devise-otp 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e3ae46900992f2693640f098161f369f5138706d
+  data.tar.gz: 9fe62fcb21f0faf7be427ee3e4f5e0c791fd2366
+SHA512:
+  metadata.gz: a3115df085ed880dd71795041c2650f69e830a1626173a196ea200c08af0e03a2b4b44d703d164a05f27dea21ba5c9a4062152fd178f91a7859d659d4ba32850
+  data.tar.gz: bd1fa3d6ddbb5535d640ba6b561ad85e84dd429a232e9ed5752958a8bb9402313cff5137c42f659bfc3093b2470e244641db7e32f32522f378011123636ca074

data/.gitignore

@@ -0,0 +1,42 @@
+## RubyMine
+.idea
+
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+
+## PROJECT::GENERAL
+_yardoc
+doc/
+coverage
+rdoc
+pkg
+spec/reports
+lib/bundler/man
+
+## PROJECT::SPECIFIC
+test/dummy/log/**
+test/dummy/tmp/**
+test/dummy/db/*.sqlite3
+
+Gemfile.lock
+
+# Generated test files
+tmp/*

data/.travis.yml

@@ -0,0 +1,11 @@
+language: ruby
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - rbx-19mode
+  - rbx-20mode
+script: rake test
+env:
+  - DEVISE_ORM=active_record
+matrix:
+  allow_failures:

data/Gemfile

@@ -0,0 +1,25 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in devise-otp.gemspec
+gemspec
+
+gem "rdoc"
+
+group :test do
+  platforms :jruby do
+    gem 'activerecord-jdbcsqlite3-adapter'
+  end
+
+  platforms :ruby do
+    gem "sqlite3"
+  end
+
+  gem "rails", "~> 4.0.0"
+
+  gem "capybara"
+  gem 'shoulda'
+  gem 'selenium-webdriver'
+
+  #gem 'factory_girl_rails', '~> 1.2'
+  #gem 'rspec-rails', '~> 2.6.0'
+end

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2013 Lele Forzani
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,124 @@
+# Devise::Otp
+[![Build Status](https://travis-ci.org/wmlele/devise-otp.png?branch=master)](https://travis-ci.org/wmlele/devise-otp)
+
+Devise OTP implements two-factors authentication for Devise, using an rfc6238 compatible Time-Based One-Time Password Algorithm.
+It uses the [rotp library](https://github.com/mdp/rotp) for generation and verification of codes.
+
+It currently has the following features:
+
+* Url based provisioning of token devices, compatible with **Google Authenticator**.
+* Two factors authentication can be **optional** at user discretion, **recommended** (it nags the user on every sign-in) or **mandatory** (users must enroll OTP after signing-in next time, before they can navigate the site). The settings is global, or per-user.
+* Optionally, users can obtain a list of HOTP recovery tokens to be used for emergency log-in in case the token device is lost or unavailable.
+
+Compatible token devices are:
+
+* [Google Authenticator](https://code.google.com/p/google-authenticator/)
+* ...
+
+## Quick overview of Two Factors Authentication, using OTPs.
+
+* A shared secret is generated on the server, and stored both on the token device (ie: the phone) and the server itself.
+* The secret is used to generate short numerical tokens that are either time or sequence based.
+* Tokens can be generated on a phone without internet connectivity.
+* The token provides an additional layer of security against password theft.
+* OTP's should always be used as a second factor of authentication(if your phone is lost, you account is still secured with a password)
+* Google Authenticator allows you to store multiple OTP secrets and provision those using a QR Code
+
+Although there's an adjustable drift window, it is important that both the server and the token device (phone) have their clocks set (eg: using NTP).
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'devise'
+    gem 'devise-otp'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install devise-otp
+
+
+### Devise Installation
+
+To setup Devise, you need to do the following (but refer to https://github.com/plataformatec/devise for more information)
+
+Install Devise:
+
+    rails g devise:install
+
+Setup the User or Admin model
+
+    rails g devise MODEL
+
+Configure your app for authorisation, edit your Controller and add this before_filter:
+
+    before_filter :authenticate_user!
+
+Make sure your "root" route is configured in config/routes.rb
+
+### Automatic Installation
+
+Run the following generator to add the necessary configuration options to Devise's config file:
+
+    rails g devise_otp:install
+
+After you've created your Devise user models (which is usually done with a "rails g devise MODEL"), set up your Devise OTP additions:
+
+    rails g devise_otp MODEL
+
+Don't forget to migrate:
+
+    rake db:migrate
+
+### Custom Views
+
+If you want to customise your views (which you likely will want to), you can use the generator:
+
+    rails g devise_otp:views
+
+### I18n
+
+The install generator also installs an english copy of a Devise OTP i18n file. This can be modified (or used to create other language versions) and is located at: _config/locales/devise.otp.en.yml_
+
+
+## Usage
+
+With this extension enabled, the following is expected behaviour:
+
+* Users may go to _/MODEL/otp/token_ and enable their OTP state, they might be asked to provide their password again (and OTP token, if it's enabled)
+* Once enabled they're shown an alphanumeric code (for manual provisioning) and a QR code, for automatic provisioning of their authetication device (for instance, Google Authenticator)
+* If config.otp_mandatory or model_instance.otp_mandatory, users will be required to enable, and provision, next time they successfully sign-in.
+
+
+### Configuration Options
+
+The install generator adds some options to the end of your Devise config file (config/initializers/devise.rb)
+
+* config.otp_mandatory - OTP is mandatory, users are going to be asked to enroll the next time they sign in, before they can successfully complete the session establishment.
+* config.otp_authentication_timeout - how long the user has to authenticate with their token. (defaults to 3.minutes)s
+* config.otp_drift_window - a window which provides allowance for drift between a user's token device clock (and therefore their OTP tokens) and the authentication server's clock. (default: 3)
+* config.otp_credentials_refresh - Users that have logged in longer than this time ago, or haven't refreshed, are boing to be asked their password (and an OTP token, if enabled) before they can see or change their otp informations. (defaults to 15.minutes)
+* config.recovery_tokens - Whether the users are given a list of one-time recovery tokens, for emergency access (default: true)
+* config.otp_uri_application - The name of this application, to be added to the provisioning url as '<user_email>/application_name' (defaults to the Rails application class)
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request
+
+## Thanks
+
+I started this extension by forking [devise_google_authenticator](https://github.com/AsteriskLabs/devise_google_authenticator), and this project still contains some chunk of code from it, esp. in the tests and generators.
+At some point, my design goals were significantly diverging, so I refactored most of its code. Still, I want to thank the original author for his relevant contribution.
+
+## License
+
+MIT Licensed

data/Rakefile

@@ -0,0 +1,42 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Foobar'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+desc 'Run Devise tests for all ORMs.'
+task :tests do
+  Dir[File.join(File.dirname(__FILE__), 'test', 'orm', '*.rb')].each do |file|
+    orm = File.basename(file).split(".").first
+    system "rake test DEVISE_ORM=#{orm}"
+  end
+end
+
+desc 'Default: run tests for all ORMs.'
+task :default => :tests

data/app/controllers/devise_otp/credentials_controller.rb

@@ -0,0 +1,106 @@
+class DeviseOtp::CredentialsController < DeviseController
+  helper_method :new_session_path
+
+  prepend_before_filter :authenticate_scope!, :only => [:get_refresh, :set_refresh]
+  prepend_before_filter :require_no_authentication, :only => [ :show, :update ]
+
+  #
+  # show a request for the OTP token
+  #
+  def show
+    @challenge = params[:challenge]
+    @recovery =  (params[:recovery] == 'true') && recovery_enabled?
+
+    if @challenge.nil?
+      redirect_to :root
+
+    else
+      self.resource = resource_class.find_valid_otp_challenge(@challenge)
+      if resource.nil?
+        redirect_to :root
+      elsif @recovery
+        @recovery_count = resource.otp_recovery_counter
+        render :show
+      else
+        render :show
+      end
+    end
+  end
+
+  #
+  # signs the resource in, if the OTP token is valid and the user has a valid challenge
+  #
+  def update
+
+    resource = resource_class.find_valid_otp_challenge(params[resource_name][:challenge])
+    recovery = (params[resource_name][:recovery] == 'true') && recovery_enabled?
+    token = params[resource_name][:token]
+
+    if token.blank?
+      otp_set_flash_message(:alert, :token_blank)
+      redirect_to otp_credential_path_for(resource_name, :challenge => params[resource_name][:challenge],
+                                                         :recovery => recovery)
+    elsif resource.nil?
+      otp_set_flash_message(:alert, :otp_session_invalid)
+      redirect_to new_session_path(resource_name)
+    else
+      if resource.otp_challenge_valid? && resource.validate_otp_token(params[resource_name][:token], recovery)
+        set_flash_message(:success, :signed_in) if is_navigational_format?
+        sign_in(resource_name, resource)
+
+        otp_refresh_credentials_for(resource)
+        respond_with resource, :location => after_sign_in_path_for(resource)
+      else
+        otp_set_flash_message :alert, :token_invalid
+        redirect_to new_session_path(resource_name)
+      end
+    end
+  end
+
+
+  #
+  # displays the request for a credentials refresh
+  #
+  def get_refresh
+    ensure_resource!
+    render :refresh
+  end
+
+  #
+  # lets the user through is the refresh is valid
+  #
+  def set_refresh
+
+    ensure_resource!
+    # I am sure there's a much better way
+    if resource.valid_password?(params[resource_name][:refresh_password])
+      if resource.otp_enabled?
+        if resource.validate_otp_token(params[resource_name][:token].to_i)
+          done_valid_refresh
+        else
+          failed_refresh
+        end
+      else
+        done_valid_refresh
+      end
+    else
+      failed_refresh
+    end
+  end
+
+
+  private
+
+  def done_valid_refresh
+    otp_refresh_credentials_for(resource)
+    otp_set_flash_message :success, :valid_refresh if is_navigational_format?
+
+    respond_with resource, :location => otp_fetch_refresh_return_url
+  end
+
+  def failed_refresh
+    otp_set_flash_message :alert, :invalid_refresh
+    render :refresh
+  end
+
+end

data/app/controllers/devise_otp/tokens_controller.rb

@@ -0,0 +1,105 @@
+class DeviseOtp::TokensController < DeviseController
+  include Devise::Controllers::Helpers
+
+  prepend_before_filter :ensure_credentials_refresh
+  prepend_before_filter :authenticate_scope!
+
+  #protect_from_forgery :except => [:clear_persistence, :delete_persistence]
+
+  #
+  # Displays the status of OTP authentication
+  #
+  def show
+   if resource.nil?
+      redirect_to stored_location_for(scope) || :root
+    else
+      render :show
+    end
+  end
+
+  #
+  # Updates the status of OTP authentication
+  #
+  def update
+    #if resource.update_without_password(params[resource_name])
+    if resource.update_attribute(:otp_enabled, params[resource_name][:otp_enabled])
+
+      otp_set_flash_message :success, :successfully_updated
+      render :show
+    else
+      render :show
+    end
+  end
+
+  #
+  # Resets OTP authentication, generates new credentials, sets it to off
+  #
+  def destroy
+
+    if resource.reset_otp_credentials!
+      otp_set_flash_message :success, :successfully_reset_creds
+    end
+    render :show
+  end
+
+
+  #
+  # makes the current browser persistent
+  #
+  def get_persistence
+
+
+    if otp_set_trusted_device_for(resource)
+      otp_set_flash_message :success, :successfully_set_persistence
+    end
+    redirect_to :action => :show
+  end
+
+
+  #
+  # clears persistence for the current browser
+  #
+  def clear_persistence
+    if otp_clear_trusted_device_for(resource)
+      otp_set_flash_message :success, :successfully_cleared_persistence
+    end
+
+    redirect_to :action => :show
+  end
+
+
+  #
+  # rehash the persistence secret, thus, making all the persistence cookies invalid
+  #
+  def delete_persistence
+    if otp_reset_persistence_for(resource)
+      otp_set_flash_message :notice, :successfully_reset_persistence
+    end
+
+    redirect_to :action => :show
+  end
+
+  #
+  #
+  #
+  def recovery
+    render :recovery
+  end
+
+  private
+
+  def ensure_credentials_refresh
+
+    ensure_resource!
+    if needs_credentials_refresh?(resource)
+      otp_set_flash_message :notice, :need_to_refresh_credentials
+      redirect_to refresh_otp_credential_path_for(resource)
+    end
+  end
+
+  def scope
+    resource_name.to_sym
+  end
+
+
+end