   @@otp_credentials_refresh = 15.minutes  # or like 15.minutes, false to disable
 
   #
-  # the user identifier for the token is <email>/Application_name
+  # the name of the token issuer
   #
-  mattr_accessor :otp_uri_application
-  @@otp_uri_application = Rails.application.class.parent_name
+  mattr_accessor :otp_issuer
+  @@otp_issuer = Rails.application.class.module_parent_name
 
-  module Otp
 
+  #
+  # custom view path
+  #
+  mattr_accessor :otp_controller_path
+  @@otp_controller_path = "devise"
+
+  module Otp
   end
 end
 
 module DeviseOtpAuthenticatable
-
   autoload :Hooks,   'devise_otp_authenticatable/hooks'
-  autoload :Mapping, 'devise_otp_authenticatable/mapping'
 
   module Controllers
     autoload :Helpers,    'devise_otp_authenticatable/controllers/helpers'
@@ -67,10 +76,9 @@ module DeviseOtpAuthenticatable
   end
 end
 
-
 require 'devise_otp_authenticatable/routes'
 require 'devise_otp_authenticatable/engine'
 
 Devise.add_module :otp_authenticatable,
-                  :controller => :otp_tokens,
-                  :model => 'devise_otp_authenticatable/models/otp_authenticatable', :route => :otp
+                  :controller => :tokens,
+                  :model => 'devise_otp_authenticatable/models/otp_authenticatable', :route => :otp