devise-otp 0.6.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 40ba57c939a2a84a81a014b151a2ea0fe37a4253942df15a703a0fd83aa9e80c
-  data.tar.gz: bba9a1e8d78ea6760c9c32ed643c05ed9138635095c0f9a16451f6a9922bfeba
+  metadata.gz: 95e8a170c1942c78dae2cb24c06a818c6e91854268acf78df61b83e22fd18726
+  data.tar.gz: 409a75794455459fa1c88892216d556b138cf1a40f4bfe0a06f3ce65a47a528e
 SHA512:
-  metadata.gz: 79f30180843989aed3f784e8d775d8d86a206a328f3032b7f202815e1f590fcc5d3bf3d65cccc20731af5d1de227dd2d857111432fc21ad305524a402219f91a
-  data.tar.gz: 905e257c92ef4cad86876a2e37ec46cea614dafc715ebff364e58c580f7ab1528181771ff96534e5e61978168840f4a9820729b9d819f4c7c002ec970de81da5
+  metadata.gz: 45d13d374f2a2504fcee11d81f8771712ae706d138725e3bb777470b099b106cb09ffdb4e2132b6ac5c837b00bb341ff9b5fc56ce5981ff144b358d1e8ed4338
+  data.tar.gz: b946e7a0551ba464285e324559f287a9765657258159e508fe08f4b22068548a4be6602d3173a6fac46638130e5795c69bdbdd4b28031d48cfaa592b87eef9da

data/.github/workflows/ci.yml

@@ -7,30 +7,27 @@ on:
 
 jobs:
   rspec:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         ruby:
+          - '3.3'
+          - '3.2'
           - '3.1'
-          - '3.0'
-          - '2.7'
+          - 'head'
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
-
-      - name: Bundle
-        run: |
-          gem install bundler
-          bundle install --jobs 4 --retry 3
+          bundler-cache: true
 
       - name: Run tests
         env:
           DEVISE_ORM: active_record
-        run: rake test
+        run: bundle exec rake test

data/.gitignore

@@ -35,8 +35,10 @@ lib/bundler/man
 test/dummy/log/**
 test/dummy/tmp/**
 test/dummy/db/*.sqlite3
+test/dummy/db/*.sqlite3-shm
+test/dummy/db/*.sqlite3-wal
 
 Gemfile.lock
 
 # Generated test files
-tmp/*
+tmp/*

data/CHANGELOG.md

@@ -1,17 +1,63 @@
 # Changelog
 
-## 0.4.0
+## Unreleased
+
+- Upgrade gemspec to support Rails v7.2
+
+## 0.7.0
 
 Breaking changes:
 
-- rename `Devise::Otp` to `Devise::OTP`
-- change `credentials` directory to `otp_credentials`
-- change `tokens` directory to `otp_tokens`
+- Require confirmation token before enabling Two Factor Authentication (2FA) to ensure that user has added OTP token properly to their device
+- Update DeviseAuthenticatable to redirect user (rather than login user) when OTP is enabled
+- Remove OtpAuthenticatable callbacks for setting OTP credentials on create action (no longer needed)
+- Replace OtpAuthenticatable "reset_otp_credentials" methods with "clear_otp_fields!" method
+- Update otp_tokens#edit to populate OTP secrets (rather than assuming they are populated via callbacks in OTPDeviseAuthenticatable module)
+- Repurpose otp_tokens#destroy to disable 2FA and clear OTP secrets (rather than resetting them)
+- Add reset token action and hide/repurpose disable token action
+- Update disable action to preserve the existing token secret
+- Hide button for mandatory OTP
+- Add Refreshable hook, and tie into after\_set\_user calback
+- Utilize native warden session for scoping of credentials\_refreshed\_at and refresh\_return\_url properties
+- Require adding "ensure\_mandatory\_{scope}\_otp! to controllers for mandatory OTP
+- Update locales to support the new workflow
+
+### Upgrading
+
+Regenerate your views with `rails g devise_otp:views` and update locales.
+
+Changes to locales:
+
+- Remove:
+  - otp_tokens.enable_request
+  - otp_tokens.status
+  - otp_tokens.submit
+- Add to otp_tokens scope:
+  - enable_link
+- Move/rename devise.otp.token_secret.reset_\* values to devise.otp.otp_tokens.disable_\* (for consistency with "enable_link")
+  - disable_link
+  - disable_explain
+  - disable_explain_warn
+- Add to new edit_otp_token scope:
+  - title
+  - lead_in
+  - step1
+  - step2
+  - confirmation_code
+  - submit
+- Move "explain" to new edit_otp_token scope
+- Add devise.otp.otp_tokens.could_not_confirm
+- Rename "successfully_reset_creds" to "successfully_disabled_otp"
+
+You can grab the full locale file [here](https://github.com/wmlele/devise-otp/blob/master/config/locales/en.yml).
+
+## 0.6.0
 
-Other improvements:
+Improvements:
 
-- Fix file permissions
+- support rails 6.1 by @cotcomsol in #67
 
-## 0.3.0
+Fixes:
 
-A long awaited update bringing Devise::OTP from the dead!
+- mandatory otp fix by @cotcomsol in #68
+- remove success message by @strzibny in #69

data/Gemfile

@@ -2,3 +2,13 @@ source "https://rubygems.org"
 
 # Specify your gem's dependencies in devise-otp.gemspec
 gemspec
+
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 1.4"
+gem "standardrb"

data/README.md

@@ -1,6 +1,6 @@
 # Devise::OTP
 
-Devise OTP is a two-factors authentication extension for Devise. The second factor is done using an [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238) Time-Based One-Time Password (TOTP) implemented by the [rotp library](https://github.com/mdp/rotp).
+Devise OTP is a Two-Factor Authentication extension for Devise. The second factor is done using an [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238) Time-Based One-Time Password (TOTP) implemented by the [rotp library](https://github.com/mdp/rotp).
 
 It has the following features:
 
@@ -19,7 +19,7 @@ Device OTP was recently updated to work with Rails 7 and Turbo.
 
 Devise::OTP development is sponsored by [Business Class](https://businessclasskit.com/) Rails SaaS starter kit. If you don't want to setup OTP yourself for your new project, consider starting one on Business Class.
 
-## Two-factors authentication using OTP
+## Two-Factor Authentication using OTP
 
 * A shared secret is generated on the server, and stored both on the token device (e.g. the phone) and the server itself.
 * The secret is used to generate short numerical tokens that are either time or sequence based.
@@ -94,6 +94,12 @@ The install generator adds some options to the end of your Devise config file (`
 * `config.otp_issuer`: The name of the token issuer, to be added to the provisioning url. Display will vary based on token application. (defaults to the Rails application class)
 * `config.otp_controller_path`: The view path for Devise OTP controllers. The default being 'devise' to match Devise default installation.
 
+## Mandatory OTP
+Enforcing mandatory OTP requires adding the ensure\_mandatory\_{scope}\_otp! method to the desired controller(s) to ensure that the user is redirected to the Enable Two-Factor Authentication form before proceeding to other parts of the application. This functions the same way as the authenticate\_{scope}! methods, and can be included inline with them in the controllers, e.g.:
+
+    before_action :authenticate_user!
+    before_action :ensure_mandatory_user_otp!
+
 ## Authors
 
 The project was originally started by Lele Forzani by forking [devise_google_authenticator](https://github.com/AsteriskLabs/devise_google_authenticator) and still contains some devise_google_authenticator code. It's now maintained by [Josef Strzibny](https://github.com/strzibny/).

data/app/controllers/devise_otp/devise/otp_credentials_controller.rb

@@ -5,45 +5,31 @@ module DeviseOtp
 
       prepend_before_action :authenticate_scope!, only: [:get_refresh, :set_refresh]
       prepend_before_action :require_no_authentication, only: [:show, :update]
+      before_action :set_challenge, only: [:show, :update]
+      before_action :set_recovery, only: [:show, :update]
+      before_action :set_resource, only: [:show, :update]
+      before_action :set_token, only: [:update]
+      before_action :skip_challenge_if_trusted_browser, only: [:show, :update]
 
       #
       # show a request for the OTP token
       #
       def show
-        @challenge = params[:challenge]
-        @recovery = (params[:recovery] == "true") && recovery_enabled?
-
-        if @challenge.nil?
-          redirect_to :root
-        else
-          self.resource = resource_class.find_valid_otp_challenge(@challenge)
-          if resource.nil?
-            redirect_to :root
-          elsif @recovery
-            @recovery_count = resource.otp_recovery_counter
-            render :show
-          else
-            render :show
-          end
+        if @recovery
+          @recovery_count = resource.otp_recovery_counter
         end
+
+        render :show
       end
 
       #
       # signs the resource in, if the OTP token is valid and the user has a valid challenge
       #
       def update
-        resource = resource_class.find_valid_otp_challenge(params[resource_name][:challenge])
-        recovery = (params[resource_name][:recovery] == "true") && recovery_enabled?
-        token = params[resource_name][:token]
-
-        if token.blank?
+        if @token.blank?
           otp_set_flash_message(:alert, :token_blank)
-          redirect_to otp_credential_path_for(resource_name, challenge: params[resource_name][:challenge],
-            recovery: recovery)
-        elsif resource.nil?
-          otp_set_flash_message(:alert, :otp_session_invalid)
-          redirect_to new_session_path(resource_name)
-        elsif resource.otp_challenge_valid? && resource.validate_otp_token(params[resource_name][:token], recovery)
+          redirect_to otp_credential_path_for(resource_name, challenge: @challenge, recovery: @recovery)
+        elsif resource.otp_challenge_valid? && resource.validate_otp_token(@token, @recovery)
           sign_in(resource_name, resource)
 
           otp_set_trusted_device_for(resource) if params[:enable_persistence] == "true"
@@ -51,7 +37,7 @@ module DeviseOtp
           respond_with resource, location: after_sign_in_path_for(resource)
         else
           otp_set_flash_message :alert, :token_invalid
-          redirect_to new_session_path(resource_name)
+          render :show
         end
       end
 
@@ -78,6 +64,39 @@ module DeviseOtp
 
       private
 
+      def set_challenge
+        @challenge = params[:challenge]
+
+        unless @challenge.present?
+          redirect_to :root
+        end
+      end
+
+      def set_recovery
+        @recovery = (recovery_enabled? && params[:recovery] == "true")
+      end
+
+      def set_resource
+        self.resource = resource_class.find_valid_otp_challenge(@challenge)
+
+        unless resource.present?
+          otp_set_flash_message(:alert, :otp_session_invalid)
+          redirect_to new_session_path(resource_name)
+        end
+      end
+
+      def set_token
+        @token = params[:token]
+      end
+
+      def skip_challenge_if_trusted_browser
+        if is_otp_trusted_browser_for?(resource)
+          sign_in(resource_name, resource)
+          otp_refresh_credentials_for(resource)
+          redirect_to after_sign_in_path_for(resource)
+        end
+      end
+
       def done_valid_refresh
         otp_refresh_credentials_for(resource)
         respond_with resource, location: otp_fetch_refresh_return_url

data/app/controllers/devise_otp/devise/otp_tokens_controller.rb

@@ -19,27 +19,36 @@ module DeviseOtp
         end
       end
 
+      #
+      # Displays the QR Code and Validation Token form for enabling the OTP
+      #
+      def edit
+        resource.populate_otp_secrets!
+      end
+
       #
       # Updates the status of OTP authentication
       #
       def update
-        enabled = params[resource_name][:otp_enabled] == "1"
-        if enabled ? resource.enable_otp! : resource.disable_otp!
+        if resource.valid_otp_token?(params[:confirmation_code])
+          resource.enable_otp!
           otp_set_flash_message :success, :successfully_updated
+          redirect_to otp_token_path_for(resource)
+        else
+          otp_set_flash_message :danger, :could_not_confirm
+          render :edit
         end
-
-        render :show
       end
 
       #
       # Resets OTP authentication, generates new credentials, sets it to off
       #
       def destroy
-        if resource.reset_otp_credentials!
-          otp_set_flash_message :success, :successfully_reset_creds
+        if resource.disable_otp!
+          otp_set_flash_message :success, :successfully_disabled_otp
         end
 
-        redirect_to action: :show
+        redirect_to otp_token_path_for(resource)
       end
 
       #
@@ -50,7 +59,7 @@ module DeviseOtp
           otp_set_flash_message :success, :successfully_set_persistence
         end
 
-        redirect_to action: :show
+        redirect_to otp_token_path_for(resource)
       end
 
       #
@@ -61,7 +70,7 @@ module DeviseOtp
           otp_set_flash_message :success, :successfully_cleared_persistence
         end
 
-        redirect_to action: :show
+        redirect_to otp_token_path_for(resource)
       end
 
       #
@@ -72,7 +81,7 @@ module DeviseOtp
           otp_set_flash_message :notice, :successfully_reset_persistence
         end
 
-        redirect_to action: :show
+        redirect_to otp_token_path_for(resource)
       end
 
       def recovery
@@ -85,6 +94,15 @@ module DeviseOtp
         end
       end
 
+      def reset
+        if resource.disable_otp!
+          resource.clear_otp_fields!
+          otp_set_flash_message :success, :successfully_reset_otp
+        end
+
+        redirect_to edit_otp_token_path_for(resource)
+      end
+
       private
 
       def ensure_credentials_refresh

data/app/views/devise/otp_credentials/show.html.erb

@@ -3,21 +3,21 @@
 
 <%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_credential], :html => { :method => :put, "data-turbo" => false }) do |f| %>
 
-  <%= f.hidden_field :challenge, {:value => @challenge} %>
-  <%= f.hidden_field :recovery, {:value => @recovery} %>
+  <%= hidden_field_tag :challenge, @challenge %>
+  <%= hidden_field_tag :recovery, @recovery %>
 
   <% if @recovery %>
     <p>
-      <%= f.label :token, I18n.t('recovery_prompt', :scope => 'devise.otp.submit_token') %><br />
-      <%= f.text_field :otp_recovery_counter, :autocomplete => :off, :disabled => true, :size => 4 %>
+      <%= label_tag :token, I18n.t('recovery_prompt', :scope => 'devise.otp.submit_token') %><br />
+      <%= text_field_tag :otp_recovery_counter, resource.otp_recovery_counter, :autocomplete => :off, :disabled => true, :size => 4 %>
     </p>
   <% else %>
     <p>
-      <%= f.label :token, I18n.t('prompt', :scope => 'devise.otp.submit_token') %><br />
+      <%= label_tag :token, I18n.t('prompt', :scope => 'devise.otp.submit_token') %><br />
     </p>
   <% end %>
 
-  <%= f.text_field :token, :autocomplete => :off, :autofocus => true, :size => 6, :value => '' %><br>
+  <%= text_field_tag :token, nil, :autocomplete => :off, :autofocus => true, :size => 6 %><br>
 
   <%= label_tag :enable_persistence do %>
     <%= check_box_tag :enable_persistence, true, false %> <%= I18n.t('remember', :scope => 'devise.otp.general') %>

data/app/views/devise/otp_tokens/_token_secret.html.erb

@@ -1,5 +1,4 @@
 <h3><%= I18n.t('title', :scope => 'devise.otp.token_secret') %></h3>
-<p><%= I18n.t('explain', :scope => 'devise.otp.token_secret') %></p>
 
 <%= otp_authenticator_token_image(resource) %>
 
@@ -8,11 +7,11 @@
   <code><%= resource.otp_auth_secret %></code>
 </p>
 
-<p><%= button_to I18n.t('reset_otp', :scope => 'devise.otp.token_secret'), @resource, :method => :delete, :data => { "turbo-method": "DELETE" } %></p>
+<p><%= button_to I18n.t('reset_link', :scope => 'devise.otp.otp_tokens'), reset_otp_token_path_for(resource), :method => :post , :data => { "turbo-method": "POST" } %></p>
 
 <p>
-  <%= I18n.t('reset_explain', :scope => 'devise.otp.token_secret') %>
-  <strong><%= I18n.t('reset_explain_warn', :scope => 'devise.otp.token_secret') %></strong>
+  <%= I18n.t('reset_explain', :scope => 'devise.otp.otp_tokens') %>
+  <strong><%= I18n.t('reset_explain_warn', :scope => 'devise.otp.otp_tokens') %></strong>
 </p>
 
 <%- if recovery_enabled? %>

data/app/views/devise/otp_tokens/edit.html.erb

@@ -0,0 +1,26 @@
+<h2><%= I18n.t('title', :scope => 'devise.otp.edit_otp_token') %></h2>
+<p><%= I18n.t('explain', :scope => 'devise.otp.edit_otp_token') %></p>
+
+<h2><%= I18n.t('lead_in', :scope => 'devise.otp.edit_otp_token') %></h2>
+
+<p><%= I18n.t('step_1', :scope => 'devise.otp.edit_otp_token') %></p>
+
+<%= otp_authenticator_token_image(resource) %>
+
+<p>
+  <strong><%= I18n.t('manual_provisioning', :scope => 'devise.otp.token_secret') %>:</strong>
+  <code><%= resource.otp_auth_secret %></code>
+</p>
+
+<p><%= I18n.t('step_2', :scope => 'devise.otp.edit_otp_token') %></p>
+
+<%= form_with(:url => [resource_name, :otp_token], :method => :put) do |f| %>
+
+  <p>
+    <%= f.label :confirmation_code, I18n.t('confirmation_code', :scope => 'devise.otp.edit_otp_token') %>
+    <%= f.text_field :confirmation_code %>
+  </p>
+
+  <p><%= f.submit I18n.t('submit', :scope => 'devise.otp.edit_otp_token') %></p>
+
+<% end %>

data/app/views/devise/otp_tokens/show.html.erb

@@ -1,21 +1,14 @@
 <h2><%= I18n.t('title', :scope => 'devise.otp.otp_tokens') %></h2>
-<p><%= I18n.t('explain', :scope => 'devise.otp.otp_tokens') %></p>
 
-<%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_token], :html => { :method => :put, "data-turbo" => false }) do |f| %>
-
-  <%= render "devise/shared/error_messages", resource: resource %>
-
-  <h3><%= I18n.t('enable_request', :scope => 'devise.otp.otp_tokens') %></h3>
-
-  <p>
-    <%= f.label :otp_enabled, I18n.t('status', :scope => 'devise.otp.otp_tokens') %><br />
-    <%= f.check_box :otp_enabled %>
-  </p>
-
-  <p><%= f.submit I18n.t('submit', :scope => 'devise.otp.otp_tokens') %></p>
-<% end %>
+<p><strong>Status:</strong> <%= resource.otp_enabled? ? "Enabled" : "Disabled" %></p>
 
 <%- if resource.otp_enabled? %>
   <%= render :partial => 'token_secret' if resource.otp_enabled? %>
   <%= render :partial => 'trusted_devices' if trusted_devices_enabled? %>
+
+  <% unless otp_mandatory_on?(resource) %>
+    <%= button_to I18n.t('disable_link', :scope => 'devise.otp.otp_tokens'), otp_token_path_for(resource), :method => :delete, :data => { "turbo-method": "DELETE" } %>
+  <% end %>
+<% else %>
+  <%= link_to I18n.t('enable_link', :scope => 'devise.otp.otp_tokens'), edit_otp_token_path_for(resource) %>
 <% end %>

data/config/locales/en.yml

@@ -5,12 +5,13 @@ en:
         remember: Remember me
       submit_token:
         title: 'Check Token'
-        explain: "You're getting this because you enabled two-factors authentication on your account"
-        prompt: 'Please enter your two-factors authentication token:'
+        explain: "You're getting this because you enabled Two-Factor Authentication on your account"
+        prompt: 'Please enter your Two-Factor Authentication token:'
         recovery_prompt: 'Please enter your recovery code:'
         submit: 'Submit Token'
         recovery_link: "I don't have my device, I want to use a recovery code"
       otp_credentials:
+        otp_session_invalid: Session invalid. Please start again.
         token_invalid: 'The token you provided was invalid.'
         token_blank: 'You need to type in the token you generated with your device.'
         need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
@@ -21,22 +22,22 @@ en:
         explain: 'In order to ensure this is  safe, please enter your password again.'
         go_on: 'Continue...'
         identity: 'Identity:'
-        token: 'Your two-factors authentication token'
+        token: 'Your Two-Factor Authentication token'
       token_secret:
         title: 'Your token secret'
         explain: 'Take a photo of this QR code with your mobile'
         manual_provisioning: 'Manual provisioning code'
-        reset_otp: 'Reset your Two Factors Authentication status'
-        reset_explain: 'This will reset your credentials, and disable two-factors authentication.'
-        reset_explain_warn: 'You will need to enroll your mobile device again.'
       otp_tokens:
-        title: 'Two-factors Authentication:'
-        explain: 'Two factors authentication adds an additional layer of security to your account. When logging in you will be asked for a code that you can generate on a physical device, like your phone.'
-        enable_request: 'Would you like to enable Two Factors Authenticator?'
-        status: 'Enable Two-Factors Authentication.'
-        submit: 'Continue...'
-        successfully_updated: 'Your two-factors authentication settings have been updated.'
-        successfully_reset_creds: 'Your two-factors credentials has been reset.'
+        title: 'Two-Factor Authentication:'
+        enable_link: 'Enable Two-Factor Authentication'
+        disable_link: 'Disable Two-Factor Authentication'
+        reset_link: 'Reset Token Secret'
+        reset_explain: 'Resetting your token secret will temporarilly disable Two-Factor Authentication.'
+        reset_explain_warn: 'To re-enable Two-Factor Authentication, you will need to re-enroll your mobile device with the new token secret.'
+        successfully_updated: 'Your Two-Factor Authentication settings have been updated.'
+        could_not_confirm: 'The Confirmation Code you entered did not match the QR code shown below.'
+        successfully_disabled_otp: 'Two-Factor Authentication has been disabled.'
+        successfully_reset_otp: 'Your token secret has been reset. Please confirm your new token secret below.'
         successfully_set_persistence: 'Your device is now trusted.'
         successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
         successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
@@ -48,9 +49,17 @@ en:
           code: 'Recovery Code'
           codes_list: 'Here is the list of your recovery codes'
           download_codes: 'Download recovery codes'
+      edit_otp_token:
+        title: 'Enable Two-factor Authentication'
+        explain: 'Two-Factor Authentication adds an additional layer of security to your account. When logging in you will be asked for a code that you can generate on a physical device, like your phone.'
+        lead_in: 'To Enable Two-Factor Authentication:'
+        step_1: '1. Open your authenticator app and scan the QR code shown below:'
+        step_2: '2. Enter the 6-digit code shown in your authenticator app below:'
+        confirmation_code: "Confirmation Code"
+        submit: 'Continue...'
       trusted_browsers:
         title: 'Trusted Browsers'
-        explain: 'If you set your browser as trusted, you will not be asked to provide a Two-factor authentication token when logging in from that browser.'
+        explain: 'If you set your browser as trusted, you will not be asked to provide a Two-Factor Authentication token when logging in from that browser.'
         browser_trusted: 'Your browser is trusted.'
         browser_not_trusted: 'Your browser is not trusted.'
         trust_remove: 'Remove this browser from the list of trusted browsers'

data/devise-otp.gemspec

@@ -14,17 +14,7 @@ Gem::Specification.new do |gem|
   gem.files = `git ls-files`.split($/)
   gem.require_paths = ["lib"]
 
-  gem.add_runtime_dependency "rails", ">= 6.1", "< 7.2"
-  gem.add_runtime_dependency "devise", ">= 4.8.0", "< 5.0"
-  gem.add_runtime_dependency "rotp", ">= 2.0.0"
-
-  gem.add_development_dependency "capybara"
-  gem.add_development_dependency "cuprite"
-  gem.add_development_dependency "minitest-reporters", ">= 0.5.0"
-  gem.add_development_dependency "puma"
-  gem.add_development_dependency "rdoc"
-  gem.add_development_dependency "shoulda"
-  gem.add_development_dependency "sprockets-rails"
-  gem.add_development_dependency "sqlite3"
-  gem.add_development_dependency "standardrb"
+  gem.add_dependency "rails", ">= 7.0", "< 8.0"
+  gem.add_dependency "devise", ">= 4.8.0", "< 5.0"
+  gem.add_dependency "rotp", ">= 2.0.0"
 end

data/docs/QR_CODES.md

@@ -6,43 +6,4 @@ To do that, add the the following line to your `application.js` file:
 
     //= require devise-otp
 
-You can change this behavior by overriding the `otp_authenticator_token_image` method in your view helper to call `otp_authenticator_token_image_google`:
-
-```ruby
-def otp_authenticator_token_image(resource)
-  otp_authenticator_token_image_google(resource.otp_provisioning_uri)
-end
-```
-
-This will call [Google API](https://github.com/wmlele/devise-otp/tree/master/lib/devise_otp_authenticatable/controllers/helpers.rb#L160) to render the QR code.
-
-If your application is configured to use CSP policies, you'll need to authorize `chart.googleapis.com`. Here's an example with [secure_headers](https://github.com/github/secure_headers)):
-
-```ruby
-config.csp[:img_src] << 'chart.googleapis.com'
-```
-
-A third option consists in installing [jquery-qrcode]https://github.com/jeromeetienne/jquery-qrcode with Yarn or [shakapacker](https://github.com/shakacode/shakapacker) and overriding `otp_authenticator_token_image` to render some HTML :
-
-```ruby
-def otp_authenticator_token_image(resource)
-  tag(:span, data: { toggle: 'qrcode', otp_url: resource.otp_provisioning_uri, width: 192, height: 192, render: 'canvas' })
-end
-```
-The QR code is then rendered by `jquery-qrcode` by setting a JS listener in your `application.js` :
-
-```js
-  $(document).on('turbo:load', function() {
-    return $('[data-toggle=qrcode]').each(function() {
-      var data;
-      data = $(this).data();
-      return $(this).qrcode({
-        text: data['otpUrl'],
-        width: data['width'],
-        height: data['height'],
-        render: data['render']
-      });
-    });
-  });
-```
-This way you don't rely on external services to render the QR codes.
+You can change this behavior by overriding the `otp_authenticator_token_image` method in your view helper.