devise-otp 0.8.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 95e8a170c1942c78dae2cb24c06a818c6e91854268acf78df61b83e22fd18726
-  data.tar.gz: 409a75794455459fa1c88892216d556b138cf1a40f4bfe0a06f3ce65a47a528e
+  metadata.gz: f329ff1fa9732961646ad4169f89921f3429a6aa86744486eafa21a891fd1628
+  data.tar.gz: 8a4797664986ea6c11e21a50a43d5aeda471000ce5610e91451ec37f3d231121
 SHA512:
-  metadata.gz: 45d13d374f2a2504fcee11d81f8771712ae706d138725e3bb777470b099b106cb09ffdb4e2132b6ac5c837b00bb341ff9b5fc56ce5981ff144b358d1e8ed4338
-  data.tar.gz: b946e7a0551ba464285e324559f287a9765657258159e508fe08f4b22068548a4be6602d3173a6fac46638130e5795c69bdbdd4b28031d48cfaa592b87eef9da
+  metadata.gz: e42b34ea4259e698e75f6408b6d0a0021b39f934d960e039a305ee2f9dc7d443a8dbdc9f99e1df452b75602430e601bf7ece1214b11766ba558fb3806d07355c
+  data.tar.gz: 8c1bde0740a5f96dfc440e976c568a8ef0b7f0ac91e7af620d14aea1e8208811e6339384dc9d7b6363c6f4ed9de363c1637422a82b5f5f5c6696fa17c9879764

data/.github/workflows/ci.yml

@@ -12,10 +12,20 @@ jobs:
       fail-fast: false
       matrix:
         ruby:
+          - '3.4'
           - '3.3'
           - '3.2'
-          - '3.1'
           - 'head'
+        rails:
+          - rails_8.0
+          - rails_7.2
+          - rails_7.1
+        exclude:
+          - ruby: '3.1'
+            rails: 'rails_8.0'
+
+    env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
+      BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/${{ matrix.rails }}.gemfile
 
     steps:
       - name: Checkout
@@ -27,7 +37,8 @@ jobs:
           ruby-version: ${{ matrix.ruby }}
           bundler-cache: true
 
+      - name: Create database
+        run: cd test/dummy && RAILS_ENV=test bundle exec rails db:create db:migrate --trace
+
       - name: Run tests
-        env:
-          DEVISE_ORM: active_record
         run: bundle exec rake test

data/.gitignore

@@ -34,11 +34,11 @@ lib/bundler/man
 ## PROJECT::SPECIFIC
 test/dummy/log/**
 test/dummy/tmp/**
-test/dummy/db/*.sqlite3
-test/dummy/db/*.sqlite3-shm
-test/dummy/db/*.sqlite3-wal
+test/dummy/storage/**
 
+# Ignore Gemfile.lock
 Gemfile.lock
+gemfiles/*.lock
 
 # Generated test files
 tmp/*

data/Appraisals

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+appraise 'rails_7.1' do
+  gem 'rails', '~> 7.1.0'
+  gem 'sqlite3', '~> 1.5.0'
+
+  # Fix:
+  # warning: logger was loaded from the standard library, but will no longer be part of the default gems since Ruby 3.5.0.
+  # Add logger to your Gemfile or gemspec.
+  install_if '-> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.4.0") }' do
+    gem 'logger'
+  end
+end
+
+appraise 'rails_7.2' do
+  gem 'rails', '~> 7.2.0'
+  gem 'sqlite3', '~> 1.5.0'
+end
+
+appraise 'rails_8.0' do
+  gem 'rails', '~> 8.0.0'
+end

data/CHANGELOG.md

@@ -2,7 +2,40 @@
 
 ## Unreleased
 
-- Upgrade gemspec to support Rails v7.2
+## 1.1.0
+
+Bug fixes:
+- Update refreshable hook to ensure that user models without Devise OTP can still sign in
+- Add tests for non-OTP user models to confirm resolution
+
+Improvements:
+- Remove references to MongoDB from test suite
+- Standardize test application's database configuration
+- Add Development Instructions to README
+
+## 1.0.1
+- Add support for Ruby 3.4
+- Set minimum Ruby version to 3.2
+- Set miminum Rails version to 7.1
+- Add MIT license type to gemspec
+- Correct Devise spelling error in README
+
+## 1.0.0
+- Add support for Rails 8
+- Generate QR Codes as SVG
+- Fix Issue with Invalid Token Message
+- Simplify OTP Credentials Controller
+- Expand Flash Message Tests
+- Use Appraisal gem to against older Rails versions
+
+## 0.8.0
+- Add support for Rails 7.2 and drop support for Rails 6.1
+- Fix issue with scoped redirects for non-default resources
+- Add migration version numbers
+- Cleanup old docs
+
+## 0.7.1
+- Fix host and port for 3rd-party tests
 
 ## 0.7.0
 

data/Gemfile

@@ -3,6 +3,8 @@ source "https://rubygems.org"
 # Specify your gem's dependencies in devise-otp.gemspec
 gemspec
 
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+
 gem "capybara"
 gem "minitest-reporters", ">= 0.5.0"
 gem "puma"
@@ -10,5 +12,5 @@ gem "rake"
 gem "rdoc"
 gem "shoulda"
 gem "sprockets-rails"
-gem "sqlite3", "~> 1.4"
+gem "sqlite3", "~> 2.1"
 gem "standardrb"

data/README.md

@@ -13,7 +13,7 @@ Some of the compatible token devices are:
 * [Google Authenticator](https://code.google.com/p/google-authenticator/)
 * [FreeOTP](https://fedorahosted.org/freeotp/)
 
-Device OTP was recently updated to work with Rails 7 and Turbo.
+Devise OTP was recently updated to work with Rails 7+ and Turbo.
 
 ## Sponsor
 
@@ -58,10 +58,13 @@ Don't forget to migrate:
 
     rake db:migrate
 
-Add the gem's JavaScript to you `application.js`:
+### Default CSS
 
-    //= require devise-otp
+To use the default CSS for devise-otp, just require the devise-otp.css file as usual in your application.css file (or equivalent):
 
+    *= require devise-otp
+
+It might be even easier to just copy the styles to your project.
 
 ### Custom views
 
@@ -77,9 +80,7 @@ The install generator also installs an english copy of a Devise OTP i18n file. T
 
 ### QR codes
 
-By default, Devise OTP assumes that you use [Sprockets](https://github.com/rails/sprockets) to render assets and so will use the ([qrcode.js](/app/assets/javascripts/qrcode.js)) embeded library to render the QR code.
-
-If you need something more, have a look at [QR codes](/docs/QR_CODES.md) documentation file.
+Devise OTP generates QR Codes directly as SVG's via the [rqrcode](https://github.com/whomwah/rqrcode), so there are no JavaScript (or Sprockets) dependencies.
 
 ## Configuration
 
@@ -100,9 +101,23 @@ Enforcing mandatory OTP requires adding the ensure\_mandatory\_{scope}\_otp! met
     before_action :authenticate_user!
     before_action :ensure_mandatory_user_otp!
 
+## Development Instructions
+WARNING: Make sure to use the latest Ruby/Rails versions for development. If using older versions of Ruby/Rails, you will need to install all gems for all versions via Appraisal ("bundle exec appraisal install").
+
+To run the devise-otp dummy application in the development environment:
+- Navigate to the dummy app directory ("cd test/dummy")
+- Create and seed the database ("rails db:reset")
+- Run the rails console or server (e.g. "rails c")
+
+To run the tests for devise-otp against your current Ruby/Rails configuration:
+- Navigate to the dummy app directory ("cd test/dummy")
+- Create and migrate the database for the test environment ("RAILS\_ENV=test rails db:drop db:create db:migrate")
+- Return to the root directory of devise-otp
+- Run "rake test"
+
 ## Authors
 
-The project was originally started by Lele Forzani by forking [devise_google_authenticator](https://github.com/AsteriskLabs/devise_google_authenticator) and still contains some devise_google_authenticator code. It's now maintained by [Josef Strzibny](https://github.com/strzibny/).
+The project was originally started by Lele Forzani by forking [devise_google_authenticator](https://github.com/AsteriskLabs/devise_google_authenticator) and still contains some devise_google_authenticator code. It's now maintained by [Josef Strzibny](https://github.com/strzibny/) and [Laney Stroup](https://github.com/strouptl).
 
 Contributions are welcome!
 

data/Rakefile

@@ -28,14 +28,3 @@ Rake::TestTask.new(:test) do |test|
   test.pattern = "test/**/*_test.rb"
   test.verbose = true
 end
-
-desc "Run Devise tests for all ORMs."
-task :tests do
-  Dir[File.join(File.dirname(__FILE__), "test", "orm", "*.rb")].each do |file|
-    orm = File.basename(file).split(".").first
-    system "rake test DEVISE_ORM=#{orm}"
-  end
-end
-
-desc "Default: run tests for all ORMs."
-task default: :tests

data/app/assets/stylesheets/devise-otp.css

@@ -0,0 +1,4 @@
+.qrcode-container {
+  max-width: 300px;
+  margin: 0 auto;
+}

data/app/controllers/devise_otp/devise/otp_credentials_controller.rb

@@ -26,17 +26,15 @@ module DeviseOtp
       # signs the resource in, if the OTP token is valid and the user has a valid challenge
       #
       def update
-        if @token.blank?
-          otp_set_flash_message(:alert, :token_blank)
-          redirect_to otp_credential_path_for(resource_name, challenge: @challenge, recovery: @recovery)
-        elsif resource.otp_challenge_valid? && resource.validate_otp_token(@token, @recovery)
+        if resource.otp_challenge_valid? && resource.validate_otp_token(@token, @recovery)
           sign_in(resource_name, resource)
 
           otp_set_trusted_device_for(resource) if params[:enable_persistence] == "true"
           otp_refresh_credentials_for(resource)
           respond_with resource, location: after_sign_in_path_for(resource)
         else
-          otp_set_flash_message :alert, :token_invalid
+          kind = (@token.blank? ? :token_blank : :token_invalid)
+          otp_set_flash_message :alert, kind, :now => true
           render :show
         end
       end
@@ -103,7 +101,7 @@ module DeviseOtp
       end
 
       def failed_refresh
-        otp_set_flash_message :alert, :invalid_refresh
+        otp_set_flash_message :alert, :invalid_refresh, :now => true
         render :refresh
       end
 

data/app/controllers/devise_otp/devise/otp_tokens_controller.rb

@@ -35,7 +35,7 @@ module DeviseOtp
           otp_set_flash_message :success, :successfully_updated
           redirect_to otp_token_path_for(resource)
         else
-          otp_set_flash_message :danger, :could_not_confirm
+          otp_set_flash_message :danger, :could_not_confirm, :now => true
           render :edit
         end
       end
@@ -109,7 +109,6 @@ module DeviseOtp
         ensure_resource!
 
         if needs_credentials_refresh?(resource)
-          otp_set_flash_message :notice, :need_to_refresh_credentials
           redirect_to refresh_otp_credential_path_for(resource)
         end
       end

data/config/locales/en.yml

@@ -14,7 +14,6 @@ en:
         otp_session_invalid: Session invalid. Please start again.
         token_invalid: 'The token you provided was invalid.'
         token_blank: 'You need to type in the token you generated with your device.'
-        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
         valid_refresh: 'Thank you, your credentials were accepted.'
         invalid_refresh: 'Sorry, you provided the wrong credentials.'
       credentials_refresh:
@@ -41,7 +40,6 @@ en:
         successfully_set_persistence: 'Your device is now trusted.'
         successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
         successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
-        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
         recovery:
           title: 'Your Emergency Recovery Codes'
           explain: 'Take note or print these recovery codes. The will allow you to log back in in case your token device is lost, stolen, or unavailable.'

data/devise-otp.gemspec

@@ -5,16 +5,20 @@ require_relative "lib/devise-otp/version"
 Gem::Specification.new do |gem|
   gem.name = "devise-otp"
   gem.version = Devise::OTP::VERSION
-  gem.authors = ["Lele Forzani", "Josef Strzibny"]
-  gem.email = ["lele@windmill.it", "strzibny@strzibny.name"]
-  gem.description = "Time Based OTP/rfc6238 compatible authentication for Devise"
+  gem.authors = ["Lele Forzani", "Josef Strzibny", "Laney Stroup"]
+  gem.email = ["lele@windmill.it", "strzibny@strzibny.name", "laney@stroupsolutions.com"]
+  gem.description = "OTP authentication for Devise"
   gem.summary = "Time Based OTP/rfc6238 compatible authentication for Devise"
-  gem.homepage = "http://git.windmill.it/wm/devise-otp"
+  gem.homepage = "https://github.com/wmlele/devise-otp"
+  gem.license = "MIT"
 
   gem.files = `git ls-files`.split($/)
   gem.require_paths = ["lib"]
 
-  gem.add_dependency "rails", ">= 7.0", "< 8.0"
+  gem.required_ruby_version = ">= 3.2.0"
+
+  gem.add_dependency "rails", ">= 7.1"
   gem.add_dependency "devise", ">= 4.8.0", "< 5.0"
   gem.add_dependency "rotp", ">= 2.0.0"
+  gem.add_dependency "rqrcode", "~> 2.0"
 end

data/gemfiles/rails_7.1.gemfile

@@ -0,0 +1,21 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 1.5.0"
+gem "standardrb"
+gem "rails", "~> 7.1.0"
+
+install_if -> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.4.0") } do
+  gem "logger"
+end
+
+gemspec path: "../"

data/gemfiles/rails_7.2.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 1.5.0"
+gem "standardrb"
+gem "rails", "~> 7.2.0"
+
+gemspec path: "../"

data/gemfiles/rails_8.0.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 2.1"
+gem "standardrb"
+gem "rails", "~> 8.0.0"
+
+gemspec path: "../"

data/lib/devise-otp/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module OTP
-    VERSION = "0.8.0"
+    VERSION = "1.1.0"
   end
 end

data/lib/devise_otp_authenticatable/controllers/helpers.rb

@@ -1,3 +1,5 @@
+require "rqrcode"
+
 module DeviseOtpAuthenticatable
   module Controllers
     module Helpers
@@ -12,11 +14,8 @@ module DeviseOtpAuthenticatable
       #
       def otp_set_flash_message(key, kind, options = {})
         options[:scope] ||= "devise.otp.#{controller_name}"
-        options[:default] = Array(options[:default]).unshift(kind.to_sym)
-        options[:resource_name] = resource_name
-        options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
-        message = I18n.t("#{options[:resource_name]}.#{kind}", **options)
-        flash[key] = message if message.present?
+
+        set_flash_message(key, kind, options)
       end
 
       def otp_t
@@ -122,33 +121,11 @@ module DeviseOtpAuthenticatable
       # returns the URL for the QR Code to initialize the Authenticator device
       #
       def otp_authenticator_token_image(resource)
-        otp_authenticator_token_image_js(resource.otp_provisioning_uri)
-      end
-
-      private
-
-      def otp_authenticator_token_image_js(otp_url)
         content_tag(:div, class: "qrcode-container") do
-          content_tag(:div, id: "qrcode", class: "qrcode") do
-            javascript_tag(%[
-              new QRCode("qrcode", {
-                text: "#{otp_url}",
-                width: 256,
-                height: 256,
-                colorDark : "#000000",
-                colorLight : "#ffffff",
-                correctLevel : QRCode.CorrectLevel.H
-              });
-            ])
-          end
+          raw RQRCode::QRCode.new(resource.otp_provisioning_uri).as_svg(:module_size => 5, :viewbox => true, :use_path => true)
         end
       end
 
-      def otp_authenticator_token_image_google(otp_url)
-        otp_url = Rack::Utils.escape(otp_url)
-        url = "https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=#{otp_url}"
-        image_tag(url, alt: "OTP Url QRCode")
-      end
     end
   end
 end

data/lib/devise_otp_authenticatable/hooks/refreshable.rb

@@ -1,5 +1,7 @@
 # After each sign in, update credentials refreshed at time
 Warden::Manager.after_set_user except: :fetch do |record, warden, options|
-  warden.session(options[:scope])["credentials_refreshed_at"] = (Time.now + record.class.otp_credentials_refresh)
+  if defined?(record.class.otp_credentials_refresh)
+    warden.session(options[:scope])["credentials_refreshed_at"] = (Time.now + record.class.otp_credentials_refresh)
+  end
 end
 

data/test/dummy/app/assets/javascripts/application.js

@@ -11,4 +11,3 @@
 // GO AFTER THE REQUIRES BELOW.
 //
 //= require_tree .
-//= require devise-otp

data/test/dummy/app/assets/stylesheets/application.css

@@ -8,6 +8,7 @@
  * You're free to add application-wide styles to this file and they'll appear at the top of the
  * compiled file, but it's generally better to create a new file per style scope.
  *
+ *= require devise-otp
  *= require_self
  *= require_tree .
  */

data/test/dummy/app/controllers/admin_posts_controller.rb

@@ -1,8 +1,6 @@
 class AdminPostsController < ApplicationController
   before_action :authenticate_admin!
 
-  # GET /posts
-  # GET /posts.json
   def index
     @posts = Post.all
 
@@ -12,74 +10,4 @@ class AdminPostsController < ApplicationController
     end
   end
 
-  # GET /posts/1
-  # GET /posts/1.json
-  def show
-    @post = Post.find(params[:id])
-
-    respond_to do |format|
-      format.html # show.html.erb
-      format.json { render json: @post }
-    end
-  end
-
-  # GET /posts/new
-  # GET /posts/new.json
-  def new
-    @post = Post.new
-
-    respond_to do |format|
-      format.html # new.html.erb
-      format.json { render json: @post }
-    end
-  end
-
-  # GET /posts/1/edit
-  def edit
-    @post = Post.find(params[:id])
-  end
-
-  # POST /posts
-  # POST /posts.json
-  def create
-    @post = Post.new(params[:post])
-
-    respond_to do |format|
-      if @post.save
-        format.html { redirect_to @post, notice: "Post was successfully created." }
-        format.json { render json: @post, status: :created, location: @post }
-      else
-        format.html { render action: "new" }
-        format.json { render json: @post.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  # PUT /posts/1
-  # PUT /posts/1.json
-  def update
-    @post = Post.find(params[:id])
-
-    respond_to do |format|
-      if @post.update_attributes(params[:post])
-        format.html { redirect_to @post, notice: "Post was successfully updated." }
-        format.json { head :ok }
-      else
-        format.html { render action: "edit" }
-        format.json { render json: @post.errors, status: :unprocessable_entity }
-      end
-    end
-  end
-
-  # DELETE /posts/1
-  # DELETE /posts/1.json
-  def destroy
-    @post = Post.find(params[:id])
-    @post.destroy
-
-    respond_to do |format|
-      format.html { redirect_to posts_url }
-      format.json { head :ok }
-    end
-  end
 end

data/test/dummy/app/controllers/non_otp_posts_controller.rb

@@ -0,0 +1,13 @@
+class NonOtpPostsController < ApplicationController
+  before_action :authenticate_non_otp_user!
+
+  def index
+    @posts = Post.all
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render json: @posts }
+    end
+  end
+
+end

data/test/dummy/app/controllers/posts_controller.rb

@@ -42,7 +42,7 @@ class PostsController < ApplicationController
   # POST /posts
   # POST /posts.json
   def create
-    @post = Post.new(params[:post])
+    @post = Post.new(post_params)
 
     respond_to do |format|
       if @post.save
@@ -61,7 +61,7 @@ class PostsController < ApplicationController
     @post = Post.find(params[:id])
 
     respond_to do |format|
-      if @post.update_attributes(params[:post])
+      if @post.update_attributes(post_params)
         format.html { redirect_to @post, notice: "Post was successfully updated." }
         format.json { head :ok }
       else
@@ -82,4 +82,10 @@ class PostsController < ApplicationController
       format.json { head :ok }
     end
   end
+
+  private
+
+  def post_params
+    params.require(:post).permit(:title, :body)
+  end
 end

data/test/dummy/app/models/admin.rb

@@ -1,16 +1,4 @@
-class Admin < PARENT_MODEL_CLASS
-  if DEVISE_ORM == :mongoid
-    include Mongoid::Document
-
-    ## Database authenticatable
-    field :email, type: String, null: false, default: ""
-    field :encrypted_password, type: String, null: false, default: ""
-
-    ## Recoverable
-    field :reset_password_token, type: String
-    field :reset_password_sent_at, type: Time
-  end
-
+class Admin < ActiveRecord::Base
   devise :otp_authenticatable, :database_authenticatable, :registerable,
     :trackable, :validatable
 

data/test/dummy/app/models/non_otp_user.rb

@@ -0,0 +1,4 @@
+class NonOtpUser < ActiveRecord::Base
+  devise :database_authenticatable, :registerable, :trackable, :validatable
+
+end

data/test/dummy/app/models/post.rb

@@ -1,2 +1,2 @@
-class Post < PARENT_MODEL_CLASS
+class Post < ActiveRecord::Base
 end

data/test/dummy/app/models/user.rb

@@ -1,16 +1,4 @@
-class User < PARENT_MODEL_CLASS
-  if DEVISE_ORM == :mongoid
-    include Mongoid::Document
-
-    ## Database authenticatable
-    field :email, type: String, null: false, default: ""
-    field :encrypted_password, type: String, null: false, default: ""
-
-    ## Recoverable
-    field :reset_password_token, type: String
-    field :reset_password_sent_at, type: Time
-  end
-
+class User < ActiveRecord::Base
   devise :otp_authenticatable, :database_authenticatable, :registerable,
     :trackable, :validatable
 

data/test/dummy/app/views/admin_posts/index.html.erb

@@ -13,13 +13,6 @@
   <tr>
     <td><%= post.title %></td>
     <td><%= post.body %></td>
-    <td><%= link_to 'Show', post %></td>
-    <td><%= link_to 'Edit', edit_admin_post_path(post) %></td>
-    <td><%= link_to 'Destroy', [:admin, post], confirm: 'Are you sure?', method: :delete %></td>
   </tr>
 <% end %>
 </table>
-
-<br />
-
-<%= link_to 'New Post', new_admin_post_path %>