devise-otp 0.2.0 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 68e7b6bff6340dae80c51a03b25daa473524eee4
-  data.tar.gz: 1407a2855ebf8bd2df27e678bf1b360922e894eb
+  metadata.gz: b5936698b6e66c85c09d06f13df85acec3ef012b
+  data.tar.gz: 88768f71081fa8385d38aa5c035453003f7253b4
 SHA512:
-  metadata.gz: 4f233eb0d98a0ec858a27711f355d7ab6306d358b0f0ea80008616c06904ad917b7becfe6f988f51b930627bb6126fa8cc3d23e73b2deb8588fe10d2e963a454
-  data.tar.gz: fab7310046129c7f095493f0505a3b1b16906608165f0ee446c6afc3980b34e9a0683da2553ac9cec7c80baa409a09305b7abd68c985e4d397384a9d57471a38
+  metadata.gz: b7f176ffae7d15974ce50a6e60c9a169c6e03c5e0f9933b7642e893592d4691c3e7d561a7755ea011a246d7a02a6711aa9c3e0b0cd0a75de1c5312126d94b2ea
+  data.tar.gz: d1c47a4ce461d627709639a76963130b3566dda2951a2685d40551dccdad204d68ab15f0606ba31da9ba40259ceccfb21fe68bd2a3b32158292d092591a73ff7

data/.travis.yml

@@ -2,6 +2,7 @@ language: ruby
 rvm:
   - 1.9.3
   - 2.0.0
+  - 2.1.2
   - rbx-19mode
   - rbx-20mode
 script: rake test

data/README.md

@@ -4,16 +4,19 @@
 Devise OTP implements two-factors authentication for Devise, using an rfc6238 compatible Time-Based One-Time Password Algorithm.
 It uses the [rotp library](https://github.com/mdp/rotp) for generation and verification of codes.
 
+**If you are upgrading from version 0.1.x, you will need to regenerate your views.**
+
 It currently has the following features:
 
 * Url based provisioning of token devices, compatible with **Google Authenticator**.
-* Two factors authentication can be **optional** at user discretion, **recommended** (it nags the user on every sign-in) or **mandatory** (users must enroll OTP after signing-in next time, before they can navigate the site). The settings is global, or per-user.
+* Browsers can be set as 'trusted' for a limited time. During that time no OTP challenge is asked again when logging from that browser (but normal login will).
+* Two factors authentication can be **optional** at user discretion, **recommended** (it nags the user on every sign-in) or **mandatory** (users must enroll OTP after signing-in next time, before they can navigate the site). The settings is global, or per-user. ( **incomplete**, see below)
 * Optionally, users can obtain a list of HOTP recovery tokens to be used for emergency log-in in case the token device is lost or unavailable.
 
 Compatible token devices are:
 
 * [Google Authenticator](https://code.google.com/p/google-authenticator/)
-* ...
+* [FreeOTP](https://fedorahosted.org/freeotp/)
 
 ## Quick overview of Two Factors Authentication, using OTPs.
 
@@ -99,12 +102,19 @@ With this extension enabled, the following is expected behaviour:
 
 The install generator adds some options to the end of your Devise config file (config/initializers/devise.rb)
 
-* config.otp_mandatory - OTP is mandatory, users are going to be asked to enroll the next time they sign in, before they can successfully complete the session establishment.
-* config.otp_authentication_timeout - how long the user has to authenticate with their token. (defaults to 3.minutes)s
-* config.otp_drift_window - a window which provides allowance for drift between a user's token device clock (and therefore their OTP tokens) and the authentication server's clock. (default: 3)
-* config.otp_credentials_refresh - Users that have logged in longer than this time ago, or haven't refreshed, are boing to be asked their password (and an OTP token, if enabled) before they can see or change their otp informations. (defaults to 15.minutes)
-* config.recovery_tokens - Whether the users are given a list of one-time recovery tokens, for emergency access (default: true)
-* config.otp_uri_application - The name of this application, to be added to the provisioning url as '<user_email>/application_name' (defaults to the Rails application class)
+* `config.otp_mandatory` - OTP is mandatory, users are going to be asked to enroll the next time they sign in, before they can successfully complete the session establishment.
+* `config.otp_authentication_timeout` - how long the user has to authenticate with their token. (defaults to `3.minutes`)
+* `config.otp_drift_window` - a window which provides allowance for drift between a user's token device clock (and therefore their OTP tokens) and the authentication server's clock. Expressed in minutes centered at the current time. (default: `3`)
+* `config.otp_credentials_refresh` - Users that have logged in longer than this time ago, are going to be asked their password (and an OTP challenge, if enabled) before they can see or change their otp informations. (defaults to `15.minutes`)
+* `config.otp_recovery_tokens` - Whether the users are given a list of one-time recovery tokens, for emergency access (default: `10`, set to `false` to disable)
+* `config.otp_trust_persistence` - The user is allowed to set his browser as "trusted", no more OTP challenges will be asked for that browser, for a limited time. (default: `1.month`, set to false to disable setting the browser as trusted)
+* `config.otp_uri_application` - The name of this application, to be added to the provisioning url as '<user_email>/application_name' (defaults to the Rails application class)
+
+## Todo
+
+* 2D barcodes for provisioning are currently produced with the google charts api. You can, of course, use your own source in the template, but I am looking for a solution with no external dependencies (feedback welcome).
+* **recommended** mode (nag the user each time) is not fully implemented. Right now you can make 2FA mandatory, or leave it to the user.
+
 
 ## Contributing
 

data/app/controllers/devise_otp/tokens_controller.rb

@@ -4,7 +4,7 @@ class DeviseOtp::TokensController < DeviseController
   prepend_before_filter :ensure_credentials_refresh
   prepend_before_filter :authenticate_scope!
 
-  #protect_from_forgery :except => [:clear_persistence, :delete_persistence]
+  protect_from_forgery :except => [:clear_persistence, :delete_persistence]
 
   #
   # Displays the status of OTP authentication
@@ -21,14 +21,13 @@ class DeviseOtp::TokensController < DeviseController
   # Updates the status of OTP authentication
   #
   def update
-    #if resource.update_without_password(params[resource_name])
-    if resource.update_attribute(:otp_enabled, params[resource_name][:otp_enabled])
+
+    enabled =  (params[resource_name][:otp_enabled] == '1')
+    if (enabled ? resource.enable_otp! : resource.disable_otp!)
 
       otp_set_flash_message :success, :successfully_updated
-      render :show
-    else
-      render :show
     end
+    render :show
   end
 
   #
@@ -86,6 +85,7 @@ class DeviseOtp::TokensController < DeviseController
     render :recovery
   end
 
+
   private
 
   def ensure_credentials_refresh

data/app/views/devise_otp/credentials/show.html.erb

@@ -17,7 +17,7 @@
     </p>
 
 	<p><%= f.submit I18n.t('submit', {:scope => 'devise.otp.submit_token'}) %></p>
-    <%- if !@recovery && resource_class.recovery_tokens %>
+    <%- if !@recovery && recovery_enabled? %>
       <p><%= link_to I18n.t('recovery_link', {:scope => 'devise.otp.submit_token'}), otp_credential_path_for(resource_name, :challenge => @challenge, :recovery => true) %></p>
     <% end %>
  <% end %>

data/app/views/devise_otp/tokens/_trusted_devices.html.erb

@@ -0,0 +1,10 @@
+<h3><%= I18n.t('title', {:scope => 'devise.otp.trusted_devices'}) %></h3>
+<p><%= I18n.t('explain', {:scope => 'devise.otp.trusted_devices'}) %></p>
+<%- if is_otp_trusted_device_for? resource %>
+  <p><em><%= I18n.t('device_trusted', {:scope => 'devise.otp.trusted_devices'}) %></em></p>
+  <p><%= link_to I18n.t('trust_remove', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name), :method => :post %></p>
+<% else %>
+  <p><%= I18n.t('device_not_trusted', {:scope => 'devise.otp.trusted_devices'}) %></p>
+  <p><%= link_to I18n.t('trust_add', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name) %></p>
+<% end %>
+<p><%= link_to I18n.t('trust_clear', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name), :method => :delete %></p>

data/app/views/devise_otp/tokens/show.html.erb

@@ -1,6 +1,4 @@
 <h2><%= I18n.t('title', {:scope => 'devise.otp.tokens'}) %></h2>
-<p><%= I18n.t('caption', {:scope => 'devise.otp.tokens'}) %></p>
-
 <p><%= I18n.t('explain', {:scope => 'devise.otp.tokens'}) %></p>
 
 <%= form_for(resource, :as => resource_name, :url => [resource_name, :otp_token], :html => { :method => :put }) do |f| %>
@@ -17,15 +15,5 @@
 
 <%- if resource.otp_enabled? %>
   <%= render :partial => 'token_secret' if resource.otp_enabled? %>
-
-  <h3><%= I18n.t('title', {:scope => 'devise.otp.trusted_devices'}) %></h3>
-  <p><%= I18n.t('explain', {:scope => 'devise.otp.trusted_devices'}) %></p>
-  <%- if is_otp_trusted_device_for? resource  %>
-    <p><em><%= I18n.t('device_trusted', {:scope => 'devise.otp.trusted_devices'}) %></em></p>
-    <p><%= link_to I18n.t('trust_remove', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name), :method => :post %></p>
-  <% else %>
-    <p><%= I18n.t('device_not_trusted', {:scope => 'devise.otp.trusted_devices'}) %></p>
-    <p><%= link_to I18n.t('trust_add', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name) %></p>
-  <% end %>
-  <p><%= link_to I18n.t('trust_clear', {:scope => 'devise.otp.trusted_devices'}), persistence_otp_token_path_for(resource_name), :method => :delete %></p>
+  <%= render :partial => 'trusted_devices' if trusted_devices_enabled? %>
 <% end %>

data/config/locales/en.yml

@@ -34,7 +34,7 @@ en:
 
       tokens:
         title: 'Two-factors Authentication:'
-        explain: 'Two factors does this and that and that also'
+        explain: 'Two factors authentication adds adds an additional layer of security to your account. When logging in you will be asked for a code that you can generate on a physical device, like your phone.'
         enable_request: 'Would you like to enable Two Factors Authenticator?'
 
         status: 'Enable Two-Factors Authentication.'
@@ -57,10 +57,10 @@ en:
 
 
       trusted_devices:
-        title: 'Trusted Devices'
-        explain: 'Trusted Device are ....'
-        device_trusted: 'Your device is trusted.'
-        device_not_trusted: 'Your device is not trusted.'
-        trust_remove: 'Remove this device from the list of trusted devices'
-        trust_add: 'Trust this device'
-        trust_clear: 'Clear the list of trusted devices'
+        title: 'Trusted Browsers'
+        explain: 'If you set your browser as trusted, you will not be asked to perform a 2-factors authentication when logging in from that browser, for a time of one month.'
+        device_trusted: 'Your browser is trusted.'
+        device_not_trusted: 'Your browser is not trusted.'
+        trust_remove: 'Remove this device from the list of trusted browsers'
+        trust_add: 'Trust this browser'
+        trust_clear: 'Clear the list of trusted browser'

data/lib/devise-otp.rb

@@ -28,14 +28,21 @@ module Devise
   #
   #
   #
-  mattr_accessor :recovery_tokens
-  @@recovery_tokens = 5  ## false to disable
+  mattr_accessor :otp_recovery_tokens
+  @@otp_recovery_tokens = 10  ## false to disable
+
+  #
+  # If the user is given the chance to set his browser as trusted, how long will it stay trusted.
+  # set to nil/false to disable the ability to set a device as trusted
+  #
+  mattr_accessor :otp_trust_persistence
+  @@otp_trust_persistence = 30.days
 
   #
   #
   #
  	mattr_accessor :otp_drift_window
- 	@@otp_drift_window = 3 # in seconds
+ 	@@otp_drift_window = 3 # in minutes
 
   #
   # if the user wants to change Otp settings,

data/lib/devise-otp/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module Otp
-    VERSION = "0.2.0"
+    VERSION = "0.2.2"
   end
 end

data/lib/devise_otp_authenticatable/controllers/helpers.rb

@@ -27,8 +27,12 @@ module DeviseOtpAuthenticatable
       end
 
 
+      def trusted_devices_enabled?
+        resource.class.otp_trust_persistence && (resource.class.otp_trust_persistence > 0)
+      end
+
       def recovery_enabled?
-        resource_class.recovery_tokens && (resource_class.recovery_tokens > 0)
+        resource_class.otp_recovery_tokens && (resource_class.otp_recovery_tokens > 0)
       end
 
       #
@@ -67,6 +71,7 @@ module DeviseOtpAuthenticatable
       # is the current browser trusted?
       #
       def is_otp_trusted_device_for?(resource)
+        return false unless resource.class.otp_trust_persistence
         if cookies[otp_scoped_persistence_cookie].present?
           cookies.signed[otp_scoped_persistence_cookie] ==
               [resource.class.serialize_into_cookie(resource), resource.otp_persistence_seed].tap do
@@ -80,9 +85,10 @@ module DeviseOtpAuthenticatable
       # make the current browser trusted
       #
       def otp_set_trusted_device_for(resource)
+        return unless resource.class.otp_trust_persistence
         cookies.signed[otp_scoped_persistence_cookie] = {
             :httponly => true,
-            :expires => 30.days.from_now,
+            :expires => Time.now + resource.class.otp_trust_persistence,
             :value => [resource.class.serialize_into_cookie(resource), resource.otp_persistence_seed]
         }
       end

data/lib/devise_otp_authenticatable/controllers/url_helpers.rb

@@ -3,13 +3,11 @@ module DeviseOtpAuthenticatable
 
     module UrlHelpers
 
-
       def recovery_otp_token_for(resource_or_scope, opts = {})
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         send("recovery_#{scope}_otp_token_path", opts)
       end
 
-
       def refresh_otp_credential_path_for(resource_or_scope, opts = {})
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         send("refresh_#{scope}_otp_credential_path", opts)

data/lib/devise_otp_authenticatable/models/otp_authenticatable.rb

@@ -11,8 +11,8 @@ module Devise::Models
     end
 
     module ClassMethods
-      ::Devise::Models.config(self, :otp_authentication_timeout, :otp_drift_window,
-                                    :otp_mandatory, :otp_credentials_refresh, :otp_uri_application, :recovery_tokens)
+      ::Devise::Models.config(self, :otp_authentication_timeout, :otp_drift_window, :otp_trust_persistence,
+                                    :otp_mandatory, :otp_credentials_refresh, :otp_uri_application, :otp_recovery_tokens)
 
       def find_valid_otp_challenge(challenge)
         with_valid_otp_challenge(Time.now).where(:otp_session_challenge => challenge).first
@@ -41,9 +41,9 @@ module Devise::Models
       @recovery_otp = nil
       generate_otp_auth_secret
       reset_otp_persistence
-      update_columns(:otp_enabled => false, :otp_time_drift => 0,
-                        :otp_session_challenge => nil, :otp_challenge_expires => nil,
-                        :otp_recovery_counter => 0)
+      update(:otp_enabled => false, :otp_time_drift => 0,
+             :otp_session_challenge => nil, :otp_challenge_expires => nil,
+             :otp_recovery_counter => 0)
     end
 
     def reset_otp_credentials!
@@ -51,7 +51,6 @@ module Devise::Models
       save!
     end
 
-
     def reset_otp_persistence
       generate_otp_persistence_seed
     end
@@ -61,9 +60,17 @@ module Devise::Models
       save!
     end
 
+    def enable_otp!
+      update!(:otp_enabled => true, :otp_enabled_on => Time.now)
+    end
+
+    def disable_otp!
+      update!(:otp_enabled => false, :otp_enabled_on => nil, :otp_time_drift => 0)
+    end
+
     def generate_otp_challenge!(expires = nil)
-      update_columns(:otp_session_challenge => SecureRandom.hex,
-                     :otp_challenge_expires => DateTime.now + (expires || self.class.otp_authentication_timeout))
+      update!(:otp_session_challenge => SecureRandom.hex,
+             :otp_challenge_expires => DateTime.now + (expires || self.class.otp_authentication_timeout))
       otp_session_challenge
     end
 
@@ -91,7 +98,7 @@ module Devise::Models
     end
     alias_method :valid_otp_time_token?, :validate_otp_time_token
 
-    def next_otp_recovery_tokens(number = 5)
+    def next_otp_recovery_tokens(number = self.class.otp_recovery_tokens)
       (otp_recovery_counter..otp_recovery_counter + number).inject({}) do |h, index|
         h[index] = recovery_otp.at(index)
         h
@@ -108,21 +115,13 @@ module Devise::Models
 
 
 
-
-
     private
 
-    #
-    # refactor me, I suck
-    #
     def validate_otp_token_with_drift(token)
-      # valid_vals << ROTP::TOTP.new(otp_auth_secret).at(Time.now)
 
       # should be centered around saved drift
-      (-self.class.otp_drift_window..self.class.otp_drift_window).each do |drift|
-        return drift if(time_based_otp.verify(token, Time.now.ago(30 * drift)))
-      end
-      false
+      (-self.class.otp_drift_window..self.class.otp_drift_window).any? {|drift|
+        (time_based_otp.verify(token, Time.now.ago(30 * drift))) }
     end
 
     def generate_otp_persistence_seed

data/lib/devise_otp_authenticatable/routes.rb

@@ -11,9 +11,11 @@ module ActionDispatch::Routing
         resource :token, :only => [:show, :update, :destroy],
                  :path => mapping.path_names[:token], :controller => controllers[:otp_tokens] do
 
-          get  :persistence, :action => 'get_persistence'
-          post :persistence, :action => 'clear_persistence'
-          delete :persistence, :action => 'delete_persistence'
+          if Devise.otp_trust_persistence
+            get  :persistence, :action => 'get_persistence'
+            post :persistence, :action => 'clear_persistence'
+            delete :persistence, :action => 'delete_persistence'
+          end
 
           get  :recovery
         end

data/lib/generators/active_record/devise_otp_generator.rb

@@ -6,7 +6,7 @@ module ActiveRecord
       source_root File.expand_path("../templates", __FILE__)
 
       def copy_devise_migration
-        migration_template "migration.rb", "db/migrate/devise_otp_add_to_#{table_name}"
+        migration_template "migration.rb", "db/migrate/devise_otp_add_to_#{table_name}.rb"
       end
     end
   end

data/lib/generators/active_record/templates/migration.rb

@@ -6,7 +6,6 @@ class DeviseOtpAddTo<%= table_name.camelize %> < ActiveRecord::Migration
       t.boolean   :otp_enabled,          :default => false, :null => false
       t.boolean   :otp_mandatory,        :default => false, :null => false
       t.datetime  :otp_enabled_on
-      t.integer   :otp_time_drift,       :default => 0, :null => false
       t.integer   :otp_failed_attempts,  :default => 0, :null => false
       t.integer   :otp_recovery_counter, :default => 0, :null => false
       t.string    :otp_persistence_seed

data/lib/generators/devise_otp/install_generator.rb

@@ -13,11 +13,33 @@ content = <<-CONTENT
   # ==> Devise OTP Extension
   # Configure OTP extension for devise
 
-  # How long should the user have to enter their token. To change the default, uncomment and change the below:
-  #config.otp_authentication_timeout = 3.minutes
+  # OTP is mandatory, users are going to be asked to
+  # enroll OTP the next time they sign in, before they can successfully complete the session establishment.
+  # This is the global value, can also be set on each user.
+  #config.otp_mandatory = false
+
+  # Drift: a window which provides allowance for drift between a user's token device clock
+  # (and therefore their OTP tokens) and the authentication server's clock.
+  # Expressed in minutes centered at the current time. (Note: it's a number, *NOT* 3.minutes )
+  #config.otp_drift_window = 3
+
+  # Users that have logged in longer than this time ago, are going to be asked their password
+  # (and an OTP challenge, if enabled) before they can see or change their otp informations.
+  #config.otp_credentials_refresh = 15.minutes
+
+  # Users are given a list of one-time recovery tokens, for emergency access
+  # set to false to disable giving recovery tokens.
+  #config.recovery_tokens = 10
+
+  # The user is allowed to set his browser as "trusted", no more OTP challenges will be
+  # asked for that browser, for a limited time.
+  # set to false to disable setting the browser as trusted
+  #config.otp_trust_persistence = 1.month
+
+  # The name of this application, to be added to the provisioning
+  # url as '<user_email>/application_name' (defaults to the Rails application class)
+  #config.otp_uri_application = 'my_application'
 
-  # Change time drift settings for valid token values. To change the default, uncomment and change the below:
-  #config.otp_authentication_time_drift = 3
 CONTENT
 
         inject_into_file "config/initializers/devise.rb", content, :before => /end[ |\n|]+\Z/

data/test/integration/sign_in_test.rb

@@ -13,7 +13,7 @@ class SignInTest < ActionDispatch::IntegrationTest
     visit new_user_session_path
     fill_in 'user_email', :with => 'user@email.invalid'
     fill_in 'user_password', :with => '12345678'
-    click_button 'Sign in'
+    page.has_content?('Log in') ? click_button('Log in') : click_button('Sign in')
 
     assert_equal root_path, current_path
   end

data/test/integration/token_test.rb

@@ -0,0 +1,34 @@
+require 'test_helper'
+require 'integration_tests_helper'
+
+class TokenTest < ActionDispatch::IntegrationTest
+
+
+  def teardown
+    Capybara.reset_sessions!
+  end
+
+  test 'disabling OTP after successfully enabling' do
+
+    # log in 1fa
+    user = enable_otp_and_sign_in
+    assert_equal user_otp_credential_path, current_path
+
+    # otp 2fa
+    fill_in 'user_token', :with => ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button 'Submit Token'
+    assert_equal root_path, current_path
+
+    # disable OTP
+    disable_otp
+
+    # logout
+    sign_out
+
+    # log back in 1fa
+    sign_user_in(user)
+
+    assert_equal root_path, current_path
+
+  end
+end

data/test/integration_tests_helper.rb

@@ -36,13 +36,26 @@ class ActionDispatch::IntegrationTest
     user
   end
 
+  def disable_otp
+    visit user_otp_token_path
+    uncheck 'user_otp_enabled'
+    click_button 'Continue...'
+  end
+
+  def sign_out
+    Capybara.reset_sessions!
+  end
+
   def sign_user_in(user = nil)
     user ||= create_full_user
     resource_name = user.class.name.underscore
     visit send("new_#{resource_name}_session_path")
     fill_in "#{resource_name}_email", :with => user.email
     fill_in "#{resource_name}_password", :with => user.password
-    click_button 'Sign in'
+
+    page.has_content?('Log in') ? click_button('Log in') : click_button('Sign in')
     user
   end
+
+
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-otp
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.2
 platform: ruby
 authors:
 - Lele Forzani
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-08-12 00:00:00.000000000 Z
+date: 2014-08-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -96,6 +96,7 @@ files:
 - app/views/devise_otp/credentials/refresh.html.erb
 - app/views/devise_otp/credentials/show.html.erb
 - app/views/devise_otp/tokens/_token_secret.html.erb
+- app/views/devise_otp/tokens/_trusted_devices.html.erb
 - app/views/devise_otp/tokens/recovery.html.erb
 - app/views/devise_otp/tokens/show.html.erb
 - config/locales/en.yml
@@ -161,6 +162,7 @@ files:
 - test/dummy/script/rails
 - test/integration/refresh_test.rb
 - test/integration/sign_in_test.rb
+- test/integration/token_test.rb
 - test/integration_tests_helper.rb
 - test/model_tests_helper.rb
 - test/models/otp_authenticatable_test.rb
@@ -236,6 +238,7 @@ test_files:
 - test/dummy/script/rails
 - test/integration/refresh_test.rb
 - test/integration/sign_in_test.rb
+- test/integration/token_test.rb
 - test/integration_tests_helper.rb
 - test/model_tests_helper.rb
 - test/models/otp_authenticatable_test.rb