devise-otp 0.8.0 → 1.1.0

data/test/dummy/app/views/layouts/application.html.erb

@@ -8,7 +8,13 @@
 </head>
 <body>
 
-<%= yield %>
+  <div id="alerts">
+    <% flash.keys.each do |key| %>
+      <%= content_tag :p, flash[key], :id => key %>
+    <% end %>
+  </div>
+
+  <%= yield %>
 
 </body>
 </html>

data/test/dummy/app/views/non_otp_posts/index.html.erb

@@ -0,0 +1,18 @@
+<h1>Listing posts</h1>
+
+<table>
+  <tr>
+    <th>Title</th>
+    <th>Body</th>
+    <th></th>
+    <th></th>
+    <th></th>
+  </tr>
+
+<% @posts.each do |post| %>
+  <tr>
+    <td><%= post.title %></td>
+    <td><%= post.body %></td>
+  </tr>
+<% end %>
+</table>

data/test/dummy/config/application.rb

@@ -9,13 +9,6 @@ require "sprockets/railtie"
 # require "rails/test_unit/railtie"
 
 Bundler.require
-Bundler.require(:default, DEVISE_ORM) if defined?(Bundler)
-
-begin
-  require "#{DEVISE_ORM}/railtie"
-rescue LoadError
-end
-PARENT_MODEL_CLASS = (DEVISE_ORM == :active_record) ? ActiveRecord::Base : Object
 
 require "devise"
 require "devise-otp"

data/test/dummy/config/database.yml

@@ -1,25 +1,32 @@
-# SQLite version 3.x
+# SQLite. Versions 3.8.0 and up are supported.
 #   gem install sqlite3
 #
 #   Ensure the SQLite 3 gem is defined in your Gemfile
-#   gem 'sqlite3'
-development:
+#   gem "sqlite3"
+#
+default: &default
   adapter: sqlite3
-  database: ":memory:"
-  pool: 5
+  pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
   timeout: 5000
 
+development:
+  <<: *default
+  database: storage/development.sqlite3
+
 # Warning: The database defined as "test" will be erased and
 # re-generated from your development database when you run "rake".
 # Do not set this db to the same as development or production.
 test:
-  adapter: sqlite3
-  database: db/test.sqlite3
-  pool: 5
-  timeout: 5000
+  <<: *default
+  database: storage/test.sqlite3
+
 
+# SQLite3 write its data on the local filesystem, as such it requires
+# persistent disks. If you are deploying to a managed service, you should
+# make sure it provides disk persistence, as many don't.
+#
+# Similarly, if you deploy your application as a Docker container, you must
+# ensure the database is located in a persisted volume.
 production:
-  adapter: sqlite3
-  database: db/production.sqlite3
-  pool: 5
-  timeout: 5000
+  <<: *default
+  # database: path/to/persistent/storage/production.sqlite3

data/test/dummy/config/routes.rb

@@ -1,9 +1,11 @@
 Dummy::Application.routes.draw do
   devise_for :admins
   devise_for :users
+  devise_for :non_otp_users
 
   resources :posts
   resources :admin_posts
+  resources :non_otp_posts
 
   root to: "base#home"
 end

data/test/dummy/db/migrate/20240604000001_create_admins.rb

@@ -1,4 +1,4 @@
-class CreateAdmins < ActiveRecord::Migration[7.1]
+class CreateAdmins < ActiveRecord::Migration[5.0]
   def change
     create_table :admins do |t|
       t.string :name

data/test/dummy/db/migrate/20250718092451_create_non_otp_users.rb

@@ -0,0 +1,9 @@
+class CreateNonOtpUsers < ActiveRecord::Migration[5.0]
+  def change
+    create_table :non_otp_users do |t|
+      t.string :name
+
+      t.timestamps
+    end
+  end
+end

data/test/dummy/db/migrate/20250718092536_add_devise_to_non_otp_users.rb

@@ -0,0 +1,52 @@
+class AddDeviseToNonOtpUsers < ActiveRecord::Migration[5.0]
+  def self.up
+    change_table(:non_otp_users) do |t|
+      ## Database authenticatable
+      t.string :email, null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      ## Recoverable
+      t.string :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer :sign_in_count, default: 0
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string :current_sign_in_ip
+      t.string :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      t.integer :failed_attempts, default: 0 # Only if lock strategy is :failed_attempts
+      t.string :unlock_token # Only if unlock strategy is :email or :both
+      t.datetime :locked_at
+
+      ## Token authenticatable
+      t.string :authentication_token
+
+      # Uncomment below if timestamps were not included in your original model.
+      # t.timestamps
+    end
+
+    add_index :non_otp_users, :email, unique: true
+    add_index :non_otp_users, :reset_password_token, unique: true
+    # add_index :non_otp_users, :confirmation_token,   :unique => true
+    add_index :non_otp_users, :unlock_token, unique: true
+    add_index :non_otp_users, :authentication_token, unique: true
+  end
+
+  def self.down
+    # By default, we don't want to make any assumption about how to roll back a migration when your
+    # model already existed. Please edit below which fields you would like to remove in this migration.
+    raise ActiveRecord::IrreversibleMigration
+  end
+end

data/test/dummy/db/schema.rb

@@ -0,0 +1,118 @@
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# This file is the source Rails uses to define your schema when running `bin/rails
+# db:schema:load`. When creating a new database, `bin/rails db:schema:load` tends to
+# be faster and is potentially less error prone than running all of your
+# migrations from scratch. Old migrations may fail to apply correctly if those
+# migrations use external dependencies or application code.
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema[8.0].define(version: 2025_07_18_092536) do
+  create_table "admins", force: :cascade do |t|
+    t.string "name"
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "reset_password_token"
+    t.datetime "reset_password_sent_at", precision: nil
+    t.datetime "remember_created_at", precision: nil
+    t.integer "sign_in_count", default: 0
+    t.datetime "current_sign_in_at", precision: nil
+    t.datetime "last_sign_in_at", precision: nil
+    t.string "current_sign_in_ip"
+    t.string "last_sign_in_ip"
+    t.integer "failed_attempts", default: 0
+    t.string "unlock_token"
+    t.datetime "locked_at", precision: nil
+    t.string "authentication_token"
+    t.string "otp_auth_secret"
+    t.string "otp_recovery_secret"
+    t.boolean "otp_enabled", default: false, null: false
+    t.boolean "otp_mandatory", default: false, null: false
+    t.datetime "otp_enabled_on", precision: nil
+    t.integer "otp_time_drift", default: 0, null: false
+    t.integer "otp_failed_attempts", default: 0, null: false
+    t.integer "otp_recovery_counter", default: 0, null: false
+    t.string "otp_persistence_seed"
+    t.string "otp_session_challenge"
+    t.datetime "otp_challenge_expires", precision: nil
+    t.index ["authentication_token"], name: "index_admins_on_authentication_token", unique: true
+    t.index ["email"], name: "index_admins_on_email", unique: true
+    t.index ["otp_challenge_expires"], name: "index_admins_on_otp_challenge_expires"
+    t.index ["otp_session_challenge"], name: "index_admins_on_otp_session_challenge", unique: true
+    t.index ["reset_password_token"], name: "index_admins_on_reset_password_token", unique: true
+    t.index ["unlock_token"], name: "index_admins_on_unlock_token", unique: true
+  end
+
+  create_table "non_otp_users", force: :cascade do |t|
+    t.string "name"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "reset_password_token"
+    t.datetime "reset_password_sent_at"
+    t.datetime "remember_created_at"
+    t.integer "sign_in_count", default: 0
+    t.datetime "current_sign_in_at"
+    t.datetime "last_sign_in_at"
+    t.string "current_sign_in_ip"
+    t.string "last_sign_in_ip"
+    t.integer "failed_attempts", default: 0
+    t.string "unlock_token"
+    t.datetime "locked_at"
+    t.string "authentication_token"
+    t.index ["authentication_token"], name: "index_non_otp_users_on_authentication_token", unique: true
+    t.index ["email"], name: "index_non_otp_users_on_email", unique: true
+    t.index ["reset_password_token"], name: "index_non_otp_users_on_reset_password_token", unique: true
+    t.index ["unlock_token"], name: "index_non_otp_users_on_unlock_token", unique: true
+  end
+
+  create_table "posts", force: :cascade do |t|
+    t.string "title"
+    t.text "body"
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
+  end
+
+  create_table "users", force: :cascade do |t|
+    t.string "name"
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "reset_password_token"
+    t.datetime "reset_password_sent_at", precision: nil
+    t.datetime "remember_created_at", precision: nil
+    t.integer "sign_in_count", default: 0
+    t.datetime "current_sign_in_at", precision: nil
+    t.datetime "last_sign_in_at", precision: nil
+    t.string "current_sign_in_ip"
+    t.string "last_sign_in_ip"
+    t.integer "failed_attempts", default: 0
+    t.string "unlock_token"
+    t.datetime "locked_at", precision: nil
+    t.string "authentication_token"
+    t.string "otp_auth_secret"
+    t.string "otp_recovery_secret"
+    t.boolean "otp_enabled", default: false, null: false
+    t.boolean "otp_mandatory", default: false, null: false
+    t.datetime "otp_enabled_on", precision: nil
+    t.integer "otp_time_drift", default: 0, null: false
+    t.integer "otp_failed_attempts", default: 0, null: false
+    t.integer "otp_recovery_counter", default: 0, null: false
+    t.string "otp_persistence_seed"
+    t.string "otp_session_challenge"
+    t.datetime "otp_challenge_expires", precision: nil
+    t.index ["authentication_token"], name: "index_users_on_authentication_token", unique: true
+    t.index ["email"], name: "index_users_on_email", unique: true
+    t.index ["otp_challenge_expires"], name: "index_users_on_otp_challenge_expires"
+    t.index ["otp_session_challenge"], name: "index_users_on_otp_session_challenge", unique: true
+    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
+    t.index ["unlock_token"], name: "index_users_on_unlock_token", unique: true
+  end
+end

data/test/dummy/db/seeds.rb

@@ -0,0 +1,24 @@
+Admin.create(
+  name: "Test Admin",
+  email: "admin@devise-otp.local",
+  password: "Pass1234"
+)
+
+User.create(
+  name: "Test User",
+  email: "user@devise-otp.local",
+  password: "Pass1234"
+)
+
+NonOtpUser.create(
+  name: "Non OTP User",
+  email: "non-otp-user@devise-otp.local",
+  password: "Pass1234"
+)
+
+5.times do |n|
+  Post.create(
+    title: "Post #{n + 1}",
+    body: "This is post #{n + 1}."
+  )
+end

data/test/integration/disable_token_test.rb

@@ -23,6 +23,9 @@ class DisableTokenTest < ActionDispatch::IntegrationTest
     disable_otp
 
     assert page.has_content? "Disabled"
+    within "#alerts" do
+      assert page.has_content? 'Two-Factor Authentication has been disabled.'
+    end
 
     # logout
     sign_out

data/test/integration/enable_otp_form_test.rb

@@ -20,6 +20,10 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
     assert_equal user_otp_token_path, current_path
     assert page.has_content?("Enabled")
 
+    within "#alerts" do
+      assert page.has_content? 'Your Two-Factor Authentication settings have been updated.'
+    end
+
     user.reload
     assert user.otp_enabled?
   end
@@ -37,6 +41,15 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
 
     user.reload
     assert_not user.otp_enabled?
+
+    within "#alerts" do
+      assert page.has_content? 'The Confirmation Code you entered did not match the QR code shown below.'
+    end
+
+    visit "/"
+    within "#alerts" do
+      assert !page.has_content?('The Confirmation Code you entered did not match the QR code shown below.')
+    end
   end
 
   test "a user should not be able enable their OTP authentication with a blank confirmation code" do
@@ -50,6 +63,10 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
 
     assert page.has_content?("To Enable Two-Factor Authentication")
 
+    within "#alerts" do
+      assert page.has_content? 'The Confirmation Code you entered did not match the QR code shown below.'
+    end
+
     user.reload
     assert_not user.otp_enabled?
   end

data/test/integration/non_otp_user_models_test.rb

@@ -0,0 +1,21 @@
+require "test_helper"
+require "integration_tests_helper"
+
+class NonOtpUserModelsTest < ActionDispatch::IntegrationTest
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test "a non-OTP user should be able to sign in without error" do
+    create_non_otp_user
+
+    visit non_otp_posts_path
+    fill_in "non_otp_user_email", with: "non-otp-user@email.invalid"
+    fill_in "non_otp_user_password", with: "12345678"
+    page.has_content?("Log in") ? click_button("Log in") : click_button("Sign in")
+
+    assert_equal non_otp_posts_path, current_path
+  end
+
+end

data/test/integration/persistence_test.rb

@@ -36,6 +36,9 @@ class PersistenceTest < ActionDispatch::IntegrationTest
 
     click_link("Trust this browser")
     assert_text "Your browser is trusted."
+    within "#alerts" do
+      assert page.has_content? 'Your device is now trusted.'
+    end
     sign_out
 
     sign_user_in

data/test/integration/refresh_test.rb

@@ -60,6 +60,15 @@ class RefreshTest < ActionDispatch::IntegrationTest
     fill_in "user_refresh_password", with: "12345670"
     click_button "Continue..."
     assert_equal refresh_user_otp_credential_path, current_path
+
+    within "#alerts" do
+      assert page.has_content? 'Sorry, you provided the wrong credentials.'
+    end
+
+    visit "/"
+    within "#alerts" do
+      assert !page.has_content?('Sorry, you provided the wrong credentials.')
+    end
   end
 
   test "user should be finally be able to access their settings, and just password is enough" do

data/test/integration/reset_token_test.rb

@@ -23,6 +23,9 @@ class ResetTokenTest < ActionDispatch::IntegrationTest
     reset_otp
 
     assert_equal "/users/otp/token/edit", current_path
+    within "#alerts" do
+      assert page.has_content? 'Your token secret has been reset. Please confirm your new token secret below.'
+    end
   end
 
   test "generates new token secrets" do

data/test/integration/sign_in_test.rb

@@ -43,6 +43,7 @@ class SignInTest < ActionDispatch::IntegrationTest
     click_button "Submit Token"
 
     assert_equal user_otp_credential_path, current_path
+    assert page.has_content? "The token you provided was invalid."
   end
 
   test "fail blank token authentication" do
@@ -53,6 +54,7 @@ class SignInTest < ActionDispatch::IntegrationTest
     click_button "Submit Token"
 
     assert_equal user_otp_credential_path, current_path
+    assert page.has_content? "You need to type in the token you generated with your device."
   end
 
   test "successful token authentication" do
@@ -78,4 +80,32 @@ class SignInTest < ActionDispatch::IntegrationTest
     User.otp_authentication_timeout = old_timeout
     assert_equal new_user_session_path, current_path
   end
+
+  test "blank token flash message does not persist to successful authentication redirect." do
+    user = enable_otp_and_sign_in
+
+    fill_in "token", with: "123456"
+    click_button "Submit Token"
+
+    assert page.has_content?("The token you provided was invalid.")
+
+    fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+
+    assert !page.has_content?("The token you provided was invalid.")
+  end
+
+  test "invalid token flash message does not persist to successful authentication redirect." do
+    user = enable_otp_and_sign_in
+
+    fill_in "token", with: ""
+    click_button "Submit Token"
+
+    assert page.has_content?("You need to type in the token you generated with your device.")
+
+    fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+
+    assert !page.has_content?("You need to type in the token you generated with your device.")
+  end
 end

data/test/integration_tests_helper.rb

@@ -27,6 +27,17 @@ class ActionDispatch::IntegrationTest
     end
   end
 
+  def create_non_otp_user
+    @non_otp_user ||= begin
+      non_otp_user = NonOtpUser.create!(
+        email: "non-otp-user@email.invalid",
+        password: "12345678",
+        password_confirmation: "12345678"
+      )
+      non_otp_user
+    end
+  end
+
   def enable_otp_and_sign_in_with_otp
     enable_otp_and_sign_in.tap do |user|
       fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)

data/test/test_helper.rb

@@ -1,17 +1,12 @@
 ENV["RAILS_ENV"] = "test"
-DEVISE_ORM = (ENV["DEVISE_ORM"] || :active_record).to_sym
 
-puts "\n==> Devise.orm = #{DEVISE_ORM.inspect}"
 require "dummy/config/environment"
-require "orm/#{DEVISE_ORM}"
 require "rails/test_help"
 require "capybara/rails"
 require "minitest/reporters"
 
 Minitest::Reporters.use!
 
-# I18n.load_path << File.expand_path("../support/locale/en.yml", __FILE__) if DEVISE_ORM == :mongoid
-
 # ActiveSupport::Deprecation.silenced = true
 
 class ActionDispatch::IntegrationTest