devise-otp 0.2.0 → 0.3.0

data/test/dummy/db/migrate/20130125101430_create_users.rb

@@ -1,4 +1,4 @@
-class CreateUsers < ActiveRecord::Migration
+class CreateUsers < ActiveRecord::Migration[5.0]
   def change
     create_table :users do |t|
       t.string :name

data/test/dummy/db/migrate/20130131092406_add_devise_to_users.rb

@@ -1,4 +1,4 @@
-class AddDeviseToUsers < ActiveRecord::Migration
+class AddDeviseToUsers < ActiveRecord::Migration[5.0]
   def self.up
     change_table(:users) do |t|
       ## Database authenticatable

data/test/dummy/db/migrate/20130131142320_create_posts.rb

@@ -1,4 +1,4 @@
-class CreatePosts < ActiveRecord::Migration
+class CreatePosts < ActiveRecord::Migration[5.0]
   def change
     create_table :posts do |t|
       t.string :title

data/test/dummy/db/migrate/20130131160351_devise_otp_add_to_users.rb

@@ -1,4 +1,4 @@
-class DeviseOtpAddToUsers < ActiveRecord::Migration
+class DeviseOtpAddToUsers < ActiveRecord::Migration[5.0]
   def self.up
     change_table :users do |t|
       t.string    :otp_auth_secret
@@ -18,7 +18,7 @@ class DeviseOtpAddToUsers < ActiveRecord::Migration
     add_index :users, :otp_session_challenge,  :unique => true
     add_index :users, :otp_challenge_expires
   end
-  
+
   def self.down
     change_table :users do |t|
       t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,

data/test/integration/persistence_test.rb

@@ -0,0 +1,81 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class PersistenceTest < ActionDispatch::IntegrationTest
+
+  def setup
+    @old_persistence = User.otp_trust_persistence
+    User.otp_trust_persistence = 3.seconds
+  end
+
+  def teardown
+    User.otp_trust_persistence = @old_persistence
+    Capybara.reset_sessions!
+  end
+
+  test 'a user should be requested the otp challenge every log in' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    sign_out
+    sign_user_in
+
+    assert_equal user_otp_credential_path, current_path
+  end
+
+  test 'a user should be able to set their browser as trusted' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    click_link('Trust this browser')
+    assert_text 'Your browser is trusted.'
+    sign_out
+
+    sign_user_in
+
+    assert_equal root_path, current_path
+  end
+
+  test 'a user should be able to download its recovery codes' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    enable_chrome_headless_downloads(page, "/tmp/devise-otp")
+
+    DownloadHelper.wait_for_download(count: 1) do
+      click_link('Download recovery codes')
+    end
+
+    assert_equal 1, DownloadHelper.downloads.size
+  end
+
+  test 'trusted status should expire' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    click_link('Trust this browser')
+    assert_text 'Your browser is trusted.'
+    sign_out
+
+    sleep User.otp_trust_persistence.to_i + 1
+    sign_user_in
+
+    assert_equal user_otp_credential_path, current_path
+  end
+end

data/test/integration/refresh_test.rb

@@ -21,7 +21,6 @@ class RefreshTest < ActionDispatch::IntegrationTest
   end
 
   test 'a user should be prompted for credentials when the credentials_refresh time is expired' do
-
     sign_user_in
     visit user_otp_token_path
     assert_equal user_otp_token_path, current_path
@@ -45,7 +44,6 @@ class RefreshTest < ActionDispatch::IntegrationTest
     fill_in 'user_refresh_password', :with => '12345678'
     click_button 'Continue...'
     assert_equal user_otp_token_path, current_path
-
   end
 
   test 'a user should NOT be able to access their OTP settings unless refreshing' do
@@ -63,20 +61,7 @@ class RefreshTest < ActionDispatch::IntegrationTest
     assert_equal refresh_user_otp_credential_path, current_path
   end
 
-  test 'user should be asked their OTP challenge in order to refresh, if they have OTP' do
-    enable_otp_and_sign_in_with_otp
-
-    sleep(2)
-    visit user_otp_token_path
-    assert_equal refresh_user_otp_credential_path, current_path
-
-    fill_in 'user_refresh_password', :with => '12345678'
-    click_button 'Continue...'
-
-    assert_equal refresh_user_otp_credential_path, current_path
-  end
-
-  test 'user should be finally be able to access their settings, if they provide both a password and a valid OTP token' do
+  test 'user should be finally be able to access their settings, and just password is enough' do
     user = enable_otp_and_sign_in_with_otp
 
     sleep(2)
@@ -84,9 +69,8 @@ class RefreshTest < ActionDispatch::IntegrationTest
     assert_equal refresh_user_otp_credential_path, current_path
 
     fill_in 'user_refresh_password', :with => '12345678'
-    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
     click_button 'Continue...'
 
     assert_equal user_otp_token_path, current_path
   end
-end
+end

data/test/integration/sign_in_test.rb

@@ -10,12 +10,12 @@ class SignInTest < ActionDispatch::IntegrationTest
   test 'a new user should be able to sign in without using their token' do
     create_full_user
 
-    visit new_user_session_path
+    visit posts_path
     fill_in 'user_email', :with => 'user@email.invalid'
     fill_in 'user_password', :with => '12345678'
-    click_button 'Sign in'
+    page.has_content?('Log in') ? click_button('Log in') : click_button('Sign in')
 
-    assert_equal root_path, current_path
+    assert_equal posts_path, current_path
   end
 
   test 'a new user, just signed in, should be able to sign in and enable their OTP authentication' do
@@ -50,6 +50,16 @@ class SignInTest < ActionDispatch::IntegrationTest
     assert_equal new_user_session_path, current_path
   end
 
+  test 'fail blank token authentication' do
+    enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    fill_in 'user_token', :with => ''
+    click_button 'Submit Token'
+
+    assert_equal user_otp_credential_path, current_path
+  end
+
   test 'successful token authentication' do
     user = enable_otp_and_sign_in
 
@@ -74,4 +84,4 @@ class SignInTest < ActionDispatch::IntegrationTest
     User.otp_authentication_timeout = old_timeout
     assert_equal new_user_session_path, current_path
   end
-end
+end

data/test/integration/token_test.rb

@@ -0,0 +1,31 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class TokenTest < ActionDispatch::IntegrationTest
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test 'disabling OTP after successfully enabling' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    # otp 2fa
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+    assert_equal root_path, current_path
+
+    # disable OTP
+    disable_otp
+
+    # logout
+    sign_out
+
+    # log back in 1fa
+    sign_user_in(user)
+
+    assert_equal root_path, current_path
+  end
+end

data/test/integration_tests_helper.rb

@@ -1,4 +1,5 @@
 class ActionDispatch::IntegrationTest
+  include Warden::Test::Helpers
 
   def warden
     request.env['warden']
@@ -22,7 +23,6 @@ class ActionDispatch::IntegrationTest
     end
   end
 
-
   def enable_otp_and_sign_in
     user = create_full_user
     sign_user_in(user)
@@ -36,13 +36,30 @@ class ActionDispatch::IntegrationTest
     user
   end
 
+  def otp_challenge_for(user)
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+  end
+
+  def disable_otp
+    visit user_otp_token_path
+    uncheck 'user_otp_enabled'
+    click_button 'Continue...'
+  end
+
+  def sign_out
+    logout :user
+  end
+
   def sign_user_in(user = nil)
     user ||= create_full_user
     resource_name = user.class.name.underscore
     visit send("new_#{resource_name}_session_path")
     fill_in "#{resource_name}_email", :with => user.email
     fill_in "#{resource_name}_password", :with => user.password
-    click_button 'Sign in'
+
+    page.has_content?('Log in') ? click_button('Log in') : click_button('Sign in')
     user
   end
+
 end

data/test/models/otp_authenticatable_test.rb

@@ -3,17 +3,17 @@ require 'model_tests_helper'
 
 class OtpAuthenticatableTest < ActiveSupport::TestCase
 
-	def setup
-		new_user
+  def setup
+    new_user
   end
 
   test 'new users have a non-nil secret set' do
- 		assert_not_nil User.first.otp_auth_secret
- 	end
+    assert_not_nil User.first.otp_auth_secret
+  end
 
   test 'new users have OTP disabled by default' do
- 		assert !User.first.otp_enabled
- 	end
+    assert !User.first.otp_enabled
+  end
 
   test 'users should have an instance of TOTP/ROTP objects' do
     u = User.first
@@ -80,6 +80,12 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
     assert_equal false, u.otp_challenge_valid?
   end
 
+  test 'null otp challenge' do
+    u = User.first
+    u.update_attribute(:otp_enabled, true)
+    assert_equal false, u.validate_otp_token('')
+    assert_equal false, u.validate_otp_token(nil)
+  end
 
   test 'generated otp token should be valid for the user' do
     u = User.first
@@ -109,8 +115,7 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
     recovery = u.next_otp_recovery_tokens
 
     assert u.valid_otp_recovery_token? recovery.fetch(0)
-    assert_equal false, u.valid_otp_recovery_token?(recovery.fetch(0))
+    assert_nil u.valid_otp_recovery_token?(recovery.fetch(0))
     assert u.valid_otp_recovery_token? recovery.fetch(2)
   end
-
-end
+end

data/test/orm/active_record.rb

@@ -1,4 +1,6 @@
 ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.logger = Logger.new(nil)
 
-ActiveRecord::Migrator.migrate(File.expand_path("../../dummy/db/migrate/", __FILE__))
+migrations_path = File.expand_path("../../dummy/db/migrate/", __FILE__)
+
+ActiveRecord::MigrationContext.new(migrations_path, ActiveRecord::SchemaMigration).migrate

data/test/test_helper.rb

@@ -1,12 +1,12 @@
 ENV["RAILS_ENV"] = "test"
 DEVISE_ORM = (ENV["DEVISE_ORM"] || :active_record).to_sym
 
-$:.unshift File.dirname(__FILE__)
 puts "\n==> Devise.orm = #{DEVISE_ORM.inspect}"
 require "dummy/config/environment"
 require "orm/#{DEVISE_ORM}"
 require 'rails/test_help'
 require 'capybara/rails'
+require 'capybara/cuprite'
 require 'minitest/reporters'
 
 MiniTest::Reporters.use!
@@ -15,8 +15,77 @@ MiniTest::Reporters.use!
 
 #ActiveSupport::Deprecation.silenced = true
 
-#Capybara.default_driver = :selenium
+# Use a module to not pollute the global namespace
+module CapybaraHelper
+  def self.register_driver(driver_name, args = [])
+    opts = { headless: true, js_errors: true, window_size: [1920, 1200], browser_options: {} }
+    args.each do |arg|
+      opts[:browser_options][arg] = nil
+    end
+
+    Capybara.register_driver(driver_name) do |app|
+      Capybara::Cuprite::Driver.new(app, opts)
+    end
+  end
+end
+
+# Register our own custom drivers
+CapybaraHelper.register_driver(:headless_chrome, %w[disable-gpu no-sandbox disable-dev-shm-usage])
+
+# Configure Capybara JS driver
+Capybara.current_driver    = :headless_chrome
+Capybara.javascript_driver = :headless_chrome
+
+# Configure Capybara server
+Capybara.run_server = true
+Capybara.server     = :puma, { Silent: true }
 
 class ActionDispatch::IntegrationTest
   include Capybara::DSL
+
+  # What capybara calls a "page" in its DSL is actually a Capybara::Session
+  # and doesn't know about the *command* method that allows us to play with
+  # the Chrome API.
+  # See: https://rubydoc.info/github/jnicklas/capybara/master/Capybara/Session
+  #
+  # To enable downloads we need to do it on the browser's page object, so fetch it
+  # from this long method chain.
+  # See: https://github.com/rubycdp/ferrum/blob/master/lib/ferrum/page.rb
+  def enable_chrome_headless_downloads(session, directory)
+    page = session.driver.browser.page
+    page.command('Page.setDownloadBehavior', behavior: 'allow', downloadPath: directory)
+  end
+end
+
+# From https://collectiveidea.com/blog/archives/2012/01/27/testing-file-downloads-with-capybara-and-chromedriver
+module DownloadHelper
+  extend self
+
+  TIMEOUT = 10
+
+  def downloads
+    Dir["/tmp/devise-otp/*"]
+  end
+
+  def wait_for_download(count: 1)
+    yield if block_given?
+
+    Timeout.timeout(TIMEOUT) do
+      sleep 0.2 until downloaded?(count)
+    end
+  end
+
+  def downloaded?(count)
+    !downloading? && downloads.size == count
+  end
+
+  def downloading?
+    downloads.grep(/\.crdownload$/).any?
+  end
+
+  def clear_downloads
+    FileUtils.rm_f(downloads)
+  end
 end
+
+require "devise-otp"