devise-otp 0.6.0 → 0.7.0

data/lib/devise_otp_authenticatable/controllers/helpers.rb

@@ -39,7 +39,6 @@ module DeviseOtpAuthenticatable
         end
       end
 
-      # fixme do cookies and persistence need to be scoped? probably
       #
       # check if the resource needs a credentials refresh. IE, they need to be asked a password again to access
       # this resource.
@@ -47,8 +46,8 @@ module DeviseOtpAuthenticatable
       def needs_credentials_refresh?(resource)
         return false unless resource.class.otp_credentials_refresh
 
-        (!session[otp_scoped_refresh_property].present? ||
-            (session[otp_scoped_refresh_property] < DateTime.now)).tap { |need| otp_set_refresh_return_url if need }
+        (!warden.session(resource_name)[otp_refresh_property].present? ||
+           (warden.session(resource_name)[otp_refresh_property] < DateTime.now)).tap { |need| otp_set_refresh_return_url if need }
       end
 
       #
@@ -56,7 +55,7 @@ module DeviseOtpAuthenticatable
       #
       def otp_refresh_credentials_for(resource)
         return false unless resource.class.otp_credentials_refresh
-        session[otp_scoped_refresh_property] = (Time.now + resource.class.otp_credentials_refresh)
+        warden.session(resource_name)[otp_refresh_property] = (Time.now + resource.class.otp_credentials_refresh)
       end
 
       #
@@ -85,19 +84,19 @@ module DeviseOtpAuthenticatable
       end
 
       def otp_set_refresh_return_url
-        session[otp_scoped_refresh_return_url_property] = request.fullpath
+        warden.session(resource_name)[otp_refresh_return_url_property] = request.fullpath
       end
 
       def otp_fetch_refresh_return_url
-        session.delete(otp_scoped_refresh_return_url_property) { :root }
+        warden.session(resource_name).delete(otp_refresh_return_url_property) { :root }
       end
 
-      def otp_scoped_refresh_return_url_property
-        "otp_#{resource_name}refresh_return_url".to_sym
+      def otp_refresh_return_url_property
+        "refresh_return_url"
       end
 
-      def otp_scoped_refresh_property
-        "otp_#{resource_name}refresh_after".to_sym
+      def otp_refresh_property
+        "credentials_refreshed_at"
       end
 
       def otp_scoped_persistence_cookie

data/lib/devise_otp_authenticatable/controllers/public_helpers.rb

@@ -0,0 +1,39 @@
+module DeviseOtpAuthenticatable
+  module Controllers
+    module PublicHelpers
+      extend ActiveSupport::Concern
+
+      def self.generate_helpers!
+        Devise.mappings.each do |key, mapping|
+          self.define_helpers(mapping)
+        end
+      end
+
+      def self.define_helpers(mapping) #:nodoc:
+        mapping = mapping.name
+
+        class_eval <<-METHODS, __FILE__, __LINE__ + 1
+          def ensure_mandatory_#{mapping}_otp!
+            resource = current_#{mapping}
+            if !devise_controller?
+              if mandatory_otp_missing_on?(resource)
+                redirect_to edit_#{mapping}_otp_token_path
+              end
+            end
+          end
+        METHODS
+      end
+
+      def otp_mandatory_on?(resource)
+        return false unless resource.respond_to?(:otp_mandatory)
+
+        resource.class.otp_mandatory or resource.otp_mandatory
+      end
+
+      def mandatory_otp_missing_on?(resource)
+        otp_mandatory_on?(resource) && !resource.otp_enabled
+      end
+
+    end
+  end
+end

data/lib/devise_otp_authenticatable/controllers/url_helpers.rb

@@ -21,6 +21,16 @@ module DeviseOtpAuthenticatable
         send("#{scope}_otp_token_path", opts)
       end
 
+      def edit_otp_token_path_for(resource_or_scope, opts = {})
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
+        send("edit_#{scope}_otp_token_path", opts)
+      end
+
+      def reset_otp_token_path_for(resource_or_scope, opts = {})
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
+        send("reset_#{scope}_otp_token_path", opts)
+      end
+
       def otp_credential_path_for(resource_or_scope, opts = {})
         scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("#{scope}_otp_credential_path", opts)

data/lib/devise_otp_authenticatable/engine.rb

@@ -3,20 +3,17 @@ module DeviseOtpAuthenticatable
     config.devise_otp = ActiveSupport::OrderedOptions.new
     config.devise_otp.precompile_assets = true
 
-    # We use to_prepare instead of after_initialize here because Devise is a Rails engine;
-    config.to_prepare do
-      DeviseOtpAuthenticatable::Hooks.apply
-    end
-
     initializer "devise-otp", group: :all do |app|
       ActiveSupport.on_load(:devise_controller) do
         include DeviseOtpAuthenticatable::Controllers::UrlHelpers
         include DeviseOtpAuthenticatable::Controllers::Helpers
+        include DeviseOtpAuthenticatable::Controllers::PublicHelpers
       end
 
       ActiveSupport.on_load(:action_view) do
         include DeviseOtpAuthenticatable::Controllers::UrlHelpers
         include DeviseOtpAuthenticatable::Controllers::Helpers
+        include DeviseOtpAuthenticatable::Controllers::PublicHelpers
       end
 
       # See: https://guides.rubyonrails.org/engines.html#separate-assets-and-precompiling

data/lib/devise_otp_authenticatable/hooks/refreshable.rb

@@ -0,0 +1,5 @@
+# After each sign in, update credentials refreshed at time
+Warden::Manager.after_set_user except: :fetch do |record, warden, options|
+  warden.session(options[:scope])["credentials_refreshed_at"] = (Time.now + record.class.otp_credentials_refresh)
+end
+

data/lib/devise_otp_authenticatable/models/otp_authenticatable.rb

@@ -5,8 +5,6 @@ module Devise::Models
     extend ActiveSupport::Concern
 
     included do
-      before_validation :generate_otp_auth_secret, on: :create
-      before_validation :generate_otp_persistence_seed, on: :create
       scope :with_valid_otp_challenge, lambda { |time| where("otp_challenge_expires > ?", time) }
     end
 
@@ -36,21 +34,6 @@ module Devise::Models
       email
     end
 
-    def reset_otp_credentials
-      @time_based_otp = nil
-      @recovery_otp = nil
-      generate_otp_auth_secret
-      reset_otp_persistence
-      update!(otp_enabled: false,
-        otp_session_challenge: nil, otp_challenge_expires: nil,
-        otp_recovery_counter: 0)
-    end
-
-    def reset_otp_credentials!
-      reset_otp_credentials
-      save!
-    end
-
     def reset_otp_persistence
       generate_otp_persistence_seed
     end
@@ -60,11 +43,30 @@ module Devise::Models
       save!
     end
 
-    def enable_otp!
-      if otp_persistence_seed.nil?
-        reset_otp_credentials!
+    def populate_otp_secrets!
+      if [otp_auth_secret, otp_recovery_secret, otp_persistence_seed].any? { |a| a.blank? }
+        generate_otp_auth_secret
+        generate_otp_persistence_seed
+        self.save!
       end
+    end
+
+    def clear_otp_fields!
+      @time_based_otp = nil
+      @recovery_otp = nil
+
+      self.update!(
+        :otp_auth_secret => nil,
+        :otp_recovery_secret => nil,
+        :otp_persistence_seed => nil,
+        :otp_session_challenge => nil,
+        :otp_challenge_expires => nil,
+        :otp_failed_attempts => 0,
+        :otp_recovery_counter => 0
+      )
+    end
 
+    def enable_otp!
       update!(otp_enabled: true, otp_enabled_on: Time.now)
     end
 

data/lib/devise_otp_authenticatable/routes.rb

@@ -4,7 +4,7 @@ module ActionDispatch::Routing
 
     def devise_otp(mapping, controllers)
       namespace :otp, module: :devise_otp do
-        resource :token, only: [:show, :update, :destroy],
+        resource :token, only: [:show, :edit, :update, :destroy],
           path: mapping.path_names[:token], controller: controllers[:otp_tokens] do
           if Devise.otp_trust_persistence
             get :persistence, action: "get_persistence"
@@ -13,6 +13,7 @@ module ActionDispatch::Routing
           end
 
           get :recovery
+          post :reset
         end
 
         resource :credential, only: [:show, :update],
@@ -20,6 +21,7 @@ module ActionDispatch::Routing
           get :refresh, action: "get_refresh"
           put :refresh, action: "set_refresh"
         end
+
       end
     end
   end

data/test/dummy/app/controllers/admin_posts_controller.rb

@@ -0,0 +1,85 @@
+class AdminPostsController < ApplicationController
+  before_action :authenticate_admin!
+
+  # GET /posts
+  # GET /posts.json
+  def index
+    @posts = Post.all
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render json: @posts }
+    end
+  end
+
+  # GET /posts/1
+  # GET /posts/1.json
+  def show
+    @post = Post.find(params[:id])
+
+    respond_to do |format|
+      format.html # show.html.erb
+      format.json { render json: @post }
+    end
+  end
+
+  # GET /posts/new
+  # GET /posts/new.json
+  def new
+    @post = Post.new
+
+    respond_to do |format|
+      format.html # new.html.erb
+      format.json { render json: @post }
+    end
+  end
+
+  # GET /posts/1/edit
+  def edit
+    @post = Post.find(params[:id])
+  end
+
+  # POST /posts
+  # POST /posts.json
+  def create
+    @post = Post.new(params[:post])
+
+    respond_to do |format|
+      if @post.save
+        format.html { redirect_to @post, notice: "Post was successfully created." }
+        format.json { render json: @post, status: :created, location: @post }
+      else
+        format.html { render action: "new" }
+        format.json { render json: @post.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # PUT /posts/1
+  # PUT /posts/1.json
+  def update
+    @post = Post.find(params[:id])
+
+    respond_to do |format|
+      if @post.update_attributes(params[:post])
+        format.html { redirect_to @post, notice: "Post was successfully updated." }
+        format.json { head :ok }
+      else
+        format.html { render action: "edit" }
+        format.json { render json: @post.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE /posts/1
+  # DELETE /posts/1.json
+  def destroy
+    @post = Post.find(params[:id])
+    @post.destroy
+
+    respond_to do |format|
+      format.html { redirect_to posts_url }
+      format.json { head :ok }
+    end
+  end
+end

data/test/dummy/app/controllers/application_controller.rb

@@ -1,4 +1,3 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
-  before_action :authenticate_user!
 end

data/test/dummy/app/controllers/base_controller.rb

@@ -0,0 +1,6 @@
+class BaseController < ApplicationController
+
+  def home
+  end
+
+end

data/test/dummy/app/models/admin.rb

@@ -0,0 +1,25 @@
+class Admin < PARENT_MODEL_CLASS
+  if DEVISE_ORM == :mongoid
+    include Mongoid::Document
+
+    ## Database authenticatable
+    field :email, type: String, null: false, default: ""
+    field :encrypted_password, type: String, null: false, default: ""
+
+    ## Recoverable
+    field :reset_password_token, type: String
+    field :reset_password_sent_at, type: Time
+  end
+
+  devise :otp_authenticatable, :database_authenticatable, :registerable,
+    :trackable, :validatable
+
+  # Setup accessible (or protected) attributes for your model
+  # attr_accessible :otp_enabled, :otp_mandatory, :as => :otp_privileged
+  # attr_accessible :email, :password, :password_confirmation, :remember_me
+
+  def self.otp_mandatory
+    true
+  end
+
+end

data/test/dummy/app/views/admin_posts/_form.html.erb

@@ -0,0 +1,25 @@
+<%= form_for([:admin, @post]) do |f| %>
+  <% if @post.errors.any? %>
+    <div id="error_explanation">
+      <h2><%= pluralize(@post.errors.count, "error") %> prohibited this post from being saved:</h2>
+
+      <ul>
+      <% @post.errors.full_messages.each do |msg| %>
+        <li><%= msg %></li>
+      <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <div class="field">
+    <%= f.label :title %><br />
+    <%= f.text_field :title %>
+  </div>
+  <div class="field">
+    <%= f.label :body %><br />
+    <%= f.text_area :body %>
+  </div>
+  <div class="actions">
+    <%= f.submit %>
+  </div>
+<% end %>

data/test/dummy/app/views/admin_posts/edit.html.erb

@@ -0,0 +1,6 @@
+<h1>Editing post</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Show', @post %> |
+<%= link_to 'Back', admin_posts_path %>

data/test/dummy/app/views/admin_posts/index.html.erb

@@ -0,0 +1,25 @@
+<h1>Listing posts</h1>
+
+<table>
+  <tr>
+    <th>Title</th>
+    <th>Body</th>
+    <th></th>
+    <th></th>
+    <th></th>
+  </tr>
+
+<% @posts.each do |post| %>
+  <tr>
+    <td><%= post.title %></td>
+    <td><%= post.body %></td>
+    <td><%= link_to 'Show', post %></td>
+    <td><%= link_to 'Edit', edit_admin_post_path(post) %></td>
+    <td><%= link_to 'Destroy', [:admin, post], confirm: 'Are you sure?', method: :delete %></td>
+  </tr>
+<% end %>
+</table>
+
+<br />
+
+<%= link_to 'New Post', new_admin_post_path %>

data/test/dummy/app/views/admin_posts/new.html.erb

@@ -0,0 +1,5 @@
+<h1>New post</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Back', admin_posts_path %>

data/test/dummy/app/views/admin_posts/show.html.erb

@@ -0,0 +1,15 @@
+<p id="notice"><%= notice %></p>
+
+<p>
+  <b>Title:</b>
+  <%= @post.title %>
+</p>
+
+<p>
+  <b>Body:</b>
+  <%= @post.body %>
+</p>
+
+
+<%= link_to 'Edit', edit_admin_post_path(@post) %> |
+<%= link_to 'Back', admin_posts_path %>

data/test/dummy/app/views/base/home.html.erb

@@ -0,0 +1 @@
+<h1>Hello world!</h1>

data/test/dummy/config/application.rb

@@ -53,8 +53,6 @@ module Dummy
     # Enable escaping HTML in JSON.
     config.active_support.escape_html_entities_in_json = true
 
-    config.active_record.legacy_connection_handling = false
-
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,
     # like if you have constraints or database-specific column types

data/test/dummy/config/routes.rb

@@ -1,6 +1,9 @@
 Dummy::Application.routes.draw do
   devise_for :users
+  devise_for :admins
 
   resources :posts
-  root to: "posts#index"
+  resources :admin_posts
+
+  root to: "base#home"
 end

data/test/dummy/db/migrate/20240604000001_create_admins.rb

@@ -0,0 +1,9 @@
+class CreateAdmins < ActiveRecord::Migration[7.1]
+  def change
+    create_table :admins do |t|
+      t.string :name
+
+      t.timestamps
+    end
+  end
+end

data/test/dummy/db/migrate/20240604000002_add_devise_to_admins.rb

@@ -0,0 +1,52 @@
+class AddDeviseToAdmins < ActiveRecord::Migration[5.0]
+  def self.up
+    change_table(:admins) do |t|
+      ## Database authenticatable
+      t.string :email, null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      ## Recoverable
+      t.string :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer :sign_in_count, default: 0
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string :current_sign_in_ip
+      t.string :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      t.integer :failed_attempts, default: 0 # Only if lock strategy is :failed_attempts
+      t.string :unlock_token # Only if unlock strategy is :email or :both
+      t.datetime :locked_at
+
+      ## Token authenticatable
+      t.string :authentication_token
+
+      # Uncomment below if timestamps were not included in your original model.
+      # t.timestamps
+    end
+
+    add_index :admins, :email, unique: true
+    add_index :admins, :reset_password_token, unique: true
+    # add_index :admins, :confirmation_token,   :unique => true
+    add_index :admins, :unlock_token, unique: true
+    add_index :admins, :authentication_token, unique: true
+  end
+
+  def self.down
+    # By default, we don't want to make any assumption about how to roll back a migration when your
+    # model already existed. Please edit below which fields you would like to remove in this migration.
+    raise ActiveRecord::IrreversibleMigration
+  end
+end

data/test/dummy/db/migrate/20240604000003_devise_otp_add_to_admins.rb

@@ -0,0 +1,28 @@
+class DeviseOtpAddToAdmins < ActiveRecord::Migration[5.0]
+  def self.up
+    change_table :admins do |t|
+      t.string :otp_auth_secret
+      t.string :otp_recovery_secret
+      t.boolean :otp_enabled, default: false, null: false
+      t.boolean :otp_mandatory, default: false, null: false
+      t.datetime :otp_enabled_on
+      t.integer :otp_time_drift, default: 0, null: false
+      t.integer :otp_failed_attempts, default: 0, null: false
+      t.integer :otp_recovery_counter, default: 0, null: false
+      t.string :otp_persistence_seed
+
+      t.string :otp_session_challenge
+      t.datetime :otp_challenge_expires
+    end
+
+    add_index :admins, :otp_session_challenge, unique: true
+    add_index :admins, :otp_challenge_expires
+  end
+
+  def self.down
+    change_table :admins do |t|
+      t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,
+        :otp_challenge_expires, :otp_time_drift, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+    end
+  end
+end

data/test/integration/disable_token_test.rb

@@ -0,0 +1,53 @@
+require "test_helper"
+require "integration_tests_helper"
+
+class DisableTokenTest < ActionDispatch::IntegrationTest
+
+  def setup
+    # log in 1fa
+    @user = enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    # otp 2fa
+    fill_in "token", with: ROTP::TOTP.new(@user.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+    assert_equal root_path, current_path
+  end
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test "disabling OTP after successfully enabling" do
+    # disable OTP
+    disable_otp
+
+    assert page.has_content? "Disabled"
+
+    # logout
+    sign_out
+
+    # log back in 1fa
+    sign_user_in(@user)
+
+    assert_equal root_path, current_path
+  end
+
+  test "disabling OTP does not reset token secrets" do
+    # get otp secrets
+    @user.reload
+    auth_secret = @user.otp_auth_secret
+    recovery_secret = @user.otp_recovery_secret
+
+    # disable OTP
+    disable_otp
+
+    # compare otp secrets
+    assert_not_nil @user.otp_auth_secret
+    assert_equal @user.otp_auth_secret, auth_secret
+
+    assert_not_nil @user.otp_recovery_secret
+    assert_equal @user.otp_recovery_secret, recovery_secret
+  end
+
+end

data/test/integration/enable_otp_form_test.rb

@@ -0,0 +1,57 @@
+require "test_helper"
+require "integration_tests_helper"
+
+class EnableOtpFormTest < ActionDispatch::IntegrationTest
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test "a user should be able enable their OTP authentication by entering a confirmation code" do
+    user = sign_user_in
+
+    visit edit_user_otp_token_path
+
+    user.reload
+
+    fill_in "confirmation_code", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+
+    click_button "Continue..."
+
+    assert_equal user_otp_token_path, current_path
+    assert page.has_content?("Enabled")
+
+    user.reload
+    assert user.otp_enabled?
+  end
+
+  test "a user should not be able enable their OTP authentication with an incorrect confirmation code" do
+    user = sign_user_in
+
+    visit edit_user_otp_token_path
+
+    fill_in "confirmation_code", with: "123456"
+
+    click_button "Continue..."
+
+    assert page.has_content?("To Enable Two-Factor Authentication")
+
+    user.reload
+    assert_not user.otp_enabled?
+  end
+
+  test "a user should not be able enable their OTP authentication with a blank confirmation code" do
+    user = sign_user_in
+
+    visit edit_user_otp_token_path
+
+    fill_in "confirmation_code", with: ""
+
+    click_button "Continue..."
+
+    assert page.has_content?("To Enable Two-Factor Authentication")
+
+    user.reload
+    assert_not user.otp_enabled?
+  end
+
+end