devise-otp 1.1.0 → 2.0.0

data/config/locales/en.yml

@@ -2,7 +2,8 @@ en:
   devise:
     otp:
       general:
-        remember: Remember me
+        enabled: 'Enabled'
+        disabled: 'Disabled'
       submit_token:
         title: 'Check Token'
         explain: "You're getting this because you enabled Two-Factor Authentication on your account"
@@ -18,7 +19,7 @@ en:
         invalid_refresh: 'Sorry, you provided the wrong credentials.'
       credentials_refresh:
         title: 'Please enter your password again.'
-        explain: 'In order to ensure this is  safe, please enter your password again.'
+        explain: 'In order to ensure this is safe, please enter your password again.'
         go_on: 'Continue...'
         identity: 'Identity:'
         token: 'Your Two-Factor Authentication token'
@@ -31,22 +32,23 @@ en:
         enable_link: 'Enable Two-Factor Authentication'
         disable_link: 'Disable Two-Factor Authentication'
         reset_link: 'Reset Token Secret'
-        reset_explain: 'Resetting your token secret will temporarilly disable Two-Factor Authentication.'
+        reset_explain: 'Resetting your token secret will temporarily disable Two-Factor Authentication.'
         reset_explain_warn: 'To re-enable Two-Factor Authentication, you will need to re-enroll your mobile device with the new token secret.'
         successfully_updated: 'Your Two-Factor Authentication settings have been updated.'
         could_not_confirm: 'The Confirmation Code you entered did not match the QR code shown below.'
         successfully_disabled_otp: 'Two-Factor Authentication has been disabled.'
         successfully_reset_otp: 'Your token secret has been reset. Please confirm your new token secret below.'
-        successfully_set_persistence: 'Your device is now trusted.'
-        successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
-        successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
         recovery:
           title: 'Your Emergency Recovery Codes'
-          explain: 'Take note or print these recovery codes. The will allow you to log back in in case your token device is lost, stolen, or unavailable.'
+          explain: 'Take note or print these recovery codes. They will allow you to log in if your token device is lost, stolen, or unavailable.'
           sequence: 'Sequence'
           code: 'Recovery Code'
           codes_list: 'Here is the list of your recovery codes'
           download_codes: 'Download recovery codes'
+      otp_persistence:
+        successfully_set_persistence: 'Your device is now trusted.'
+        successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
+        successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
       edit_otp_token:
         title: 'Enable Two-factor Authentication'
         explain: 'Two-Factor Authentication adds an additional layer of security to your account. When logging in you will be asked for a code that you can generate on a physical device, like your phone.'

data/devise-otp.gemspec

@@ -20,5 +20,7 @@ Gem::Specification.new do |gem|
   gem.add_dependency "rails", ">= 7.1"
   gem.add_dependency "devise", ">= 4.8.0", "< 5.0"
   gem.add_dependency "rotp", ">= 2.0.0"
-  gem.add_dependency "rqrcode", "~> 2.0"
+  gem.add_dependency "rqrcode", "~> 3.0"
+
+  gem.add_development_dependency "timecop", "~> 0.9.10"
 end

data/lib/devise/strategies/database_authenticatable.rb

@@ -10,11 +10,11 @@ module Devise
         resource  = password.present? && mapping.to.find_for_database_authentication(authentication_hash)
         hashed = false
 
-        if validate(resource){ hashed = true; resource.valid_password?(password) }
+        if validate(resource) { hashed = true; resource.valid_password?(password) }
           if otp_challenge_required_on?(resource)
             # Redirect to challenge
             challenge = resource.generate_otp_challenge!
-            redirect!(otp_challenge_url, {:challenge => challenge})
+            redirect!(otp_challenge_path, {challenge: challenge, remember_me: remember_me?})
           else
             # Sign in user as usual
             remember_me(resource)
@@ -41,21 +41,8 @@ module Devise
         resource.respond_to?(:otp_enabled?) && resource.otp_enabled?
       end
 
-      def otp_challenge_url
-        if Rails.env.development? || Rails.env.test?
-          host = "#{request.host}:#{request.port}"
-        else
-          host = "#{request.host}"
-        end
-
-        path_fragments = ["otp", mapping.path_names[:credentials]]
-        if mapping.fullpath == "/"
-          path = mapping.fullpath + path_fragments.join("/")
-        else
-          path = path_fragments.prepend(mapping.fullpath).join("/")
-        end
-
-        request.protocol + host + path
+      def otp_challenge_path
+        Rails.application.routes.url_helpers.public_send("#{mapping.singular}_otp_credential_path")
       end
     end
   end

data/lib/devise-otp/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module OTP
-    VERSION = "1.1.0"
+    VERSION = "2.0.0"
   end
 end

data/lib/devise-otp.rb

@@ -75,7 +75,6 @@ module Devise
 
   module Otp
   end
-
 end
 
 Devise.add_module :otp_authenticatable,

data/lib/devise_otp_authenticatable/controllers/helpers.rb

@@ -122,10 +122,9 @@ module DeviseOtpAuthenticatable
       #
       def otp_authenticator_token_image(resource)
         content_tag(:div, class: "qrcode-container") do
-          raw RQRCode::QRCode.new(resource.otp_provisioning_uri).as_svg(:module_size => 5, :viewbox => true, :use_path => true)
+          raw RQRCode::QRCode.new(resource.otp_provisioning_uri).as_svg(module_size: 5, viewbox: true, use_path: true)
         end
       end
-
     end
   end
 end

data/lib/devise_otp_authenticatable/controllers/public_helpers.rb

@@ -9,7 +9,7 @@ module DeviseOtpAuthenticatable
         end
       end
 
-      def self.define_helpers(mapping) #:nodoc:
+      def self.define_helpers(mapping) # :nodoc:
         mapping = mapping.name
 
         class_eval <<-METHODS, __FILE__, __LINE__ + 1
@@ -33,7 +33,6 @@ module DeviseOtpAuthenticatable
       def mandatory_otp_missing_on?(resource)
         otp_mandatory_on?(resource) && !resource.otp_enabled
       end
-
     end
   end
 end

data/lib/devise_otp_authenticatable/controllers/url_helpers.rb

@@ -11,9 +11,14 @@ module DeviseOtpAuthenticatable
         send("refresh_#{scope}_otp_credential_path", opts)
       end
 
-      def persistence_otp_token_path_for(resource_or_scope, opts = {})
+      def otp_persistence_path_for(resource_or_scope, opts = {})
         scope = ::Devise::Mapping.find_scope!(resource_or_scope)
-        send("persistence_#{scope}_otp_token_path", opts)
+        send("#{scope}_otp_persistence_path", opts)
+      end
+
+      def reset_otp_persistence_path_for(resource_or_scope, opts = {})
+        scope = ::Devise::Mapping.find_scope!(resource_or_scope)
+        send("reset_#{scope}_otp_persistence_path", opts)
       end
 
       def otp_token_path_for(resource_or_scope, opts = {})

data/lib/devise_otp_authenticatable/hooks/refreshable.rb

@@ -4,4 +4,3 @@ Warden::Manager.after_set_user except: :fetch do |record, warden, options|
     warden.session(options[:scope])["credentials_refreshed_at"] = (Time.now + record.class.otp_credentials_refresh)
   end
 end
-

data/lib/devise_otp_authenticatable/models/otp_authenticatable.rb

@@ -19,7 +19,11 @@ module Devise::Models
     end
 
     def time_based_otp
-      @time_based_otp ||= ROTP::TOTP.new(otp_auth_secret, issuer: (self.class.otp_issuer || Rails.application.class.module_parent_name).to_s)
+      @time_based_otp ||= ROTP::TOTP.new(otp_auth_secret, issuer: otp_issuer)
+    end
+
+    def otp_issuer
+      (self.class.otp_issuer || Rails.application.class.module_parent_name).to_s
     end
 
     def recovery_otp
@@ -56,13 +60,13 @@ module Devise::Models
       @recovery_otp = nil
 
       self.update!(
-        :otp_auth_secret => nil,
-        :otp_recovery_secret => nil,
-        :otp_persistence_seed => nil,
-        :otp_session_challenge => nil,
-        :otp_challenge_expires => nil,
-        :otp_failed_attempts => 0,
-        :otp_recovery_counter => 0
+        otp_auth_secret: nil,
+        otp_recovery_secret: nil,
+        otp_persistence_seed: nil,
+        otp_session_challenge: nil,
+        otp_challenge_expires: nil,
+        otp_failed_attempts: 0,
+        otp_recovery_counter: 0
       )
     end
 
@@ -116,10 +120,12 @@ module Devise::Models
     private
 
     def validate_otp_token_with_drift(token)
-      # should be centered around saved drift
-      (-self.class.otp_drift_window..self.class.otp_drift_window).any? { |drift|
-        time_based_otp.verify(token, at: Time.now.ago(30 * drift))
-      }
+      verified_token_time = time_based_otp.verify(token,
+        drift_behind: self.class.otp_drift_window * 30,
+        drift_ahead: self.class.otp_drift_window * 30,
+      )
+
+      verified_token_time.present?
     end
 
     def generate_otp_persistence_seed

data/lib/devise_otp_authenticatable/routes.rb

@@ -6,22 +6,22 @@ module ActionDispatch::Routing
       namespace :otp, module: :devise_otp do
         resource :token, only: [:show, :edit, :update, :destroy],
           path: mapping.path_names[:token], controller: controllers[:otp_tokens] do
-          if Devise.otp_trust_persistence
-            get :persistence, action: "get_persistence"
-            post :persistence, action: "clear_persistence"
-            delete :persistence, action: "delete_persistence"
-          end
-
           get :recovery
           post :reset
         end
 
+        if Devise.otp_trust_persistence
+          resource :persistence, :only => [:create, :destroy],
+            path: mapping.path_names[:persistence], controller: controllers[:otp_persistence] do
+            delete :reset
+          end
+        end
+
         resource :credential, only: [:show, :update],
           path: mapping.path_names[:credentials], controller: controllers[:otp_credentials] do
           get :refresh, action: "get_refresh"
           put :refresh, action: "set_refresh"
         end
-
       end
     end
   end

data/test/dummy/app/controllers/admin_posts_controller.rb

@@ -9,5 +9,4 @@ class AdminPostsController < ApplicationController
       format.json { render json: @posts }
     end
   end
-
 end

data/test/dummy/app/controllers/base_controller.rb

@@ -1,6 +1,4 @@
 class BaseController < ApplicationController
-
   def home
   end
-
 end

data/test/dummy/app/controllers/non_otp_posts_controller.rb

@@ -9,5 +9,4 @@ class NonOtpPostsController < ApplicationController
       format.json { render json: @posts }
     end
   end
-
 end

data/test/dummy/app/models/admin.rb

@@ -9,5 +9,4 @@ class Admin < ActiveRecord::Base
   def self.otp_mandatory
     true
   end
-
 end

data/test/dummy/app/models/lockable_user.rb

@@ -0,0 +1,8 @@
+class LockableUser < ActiveRecord::Base
+  devise :otp_authenticatable, :database_authenticatable, :registerable,
+    :trackable, :validatable, :lockable
+
+  # Setup accessible (or protected) attributes for your model
+  # attr_accessible :otp_enabled, :otp_mandatory, :as => :otp_privileged
+  # attr_accessible :email, :password, :password_confirmation, :remember_me
+end

data/test/dummy/app/models/non_otp_user.rb

@@ -1,4 +1,3 @@
 class NonOtpUser < ActiveRecord::Base
   devise :database_authenticatable, :registerable, :trackable, :validatable
-
 end

data/test/dummy/app/models/rememberable_user.rb

@@ -0,0 +1,8 @@
+class RememberableUser < ActiveRecord::Base
+  devise :otp_authenticatable, :database_authenticatable, :registerable,
+    :trackable, :validatable, :rememberable
+
+  # Setup accessible (or protected) attributes for your model
+  # attr_accessible :otp_enabled, :otp_mandatory, :as => :otp_privileged
+  # attr_accessible :email, :password, :password_confirmation, :remember_me
+end

data/test/dummy/app/views/layouts/application.html.erb

@@ -2,15 +2,17 @@
 <html>
 <head>
   <title>Dummy</title>
-  <%= stylesheet_link_tag    "application", :media => "all" %>
+  <%= stylesheet_link_tag "application", media: "all" %>
   <%= javascript_include_tag "application" %>
   <%= csrf_meta_tags %>
 </head>
 <body>
 
+  <%= render "shared/navbar" %>
+
   <div id="alerts">
     <% flash.keys.each do |key| %>
-      <%= content_tag :p, flash[key], :id => key %>
+      <%= content_tag :p, flash[key], id: key %>
     <% end %>
   </div>
 

data/test/dummy/app/views/posts/show.html.erb

@@ -10,6 +10,5 @@
   <%= @post.body %>
 </p>
 
-
 <%= link_to 'Edit', edit_post_path(@post) %> |
 <%= link_to 'Back', posts_path %>

data/test/dummy/app/views/shared/_navbar.html.erb

@@ -0,0 +1,15 @@
+<nav>
+  <div style="float: right;">
+    <% if current_user.present? %>
+      <%= button_to "Sign Out", destroy_user_session_path, method: :delete, data: { turbo_method: :delete } %>
+    <% elsif current_admin.present? %>
+      <%= button_to "Sign Out", destroy_admin_session_path, method: :delete, data: { turbo_method: :delete } %>
+    <% elsif current_lockable_user.present? %>
+      <%= button_to "Sign Out", destroy_lockable_user_session_path, method: :delete, data: { turbo_method: :delete } %>
+    <% elsif current_non_otp_user.present? %>
+      <%= button_to "Sign Out", destroy_non_otp_user_session_path, method: :delete, data: { turbo_method: :delete } %>
+    <% elsif current_rememberable_user.present? %>
+      <%= button_to "Sign Out", destroy_rememberable_user_session_path, method: :delete, data: { turbo_method: :delete } %>
+    <% end %>
+  </div>
+</nav>

data/test/dummy/config/application.rb

@@ -56,5 +56,8 @@ module Dummy
 
     # Version of your assets, change this if you want to expire all your assets
     config.assets.version = "1.0"
+
+    # Default URL for Devise
+    config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
   end
 end

data/test/dummy/config/initializers/devise.rb

@@ -143,7 +143,7 @@ Devise.setup do |config|
   # Defines which strategy will be used to lock an account.
   # :failed_attempts = Locks an account after a number of failed attempts to sign in.
   # :none            = No lock strategy. You should handle locking by yourself.
-  # config.lock_strategy = :failed_attempts
+  config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
   # config.unlock_keys = [ :email ]
@@ -157,7 +157,7 @@ Devise.setup do |config|
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
-  # config.maximum_attempts = 20
+  config.maximum_attempts = 5
 
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
   # config.unlock_in = 1.hour

data/test/dummy/config/routes.rb

@@ -1,7 +1,10 @@
 Dummy::Application.routes.draw do
   devise_for :admins
   devise_for :users
+
+  devise_for :lockable_users
   devise_for :non_otp_users
+  devise_for :rememberable_users
 
   resources :posts
   resources :admin_posts

data/test/dummy/db/migrate/20250731000001_create_lockable_users.rb

@@ -0,0 +1,9 @@
+class CreateLockableUsers < ActiveRecord::Migration[5.0]
+  def change
+    create_table :lockable_users do |t|
+      t.string :name
+
+      t.timestamps
+    end
+  end
+end

data/test/dummy/db/migrate/20250731000002_add_devise_to_lockable_users.rb

@@ -0,0 +1,52 @@
+class AddDeviseToLockableUsers < ActiveRecord::Migration[5.0]
+  def self.up
+    change_table(:lockable_users) do |t|
+      ## Database authenticatable
+      t.string :email, null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      ## Recoverable
+      t.string :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer :sign_in_count, default: 0
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string :current_sign_in_ip
+      t.string :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      t.integer :failed_attempts, default: 0 # Only if lock strategy is :failed_attempts
+      t.string :unlock_token # Only if unlock strategy is :email or :both
+      t.datetime :locked_at
+
+      ## Token authenticatable
+      t.string :authentication_token
+
+      # Uncomment below if timestamps were not included in your original model.
+      # t.timestamps
+    end
+
+    add_index :lockable_users, :email, unique: true
+    add_index :lockable_users, :reset_password_token, unique: true
+    # add_index :lockable_users, :confirmation_token,   :unique => true
+    add_index :lockable_users, :unlock_token, unique: true
+    add_index :lockable_users, :authentication_token, unique: true
+  end
+
+  def self.down
+    # By default, we don't want to make any assumption about how to roll back a migration when your
+    # model already existed. Please edit below which fields you would like to remove in this migration.
+    raise ActiveRecord::IrreversibleMigration
+  end
+end

data/test/dummy/db/migrate/20250731000003_devise_otp_add_to_lockable_users.rb

@@ -0,0 +1,28 @@
+class DeviseOtpAddToLockableUsers < ActiveRecord::Migration[5.0]
+  def self.up
+    change_table :lockable_users do |t|
+      t.string :otp_auth_secret
+      t.string :otp_recovery_secret
+      t.boolean :otp_enabled, default: false, null: false
+      t.boolean :otp_mandatory, default: false, null: false
+      t.datetime :otp_enabled_on
+      t.integer :otp_time_drift, default: 0, null: false
+      t.integer :otp_failed_attempts, default: 0, null: false
+      t.integer :otp_recovery_counter, default: 0, null: false
+      t.string :otp_persistence_seed
+
+      t.string :otp_session_challenge
+      t.datetime :otp_challenge_expires
+    end
+
+    add_index :lockable_users, :otp_session_challenge, unique: true
+    add_index :lockable_users, :otp_challenge_expires
+  end
+
+  def self.down
+    change_table :lockable_users do |t|
+      t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,
+        :otp_challenge_expires, :otp_time_drift, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+    end
+  end
+end

data/test/dummy/db/migrate/20250817221304_create_rememberable_users.rb

@@ -0,0 +1,50 @@
+class CreateRememberableUsers < ActiveRecord::Migration[7.0]
+  def change
+    create_table :rememberable_users do |t|
+      t.string :name
+
+      ## Database authenticatable
+      t.string :email, null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      ## Recoverable
+      t.string :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer :sign_in_count, default: 0
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string :current_sign_in_ip
+      t.string :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer :failed_attempts, default: 0 # Only if lock strategy is :failed_attempts
+      # t.string :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      ## Token authenticatable
+      # t.string :authentication_token
+
+      # Uncomment below if timestamps were not included in your original model.
+      # t.timestamps
+    end
+
+    add_index :rememberable_users, :email, unique: true
+    add_index :rememberable_users, :reset_password_token, unique: true
+    # add_index :rememberable_users, :confirmation_token,   :unique => true
+    # add_index :rememberable_users, :unlock_token, unique: true
+    # add_index :rememberable_users, :authentication_token, unique: true
+    #   t.timestamps
+    # end
+  end
+end

data/test/dummy/db/migrate/20250818030305_add_devise_otp_to_rememberable_users.rb

@@ -0,0 +1,28 @@
+class AddDeviseOtpToRememberableUsers < ActiveRecord::Migration[7.0]
+  def self.up
+    change_table :rememberable_users do |t|
+      t.string :otp_auth_secret
+      t.string :otp_recovery_secret
+      t.boolean :otp_enabled, default: false, null: false
+      t.boolean :otp_mandatory, default: false, null: false
+      t.datetime :otp_enabled_on
+      t.integer :otp_time_drift, default: 0, null: false
+      t.integer :otp_failed_attempts, default: 0, null: false
+      t.integer :otp_recovery_counter, default: 0, null: false
+      t.string :otp_persistence_seed
+
+      t.string :otp_session_challenge
+      t.datetime :otp_challenge_expires
+    end
+
+    add_index :rememberable_users, :otp_session_challenge, unique: true
+    add_index :rememberable_users, :otp_challenge_expires
+  end
+
+  def self.down
+    change_table :rememberable_users do |t|
+      t.remove :otp_auth_secret, :otp_recovery_secret, :otp_enabled, :otp_mandatory, :otp_enabled_on, :otp_session_challenge,
+        :otp_challenge_expires, :otp_time_drift, :otp_failed_attempts, :otp_recovery_counter, :otp_persistence_seed
+    end
+  end
+end

data/test/dummy/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[8.0].define(version: 2025_07_18_092536) do
+ActiveRecord::Schema[8.0].define(version: 2025_08_18_030305) do
   create_table "admins", force: :cascade do |t|
     t.string "name"
     t.datetime "created_at", precision: nil, null: false
@@ -48,6 +48,43 @@ ActiveRecord::Schema[8.0].define(version: 2025_07_18_092536) do
     t.index ["unlock_token"], name: "index_admins_on_unlock_token", unique: true
   end
 
+  create_table "lockable_users", force: :cascade do |t|
+    t.string "name"
+    t.datetime "created_at", precision: nil, null: false
+    t.datetime "updated_at", precision: nil, null: false
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "reset_password_token"
+    t.datetime "reset_password_sent_at", precision: nil
+    t.datetime "remember_created_at", precision: nil
+    t.integer "sign_in_count", default: 0
+    t.datetime "current_sign_in_at", precision: nil
+    t.datetime "last_sign_in_at", precision: nil
+    t.string "current_sign_in_ip"
+    t.string "last_sign_in_ip"
+    t.integer "failed_attempts", default: 0
+    t.string "unlock_token"
+    t.datetime "locked_at", precision: nil
+    t.string "authentication_token"
+    t.string "otp_auth_secret"
+    t.string "otp_recovery_secret"
+    t.boolean "otp_enabled", default: false, null: false
+    t.boolean "otp_mandatory", default: false, null: false
+    t.datetime "otp_enabled_on", precision: nil
+    t.integer "otp_time_drift", default: 0, null: false
+    t.integer "otp_failed_attempts", default: 0, null: false
+    t.integer "otp_recovery_counter", default: 0, null: false
+    t.string "otp_persistence_seed"
+    t.string "otp_session_challenge"
+    t.datetime "otp_challenge_expires", precision: nil
+    t.index ["authentication_token"], name: "index_lockable_users_on_authentication_token", unique: true
+    t.index ["email"], name: "index_lockable_users_on_email", unique: true
+    t.index ["otp_challenge_expires"], name: "index_lockable_users_on_otp_challenge_expires"
+    t.index ["otp_session_challenge"], name: "index_lockable_users_on_otp_session_challenge", unique: true
+    t.index ["reset_password_token"], name: "index_lockable_users_on_reset_password_token", unique: true
+    t.index ["unlock_token"], name: "index_lockable_users_on_unlock_token", unique: true
+  end
+
   create_table "non_otp_users", force: :cascade do |t|
     t.string "name"
     t.datetime "created_at", null: false
@@ -79,6 +116,35 @@ ActiveRecord::Schema[8.0].define(version: 2025_07_18_092536) do
     t.datetime "updated_at", precision: nil, null: false
   end
 
+  create_table "rememberable_users", force: :cascade do |t|
+    t.string "name"
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "reset_password_token"
+    t.datetime "reset_password_sent_at"
+    t.datetime "remember_created_at"
+    t.integer "sign_in_count", default: 0
+    t.datetime "current_sign_in_at"
+    t.datetime "last_sign_in_at"
+    t.string "current_sign_in_ip"
+    t.string "last_sign_in_ip"
+    t.string "otp_auth_secret"
+    t.string "otp_recovery_secret"
+    t.boolean "otp_enabled", default: false, null: false
+    t.boolean "otp_mandatory", default: false, null: false
+    t.datetime "otp_enabled_on"
+    t.integer "otp_time_drift", default: 0, null: false
+    t.integer "otp_failed_attempts", default: 0, null: false
+    t.integer "otp_recovery_counter", default: 0, null: false
+    t.string "otp_persistence_seed"
+    t.string "otp_session_challenge"
+    t.datetime "otp_challenge_expires"
+    t.index ["email"], name: "index_rememberable_users_on_email", unique: true
+    t.index ["otp_challenge_expires"], name: "index_rememberable_users_on_otp_challenge_expires"
+    t.index ["otp_session_challenge"], name: "index_rememberable_users_on_otp_session_challenge", unique: true
+    t.index ["reset_password_token"], name: "index_rememberable_users_on_reset_password_token", unique: true
+  end
+
   create_table "users", force: :cascade do |t|
     t.string "name"
     t.datetime "created_at", precision: nil, null: false