devise-otp 1.1.0 → 2.0.0

data/test/models/otp_authenticatable_test.rb

@@ -6,6 +6,10 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
     new_user
   end
 
+  def teardown
+    Timecop.return
+  end
+
   test "new users do not have a secret set" do
     user = User.first
 
@@ -15,7 +19,7 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
   end
 
   test "new users have OTP disabled by default" do
-    assert !User.first.otp_enabled
+    assert_not User.first.otp_enabled
   end
 
   test "populating otp secrets should populate all required fields" do
@@ -42,8 +46,8 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
     user.enable_otp!
     user.generate_otp_challenge!
     user.update(
-      :otp_failed_attempts => 1,
-      :otp_recovery_counter => 1
+      otp_failed_attempts: 1,
+      otp_recovery_counter: 1
     )
 
 
@@ -75,7 +79,7 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
 
     u.reset_otp_persistence!
     assert(otp_auth_secret == u.otp_auth_secret)
-    assert !(otp_persistence_seed == u.otp_persistence_seed)
+    assert_not (otp_persistence_seed == u.otp_persistence_seed)
     assert u.otp_enabled
   end
 
@@ -95,7 +99,8 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
     u.populate_otp_secrets!
     u.enable_otp!
     challenge = u.generate_otp_challenge!(1.second)
-    sleep(2)
+
+    Timecop.travel(Time.now + 2)
 
     w = User.find_valid_otp_challenge(challenge)
     assert_nil w
@@ -106,7 +111,7 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
     u.populate_otp_secrets!
     u.enable_otp!
     challenge = u.generate_otp_challenge!(1.second)
-    sleep(2)
+    Timecop.travel(Time.now + 2)
     assert_equal false, u.otp_challenge_valid?
   end
 
@@ -129,17 +134,49 @@ class OtpAuthenticatableTest < ActiveSupport::TestCase
     assert_equal true, u.validate_otp_token(token)
   end
 
-  test "generated otp token, out of drift window, should be NOT valid for the user" do
+  test "generated otp token within the drift window should be valid for the user" do
     u = User.first
     u.populate_otp_secrets!
     u.enable_otp!
 
     secret = u.otp_auth_secret
+    token = ROTP::TOTP.new(secret).at(Time.now)
 
-    [3.minutes.from_now, 3.minutes.ago].each do |time|
-      token = ROTP::TOTP.new(secret).at(time)
-      assert_equal false, u.valid_otp_token?(token)
-    end
+    Timecop.freeze(Time.now + 90)
+    assert_equal true, u.valid_otp_token?(token)
+
+    Timecop.return
+    Timecop.freeze(Time.now - 90)
+    assert_equal true, u.valid_otp_token?(token)
+  end
+
+  test "generated otp token outside of drift window should NOT be valid for the user" do
+    # Since the otp_drift_window defines steps (not just time), and these steps
+    # begin at the 30 and 60 second marks of each minute, it is possible for
+    # an OTP token to be used up to 119 seconds after generation with a 3 step
+    # drift window. For example, a token generated at 12:00:00PM could be used
+    # within the timeframe for any of the following steps:
+    # - 12:00:00~12:00:29 (current step)
+    # - 12:00:30~12:00:59 (drift of 1 step)
+    # - 12:01:00~12:00:29 (drift of 2 steps)
+    # - 12:01:30~12:01:59 (drift of 3 steps)
+    #
+    # As a result, we need to test for 120 seconds to ensure that the test
+    # always passes.
+
+    u = User.first
+    u.populate_otp_secrets!
+    u.enable_otp!
+
+    secret = u.otp_auth_secret
+    token = ROTP::TOTP.new(secret).at(Time.now)
+
+    Timecop.freeze(Time.now + 120)
+    assert_equal false, u.valid_otp_token?(token)
+
+    Timecop.return
+    Timecop.freeze(Time.now - 120)
+    assert_equal false, u.valid_otp_token?(token)
   end
 
   test "recovery secrets should be valid, and valid only once" do

data/test/test_helper.rb

@@ -4,6 +4,7 @@ require "dummy/config/environment"
 require "rails/test_help"
 require "capybara/rails"
 require "minitest/reporters"
+require "timecop"
 
 Minitest::Reporters.use!
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise-otp
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Lele Forzani
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-07-20 00:00:00.000000000 Z
+date: 2025-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -66,14 +66,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.10
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.10
 description: OTP authentication for Devise
 email:
 - lele@windmill.it
@@ -83,8 +97,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".erb_lint.yml"
 - ".github/workflows/ci.yml"
 - ".gitignore"
+- ".rubocop.yml"
 - Appraisals
 - CHANGELOG.md
 - Gemfile
@@ -93,6 +109,7 @@ files:
 - Rakefile
 - app/assets/stylesheets/devise-otp.css
 - app/controllers/devise_otp/devise/otp_credentials_controller.rb
+- app/controllers/devise_otp/devise/otp_persistence_controller.rb
 - app/controllers/devise_otp/devise/otp_tokens_controller.rb
 - app/views/devise/otp_credentials/refresh.html.erb
 - app/views/devise/otp_credentials/show.html.erb
@@ -102,6 +119,8 @@ files:
 - app/views/devise/otp_tokens/recovery.html.erb
 - app/views/devise/otp_tokens/recovery_codes.text.erb
 - app/views/devise/otp_tokens/show.html.erb
+- bin/erb_lint
+- bin/rubocop
 - config/locales/en.yml
 - devise-otp.gemspec
 - gemfiles/rails_7.1.gemfile
@@ -136,8 +155,10 @@ files:
 - test/dummy/app/helpers/posts_helper.rb
 - test/dummy/app/mailers/.gitkeep
 - test/dummy/app/models/admin.rb
+- test/dummy/app/models/lockable_user.rb
 - test/dummy/app/models/non_otp_user.rb
 - test/dummy/app/models/post.rb
+- test/dummy/app/models/rememberable_user.rb
 - test/dummy/app/models/user.rb
 - test/dummy/app/views/admin_posts/index.html.erb
 - test/dummy/app/views/base/home.html.erb
@@ -148,6 +169,7 @@ files:
 - test/dummy/app/views/posts/index.html.erb
 - test/dummy/app/views/posts/new.html.erb
 - test/dummy/app/views/posts/show.html.erb
+- test/dummy/app/views/shared/_navbar.html.erb
 - test/dummy/config.ru
 - test/dummy/config/application.rb
 - test/dummy/config/boot.rb
@@ -174,6 +196,11 @@ files:
 - test/dummy/db/migrate/20240604000003_devise_otp_add_to_admins.rb
 - test/dummy/db/migrate/20250718092451_create_non_otp_users.rb
 - test/dummy/db/migrate/20250718092536_add_devise_to_non_otp_users.rb
+- test/dummy/db/migrate/20250731000001_create_lockable_users.rb
+- test/dummy/db/migrate/20250731000002_add_devise_to_lockable_users.rb
+- test/dummy/db/migrate/20250731000003_devise_otp_add_to_lockable_users.rb
+- test/dummy/db/migrate/20250817221304_create_rememberable_users.rb
+- test/dummy/db/migrate/20250818030305_add_devise_otp_to_rememberable_users.rb
 - test/dummy/db/schema.rb
 - test/dummy/db/seeds.rb
 - test/dummy/lib/assets/.gitkeep
@@ -184,9 +211,12 @@ files:
 - test/dummy/script/rails
 - test/integration/disable_token_test.rb
 - test/integration/enable_otp_form_test.rb
+- test/integration/lockable_test.rb
 - test/integration/non_otp_user_models_test.rb
+- test/integration/otp_drift_test.rb
 - test/integration/persistence_test.rb
 - test/integration/refresh_test.rb
+- test/integration/rememberable_test.rb
 - test/integration/reset_token_test.rb
 - test/integration/sign_in_test.rb
 - test/integration/trackable_test.rb