devise-otp 0.6.0 → 0.8.0

data/test/dummy/db/migrate/20240604000003_devise_otp_add_to_admins.rb

@@ -0,0 +1,28 @@
+class DeviseOtpAddToAdmins < ActiveRecord::Migration[5.0]
+  def self.up
+    change_table :admins do |t|
+      t.string :otp_auth_secret
+      t.string :otp_recovery_secret
+      t.boolean :otp_enabled, default: false, null: false
+      t.boolean :otp_mandatory, default: false, null: false
+      t.datetime :otp_enabled_on
+      t.integer :otp_time_drift, default: 0, null: false
+      t.integer :otp_failed_attempts, default: 0, null: false
+      t.integer :otp_recovery_counter, default: 0, null: false
+      t.string :otp_persistence_seed
+
+      t.string :otp_session_challenge
+      t.datetime :otp_challenge_expires
+    end
+
+    add_index :admins, :otp_session_challenge, unique: true
+    add_index :admins, :otp_challenge_expires
+  end
+
+  def self.down
+    change_table :admins do |t|
+      t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,
+        :otp_challenge_expires, :otp_time_drift, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+    end
+  end
+end

data/test/integration/disable_token_test.rb

@@ -0,0 +1,53 @@
+require "test_helper"
+require "integration_tests_helper"
+
+class DisableTokenTest < ActionDispatch::IntegrationTest
+
+  def setup
+    # log in 1fa
+    @user = enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    # otp 2fa
+    fill_in "token", with: ROTP::TOTP.new(@user.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+    assert_equal root_path, current_path
+  end
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test "disabling OTP after successfully enabling" do
+    # disable OTP
+    disable_otp
+
+    assert page.has_content? "Disabled"
+
+    # logout
+    sign_out
+
+    # log back in 1fa
+    sign_user_in(@user)
+
+    assert_equal root_path, current_path
+  end
+
+  test "disabling OTP does not reset token secrets" do
+    # get otp secrets
+    @user.reload
+    auth_secret = @user.otp_auth_secret
+    recovery_secret = @user.otp_recovery_secret
+
+    # disable OTP
+    disable_otp
+
+    # compare otp secrets
+    assert_not_nil @user.otp_auth_secret
+    assert_equal @user.otp_auth_secret, auth_secret
+
+    assert_not_nil @user.otp_recovery_secret
+    assert_equal @user.otp_recovery_secret, recovery_secret
+  end
+
+end

data/test/integration/enable_otp_form_test.rb

@@ -0,0 +1,57 @@
+require "test_helper"
+require "integration_tests_helper"
+
+class EnableOtpFormTest < ActionDispatch::IntegrationTest
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test "a user should be able enable their OTP authentication by entering a confirmation code" do
+    user = sign_user_in
+
+    visit edit_user_otp_token_path
+
+    user.reload
+
+    fill_in "confirmation_code", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+
+    click_button "Continue..."
+
+    assert_equal user_otp_token_path, current_path
+    assert page.has_content?("Enabled")
+
+    user.reload
+    assert user.otp_enabled?
+  end
+
+  test "a user should not be able enable their OTP authentication with an incorrect confirmation code" do
+    user = sign_user_in
+
+    visit edit_user_otp_token_path
+
+    fill_in "confirmation_code", with: "123456"
+
+    click_button "Continue..."
+
+    assert page.has_content?("To Enable Two-Factor Authentication")
+
+    user.reload
+    assert_not user.otp_enabled?
+  end
+
+  test "a user should not be able enable their OTP authentication with a blank confirmation code" do
+    user = sign_user_in
+
+    visit edit_user_otp_token_path
+
+    fill_in "confirmation_code", with: ""
+
+    click_button "Continue..."
+
+    assert page.has_content?("To Enable Two-Factor Authentication")
+
+    user.reload
+    assert_not user.otp_enabled?
+  end
+
+end

data/test/integration/persistence_test.rb

@@ -51,13 +51,10 @@ class PersistenceTest < ActionDispatch::IntegrationTest
     visit user_otp_token_path
     assert_equal user_otp_token_path, current_path
 
-    enable_chrome_headless_downloads(page, "/tmp/devise-otp")
+    click_link("Download recovery codes")
 
-    DownloadHelper.wait_for_download(count: 1) do
-      click_link("Download recovery codes")
-    end
-
-    assert_equal 1, DownloadHelper.downloads.size
+    assert current_path.match?(/recovery\.text/)
+    assert page.body.match?(user.next_otp_recovery_tokens.values.join("\n"))
   end
 
   test "trusted status should expire" do

data/test/integration/refresh_test.rb

@@ -5,10 +5,12 @@ class RefreshTest < ActionDispatch::IntegrationTest
   def setup
     @old_refresh = User.otp_credentials_refresh
     User.otp_credentials_refresh = 1.second
+    Admin.otp_credentials_refresh = 1.second
   end
 
   def teardown
     User.otp_credentials_refresh = @old_refresh
+    Admin.otp_credentials_refresh = @old_refresh
     Capybara.reset_sessions!
   end
 
@@ -72,4 +74,34 @@ class RefreshTest < ActionDispatch::IntegrationTest
 
     assert_equal user_otp_token_path, current_path
   end
+
+  test "works for non-default warden scopes" do
+    admin = create_full_admin
+
+    admin.populate_otp_secrets!
+    admin.enable_otp!
+
+    visit new_admin_session_path
+    fill_in "admin_email", with: admin.email
+    fill_in "admin_password", with: admin.password
+
+    page.has_content?("Log in") ? click_button("Log in") : click_button("Sign in")
+
+    assert_equal admin_otp_credential_path, current_path
+
+    fill_in "token", with: ROTP::TOTP.new(admin.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+    assert_equal "/", current_path
+
+    sleep(2)
+
+    visit admin_otp_token_path
+    assert_equal refresh_admin_otp_credential_path, current_path
+
+    fill_in "admin_refresh_password", with: "12345678"
+    click_button "Continue..."
+
+    assert_equal admin_otp_token_path, current_path
+  end
+
 end

data/test/integration/reset_token_test.rb

@@ -0,0 +1,45 @@
+require "test_helper"
+require "integration_tests_helper"
+
+class ResetTokenTest < ActionDispatch::IntegrationTest
+
+  def setup
+    # log in 1fa
+    @user = enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    # otp 2fa
+    fill_in "token", with: ROTP::TOTP.new(@user.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+    assert_equal root_path, current_path
+  end
+
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test "redirects to otp_tokens#edit page" do
+    reset_otp
+
+    assert_equal "/users/otp/token/edit", current_path
+  end
+
+  test "generates new token secrets" do
+    # get auth secrets
+    auth_secret = @user.otp_auth_secret
+    recovery_secret = @user.otp_recovery_secret
+
+    # reset otp
+    reset_otp
+
+    # compare auth secrets
+    @user.reload
+    assert_not_nil @user.otp_auth_secret
+    assert_not_equal @user.otp_auth_secret, auth_secret
+
+    assert_not_nil @user.otp_recovery_secret
+    assert_not_equal @user.otp_recovery_secret, recovery_secret
+  end
+
+end

data/test/integration/sign_in_test.rb

@@ -17,20 +17,16 @@ class SignInTest < ActionDispatch::IntegrationTest
     assert_equal posts_path, current_path
   end
 
-  test "a new user, just signed in, should be able to sign in and enable their OTP authentication" do
+  test "a new user, just signed in, should be able to see and click the 'Enable Two-Factor Authentication' link" do
     user = sign_user_in
 
     visit user_otp_token_path
-    assert !page.has_content?("Your token secret")
+    assert page.has_content?("Disabled")
 
-    check "user_otp_enabled"
-    click_button "Continue..."
+    click_link "Enable Two-Factor Authentication"
 
-    assert_equal user_otp_token_path, current_path
-
-    assert page.has_content?("Your token secret")
-    assert !user.otp_auth_secret.nil?
-    assert !user.otp_persistence_seed.nil?
+    assert page.has_content?("Enable Two-Factor Authentication")
+    assert_equal edit_user_otp_token_path, current_path
   end
 
   test "a new user should be able to sign in enable OTP and be prompted for their token" do
@@ -43,17 +39,17 @@ class SignInTest < ActionDispatch::IntegrationTest
     enable_otp_and_sign_in
     assert_equal user_otp_credential_path, current_path
 
-    fill_in "user_token", with: "123456"
+    fill_in "token", with: "123456"
     click_button "Submit Token"
 
-    assert_equal new_user_session_path, current_path
+    assert_equal user_otp_credential_path, current_path
   end
 
   test "fail blank token authentication" do
     enable_otp_and_sign_in
     assert_equal user_otp_credential_path, current_path
 
-    fill_in "user_token", with: ""
+    fill_in "token", with: ""
     click_button "Submit Token"
 
     assert_equal user_otp_credential_path, current_path
@@ -62,7 +58,7 @@ class SignInTest < ActionDispatch::IntegrationTest
   test "successful token authentication" do
     user = enable_otp_and_sign_in
 
-    fill_in "user_token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
     click_button "Submit Token"
 
     assert_equal root_path, current_path
@@ -76,7 +72,7 @@ class SignInTest < ActionDispatch::IntegrationTest
 
     sleep(2)
 
-    fill_in "user_token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
     click_button "Submit Token"
 
     User.otp_authentication_timeout = old_timeout

data/test/integration/trackable_test.rb

@@ -0,0 +1,50 @@
+require "test_helper"
+require "integration_tests_helper"
+
+class TrackableTest < ActionDispatch::IntegrationTest
+
+  def setup
+    @user = sign_user_in
+
+    @user.reload
+
+    @sign_in_count = @user.sign_in_count
+    @current_sign_in_at = @user.current_sign_in_at
+
+    sign_out
+  end
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test "if otp is disabled, it should update devise trackable fields as usual when the user signs in" do
+    sign_user_in(@user)
+
+    @user.reload
+
+    assert_not_equal @sign_in_count, @user.sign_in_count
+    assert_not_equal @current_sign_in_at, @user.current_sign_in_at
+  end
+
+  test "if otp is enabled, it should not update devise trackable fields until user enters their user token to complete their sign in" do
+    @user.populate_otp_secrets!
+    @user.enable_otp!
+
+    sign_user_in(@user)
+
+    @user.reload
+
+    assert_equal @sign_in_count, @user.sign_in_count
+    assert_equal @current_sign_in_at, @user.current_sign_in_at
+
+    fill_in "token", with: ROTP::TOTP.new(@user.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+
+    @user.reload
+
+    assert_not_equal @sign_in_count, @user.sign_in_count
+    assert_not_equal @current_sign_in_at, @user.current_sign_in_at
+  end
+
+end

data/test/integration_tests_helper.rb

@@ -16,18 +16,31 @@ class ActionDispatch::IntegrationTest
     end
   end
 
+  def create_full_admin
+    @admin ||= begin
+      admin = Admin.create!(
+        email: "admin@email.invalid",
+        password: "12345678",
+        password_confirmation: "12345678"
+      )
+      admin
+    end
+  end
+
   def enable_otp_and_sign_in_with_otp
     enable_otp_and_sign_in.tap do |user|
-      fill_in "user_token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+      fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
       click_button "Submit Token"
     end
   end
 
   def enable_otp_and_sign_in
     user = create_full_user
+    user.populate_otp_secrets!
+
     sign_user_in(user)
-    visit user_otp_token_path
-    check "user_otp_enabled"
+    visit edit_user_otp_token_path
+    fill_in "confirmation_code", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
     click_button "Continue..."
 
     Capybara.reset_sessions!
@@ -37,14 +50,18 @@ class ActionDispatch::IntegrationTest
   end
 
   def otp_challenge_for(user)
-    fill_in "user_token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
     click_button "Submit Token"
   end
 
   def disable_otp
     visit user_otp_token_path
-    uncheck "user_otp_enabled"
-    click_button "Continue..."
+    click_button "Disable Two-Factor Authentication"
+  end
+
+  def reset_otp
+    visit user_otp_token_path
+    click_button "Reset Token Secret"
   end
 
   def sign_out
@@ -61,4 +78,5 @@ class ActionDispatch::IntegrationTest
     page.has_content?("Log in") ? click_button("Log in") : click_button("Sign in")
     user
   end
+
 end

data/test/models/otp_authenticatable_test.rb

@@ -6,42 +6,70 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
     new_user
   end
 
-  test "new users have a non-nil secret set" do
-    assert_not_nil User.first.otp_auth_secret
+  test "new users do not have a secret set" do
+    user = User.first
+
+    [:otp_auth_secret, :otp_recovery_secret, :otp_persistence_seed].each do |field|
+      assert_nil user.send(field)
+    end
   end
 
   test "new users have OTP disabled by default" do
     assert !User.first.otp_enabled
   end
 
-  test "users should have an instance of TOTP/ROTP objects" do
-    u = User.first
-    assert u.time_based_otp.is_a? ROTP::TOTP
-    assert u.recovery_otp.is_a? ROTP::HOTP
+  test "populating otp secrets should populate all required fields" do
+    user = User.first
+    user.populate_otp_secrets!
+
+    [:otp_auth_secret, :otp_recovery_secret, :otp_persistence_seed].each do |field|
+      assert_not_nil user.send(field)
+    end
   end
 
-  test "users should have their otp_auth_secret/persistence_seed set on creation" do
-    assert User.first.otp_auth_secret
-    assert User.first.otp_persistence_seed
+  test "time_based_otp and recover_otp fields should be an instance of TOTP/ROTP objects" do
+    user = User.first
+    user.populate_otp_secrets!
+
+    assert user.time_based_otp.is_a? ROTP::TOTP
+    assert user.recovery_otp.is_a? ROTP::HOTP
   end
 
-  test "reset_otp_credentials should generate new secrets and disable OTP" do
-    u = User.first
-    u.update_attribute(:otp_enabled, true)
-    assert u.otp_enabled
-    otp_auth_secret = u.otp_auth_secret
-    otp_persistence_seed = u.otp_persistence_seed
+  test "clear_otp_fields should clear all otp fields" do
+    user = User.first
+    user.populate_otp_secrets!
 
-    u.reset_otp_credentials!
-    assert !(otp_auth_secret == u.otp_auth_secret)
-    assert !(otp_persistence_seed == u.otp_persistence_seed)
-    assert !u.otp_enabled
+    user.enable_otp!
+    user.generate_otp_challenge!
+    user.update(
+      :otp_failed_attempts => 1,
+      :otp_recovery_counter => 1
+    )
+
+
+    assert user.otp_enabled
+    [:otp_auth_secret, :otp_recovery_secret, :otp_persistence_seed].each do |field|
+      assert_not_nil user.send(field)
+    end
+    [:otp_failed_attempts, :otp_recovery_counter].each do |field|
+      assert_not user.send(field) == 0
+    end
+
+    user.clear_otp_fields!
+    [:otp_auth_secret, :otp_recovery_secret, :otp_persistence_seed].each do |field|
+      assert_nil user.send(field)
+    end
+    [:otp_failed_attempts, :otp_recovery_counter].each do |field|
+      assert user.send(field) == 0
+    end
   end
 
   test "reset_otp_persistence should generate new persistence_seed but NOT change the otp_auth_secret" do
     u = User.first
-    u.update_attribute(:otp_enabled, true)
+    u.populate_otp_secrets!
+    u.enable_otp!
     assert u.otp_enabled
+
     otp_auth_secret = u.otp_auth_secret
     otp_persistence_seed = u.otp_persistence_seed
 
@@ -53,7 +81,8 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
 
   test "generating a challenge, should retrieve the user later" do
     u = User.first
-    u.update_attribute(:otp_enabled, true)
+    u.populate_otp_secrets!
+    u.enable_otp!
     challenge = u.generate_otp_challenge!
 
     w = User.find_valid_otp_challenge(challenge)
@@ -63,7 +92,8 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
 
   test "expiring the challenge, should retrieve nothing" do
     u = User.first
-    u.update_attribute(:otp_enabled, true)
+    u.populate_otp_secrets!
+    u.enable_otp!
     challenge = u.generate_otp_challenge!(1.second)
     sleep(2)
 
@@ -73,7 +103,8 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
 
   test "expired challenges should not be valid" do
     u = User.first
-    u.update_attribute(:otp_enabled, true)
+    u.populate_otp_secrets!
+    u.enable_otp!
     challenge = u.generate_otp_challenge!(1.second)
     sleep(2)
     assert_equal false, u.otp_challenge_valid?
@@ -81,14 +112,16 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
 
   test "null otp challenge" do
     u = User.first
-    u.update_attribute(:otp_enabled, true)
+    u.populate_otp_secrets!
+    u.enable_otp!
     assert_equal false, u.validate_otp_token("")
     assert_equal false, u.validate_otp_token(nil)
   end
 
   test "generated otp token should be valid for the user" do
     u = User.first
-    u.update_attribute(:otp_enabled, true)
+    u.populate_otp_secrets!
+    u.enable_otp!
 
     secret = u.otp_auth_secret
     token = ROTP::TOTP.new(secret).now
@@ -98,7 +131,8 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
 
   test "generated otp token, out of drift window, should be NOT valid for the user" do
     u = User.first
-    u.update_attribute(:otp_enabled, true)
+    u.populate_otp_secrets!
+    u.enable_otp!
 
     secret = u.otp_auth_secret
 
@@ -110,7 +144,8 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
 
   test "recovery secrets should be valid, and valid only once" do
     u = User.first
-    u.update_attribute(:otp_enabled, true)
+    u.populate_otp_secrets!
+    u.enable_otp!
     recovery = u.next_otp_recovery_tokens
 
     assert u.valid_otp_recovery_token? recovery.fetch(0)

data/test/orm/active_record.rb

@@ -3,4 +3,9 @@ ActiveRecord::Base.logger = Logger.new(nil)
 
 migrations_path = File.expand_path("../../dummy/db/migrate/", __FILE__)
 
-ActiveRecord::MigrationContext.new(migrations_path, ActiveRecord::SchemaMigration).migrate
+if Rails.version.to_f >= 7.2
+  ActiveRecord::MigrationContext.new(migrations_path).migrate
+else
+  # To support order versions of Rails (pre v7.2)
+  ActiveRecord::MigrationContext.new(migrations_path, ActiveRecord::SchemaMigration).migrate
+end

data/test/test_helper.rb

@@ -6,86 +6,16 @@ require "dummy/config/environment"
 require "orm/#{DEVISE_ORM}"
 require "rails/test_help"
 require "capybara/rails"
-require "capybara/cuprite"
 require "minitest/reporters"
 
-MiniTest::Reporters.use!
+Minitest::Reporters.use!
 
 # I18n.load_path << File.expand_path("../support/locale/en.yml", __FILE__) if DEVISE_ORM == :mongoid
 
 # ActiveSupport::Deprecation.silenced = true
 
-# Use a module to not pollute the global namespace
-module CapybaraHelper
-  def self.register_driver(driver_name, args = [])
-    opts = {headless: true, js_errors: true, window_size: [1920, 1200], browser_options: {}}
-    args.each do |arg|
-      opts[:browser_options][arg] = nil
-    end
-
-    Capybara.register_driver(driver_name) do |app|
-      Capybara::Cuprite::Driver.new(app, opts)
-    end
-  end
-end
-
-# Register our own custom drivers
-CapybaraHelper.register_driver(:headless_chrome, %w[disable-gpu no-sandbox disable-dev-shm-usage])
-
-# Configure Capybara JS driver
-Capybara.current_driver = :headless_chrome
-Capybara.javascript_driver = :headless_chrome
-
-# Configure Capybara server
-Capybara.run_server = true
-Capybara.server = :puma, {Silent: true}
-
 class ActionDispatch::IntegrationTest
   include Capybara::DSL
-
-  # What capybara calls a "page" in its DSL is actually a Capybara::Session
-  # and doesn't know about the *command* method that allows us to play with
-  # the Chrome API.
-  # See: https://rubydoc.info/github/jnicklas/capybara/master/Capybara/Session
-  #
-  # To enable downloads we need to do it on the browser's page object, so fetch it
-  # from this long method chain.
-  # See: https://github.com/rubycdp/ferrum/blob/master/lib/ferrum/page.rb
-  def enable_chrome_headless_downloads(session, directory)
-    page = session.driver.browser.page
-    page.command("Page.setDownloadBehavior", behavior: "allow", downloadPath: directory)
-  end
-end
-
-# From https://collectiveidea.com/blog/archives/2012/01/27/testing-file-downloads-with-capybara-and-chromedriver
-module DownloadHelper
-  extend self
-
-  TIMEOUT = 10
-
-  def downloads
-    Dir["/tmp/devise-otp/*"]
-  end
-
-  def wait_for_download(count: 1)
-    yield if block_given?
-
-    Timeout.timeout(TIMEOUT) do
-      sleep 0.2 until downloaded?(count)
-    end
-  end
-
-  def downloaded?(count)
-    !downloading? && downloads.size == count
-  end
-
-  def downloading?
-    downloads.grep(/\.crdownload$/).any?
-  end
-
-  def clear_downloads
-    FileUtils.rm_f(downloads)
-  end
 end
 
 require "devise-otp"