devise-otp 0.6.0 → 0.8.0

data/lib/devise/strategies/database_authenticatable.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'devise/strategies/authenticatable'
+
+module Devise
+  module Strategies
+    # Default strategy for signing in a user, based on their email and password in the database.
+    class DatabaseAuthenticatable < Authenticatable
+      def authenticate!
+        resource  = password.present? && mapping.to.find_for_database_authentication(authentication_hash)
+        hashed = false
+
+        if validate(resource){ hashed = true; resource.valid_password?(password) }
+          if otp_challenge_required_on?(resource)
+            # Redirect to challenge
+            challenge = resource.generate_otp_challenge!
+            redirect!(otp_challenge_url, {:challenge => challenge})
+          else
+            # Sign in user as usual
+            remember_me(resource)
+            resource.after_database_authentication
+            success!(resource)
+          end
+        end
+
+        # In paranoid mode, hash the password even when a resource doesn't exist for the given authentication key.
+        # This is necessary to prevent enumeration attacks - e.g. the request is faster when a resource doesn't
+        # exist in the database if the password hashing algorithm is not called.
+        mapping.to.new.password = password if !hashed && Devise.paranoid
+        unless resource
+          Devise.paranoid ? fail(:invalid) : fail(:not_found_in_database)
+        end
+      end
+
+      private
+
+      #
+      # resource should be challenged for otp
+      #
+      def otp_challenge_required_on?(resource)
+        resource.respond_to?(:otp_enabled?) && resource.otp_enabled?
+      end
+
+      def otp_challenge_url
+        if Rails.env.development? || Rails.env.test?
+          host = "#{request.host}:#{request.port}"
+        else
+          host = "#{request.host}"
+        end
+
+        path_fragments = ["otp", mapping.path_names[:credentials]]
+        if mapping.fullpath == "/"
+          path = mapping.fullpath + path_fragments.join("/")
+        else
+          path = path_fragments.prepend(mapping.fullpath).join("/")
+        end
+
+        request.protocol + host + path
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:database_authenticatable, Devise::Strategies::DatabaseAuthenticatable)

data/lib/devise-otp/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module OTP
-    VERSION = "0.6.0"
+    VERSION = "0.8.0"
   end
 end

data/lib/devise-otp.rb

@@ -9,6 +9,24 @@ require "active_support/concern"
 
 require "devise"
 
+#
+# define DeviseOtpAuthenticatable module, and autoload hooks and helpers
+#
+module DeviseOtpAuthenticatable
+  module Controllers
+    autoload :Helpers, "devise_otp_authenticatable/controllers/helpers"
+    autoload :UrlHelpers, "devise_otp_authenticatable/controllers/url_helpers"
+    autoload :PublicHelpers, "devise_otp_authenticatable/controllers/public_helpers"
+  end
+end
+
+require "devise_otp_authenticatable/routes"
+require "devise_otp_authenticatable/engine"
+require "devise_otp_authenticatable/hooks/refreshable"
+
+#
+# update Devise module with additions needed for DeviseOtpAuthenticatable
+#
 module Devise
   mattr_accessor :otp_mandatory
   @@otp_mandatory = false
@@ -49,22 +67,24 @@ module Devise
   mattr_accessor :otp_controller_path
   @@otp_controller_path = "devise"
 
+  #
+  # add PublicHelpers to helpers class variable to ensure that per-mapping helpers are present.
+  # this integrates with the "define_helpers," which is run when adding each mapping in the Devise gem (lib/devise.rb#541)
+  #
+  @@helpers << DeviseOtpAuthenticatable::Controllers::PublicHelpers
+
   module Otp
   end
-end
-
-module DeviseOtpAuthenticatable
-  autoload :Hooks, "devise_otp_authenticatable/hooks"
 
-  module Controllers
-    autoload :Helpers, "devise_otp_authenticatable/controllers/helpers"
-    autoload :UrlHelpers, "devise_otp_authenticatable/controllers/url_helpers"
-  end
 end
 
-require "devise_otp_authenticatable/routes"
-require "devise_otp_authenticatable/engine"
-
 Devise.add_module :otp_authenticatable,
   controller: :tokens,
   model: "devise_otp_authenticatable/models/otp_authenticatable", route: :otp
+
+#
+# add PublicHelpers after adding Devise module to ensure that per-mapping routes from above are included
+#
+ActiveSupport.on_load(:action_controller) do
+  include DeviseOtpAuthenticatable::Controllers::PublicHelpers
+end

data/lib/devise_otp_authenticatable/controllers/helpers.rb

@@ -39,7 +39,6 @@ module DeviseOtpAuthenticatable
         end
       end
 
-      # fixme do cookies and persistence need to be scoped? probably
       #
       # check if the resource needs a credentials refresh. IE, they need to be asked a password again to access
       # this resource.
@@ -47,8 +46,8 @@ module DeviseOtpAuthenticatable
       def needs_credentials_refresh?(resource)
         return false unless resource.class.otp_credentials_refresh
 
-        (!session[otp_scoped_refresh_property].present? ||
-            (session[otp_scoped_refresh_property] < DateTime.now)).tap { |need| otp_set_refresh_return_url if need }
+        (!warden.session(resource_name)[otp_refresh_property].present? ||
+           (warden.session(resource_name)[otp_refresh_property] < DateTime.now)).tap { |need| otp_set_refresh_return_url if need }
       end
 
       #
@@ -56,7 +55,7 @@ module DeviseOtpAuthenticatable
       #
       def otp_refresh_credentials_for(resource)
         return false unless resource.class.otp_credentials_refresh
-        session[otp_scoped_refresh_property] = (Time.now + resource.class.otp_credentials_refresh)
+        warden.session(resource_name)[otp_refresh_property] = (Time.now + resource.class.otp_credentials_refresh)
       end
 
       #
@@ -85,19 +84,19 @@ module DeviseOtpAuthenticatable
       end
 
       def otp_set_refresh_return_url
-        session[otp_scoped_refresh_return_url_property] = request.fullpath
+        warden.session(resource_name)[otp_refresh_return_url_property] = request.fullpath
       end
 
       def otp_fetch_refresh_return_url
-        session.delete(otp_scoped_refresh_return_url_property) { :root }
+        warden.session(resource_name).delete(otp_refresh_return_url_property) { :root }
       end
 
-      def otp_scoped_refresh_return_url_property
-        "otp_#{resource_name}refresh_return_url".to_sym
+      def otp_refresh_return_url_property
+        "refresh_return_url"
       end
 
-      def otp_scoped_refresh_property
-        "otp_#{resource_name}refresh_after".to_sym
+      def otp_refresh_property
+        "credentials_refreshed_at"
       end
 
       def otp_scoped_persistence_cookie

data/lib/devise_otp_authenticatable/controllers/public_helpers.rb

@@ -0,0 +1,39 @@
+module DeviseOtpAuthenticatable
+  module Controllers
+    module PublicHelpers
+      extend ActiveSupport::Concern
+
+      def self.generate_helpers!
+        Devise.mappings.each do |key, mapping|
+          self.define_helpers(mapping)
+        end
+      end
+
+      def self.define_helpers(mapping) #:nodoc:
+        mapping = mapping.name
+
+        class_eval <<-METHODS, __FILE__, __LINE__ + 1
+          def ensure_mandatory_#{mapping}_otp!
+            resource = current_#{mapping}
+            if !devise_controller?
+              if mandatory_otp_missing_on?(resource)
+                redirect_to edit_#{mapping}_otp_token_path
+              end
+            end
+          end
+        METHODS
+      end
+
+      def otp_mandatory_on?(resource)
+        return false unless resource.respond_to?(:otp_mandatory)
+
+        resource.class.otp_mandatory or resource.otp_mandatory
+      end
+
+      def mandatory_otp_missing_on?(resource)
+        otp_mandatory_on?(resource) && !resource.otp_enabled
+      end
+
+    end
+  end
+end

data/lib/devise_otp_authenticatable/controllers/url_helpers.rb

@@ -21,6 +21,16 @@ module DeviseOtpAuthenticatable
         send("#{scope}_otp_token_path", opts)
       end
 
+      def edit_otp_token_path_for(resource_or_scope, opts = {})
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
+        send("edit_#{scope}_otp_token_path", opts)
+      end
+
+      def reset_otp_token_path_for(resource_or_scope, opts = {})
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
+        send("reset_#{scope}_otp_token_path", opts)
+      end
+
       def otp_credential_path_for(resource_or_scope, opts = {})
         scope = ::Devise::Mapping.find_scope!(resource_or_scope)
         send("#{scope}_otp_credential_path", opts)

data/lib/devise_otp_authenticatable/engine.rb

@@ -3,20 +3,17 @@ module DeviseOtpAuthenticatable
     config.devise_otp = ActiveSupport::OrderedOptions.new
     config.devise_otp.precompile_assets = true
 
-    # We use to_prepare instead of after_initialize here because Devise is a Rails engine;
-    config.to_prepare do
-      DeviseOtpAuthenticatable::Hooks.apply
-    end
-
     initializer "devise-otp", group: :all do |app|
       ActiveSupport.on_load(:devise_controller) do
         include DeviseOtpAuthenticatable::Controllers::UrlHelpers
         include DeviseOtpAuthenticatable::Controllers::Helpers
+        include DeviseOtpAuthenticatable::Controllers::PublicHelpers
       end
 
       ActiveSupport.on_load(:action_view) do
         include DeviseOtpAuthenticatable::Controllers::UrlHelpers
         include DeviseOtpAuthenticatable::Controllers::Helpers
+        include DeviseOtpAuthenticatable::Controllers::PublicHelpers
       end
 
       # See: https://guides.rubyonrails.org/engines.html#separate-assets-and-precompiling

data/lib/devise_otp_authenticatable/hooks/refreshable.rb

@@ -0,0 +1,5 @@
+# After each sign in, update credentials refreshed at time
+Warden::Manager.after_set_user except: :fetch do |record, warden, options|
+  warden.session(options[:scope])["credentials_refreshed_at"] = (Time.now + record.class.otp_credentials_refresh)
+end
+

data/lib/devise_otp_authenticatable/models/otp_authenticatable.rb

@@ -5,8 +5,6 @@ module Devise::Models
     extend ActiveSupport::Concern
 
     included do
-      before_validation :generate_otp_auth_secret, on: :create
-      before_validation :generate_otp_persistence_seed, on: :create
       scope :with_valid_otp_challenge, lambda { |time| where("otp_challenge_expires > ?", time) }
     end
 
@@ -36,21 +34,6 @@ module Devise::Models
       email
     end
 
-    def reset_otp_credentials
-      @time_based_otp = nil
-      @recovery_otp = nil
-      generate_otp_auth_secret
-      reset_otp_persistence
-      update!(otp_enabled: false,
-        otp_session_challenge: nil, otp_challenge_expires: nil,
-        otp_recovery_counter: 0)
-    end
-
-    def reset_otp_credentials!
-      reset_otp_credentials
-      save!
-    end
-
     def reset_otp_persistence
       generate_otp_persistence_seed
     end
@@ -60,11 +43,30 @@ module Devise::Models
       save!
     end
 
-    def enable_otp!
-      if otp_persistence_seed.nil?
-        reset_otp_credentials!
+    def populate_otp_secrets!
+      if [otp_auth_secret, otp_recovery_secret, otp_persistence_seed].any? { |a| a.blank? }
+        generate_otp_auth_secret
+        generate_otp_persistence_seed
+        self.save!
       end
+    end
+
+    def clear_otp_fields!
+      @time_based_otp = nil
+      @recovery_otp = nil
+
+      self.update!(
+        :otp_auth_secret => nil,
+        :otp_recovery_secret => nil,
+        :otp_persistence_seed => nil,
+        :otp_session_challenge => nil,
+        :otp_challenge_expires => nil,
+        :otp_failed_attempts => 0,
+        :otp_recovery_counter => 0
+      )
+    end
 
+    def enable_otp!
       update!(otp_enabled: true, otp_enabled_on: Time.now)
     end
 

data/lib/devise_otp_authenticatable/routes.rb

@@ -4,7 +4,7 @@ module ActionDispatch::Routing
 
     def devise_otp(mapping, controllers)
       namespace :otp, module: :devise_otp do
-        resource :token, only: [:show, :update, :destroy],
+        resource :token, only: [:show, :edit, :update, :destroy],
           path: mapping.path_names[:token], controller: controllers[:otp_tokens] do
           if Devise.otp_trust_persistence
             get :persistence, action: "get_persistence"
@@ -13,6 +13,7 @@ module ActionDispatch::Routing
           end
 
           get :recovery
+          post :reset
         end
 
         resource :credential, only: [:show, :update],
@@ -20,6 +21,7 @@ module ActionDispatch::Routing
           get :refresh, action: "get_refresh"
           put :refresh, action: "set_refresh"
         end
+
       end
     end
   end

data/lib/generators/active_record/templates/migration.rb

@@ -1,4 +1,4 @@
-class DeviseOtpAddTo<%= table_name.camelize %> < ActiveRecord::Migration
+class DeviseOtpAddTo<%= table_name.camelize %> < ActiveRecord::Migration[7.0]
   def self.up
     change_table :<%= table_name %> do |t|
       t.string    :otp_auth_secret

data/test/dummy/app/controllers/admin_posts_controller.rb

@@ -0,0 +1,85 @@
+class AdminPostsController < ApplicationController
+  before_action :authenticate_admin!
+
+  # GET /posts
+  # GET /posts.json
+  def index
+    @posts = Post.all
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render json: @posts }
+    end
+  end
+
+  # GET /posts/1
+  # GET /posts/1.json
+  def show
+    @post = Post.find(params[:id])
+
+    respond_to do |format|
+      format.html # show.html.erb
+      format.json { render json: @post }
+    end
+  end
+
+  # GET /posts/new
+  # GET /posts/new.json
+  def new
+    @post = Post.new
+
+    respond_to do |format|
+      format.html # new.html.erb
+      format.json { render json: @post }
+    end
+  end
+
+  # GET /posts/1/edit
+  def edit
+    @post = Post.find(params[:id])
+  end
+
+  # POST /posts
+  # POST /posts.json
+  def create
+    @post = Post.new(params[:post])
+
+    respond_to do |format|
+      if @post.save
+        format.html { redirect_to @post, notice: "Post was successfully created." }
+        format.json { render json: @post, status: :created, location: @post }
+      else
+        format.html { render action: "new" }
+        format.json { render json: @post.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # PUT /posts/1
+  # PUT /posts/1.json
+  def update
+    @post = Post.find(params[:id])
+
+    respond_to do |format|
+      if @post.update_attributes(params[:post])
+        format.html { redirect_to @post, notice: "Post was successfully updated." }
+        format.json { head :ok }
+      else
+        format.html { render action: "edit" }
+        format.json { render json: @post.errors, status: :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE /posts/1
+  # DELETE /posts/1.json
+  def destroy
+    @post = Post.find(params[:id])
+    @post.destroy
+
+    respond_to do |format|
+      format.html { redirect_to posts_url }
+      format.json { head :ok }
+    end
+  end
+end

data/test/dummy/app/controllers/application_controller.rb

@@ -1,4 +1,3 @@
 class ApplicationController < ActionController::Base
   protect_from_forgery
-  before_action :authenticate_user!
 end

data/test/dummy/app/controllers/base_controller.rb

@@ -0,0 +1,6 @@
+class BaseController < ApplicationController
+
+  def home
+  end
+
+end

data/test/dummy/app/models/admin.rb

@@ -0,0 +1,25 @@
+class Admin < PARENT_MODEL_CLASS
+  if DEVISE_ORM == :mongoid
+    include Mongoid::Document
+
+    ## Database authenticatable
+    field :email, type: String, null: false, default: ""
+    field :encrypted_password, type: String, null: false, default: ""
+
+    ## Recoverable
+    field :reset_password_token, type: String
+    field :reset_password_sent_at, type: Time
+  end
+
+  devise :otp_authenticatable, :database_authenticatable, :registerable,
+    :trackable, :validatable
+
+  # Setup accessible (or protected) attributes for your model
+  # attr_accessible :otp_enabled, :otp_mandatory, :as => :otp_privileged
+  # attr_accessible :email, :password, :password_confirmation, :remember_me
+
+  def self.otp_mandatory
+    true
+  end
+
+end

data/test/dummy/app/views/admin_posts/_form.html.erb

@@ -0,0 +1,25 @@
+<%= form_for([:admin, @post]) do |f| %>
+  <% if @post.errors.any? %>
+    <div id="error_explanation">
+      <h2><%= pluralize(@post.errors.count, "error") %> prohibited this post from being saved:</h2>
+
+      <ul>
+      <% @post.errors.full_messages.each do |msg| %>
+        <li><%= msg %></li>
+      <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <div class="field">
+    <%= f.label :title %><br />
+    <%= f.text_field :title %>
+  </div>
+  <div class="field">
+    <%= f.label :body %><br />
+    <%= f.text_area :body %>
+  </div>
+  <div class="actions">
+    <%= f.submit %>
+  </div>
+<% end %>

data/test/dummy/app/views/admin_posts/edit.html.erb

@@ -0,0 +1,6 @@
+<h1>Editing post</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Show', @post %> |
+<%= link_to 'Back', admin_posts_path %>

data/test/dummy/app/views/admin_posts/index.html.erb

@@ -0,0 +1,25 @@
+<h1>Listing posts</h1>
+
+<table>
+  <tr>
+    <th>Title</th>
+    <th>Body</th>
+    <th></th>
+    <th></th>
+    <th></th>
+  </tr>
+
+<% @posts.each do |post| %>
+  <tr>
+    <td><%= post.title %></td>
+    <td><%= post.body %></td>
+    <td><%= link_to 'Show', post %></td>
+    <td><%= link_to 'Edit', edit_admin_post_path(post) %></td>
+    <td><%= link_to 'Destroy', [:admin, post], confirm: 'Are you sure?', method: :delete %></td>
+  </tr>
+<% end %>
+</table>
+
+<br />
+
+<%= link_to 'New Post', new_admin_post_path %>

data/test/dummy/app/views/admin_posts/new.html.erb

@@ -0,0 +1,5 @@
+<h1>New post</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Back', admin_posts_path %>

data/test/dummy/app/views/admin_posts/show.html.erb

@@ -0,0 +1,15 @@
+<p id="notice"><%= notice %></p>
+
+<p>
+  <b>Title:</b>
+  <%= @post.title %>
+</p>
+
+<p>
+  <b>Body:</b>
+  <%= @post.body %>
+</p>
+
+
+<%= link_to 'Edit', edit_admin_post_path(@post) %> |
+<%= link_to 'Back', admin_posts_path %>

data/test/dummy/app/views/base/home.html.erb

@@ -0,0 +1 @@
+<h1>Hello world!</h1>

data/test/dummy/config/application.rb

@@ -53,8 +53,6 @@ module Dummy
     # Enable escaping HTML in JSON.
     config.active_support.escape_html_entities_in_json = true
 
-    config.active_record.legacy_connection_handling = false
-
     # Use SQL instead of Active Record's schema dumper when creating the database.
     # This is necessary if your schema can't be completely dumped by the schema dumper,
     # like if you have constraints or database-specific column types

data/test/dummy/config/routes.rb

@@ -1,6 +1,9 @@
 Dummy::Application.routes.draw do
+  devise_for :admins
   devise_for :users
 
   resources :posts
-  root to: "posts#index"
+  resources :admin_posts
+
+  root to: "base#home"
 end

data/test/dummy/db/migrate/20240604000001_create_admins.rb

@@ -0,0 +1,9 @@
+class CreateAdmins < ActiveRecord::Migration[7.1]
+  def change
+    create_table :admins do |t|
+      t.string :name
+
+      t.timestamps
+    end
+  end
+end

data/test/dummy/db/migrate/20240604000002_add_devise_to_admins.rb

@@ -0,0 +1,52 @@
+class AddDeviseToAdmins < ActiveRecord::Migration[5.0]
+  def self.up
+    change_table(:admins) do |t|
+      ## Database authenticatable
+      t.string :email, null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      ## Recoverable
+      t.string :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer :sign_in_count, default: 0
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string :current_sign_in_ip
+      t.string :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      t.integer :failed_attempts, default: 0 # Only if lock strategy is :failed_attempts
+      t.string :unlock_token # Only if unlock strategy is :email or :both
+      t.datetime :locked_at
+
+      ## Token authenticatable
+      t.string :authentication_token
+
+      # Uncomment below if timestamps were not included in your original model.
+      # t.timestamps
+    end
+
+    add_index :admins, :email, unique: true
+    add_index :admins, :reset_password_token, unique: true
+    # add_index :admins, :confirmation_token,   :unique => true
+    add_index :admins, :unlock_token, unique: true
+    add_index :admins, :authentication_token, unique: true
+  end
+
+  def self.down
+    # By default, we don't want to make any assumption about how to roll back a migration when your
+    # model already existed. Please edit below which fields you would like to remove in this migration.
+    raise ActiveRecord::IrreversibleMigration
+  end
+end