devise-otp 0.7.1 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 591466bedc565bb6914c791657c39f3337ab5cb8c91bad78027ce2a27e7008ae
-  data.tar.gz: b7b7edc112fd429cf51ad1c48adf126138b3f875cdb103c6259cd316237ae5d1
+  metadata.gz: 7a2884c76d255b2c2bb3b40859db7018c5668d49fcb6897141dacd8d7df0bc62
+  data.tar.gz: 3c7ee30dd96a9711b4b4194cb2b94cea6abb06113dda2ef58b70c9a96c998ec4
 SHA512:
-  metadata.gz: 299c6b4523d6f180fa3c795b1fc56a00eceeafdff0f36e9086f26da9c958acbcbabd2329919105fa24cf433bc14eeeba44642a0dff75189473811dd48da3088f
-  data.tar.gz: 6caad7adc9cd91b05f9e05cb0d0364e9aca50d7d9cc67b97c58aeb7d465f365bf42e4fad1f37f54d19d48452b844e9ede4156f8f25898e463a99951e5c66c8df
+  metadata.gz: b099c20c5c6d76fc2e1226511615bb43f2b081620f01bbf1bcc939cec66e286aa3536f8a654495907607e42d23e7f3efd9bb3377ed3a1a8a6ef522ec5e9568e1
+  data.tar.gz: 731d1dc34877d0fe91bb092b33ce4ee7c302c4cb75183daa3ff67a0df7f6d242bc86b3ab4e0923683b8408c8f1e6bab8e8a1d1c5fa10b9b0e104617a9b87ded7

data/.github/workflows/ci.yml

@@ -7,28 +7,38 @@ on:
 
 jobs:
   rspec:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         ruby:
+          - '3.3'
+          - '3.2'
           - '3.1'
+          - 'head'
+        rails:
+          - rails_8.0
+          - rails_7.2
+          - rails_7.1
+          - rails_7.0
+        exclude:
+          - ruby: '3.1'
+            rails: 'rails_8.0'
+
+    env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
+      BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/${{ matrix.rails }}.gemfile
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Setup Ruby
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: ${{ matrix.ruby }}
-
-      - name: Bundle
-        run: |
-          gem install bundler
-          bundle install --jobs 4 --retry 3
+          bundler-cache: true
 
       - name: Run tests
         env:
           DEVISE_ORM: active_record
-        run: rake test
+        run: bundle exec rake test

data/.gitignore

@@ -38,7 +38,9 @@ test/dummy/db/*.sqlite3
 test/dummy/db/*.sqlite3-shm
 test/dummy/db/*.sqlite3-wal
 
+# Ignore Gemfile.lock
 Gemfile.lock
+gemfiles/*.lock
 
 # Generated test files
 tmp/*

data/Appraisals

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+appraise 'rails_7.0' do
+  gem 'rails', '~> 7.0.0'
+  gem 'sqlite3', '~> 1.5.0'
+
+  # Fix: LoadError: cannot load such file -- base64
+  install_if '-> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.3.0") }' do
+    gem 'base64'
+    gem 'bigdecimal'
+    gem 'mutex_m'
+    gem 'drb'
+    gem 'logger'
+  end
+end
+
+appraise 'rails_7.1' do
+  gem 'rails', '~> 7.1.0'
+  gem 'sqlite3', '~> 1.5.0'
+
+  # Fix:
+  # warning: logger was loaded from the standard library, but will no longer be part of the default gems since Ruby 3.5.0.
+  # Add logger to your Gemfile or gemspec.
+  install_if '-> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.4.0") }' do
+    gem 'logger'
+  end
+end
+
+appraise 'rails_7.2' do
+  gem 'rails', '~> 7.2.0'
+  gem 'sqlite3', '~> 1.5.0'
+end
+
+appraise 'rails_8.0' do
+  gem 'rails', '~> 8.0.0'
+end

data/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## Unreleased
+
+- Upgrade gemspec to support Rails v7.2
+
 ## 0.7.0
 
 Breaking changes:
@@ -57,4 +61,3 @@ Fixes:
 
 - mandatory otp fix by @cotcomsol in #68
 - remove success message by @strzibny in #69
-

data/Gemfile

@@ -2,3 +2,15 @@ source "https://rubygems.org"
 
 # Specify your gem's dependencies in devise-otp.gemspec
 gemspec
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 2.1"
+gem "standardrb"

data/README.md

@@ -13,7 +13,7 @@ Some of the compatible token devices are:
 * [Google Authenticator](https://code.google.com/p/google-authenticator/)
 * [FreeOTP](https://fedorahosted.org/freeotp/)
 
-Device OTP was recently updated to work with Rails 7 and Turbo.
+Device OTP was recently updated to work with Rails 7+ and Turbo.
 
 ## Sponsor
 
@@ -58,10 +58,13 @@ Don't forget to migrate:
 
     rake db:migrate
 
-Add the gem's JavaScript to you `application.js`:
+### Default CSS
 
-    //= require devise-otp
+To use the default CSS for devise-otp, just require the devise-otp.css file as usual in your application.css file (or equivalent):
 
+    *= require devise-otp
+
+It might be even easier to just copy the styles to your project.
 
 ### Custom views
 
@@ -77,9 +80,7 @@ The install generator also installs an english copy of a Devise OTP i18n file. T
 
 ### QR codes
 
-By default, Devise OTP assumes that you use [Sprockets](https://github.com/rails/sprockets) to render assets and so will use the ([qrcode.js](/app/assets/javascripts/qrcode.js)) embeded library to render the QR code.
-
-If you need something more, have a look at [QR codes](/docs/QR_CODES.md) documentation file.
+Devise OTP generates QR Codes directly as SVG's via the [rqrcode](https://github.com/whomwah/rqrcode), so there are no JavaScript (or Sprockets) dependencies.
 
 ## Configuration
 
@@ -102,7 +103,7 @@ Enforcing mandatory OTP requires adding the ensure\_mandatory\_{scope}\_otp! met
 
 ## Authors
 
-The project was originally started by Lele Forzani by forking [devise_google_authenticator](https://github.com/AsteriskLabs/devise_google_authenticator) and still contains some devise_google_authenticator code. It's now maintained by [Josef Strzibny](https://github.com/strzibny/).
+The project was originally started by Lele Forzani by forking [devise_google_authenticator](https://github.com/AsteriskLabs/devise_google_authenticator) and still contains some devise_google_authenticator code. It's now maintained by [Josef Strzibny](https://github.com/strzibny/) and [Laney Stroup](https://github.com/strouptl).
 
 Contributions are welcome!
 

data/app/assets/stylesheets/devise-otp.css

@@ -0,0 +1,4 @@
+.qrcode-container {
+  max-width: 300px;
+  margin: 0 auto;
+}

data/app/controllers/devise_otp/devise/otp_credentials_controller.rb

@@ -26,17 +26,15 @@ module DeviseOtp
       # signs the resource in, if the OTP token is valid and the user has a valid challenge
       #
       def update
-        if @token.blank?
-          otp_set_flash_message(:alert, :token_blank)
-          redirect_to otp_credential_path_for(resource_name, challenge: @challenge, recovery: @recovery)
-        elsif resource.otp_challenge_valid? && resource.validate_otp_token(@token, @recovery)
+        if resource.otp_challenge_valid? && resource.validate_otp_token(@token, @recovery)
           sign_in(resource_name, resource)
 
           otp_set_trusted_device_for(resource) if params[:enable_persistence] == "true"
           otp_refresh_credentials_for(resource)
           respond_with resource, location: after_sign_in_path_for(resource)
         else
-          otp_set_flash_message :alert, :token_invalid
+          kind = (@token.blank? ? :token_blank : :token_invalid)
+          otp_set_flash_message :alert, kind, :now => true
           render :show
         end
       end
@@ -103,7 +101,7 @@ module DeviseOtp
       end
 
       def failed_refresh
-        otp_set_flash_message :alert, :invalid_refresh
+        otp_set_flash_message :alert, :invalid_refresh, :now => true
         render :refresh
       end
 

data/app/controllers/devise_otp/devise/otp_tokens_controller.rb

@@ -33,9 +33,9 @@ module DeviseOtp
         if resource.valid_otp_token?(params[:confirmation_code])
           resource.enable_otp!
           otp_set_flash_message :success, :successfully_updated
-          redirect_to action: :show
+          redirect_to otp_token_path_for(resource)
         else
-          otp_set_flash_message :danger, :could_not_confirm
+          otp_set_flash_message :danger, :could_not_confirm, :now => true
           render :edit
         end
       end
@@ -48,7 +48,7 @@ module DeviseOtp
           otp_set_flash_message :success, :successfully_disabled_otp
         end
 
-        redirect_to action: :show
+        redirect_to otp_token_path_for(resource)
       end
 
       #
@@ -59,7 +59,7 @@ module DeviseOtp
           otp_set_flash_message :success, :successfully_set_persistence
         end
 
-        redirect_to action: :show
+        redirect_to otp_token_path_for(resource)
       end
 
       #
@@ -70,7 +70,7 @@ module DeviseOtp
           otp_set_flash_message :success, :successfully_cleared_persistence
         end
 
-        redirect_to action: :show
+        redirect_to otp_token_path_for(resource)
       end
 
       #
@@ -81,7 +81,7 @@ module DeviseOtp
           otp_set_flash_message :notice, :successfully_reset_persistence
         end
 
-        redirect_to action: :show
+        redirect_to otp_token_path_for(resource)
       end
 
       def recovery
@@ -100,7 +100,7 @@ module DeviseOtp
           otp_set_flash_message :success, :successfully_reset_otp
         end
 
-        redirect_to action: :edit
+        redirect_to edit_otp_token_path_for(resource)
       end
 
       private
@@ -109,7 +109,6 @@ module DeviseOtp
         ensure_resource!
 
         if needs_credentials_refresh?(resource)
-          otp_set_flash_message :notice, :need_to_refresh_credentials
           redirect_to refresh_otp_credential_path_for(resource)
         end
       end

data/app/views/devise/otp_tokens/show.html.erb

@@ -7,7 +7,7 @@
   <%= render :partial => 'trusted_devices' if trusted_devices_enabled? %>
 
   <% unless otp_mandatory_on?(resource) %>
-    <%= button_to I18n.t('disable_link', :scope => 'devise.otp.otp_tokens'), @resource, :method => :delete, :data => { "turbo-method": "DELETE" } %>
+    <%= button_to I18n.t('disable_link', :scope => 'devise.otp.otp_tokens'), otp_token_path_for(resource), :method => :delete, :data => { "turbo-method": "DELETE" } %>
   <% end %>
 <% else %>
   <%= link_to I18n.t('enable_link', :scope => 'devise.otp.otp_tokens'), edit_otp_token_path_for(resource) %>

data/config/locales/en.yml

@@ -14,7 +14,6 @@ en:
         otp_session_invalid: Session invalid. Please start again.
         token_invalid: 'The token you provided was invalid.'
         token_blank: 'You need to type in the token you generated with your device.'
-        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
         valid_refresh: 'Thank you, your credentials were accepted.'
         invalid_refresh: 'Sorry, you provided the wrong credentials.'
       credentials_refresh:
@@ -41,7 +40,6 @@ en:
         successfully_set_persistence: 'Your device is now trusted.'
         successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
         successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
-        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
         recovery:
           title: 'Your Emergency Recovery Codes'
           explain: 'Take note or print these recovery codes. The will allow you to log back in in case your token device is lost, stolen, or unavailable.'

data/devise-otp.gemspec

@@ -5,25 +5,17 @@ require_relative "lib/devise-otp/version"
 Gem::Specification.new do |gem|
   gem.name = "devise-otp"
   gem.version = Devise::OTP::VERSION
-  gem.authors = ["Lele Forzani", "Josef Strzibny"]
-  gem.email = ["lele@windmill.it", "strzibny@strzibny.name"]
-  gem.description = "Time Based OTP/rfc6238 compatible authentication for Devise"
+  gem.authors = ["Lele Forzani", "Josef Strzibny", "Laney Stroup"]
+  gem.email = ["lele@windmill.it", "strzibny@strzibny.name", "laney@stroupsolutions.com"]
+  gem.description = "OTP authentication for Devise"
   gem.summary = "Time Based OTP/rfc6238 compatible authentication for Devise"
-  gem.homepage = "http://git.windmill.it/wm/devise-otp"
+  gem.homepage = "https://github.com/wmlele/devise-otp"
 
   gem.files = `git ls-files`.split($/)
   gem.require_paths = ["lib"]
 
-  gem.add_runtime_dependency "rails", ">= 6.1", "< 7.2"
-  gem.add_runtime_dependency "devise", ">= 4.8.0", "< 5.0"
-  gem.add_runtime_dependency "rotp", ">= 2.0.0"
-
-  gem.add_development_dependency "capybara"
-  gem.add_development_dependency "minitest-reporters", ">= 0.5.0"
-  gem.add_development_dependency "puma"
-  gem.add_development_dependency "rdoc"
-  gem.add_development_dependency "shoulda"
-  gem.add_development_dependency "sprockets-rails"
-  gem.add_development_dependency "sqlite3", "~> 1.4"
-  gem.add_development_dependency "standardrb"
+  gem.add_dependency "rails", ">= 7.0"
+  gem.add_dependency "devise", ">= 4.8.0", "< 5.0"
+  gem.add_dependency "rotp", ">= 2.0.0"
+  gem.add_dependency "rqrcode", "~> 2.0"
 end

data/gemfiles/rails_7.0.gemfile

@@ -0,0 +1,25 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 1.5.0"
+gem "standardrb"
+gem "rails", "~> 7.0.0"
+
+install_if -> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.3.0") } do
+  gem "base64"
+  gem "bigdecimal"
+  gem "mutex_m"
+  gem "drb"
+  gem "logger"
+end
+
+gemspec path: "../"

data/gemfiles/rails_7.1.gemfile

@@ -0,0 +1,21 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 1.5.0"
+gem "standardrb"
+gem "rails", "~> 7.1.0"
+
+install_if -> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.4.0") } do
+  gem "logger"
+end
+
+gemspec path: "../"

data/gemfiles/rails_7.2.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 1.5.0"
+gem "standardrb"
+gem "rails", "~> 7.2.0"
+
+gemspec path: "../"

data/gemfiles/rails_8.0.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 2.1"
+gem "standardrb"
+gem "rails", "~> 8.0.0"
+
+gemspec path: "../"

data/lib/devise-otp/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module OTP
-    VERSION = "0.7.1"
+    VERSION = "1.0.0"
   end
 end

data/lib/devise_otp_authenticatable/controllers/helpers.rb

@@ -1,3 +1,5 @@
+require "rqrcode"
+
 module DeviseOtpAuthenticatable
   module Controllers
     module Helpers
@@ -12,11 +14,8 @@ module DeviseOtpAuthenticatable
       #
       def otp_set_flash_message(key, kind, options = {})
         options[:scope] ||= "devise.otp.#{controller_name}"
-        options[:default] = Array(options[:default]).unshift(kind.to_sym)
-        options[:resource_name] = resource_name
-        options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
-        message = I18n.t("#{options[:resource_name]}.#{kind}", **options)
-        flash[key] = message if message.present?
+
+        set_flash_message(key, kind, options)
       end
 
       def otp_t
@@ -122,33 +121,11 @@ module DeviseOtpAuthenticatable
       # returns the URL for the QR Code to initialize the Authenticator device
       #
       def otp_authenticator_token_image(resource)
-        otp_authenticator_token_image_js(resource.otp_provisioning_uri)
-      end
-
-      private
-
-      def otp_authenticator_token_image_js(otp_url)
         content_tag(:div, class: "qrcode-container") do
-          content_tag(:div, id: "qrcode", class: "qrcode") do
-            javascript_tag(%[
-              new QRCode("qrcode", {
-                text: "#{otp_url}",
-                width: 256,
-                height: 256,
-                colorDark : "#000000",
-                colorLight : "#ffffff",
-                correctLevel : QRCode.CorrectLevel.H
-              });
-            ])
-          end
+          raw RQRCode::QRCode.new(resource.otp_provisioning_uri).as_svg(:module_size => 5, :viewbox => true, :use_path => true)
         end
       end
 
-      def otp_authenticator_token_image_google(otp_url)
-        otp_url = Rack::Utils.escape(otp_url)
-        url = "https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=#{otp_url}"
-        image_tag(url, alt: "OTP Url QRCode")
-      end
     end
   end
 end

data/lib/generators/active_record/templates/migration.rb

@@ -1,4 +1,4 @@
-class DeviseOtpAddTo<%= table_name.camelize %> < ActiveRecord::Migration
+class DeviseOtpAddTo<%= table_name.camelize %> < ActiveRecord::Migration[7.0]
   def self.up
     change_table :<%= table_name %> do |t|
       t.string    :otp_auth_secret

data/test/dummy/app/assets/javascripts/application.js

@@ -11,4 +11,3 @@
 // GO AFTER THE REQUIRES BELOW.
 //
 //= require_tree .
-//= require devise-otp

data/test/dummy/app/assets/stylesheets/application.css

@@ -8,6 +8,7 @@
  * You're free to add application-wide styles to this file and they'll appear at the top of the
  * compiled file, but it's generally better to create a new file per style scope.
  *
+ *= require devise-otp
  *= require_self
  *= require_tree .
  */

data/test/dummy/app/views/layouts/application.html.erb

@@ -8,7 +8,13 @@
 </head>
 <body>
 
-<%= yield %>
+  <div id="alerts">
+    <% flash.keys.each do |key| %>
+      <%= content_tag :p, flash[key], :id => key %>
+    <% end %>
+  </div>
+
+  <%= yield %>
 
 </body>
 </html>

data/test/dummy/config/routes.rb

@@ -1,6 +1,6 @@
 Dummy::Application.routes.draw do
-  devise_for :users
   devise_for :admins
+  devise_for :users
 
   resources :posts
   resources :admin_posts

data/test/dummy/db/migrate/20240604000001_create_admins.rb

@@ -1,4 +1,4 @@
-class CreateAdmins < ActiveRecord::Migration[7.1]
+class CreateAdmins < ActiveRecord::Migration[5.0]
   def change
     create_table :admins do |t|
       t.string :name

data/test/integration/disable_token_test.rb

@@ -23,6 +23,9 @@ class DisableTokenTest < ActionDispatch::IntegrationTest
     disable_otp
 
     assert page.has_content? "Disabled"
+    within "#alerts" do
+      assert page.has_content? 'Two-Factor Authentication has been disabled.'
+    end
 
     # logout
     sign_out

data/test/integration/enable_otp_form_test.rb

@@ -20,6 +20,10 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
     assert_equal user_otp_token_path, current_path
     assert page.has_content?("Enabled")
 
+    within "#alerts" do
+      assert page.has_content? 'Your Two-Factor Authentication settings have been updated.'
+    end
+
     user.reload
     assert user.otp_enabled?
   end
@@ -37,6 +41,15 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
 
     user.reload
     assert_not user.otp_enabled?
+
+    within "#alerts" do
+      assert page.has_content? 'The Confirmation Code you entered did not match the QR code shown below.'
+    end
+
+    visit "/"
+    within "#alerts" do
+      assert !page.has_content?('The Confirmation Code you entered did not match the QR code shown below.')
+    end
   end
 
   test "a user should not be able enable their OTP authentication with a blank confirmation code" do
@@ -50,6 +63,10 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
 
     assert page.has_content?("To Enable Two-Factor Authentication")
 
+    within "#alerts" do
+      assert page.has_content? 'The Confirmation Code you entered did not match the QR code shown below.'
+    end
+
     user.reload
     assert_not user.otp_enabled?
   end

data/test/integration/persistence_test.rb

@@ -36,6 +36,9 @@ class PersistenceTest < ActionDispatch::IntegrationTest
 
     click_link("Trust this browser")
     assert_text "Your browser is trusted."
+    within "#alerts" do
+      assert page.has_content? 'Your device is now trusted.'
+    end
     sign_out
 
     sign_user_in

data/test/integration/refresh_test.rb

@@ -60,6 +60,15 @@ class RefreshTest < ActionDispatch::IntegrationTest
     fill_in "user_refresh_password", with: "12345670"
     click_button "Continue..."
     assert_equal refresh_user_otp_credential_path, current_path
+
+    within "#alerts" do
+      assert page.has_content? 'Sorry, you provided the wrong credentials.'
+    end
+
+    visit "/"
+    within "#alerts" do
+      assert !page.has_content?('Sorry, you provided the wrong credentials.')
+    end
   end
 
   test "user should be finally be able to access their settings, and just password is enough" do

data/test/integration/reset_token_test.rb

@@ -23,6 +23,9 @@ class ResetTokenTest < ActionDispatch::IntegrationTest
     reset_otp
 
     assert_equal "/users/otp/token/edit", current_path
+    within "#alerts" do
+      assert page.has_content? 'Your token secret has been reset. Please confirm your new token secret below.'
+    end
   end
 
   test "generates new token secrets" do