devise-otp 0.2.2 → 0.4.0

data/lib/devise_otp_authenticatable/controllers/url_helpers.rb

@@ -1,33 +1,32 @@
 module DeviseOtpAuthenticatable
   module Controllers
-
     module UrlHelpers
 
       def recovery_otp_token_for(resource_or_scope, opts = {})
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("recovery_#{scope}_otp_token_path", opts)
       end
 
       def refresh_otp_credential_path_for(resource_or_scope, opts = {})
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("refresh_#{scope}_otp_credential_path", opts)
       end
 
       def persistence_otp_token_path_for(resource_or_scope, opts = {})
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("persistence_#{scope}_otp_token_path", opts)
       end
 
       def otp_token_path_for(resource_or_scope, opts = {})
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("#{scope}_otp_token_path", opts)
       end
 
       def otp_credential_path_for(resource_or_scope, opts = {})
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("#{scope}_otp_credential_path", opts)
       end
 
     end
   end
-end
+end

data/lib/devise_otp_authenticatable/engine.rb

@@ -1,23 +1,32 @@
 module DeviseOtpAuthenticatable
   class Engine < ::Rails::Engine
 
-    ActiveSupport.on_load(:action_controller) do
-      include DeviseOtpAuthenticatable::Controllers::UrlHelpers
-      include DeviseOtpAuthenticatable::Controllers::Helpers
-    end
-    ActiveSupport.on_load(:action_view) do
-      include DeviseOtpAuthenticatable::Controllers::UrlHelpers
-      include DeviseOtpAuthenticatable::Controllers::Helpers
-    end
-
     # We use to_prepare instead of after_initialize here because Devise is a Rails engine;
     config.to_prepare do
       DeviseOtpAuthenticatable::Hooks.apply
     end
 
-    # extend mapping with after_initialize because is not reloaded
-    config.after_initialize do
-      Devise::Mapping.send :include, DeviseOtpAuthenticatable::Mapping
+    initializer "devise-otp", group: :all do |app|
+      ActiveSupport.on_load(:devise_controller) do
+        include DeviseOtpAuthenticatable::Controllers::UrlHelpers
+        include DeviseOtpAuthenticatable::Controllers::Helpers
+      end
+
+      ActiveSupport.on_load(:action_view) do
+        include DeviseOtpAuthenticatable::Controllers::UrlHelpers
+        include DeviseOtpAuthenticatable::Controllers::Helpers
+      end
+
+      # See: https://guides.rubyonrails.org/engines.html#separate-assets-and-precompiling
+      # check if Rails api mode
+      if app.config.respond_to?(:assets)
+        if defined?(Sprockets) && Sprockets::VERSION >= "4"
+          app.config.assets.precompile << "devise-otp.js"
+        else
+          # use a proc instead of a string
+          app.config.assets.precompile << proc { |path| path == "devise-otp.js" }
+        end
+      end
     end
   end
-end
+end

data/lib/devise_otp_authenticatable/hooks/sessions.rb

@@ -4,36 +4,36 @@ module DeviseOtpAuthenticatable::Hooks
     include DeviseOtpAuthenticatable::Controllers::UrlHelpers
 
     included do
-      alias_method_chain :create, :otp
+      alias_method  :create, :create_with_otp
     end
 
     #
     # replaces Devise::SessionsController#create
     #
     def create_with_otp
-
       resource = warden.authenticate!(auth_options)
 
+      devise_stored_location = stored_location_for(resource) # Grab the current stored location before it gets lost by warden.logout
+      store_location_for(resource, devise_stored_location) # Restore it since #stored_location_for removes it
+
       otp_refresh_credentials_for(resource)
 
       if otp_challenge_required_on?(resource)
         challenge = resource.generate_otp_challenge!
         warden.logout
+        store_location_for(resource, devise_stored_location) # restore the stored location
         respond_with resource, :location => otp_credential_path_for(resource, {:challenge => challenge})
-
       elsif otp_mandatory_on?(resource) # if mandatory, log in user but send him to the must activate otp
         set_flash_message(:notice, :signed_in_but_otp) if is_navigational_format?
         sign_in(resource_name, resource)
         respond_with resource, :location => otp_token_path_for(resource)
       else
-
         set_flash_message(:notice, :signed_in) if is_navigational_format?
         sign_in(resource_name, resource)
         respond_with resource, :location => after_sign_in_path_for(resource)
       end
     end
 
-
     private
 
     #
@@ -41,7 +41,8 @@ module DeviseOtpAuthenticatable::Hooks
     #
     def otp_challenge_required_on?(resource)
       return false unless resource.respond_to?(:otp_enabled) && resource.respond_to?(:otp_auth_secret)
-      resource.otp_enabled && !is_otp_trusted_device_for?(resource)
+
+      resource.otp_enabled && !is_otp_trusted_browser_for?(resource)
     end
 
     #
@@ -54,4 +55,4 @@ module DeviseOtpAuthenticatable::Hooks
       resource.otp_mandatory && !resource.otp_enabled
     end
   end
-end
+end

data/lib/devise_otp_authenticatable/hooks.rb

@@ -5,7 +5,7 @@ module DeviseOtpAuthenticatable
 
     class << self
       def apply
-        Devise::SessionsController.send(:include, Hooks::Sessions)
+        ::Devise::SessionsController.send(:include, Hooks::Sessions)
       end
     end
 

data/lib/devise_otp_authenticatable/models/otp_authenticatable.rb

@@ -12,7 +12,8 @@ module Devise::Models
 
     module ClassMethods
       ::Devise::Models.config(self, :otp_authentication_timeout, :otp_drift_window, :otp_trust_persistence,
-                                    :otp_mandatory, :otp_credentials_refresh, :otp_uri_application, :otp_recovery_tokens)
+                                    :otp_mandatory, :otp_credentials_refresh, :otp_issuer, :otp_recovery_tokens,
+                                    :otp_controller_path)
 
       def find_valid_otp_challenge(challenge)
         with_valid_otp_challenge(Time.now).where(:otp_session_challenge => challenge).first
@@ -20,7 +21,7 @@ module Devise::Models
     end
 
     def time_based_otp
-      @time_based_otp ||= ROTP::TOTP.new(otp_auth_secret)
+      @time_based_otp ||= ROTP::TOTP.new(otp_auth_secret, issuer: "#{self.class.otp_issuer || Rails.application.class.module_parent_name}")
     end
 
     def recovery_otp
@@ -32,7 +33,7 @@ module Devise::Models
     end
 
     def otp_provisioning_identifier
-      "#{email}/#{self.class.otp_uri_application || Rails.application.class.parent_name}"
+      email
     end
 
 
@@ -41,7 +42,7 @@ module Devise::Models
       @recovery_otp = nil
       generate_otp_auth_secret
       reset_otp_persistence
-      update(:otp_enabled => false, :otp_time_drift => 0,
+      update!(:otp_enabled => false,
              :otp_session_challenge => nil, :otp_challenge_expires => nil,
              :otp_recovery_counter => 0)
     end
@@ -61,11 +62,15 @@ module Devise::Models
     end
 
     def enable_otp!
+      if otp_persistence_seed.nil?
+        reset_otp_credentials!
+      end
+
       update!(:otp_enabled => true, :otp_enabled_on => Time.now)
     end
 
     def disable_otp!
-      update!(:otp_enabled => false, :otp_enabled_on => nil, :otp_time_drift => 0)
+      update!(:otp_enabled => false, :otp_enabled_on => nil)
     end
 
     def generate_otp_challenge!(expires = nil)
@@ -89,12 +94,8 @@ module Devise::Models
     alias_method :valid_otp_token?, :validate_otp_token
 
     def validate_otp_time_token(token)
-      if drift = validate_otp_token_with_drift(token)
-        update_column(:otp_time_drift, drift)
-        true
-      else
-        false
-      end
+      return false if token.blank?
+      validate_otp_token_with_drift(token)
     end
     alias_method :valid_otp_time_token?, :validate_otp_time_token
 
@@ -121,7 +122,7 @@ module Devise::Models
 
       # should be centered around saved drift
       (-self.class.otp_drift_window..self.class.otp_drift_window).any? {|drift|
-        (time_based_otp.verify(token, Time.now.ago(30 * drift))) }
+        (time_based_otp.verify(token, at: Time.now.ago(30 * drift))) }
     end
 
     def generate_otp_persistence_seed
@@ -134,4 +135,4 @@ module Devise::Models
     end
 
   end
-end
+end

data/lib/devise_otp_authenticatable/routes.rb

@@ -1,12 +1,9 @@
 module ActionDispatch::Routing
   class Mapper
 
-
     protected
-    #########
 
     def devise_otp(mapping, controllers)
-
       namespace :otp, :module => :devise_otp do
         resource :token, :only => [:show, :update, :destroy],
                  :path => mapping.path_names[:token], :controller => controllers[:otp_tokens] do
@@ -23,10 +20,10 @@ module ActionDispatch::Routing
         resource :credential, :only => [:show, :update],
                  :path => mapping.path_names[:credentials], :controller => controllers[:otp_credentials] do
 
-          get  :refresh, :action => 'get_refresh'
+          get :refresh, :action => 'get_refresh'
           put :refresh, :action => 'set_refresh'
         end
       end
     end
   end
-end
+end

data/lib/generators/active_record/templates/migration.rb

@@ -20,7 +20,7 @@ class DeviseOtpAddTo<%= table_name.camelize %> < ActiveRecord::Migration
   def self.down
     change_table :<%= table_name %> do |t|
       t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,
-          :otp_challenge_expires, :otp_time_drift, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+          :otp_challenge_expires, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
 
     end
   end

data/lib/generators/devise_otp/install_generator.rb

@@ -29,16 +29,19 @@ content = <<-CONTENT
 
   # Users are given a list of one-time recovery tokens, for emergency access
   # set to false to disable giving recovery tokens.
-  #config.recovery_tokens = 10
+  #config.otp_recovery_tokens = 10
 
   # The user is allowed to set his browser as "trusted", no more OTP challenges will be
   # asked for that browser, for a limited time.
   # set to false to disable setting the browser as trusted
   #config.otp_trust_persistence = 1.month
 
-  # The name of this application, to be added to the provisioning
-  # url as '<user_email>/application_name' (defaults to the Rails application class)
-  #config.otp_uri_application = 'my_application'
+  # The name of the token issuer, to be added to the provisioning
+  # url. Display will vary based on token application. (defaults to the Rails application class)
+  #config.otp_issuer = 'my_application'
+
+  # Custom view path for Devise OTP controllers
+  #config.otp_controller_path = 'devise'
 
 CONTENT
 
@@ -50,4 +53,4 @@ CONTENT
       end
     end
   end
-end
+end

data/lib/generators/devise_otp/views_generator.rb

@@ -9,10 +9,9 @@ module DeviseOtp
                        :desc => "The scope to copy views to"
 
       include ::Devise::Generators::ViewPathTemplates
-      source_root File.expand_path("../../../../app/views/devise_otp", __FILE__)
+      source_root File.expand_path("../../../../app/views", __FILE__)
       def copy_views
-        view_directory :credentials, 'app/views/devise_otp/credentials'
-        view_directory :tokens, 'app/views/devise_otp/tokens'
+        view_directory :devise, 'app/views/devise'
       end
     end
   end

data/test/dummy/app/assets/config/manifest.js

@@ -0,0 +1,2 @@
+//= link_directory ../javascripts .js
+//= link_directory ../stylesheets .css

data/test/dummy/app/assets/javascripts/application.js

@@ -11,3 +11,4 @@
 // GO AFTER THE REQUIRES BELOW.
 //
 //= require_tree .
+//= require devise-otp

data/test/dummy/app/controllers/application_controller.rb

@@ -1,4 +1,4 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
-  before_filter :authenticate_user!
+  before_action :authenticate_user!
 end

data/test/dummy/app/controllers/posts_controller.rb

@@ -1,4 +1,6 @@
 class PostsController < ApplicationController
+  before_action :authenticate_user!
+
   # GET /posts
   # GET /posts.json
   def index

data/test/dummy/app/models/user.rb

@@ -12,7 +12,7 @@ class User < PARENT_MODEL_CLASS
   end
 
   devise :otp_authenticatable, :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable
+         :trackable, :validatable
 
   # Setup accessible (or protected) attributes for your model
   #attr_accessible :otp_enabled, :otp_mandatory, :as => :otp_privileged

data/test/dummy/config/application.rb

@@ -53,6 +53,8 @@ module Dummy
     # Enable escaping HTML in JSON.
     config.active_support.escape_html_entities_in_json = true
 
+    config.active_record.legacy_connection_handling = false
+
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,
     # like if you have constraints or database-specific column types
@@ -65,4 +67,3 @@ module Dummy
     config.assets.version = '1.0'
   end
 end
-

data/test/dummy/config/database.yml

@@ -14,7 +14,7 @@ development:
 # Do not set this db to the same as development or production.
 test:
   adapter: sqlite3
-  database: ":memory:"
+  database: db/test.sqlite3
   pool: 5
   timeout: 5000
 

data/test/dummy/config/environments/development.rb

@@ -22,13 +22,6 @@ Dummy::Application.configure do
   # Only use best-standards-support built into browsers
   config.action_dispatch.best_standards_support = :builtin
 
-  # Raise exception on mass assignment protection for Active Record models
-  config.active_record.mass_assignment_sanitizer = :strict
-
-  # Log the query plan for queries taking more than this (works
-  # with SQLite, MySQL, and PostgreSQL)
-  config.active_record.auto_explain_threshold_in_seconds = 0.5
-
   # Do not compress assets
   config.assets.compress = false
 

data/test/dummy/config/environments/production.rb

@@ -66,8 +66,4 @@ Dummy::Application.configure do
 
   # Send deprecation notices to registered listeners
   config.active_support.deprecation = :notify
-
-  # Log the query plan for queries taking more than this (works
-  # with SQLite, MySQL, and PostgreSQL)
-  # config.active_record.auto_explain_threshold_in_seconds = 0.5
 end

data/test/dummy/db/migrate/20130125101430_create_users.rb

@@ -1,4 +1,4 @@
-class CreateUsers < ActiveRecord::Migration
+class CreateUsers < ActiveRecord::Migration[5.0]
   def change
     create_table :users do |t|
       t.string :name

data/test/dummy/db/migrate/20130131092406_add_devise_to_users.rb

@@ -1,4 +1,4 @@
-class AddDeviseToUsers < ActiveRecord::Migration
+class AddDeviseToUsers < ActiveRecord::Migration[5.0]
   def self.up
     change_table(:users) do |t|
       ## Database authenticatable

data/test/dummy/db/migrate/20130131142320_create_posts.rb

@@ -1,4 +1,4 @@
-class CreatePosts < ActiveRecord::Migration
+class CreatePosts < ActiveRecord::Migration[5.0]
   def change
     create_table :posts do |t|
       t.string :title

data/test/dummy/db/migrate/20130131160351_devise_otp_add_to_users.rb

@@ -1,4 +1,4 @@
-class DeviseOtpAddToUsers < ActiveRecord::Migration
+class DeviseOtpAddToUsers < ActiveRecord::Migration[5.0]
   def self.up
     change_table :users do |t|
       t.string    :otp_auth_secret
@@ -18,7 +18,7 @@ class DeviseOtpAddToUsers < ActiveRecord::Migration
     add_index :users, :otp_session_challenge,  :unique => true
     add_index :users, :otp_challenge_expires
   end
-  
+
   def self.down
     change_table :users do |t|
       t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,

data/test/integration/persistence_test.rb

@@ -0,0 +1,81 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class PersistenceTest < ActionDispatch::IntegrationTest
+
+  def setup
+    @old_persistence = User.otp_trust_persistence
+    User.otp_trust_persistence = 3.seconds
+  end
+
+  def teardown
+    User.otp_trust_persistence = @old_persistence
+    Capybara.reset_sessions!
+  end
+
+  test 'a user should be requested the otp challenge every log in' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    sign_out
+    sign_user_in
+
+    assert_equal user_otp_credential_path, current_path
+  end
+
+  test 'a user should be able to set their browser as trusted' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    click_link('Trust this browser')
+    assert_text 'Your browser is trusted.'
+    sign_out
+
+    sign_user_in
+
+    assert_equal root_path, current_path
+  end
+
+  test 'a user should be able to download its recovery codes' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    enable_chrome_headless_downloads(page, "/tmp/devise-otp")
+
+    DownloadHelper.wait_for_download(count: 1) do
+      click_link('Download recovery codes')
+    end
+
+    assert_equal 1, DownloadHelper.downloads.size
+  end
+
+  test 'trusted status should expire' do
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    otp_challenge_for user
+
+    visit user_otp_token_path
+    assert_equal user_otp_token_path, current_path
+
+    click_link('Trust this browser')
+    assert_text 'Your browser is trusted.'
+    sign_out
+
+    sleep User.otp_trust_persistence.to_i + 1
+    sign_user_in
+
+    assert_equal user_otp_credential_path, current_path
+  end
+end

data/test/integration/refresh_test.rb

@@ -21,7 +21,6 @@ class RefreshTest < ActionDispatch::IntegrationTest
   end
 
   test 'a user should be prompted for credentials when the credentials_refresh time is expired' do
-
     sign_user_in
     visit user_otp_token_path
     assert_equal user_otp_token_path, current_path
@@ -45,7 +44,6 @@ class RefreshTest < ActionDispatch::IntegrationTest
     fill_in 'user_refresh_password', :with => '12345678'
     click_button 'Continue...'
     assert_equal user_otp_token_path, current_path
-
   end
 
   test 'a user should NOT be able to access their OTP settings unless refreshing' do
@@ -63,20 +61,7 @@ class RefreshTest < ActionDispatch::IntegrationTest
     assert_equal refresh_user_otp_credential_path, current_path
   end
 
-  test 'user should be asked their OTP challenge in order to refresh, if they have OTP' do
-    enable_otp_and_sign_in_with_otp
-
-    sleep(2)
-    visit user_otp_token_path
-    assert_equal refresh_user_otp_credential_path, current_path
-
-    fill_in 'user_refresh_password', :with => '12345678'
-    click_button 'Continue...'
-
-    assert_equal refresh_user_otp_credential_path, current_path
-  end
-
-  test 'user should be finally be able to access their settings, if they provide both a password and a valid OTP token' do
+  test 'user should be finally be able to access their settings, and just password is enough' do
     user = enable_otp_and_sign_in_with_otp
 
     sleep(2)
@@ -84,9 +69,8 @@ class RefreshTest < ActionDispatch::IntegrationTest
     assert_equal refresh_user_otp_credential_path, current_path
 
     fill_in 'user_refresh_password', :with => '12345678'
-    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
     click_button 'Continue...'
 
     assert_equal user_otp_token_path, current_path
   end
-end
+end

data/test/integration/sign_in_test.rb

@@ -10,12 +10,12 @@ class SignInTest < ActionDispatch::IntegrationTest
   test 'a new user should be able to sign in without using their token' do
     create_full_user
 
-    visit new_user_session_path
+    visit posts_path
     fill_in 'user_email', :with => 'user@email.invalid'
     fill_in 'user_password', :with => '12345678'
     page.has_content?('Log in') ? click_button('Log in') : click_button('Sign in')
 
-    assert_equal root_path, current_path
+    assert_equal posts_path, current_path
   end
 
   test 'a new user, just signed in, should be able to sign in and enable their OTP authentication' do
@@ -50,6 +50,16 @@ class SignInTest < ActionDispatch::IntegrationTest
     assert_equal new_user_session_path, current_path
   end
 
+  test 'fail blank token authentication' do
+    enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    fill_in 'user_token', :with => ''
+    click_button 'Submit Token'
+
+    assert_equal user_otp_credential_path, current_path
+  end
+
   test 'successful token authentication' do
     user = enable_otp_and_sign_in
 
@@ -74,4 +84,4 @@ class SignInTest < ActionDispatch::IntegrationTest
     User.otp_authentication_timeout = old_timeout
     assert_equal new_user_session_path, current_path
   end
-end
+end

data/test/integration/token_test.rb

@@ -3,13 +3,11 @@ require 'integration_tests_helper'
 
 class TokenTest < ActionDispatch::IntegrationTest
 
-
   def teardown
     Capybara.reset_sessions!
   end
 
   test 'disabling OTP after successfully enabling' do
-
     # log in 1fa
     user = enable_otp_and_sign_in
     assert_equal user_otp_credential_path, current_path
@@ -29,6 +27,5 @@ class TokenTest < ActionDispatch::IntegrationTest
     sign_user_in(user)
 
     assert_equal root_path, current_path
-
   end
-end
+end

data/test/integration_tests_helper.rb

@@ -1,4 +1,5 @@
 class ActionDispatch::IntegrationTest
+  include Warden::Test::Helpers
 
   def warden
     request.env['warden']
@@ -22,7 +23,6 @@ class ActionDispatch::IntegrationTest
     end
   end
 
-
   def enable_otp_and_sign_in
     user = create_full_user
     sign_user_in(user)
@@ -36,6 +36,11 @@ class ActionDispatch::IntegrationTest
     user
   end
 
+  def otp_challenge_for(user)
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+  end
+
   def disable_otp
     visit user_otp_token_path
     uncheck 'user_otp_enabled'
@@ -43,7 +48,7 @@ class ActionDispatch::IntegrationTest
   end
 
   def sign_out
-    Capybara.reset_sessions!
+    logout :user
   end
 
   def sign_user_in(user = nil)
@@ -57,5 +62,4 @@ class ActionDispatch::IntegrationTest
     user
   end
 
-
 end