devise-otp 0.2.0 → 0.3.0

data/lib/devise_otp_authenticatable/controllers/helpers.rb

@@ -1,9 +1,7 @@
 module DeviseOtpAuthenticatable
-
   module Controllers
     module Helpers
 
-
       def authenticate_scope!
         send(:"authenticate_#{resource_name}!", :force => true)
         self.resource = send("current_#{resource_name}")
@@ -18,17 +16,19 @@ module DeviseOtpAuthenticatable
         options[:default] = Array(options[:default]).unshift(kind.to_sym)
         options[:resource_name] = resource_name
         options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
-        message = I18n.t("#{options[:resource_name]}.#{kind}", options)
+        message = I18n.t("#{options[:resource_name]}.#{kind}", **options)
         flash[key] = message if message.present?
       end
 
       def otp_t()
-
       end
 
+      def trusted_devices_enabled?
+        resource.class.otp_trust_persistence && (resource.class.otp_trust_persistence > 0)
+      end
 
       def recovery_enabled?
-        resource_class.recovery_tokens && (resource_class.recovery_tokens > 0)
+        resource_class.otp_recovery_tokens && (resource_class.otp_recovery_tokens > 0)
       end
 
       #
@@ -40,9 +40,7 @@ module DeviseOtpAuthenticatable
         end
       end
 
-
       # fixme do cookies and persistence need to be scoped? probably
-
       #
       # check if the resource needs a credentials refresh. IE, they need to be asked a password again to access
       # this resource.
@@ -62,15 +60,14 @@ module DeviseOtpAuthenticatable
         session[otp_scoped_refresh_property] = (Time.now + resource.class.otp_credentials_refresh)
       end
 
-
       #
       # is the current browser trusted?
       #
-      def is_otp_trusted_device_for?(resource)
+      def is_otp_trusted_browser_for?(resource)
+        return false unless resource.class.otp_trust_persistence
         if cookies[otp_scoped_persistence_cookie].present?
           cookies.signed[otp_scoped_persistence_cookie] ==
-              [resource.class.serialize_into_cookie(resource), resource.otp_persistence_seed].tap do
-          end
+              [resource.to_key, resource.authenticatable_salt, resource.otp_persistence_seed]
         else
           false
         end
@@ -80,10 +77,11 @@ module DeviseOtpAuthenticatable
       # make the current browser trusted
       #
       def otp_set_trusted_device_for(resource)
+        return unless resource.class.otp_trust_persistence
         cookies.signed[otp_scoped_persistence_cookie] = {
             :httponly => true,
-            :expires => 30.days.from_now,
-            :value => [resource.class.serialize_into_cookie(resource), resource.otp_persistence_seed]
+            :expires => Time.now + resource.class.otp_trust_persistence,
+            :value => [resource.to_key, resource.authenticatable_salt, resource.otp_persistence_seed]
         }
       end
 
@@ -115,7 +113,6 @@ module DeviseOtpAuthenticatable
         cookies.delete(otp_scoped_persistence_cookie)
       end
 
-
       #
       # clears the persistence list for this kind of resource
       #
@@ -128,11 +125,27 @@ module DeviseOtpAuthenticatable
       # returns the URL for the QR Code to initialize the Authenticator device
       #
       def otp_authenticator_token_image(resource)
-        otp_authenticator_token_image_google(resource.otp_provisioning_uri)
+        otp_authenticator_token_image_js(resource.otp_provisioning_uri)
       end
 
       private
 
+      def otp_authenticator_token_image_js(otp_url)
+        content_tag(:div, :class => 'qrcode-container') do
+          tag(:div, :id => 'qrcode', :class => 'qrcode') +
+          javascript_tag(%Q[
+            new QRCode("qrcode", {
+              text: "#{otp_url}",
+              width: 256,
+              height: 256,
+              colorDark : "#000000",
+              colorLight : "#ffffff",
+              correctLevel : QRCode.CorrectLevel.H
+            });
+          ]) + tag("/div")
+        end
+      end
+
       def otp_authenticator_token_image_google(otp_url)
         otp_url = Rack::Utils.escape(otp_url)
         url = "https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=#{otp_url}"
@@ -141,4 +154,4 @@ module DeviseOtpAuthenticatable
 
     end
   end
-end
+end

data/lib/devise_otp_authenticatable/controllers/url_helpers.rb

@@ -1,35 +1,32 @@
 module DeviseOtpAuthenticatable
   module Controllers
-
     module UrlHelpers
 
-
       def recovery_otp_token_for(resource_or_scope, opts = {})
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("recovery_#{scope}_otp_token_path", opts)
       end
 
-
       def refresh_otp_credential_path_for(resource_or_scope, opts = {})
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("refresh_#{scope}_otp_credential_path", opts)
       end
 
       def persistence_otp_token_path_for(resource_or_scope, opts = {})
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("persistence_#{scope}_otp_token_path", opts)
       end
 
       def otp_token_path_for(resource_or_scope, opts = {})
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("#{scope}_otp_token_path", opts)
       end
 
       def otp_credential_path_for(resource_or_scope, opts = {})
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("#{scope}_otp_credential_path", opts)
       end
 
     end
   end
-end
+end

data/lib/devise_otp_authenticatable/engine.rb

@@ -1,23 +1,32 @@
 module DeviseOtpAuthenticatable
   class Engine < ::Rails::Engine
 
-    ActiveSupport.on_load(:action_controller) do
-      include DeviseOtpAuthenticatable::Controllers::UrlHelpers
-      include DeviseOtpAuthenticatable::Controllers::Helpers
-    end
-    ActiveSupport.on_load(:action_view) do
-      include DeviseOtpAuthenticatable::Controllers::UrlHelpers
-      include DeviseOtpAuthenticatable::Controllers::Helpers
-    end
-
     # We use to_prepare instead of after_initialize here because Devise is a Rails engine;
     config.to_prepare do
       DeviseOtpAuthenticatable::Hooks.apply
     end
 
-    # extend mapping with after_initialize because is not reloaded
-    config.after_initialize do
-      Devise::Mapping.send :include, DeviseOtpAuthenticatable::Mapping
+    initializer "devise-otp", group: :all do |app|
+      ActiveSupport.on_load(:devise_controller) do
+        include DeviseOtpAuthenticatable::Controllers::UrlHelpers
+        include DeviseOtpAuthenticatable::Controllers::Helpers
+      end
+
+      ActiveSupport.on_load(:action_view) do
+        include DeviseOtpAuthenticatable::Controllers::UrlHelpers
+        include DeviseOtpAuthenticatable::Controllers::Helpers
+      end
+
+      # See: https://guides.rubyonrails.org/engines.html#separate-assets-and-precompiling
+      # check if Rails api mode
+      if app.config.respond_to?(:assets)
+        if defined?(Sprockets) && Sprockets::VERSION >= "4"
+          app.config.assets.precompile << "devise-otp.js"
+        else
+          # use a proc instead of a string
+          app.config.assets.precompile << proc { |path| path == "devise-otp.js" }
+        end
+      end
     end
   end
-end
+end

data/lib/devise_otp_authenticatable/hooks/sessions.rb

@@ -4,36 +4,36 @@ module DeviseOtpAuthenticatable::Hooks
     include DeviseOtpAuthenticatable::Controllers::UrlHelpers
 
     included do
-      alias_method_chain :create, :otp
+      alias_method  :create, :create_with_otp
     end
 
     #
     # replaces Devise::SessionsController#create
     #
     def create_with_otp
-
       resource = warden.authenticate!(auth_options)
 
+      devise_stored_location = stored_location_for(resource) # Grab the current stored location before it gets lost by warden.logout
+      store_location_for(resource, devise_stored_location) # Restore it since #stored_location_for removes it
+
       otp_refresh_credentials_for(resource)
 
       if otp_challenge_required_on?(resource)
         challenge = resource.generate_otp_challenge!
         warden.logout
+        store_location_for(resource, devise_stored_location) # restore the stored location
         respond_with resource, :location => otp_credential_path_for(resource, {:challenge => challenge})
-
       elsif otp_mandatory_on?(resource) # if mandatory, log in user but send him to the must activate otp
         set_flash_message(:notice, :signed_in_but_otp) if is_navigational_format?
         sign_in(resource_name, resource)
         respond_with resource, :location => otp_token_path_for(resource)
       else
-
         set_flash_message(:notice, :signed_in) if is_navigational_format?
         sign_in(resource_name, resource)
         respond_with resource, :location => after_sign_in_path_for(resource)
       end
     end
 
-
     private
 
     #
@@ -41,7 +41,8 @@ module DeviseOtpAuthenticatable::Hooks
     #
     def otp_challenge_required_on?(resource)
       return false unless resource.respond_to?(:otp_enabled) && resource.respond_to?(:otp_auth_secret)
-      resource.otp_enabled && !is_otp_trusted_device_for?(resource)
+
+      resource.otp_enabled && !is_otp_trusted_browser_for?(resource)
     end
 
     #
@@ -54,4 +55,4 @@ module DeviseOtpAuthenticatable::Hooks
       resource.otp_mandatory && !resource.otp_enabled
     end
   end
-end
+end

data/lib/devise_otp_authenticatable/hooks.rb

@@ -5,7 +5,7 @@ module DeviseOtpAuthenticatable
 
     class << self
       def apply
-        Devise::SessionsController.send(:include, Hooks::Sessions)
+        ::Devise::SessionsController.send(:include, Hooks::Sessions)
       end
     end
 

data/lib/devise_otp_authenticatable/models/otp_authenticatable.rb

@@ -11,8 +11,9 @@ module Devise::Models
     end
 
     module ClassMethods
-      ::Devise::Models.config(self, :otp_authentication_timeout, :otp_drift_window,
-                                    :otp_mandatory, :otp_credentials_refresh, :otp_uri_application, :recovery_tokens)
+      ::Devise::Models.config(self, :otp_authentication_timeout, :otp_drift_window, :otp_trust_persistence,
+                                    :otp_mandatory, :otp_credentials_refresh, :otp_issuer, :otp_recovery_tokens,
+                                    :otp_controller_path)
 
       def find_valid_otp_challenge(challenge)
         with_valid_otp_challenge(Time.now).where(:otp_session_challenge => challenge).first
@@ -20,7 +21,7 @@ module Devise::Models
     end
 
     def time_based_otp
-      @time_based_otp ||= ROTP::TOTP.new(otp_auth_secret)
+      @time_based_otp ||= ROTP::TOTP.new(otp_auth_secret, issuer: "#{self.class.otp_issuer || Rails.application.class.module_parent_name}")
     end
 
     def recovery_otp
@@ -32,7 +33,7 @@ module Devise::Models
     end
 
     def otp_provisioning_identifier
-      "#{email}/#{self.class.otp_uri_application || Rails.application.class.parent_name}"
+      email
     end
 
 
@@ -41,9 +42,9 @@ module Devise::Models
       @recovery_otp = nil
       generate_otp_auth_secret
       reset_otp_persistence
-      update_columns(:otp_enabled => false, :otp_time_drift => 0,
-                        :otp_session_challenge => nil, :otp_challenge_expires => nil,
-                        :otp_recovery_counter => 0)
+      update!(:otp_enabled => false,
+             :otp_session_challenge => nil, :otp_challenge_expires => nil,
+             :otp_recovery_counter => 0)
     end
 
     def reset_otp_credentials!
@@ -51,7 +52,6 @@ module Devise::Models
       save!
     end
 
-
     def reset_otp_persistence
       generate_otp_persistence_seed
     end
@@ -61,9 +61,21 @@ module Devise::Models
       save!
     end
 
+    def enable_otp!
+      if otp_persistence_seed.nil?
+        reset_otp_credentials!
+      end
+
+      update!(:otp_enabled => true, :otp_enabled_on => Time.now)
+    end
+
+    def disable_otp!
+      update!(:otp_enabled => false, :otp_enabled_on => nil)
+    end
+
     def generate_otp_challenge!(expires = nil)
-      update_columns(:otp_session_challenge => SecureRandom.hex,
-                     :otp_challenge_expires => DateTime.now + (expires || self.class.otp_authentication_timeout))
+      update!(:otp_session_challenge => SecureRandom.hex,
+             :otp_challenge_expires => DateTime.now + (expires || self.class.otp_authentication_timeout))
       otp_session_challenge
     end
 
@@ -82,16 +94,12 @@ module Devise::Models
     alias_method :valid_otp_token?, :validate_otp_token
 
     def validate_otp_time_token(token)
-      if drift = validate_otp_token_with_drift(token)
-        update_column(:otp_time_drift, drift)
-        true
-      else
-        false
-      end
+      return false if token.blank?
+      validate_otp_token_with_drift(token)
     end
     alias_method :valid_otp_time_token?, :validate_otp_time_token
 
-    def next_otp_recovery_tokens(number = 5)
+    def next_otp_recovery_tokens(number = self.class.otp_recovery_tokens)
       (otp_recovery_counter..otp_recovery_counter + number).inject({}) do |h, index|
         h[index] = recovery_otp.at(index)
         h
@@ -108,21 +116,13 @@ module Devise::Models
 
 
 
-
-
     private
 
-    #
-    # refactor me, I suck
-    #
     def validate_otp_token_with_drift(token)
-      # valid_vals << ROTP::TOTP.new(otp_auth_secret).at(Time.now)
 
       # should be centered around saved drift
-      (-self.class.otp_drift_window..self.class.otp_drift_window).each do |drift|
-        return drift if(time_based_otp.verify(token, Time.now.ago(30 * drift)))
-      end
-      false
+      (-self.class.otp_drift_window..self.class.otp_drift_window).any? {|drift|
+        (time_based_otp.verify(token, at: Time.now.ago(30 * drift))) }
     end
 
     def generate_otp_persistence_seed
@@ -135,4 +135,4 @@ module Devise::Models
     end
 
   end
-end
+end

data/lib/devise_otp_authenticatable/routes.rb

@@ -1,30 +1,29 @@
 module ActionDispatch::Routing
   class Mapper
 
-
     protected
-    #########
 
     def devise_otp(mapping, controllers)
-
       namespace :otp, :module => :devise_otp do
         resource :token, :only => [:show, :update, :destroy],
-                 :path => mapping.path_names[:token], :controller => controllers[:otp_tokens] do
+                 :path => mapping.path_names[:token], :controller => controllers[:tokens] do
 
-          get  :persistence, :action => 'get_persistence'
-          post :persistence, :action => 'clear_persistence'
-          delete :persistence, :action => 'delete_persistence'
+          if Devise.otp_trust_persistence
+            get  :persistence, :action => 'get_persistence'
+            post :persistence, :action => 'clear_persistence'
+            delete :persistence, :action => 'delete_persistence'
+          end
 
           get  :recovery
         end
 
         resource :credential, :only => [:show, :update],
-                 :path => mapping.path_names[:credentials], :controller => controllers[:otp_credentials] do
+                 :path => mapping.path_names[:credentials], :controller => controllers[:credentials] do
 
-          get  :refresh, :action => 'get_refresh'
+          get :refresh, :action => 'get_refresh'
           put :refresh, :action => 'set_refresh'
         end
       end
     end
   end
-end
+end

data/lib/generators/active_record/devise_otp_generator.rb

@@ -6,7 +6,7 @@ module ActiveRecord
       source_root File.expand_path("../templates", __FILE__)
 
       def copy_devise_migration
-        migration_template "migration.rb", "db/migrate/devise_otp_add_to_#{table_name}"
+        migration_template "migration.rb", "db/migrate/devise_otp_add_to_#{table_name}.rb"
       end
     end
   end

data/lib/generators/active_record/templates/migration.rb

@@ -6,7 +6,6 @@ class DeviseOtpAddTo<%= table_name.camelize %> < ActiveRecord::Migration
       t.boolean   :otp_enabled,          :default => false, :null => false
       t.boolean   :otp_mandatory,        :default => false, :null => false
       t.datetime  :otp_enabled_on
-      t.integer   :otp_time_drift,       :default => 0, :null => false
       t.integer   :otp_failed_attempts,  :default => 0, :null => false
       t.integer   :otp_recovery_counter, :default => 0, :null => false
       t.string    :otp_persistence_seed
@@ -21,7 +20,7 @@ class DeviseOtpAddTo<%= table_name.camelize %> < ActiveRecord::Migration
   def self.down
     change_table :<%= table_name %> do |t|
       t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,
-          :otp_challenge_expires, :otp_time_drift, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+          :otp_challenge_expires, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
 
     end
   end

data/lib/generators/devise_otp/install_generator.rb

@@ -13,11 +13,36 @@ content = <<-CONTENT
   # ==> Devise OTP Extension
   # Configure OTP extension for devise
 
-  # How long should the user have to enter their token. To change the default, uncomment and change the below:
-  #config.otp_authentication_timeout = 3.minutes
+  # OTP is mandatory, users are going to be asked to
+  # enroll OTP the next time they sign in, before they can successfully complete the session establishment.
+  # This is the global value, can also be set on each user.
+  #config.otp_mandatory = false
+
+  # Drift: a window which provides allowance for drift between a user's token device clock
+  # (and therefore their OTP tokens) and the authentication server's clock.
+  # Expressed in minutes centered at the current time. (Note: it's a number, *NOT* 3.minutes )
+  #config.otp_drift_window = 3
+
+  # Users that have logged in longer than this time ago, are going to be asked their password
+  # (and an OTP challenge, if enabled) before they can see or change their otp informations.
+  #config.otp_credentials_refresh = 15.minutes
+
+  # Users are given a list of one-time recovery tokens, for emergency access
+  # set to false to disable giving recovery tokens.
+  #config.otp_recovery_tokens = 10
+
+  # The user is allowed to set his browser as "trusted", no more OTP challenges will be
+  # asked for that browser, for a limited time.
+  # set to false to disable setting the browser as trusted
+  #config.otp_trust_persistence = 1.month
+
+  # The name of the token issuer, to be added to the provisioning
+  # url. Display will vary based on token application. (defaults to the Rails application class)
+  #config.otp_issuer = 'my_application'
+
+  # Custom view path for Devise OTP controllers
+  #config.otp_controller_path = 'devise'
 
-  # Change time drift settings for valid token values. To change the default, uncomment and change the below:
-  #config.otp_authentication_time_drift = 3
 CONTENT
 
         inject_into_file "config/initializers/devise.rb", content, :before => /end[ |\n|]+\Z/
@@ -28,4 +53,4 @@ CONTENT
       end
     end
   end
-end
+end

data/lib/generators/devise_otp/views_generator.rb

@@ -9,10 +9,9 @@ module DeviseOtp
                        :desc => "The scope to copy views to"
 
       include ::Devise::Generators::ViewPathTemplates
-      source_root File.expand_path("../../../../app/views/devise_otp", __FILE__)
+      source_root File.expand_path("../../../../app/views", __FILE__)
       def copy_views
-        view_directory :credentials, 'app/views/devise_otp/credentials'
-        view_directory :tokens, 'app/views/devise_otp/tokens'
+        view_directory :devise, 'app/views/devise'
       end
     end
   end

data/test/dummy/app/assets/config/manifest.js

@@ -0,0 +1,2 @@
+//= link_directory ../javascripts .js
+//= link_directory ../stylesheets .css

data/test/dummy/app/assets/javascripts/application.js

@@ -11,3 +11,4 @@
 // GO AFTER THE REQUIRES BELOW.
 //
 //= require_tree .
+//= require devise-otp

data/test/dummy/app/controllers/application_controller.rb

@@ -1,4 +1,4 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
-  before_filter :authenticate_user!
+  before_action :authenticate_user!
 end

data/test/dummy/app/controllers/posts_controller.rb

@@ -1,4 +1,6 @@
 class PostsController < ApplicationController
+  before_action :authenticate_user!
+
   # GET /posts
   # GET /posts.json
   def index

data/test/dummy/app/models/user.rb

@@ -12,7 +12,7 @@ class User < PARENT_MODEL_CLASS
   end
 
   devise :otp_authenticatable, :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :trackable, :validatable
 
   # Setup accessible (or protected) attributes for your model
   #attr_accessible :otp_enabled, :otp_mandatory, :as => :otp_privileged

data/test/dummy/config/application.rb

@@ -53,6 +53,8 @@ module Dummy
     # Enable escaping HTML in JSON.
     config.active_support.escape_html_entities_in_json = true
 
+    config.active_record.legacy_connection_handling = false
+
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,
     # like if you have constraints or database-specific column types
@@ -65,4 +67,3 @@ module Dummy
     config.assets.version = '1.0'
   end
 end
-

data/test/dummy/config/database.yml

@@ -14,7 +14,7 @@ development:
 # Do not set this db to the same as development or production.
 test:
   adapter: sqlite3
-  database: ":memory:"
+  database: db/test.sqlite3
   pool: 5
   timeout: 5000
 

data/test/dummy/config/environments/development.rb

@@ -22,13 +22,6 @@ Dummy::Application.configure do
   # Only use best-standards-support built into browsers
   config.action_dispatch.best_standards_support = :builtin
 
-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
-  # Log the query plan for queries taking more than this (works
-  # with SQLite, MySQL, and PostgreSQL)
-  config.active_record.auto_explain_threshold_in_seconds = 0.5
-
   # Do not compress assets
   config.assets.compress = false
 

data/test/dummy/config/environments/production.rb

@@ -66,8 +66,4 @@ Dummy::Application.configure do
 
   # Send deprecation notices to registered listeners
   config.active_support.deprecation = :notify
-
-  # Log the query plan for queries taking more than this (works
-  # with SQLite, MySQL, and PostgreSQL)
-  # config.active_record.auto_explain_threshold_in_seconds = 0.5
 end