devise-otp 0.8.0 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 95e8a170c1942c78dae2cb24c06a818c6e91854268acf78df61b83e22fd18726
-  data.tar.gz: 409a75794455459fa1c88892216d556b138cf1a40f4bfe0a06f3ce65a47a528e
+  metadata.gz: 7a2884c76d255b2c2bb3b40859db7018c5668d49fcb6897141dacd8d7df0bc62
+  data.tar.gz: 3c7ee30dd96a9711b4b4194cb2b94cea6abb06113dda2ef58b70c9a96c998ec4
 SHA512:
-  metadata.gz: 45d13d374f2a2504fcee11d81f8771712ae706d138725e3bb777470b099b106cb09ffdb4e2132b6ac5c837b00bb341ff9b5fc56ce5981ff144b358d1e8ed4338
-  data.tar.gz: b946e7a0551ba464285e324559f287a9765657258159e508fe08f4b22068548a4be6602d3173a6fac46638130e5795c69bdbdd4b28031d48cfaa592b87eef9da
+  metadata.gz: b099c20c5c6d76fc2e1226511615bb43f2b081620f01bbf1bcc939cec66e286aa3536f8a654495907607e42d23e7f3efd9bb3377ed3a1a8a6ef522ec5e9568e1
+  data.tar.gz: 731d1dc34877d0fe91bb092b33ce4ee7c302c4cb75183daa3ff67a0df7f6d242bc86b3ab4e0923683b8408c8f1e6bab8e8a1d1c5fa10b9b0e104617a9b87ded7

data/.github/workflows/ci.yml

@@ -16,6 +16,17 @@ jobs:
           - '3.2'
           - '3.1'
           - 'head'
+        rails:
+          - rails_8.0
+          - rails_7.2
+          - rails_7.1
+          - rails_7.0
+        exclude:
+          - ruby: '3.1'
+            rails: 'rails_8.0'
+
+    env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
+      BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/${{ matrix.rails }}.gemfile
 
     steps:
       - name: Checkout

data/.gitignore

@@ -38,7 +38,9 @@ test/dummy/db/*.sqlite3
 test/dummy/db/*.sqlite3-shm
 test/dummy/db/*.sqlite3-wal
 
+# Ignore Gemfile.lock
 Gemfile.lock
+gemfiles/*.lock
 
 # Generated test files
 tmp/*

data/Appraisals

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+appraise 'rails_7.0' do
+  gem 'rails', '~> 7.0.0'
+  gem 'sqlite3', '~> 1.5.0'
+
+  # Fix: LoadError: cannot load such file -- base64
+  install_if '-> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.3.0") }' do
+    gem 'base64'
+    gem 'bigdecimal'
+    gem 'mutex_m'
+    gem 'drb'
+    gem 'logger'
+  end
+end
+
+appraise 'rails_7.1' do
+  gem 'rails', '~> 7.1.0'
+  gem 'sqlite3', '~> 1.5.0'
+
+  # Fix:
+  # warning: logger was loaded from the standard library, but will no longer be part of the default gems since Ruby 3.5.0.
+  # Add logger to your Gemfile or gemspec.
+  install_if '-> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.4.0") }' do
+    gem 'logger'
+  end
+end
+
+appraise 'rails_7.2' do
+  gem 'rails', '~> 7.2.0'
+  gem 'sqlite3', '~> 1.5.0'
+end
+
+appraise 'rails_8.0' do
+  gem 'rails', '~> 8.0.0'
+end

data/Gemfile

@@ -3,6 +3,8 @@ source "https://rubygems.org"
 # Specify your gem's dependencies in devise-otp.gemspec
 gemspec
 
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+
 gem "capybara"
 gem "minitest-reporters", ">= 0.5.0"
 gem "puma"
@@ -10,5 +12,5 @@ gem "rake"
 gem "rdoc"
 gem "shoulda"
 gem "sprockets-rails"
-gem "sqlite3", "~> 1.4"
+gem "sqlite3", "~> 2.1"
 gem "standardrb"

data/README.md

@@ -13,7 +13,7 @@ Some of the compatible token devices are:
 * [Google Authenticator](https://code.google.com/p/google-authenticator/)
 * [FreeOTP](https://fedorahosted.org/freeotp/)
 
-Device OTP was recently updated to work with Rails 7 and Turbo.
+Device OTP was recently updated to work with Rails 7+ and Turbo.
 
 ## Sponsor
 
@@ -58,10 +58,13 @@ Don't forget to migrate:
 
     rake db:migrate
 
-Add the gem's JavaScript to you `application.js`:
+### Default CSS
 
-    //= require devise-otp
+To use the default CSS for devise-otp, just require the devise-otp.css file as usual in your application.css file (or equivalent):
 
+    *= require devise-otp
+
+It might be even easier to just copy the styles to your project.
 
 ### Custom views
 
@@ -77,9 +80,7 @@ The install generator also installs an english copy of a Devise OTP i18n file. T
 
 ### QR codes
 
-By default, Devise OTP assumes that you use [Sprockets](https://github.com/rails/sprockets) to render assets and so will use the ([qrcode.js](/app/assets/javascripts/qrcode.js)) embeded library to render the QR code.
-
-If you need something more, have a look at [QR codes](/docs/QR_CODES.md) documentation file.
+Devise OTP generates QR Codes directly as SVG's via the [rqrcode](https://github.com/whomwah/rqrcode), so there are no JavaScript (or Sprockets) dependencies.
 
 ## Configuration
 
@@ -102,7 +103,7 @@ Enforcing mandatory OTP requires adding the ensure\_mandatory\_{scope}\_otp! met
 
 ## Authors
 
-The project was originally started by Lele Forzani by forking [devise_google_authenticator](https://github.com/AsteriskLabs/devise_google_authenticator) and still contains some devise_google_authenticator code. It's now maintained by [Josef Strzibny](https://github.com/strzibny/).
+The project was originally started by Lele Forzani by forking [devise_google_authenticator](https://github.com/AsteriskLabs/devise_google_authenticator) and still contains some devise_google_authenticator code. It's now maintained by [Josef Strzibny](https://github.com/strzibny/) and [Laney Stroup](https://github.com/strouptl).
 
 Contributions are welcome!
 

data/app/assets/stylesheets/devise-otp.css

@@ -0,0 +1,4 @@
+.qrcode-container {
+  max-width: 300px;
+  margin: 0 auto;
+}

data/app/controllers/devise_otp/devise/otp_credentials_controller.rb

@@ -26,17 +26,15 @@ module DeviseOtp
       # signs the resource in, if the OTP token is valid and the user has a valid challenge
       #
       def update
-        if @token.blank?
-          otp_set_flash_message(:alert, :token_blank)
-          redirect_to otp_credential_path_for(resource_name, challenge: @challenge, recovery: @recovery)
-        elsif resource.otp_challenge_valid? && resource.validate_otp_token(@token, @recovery)
+        if resource.otp_challenge_valid? && resource.validate_otp_token(@token, @recovery)
           sign_in(resource_name, resource)
 
           otp_set_trusted_device_for(resource) if params[:enable_persistence] == "true"
           otp_refresh_credentials_for(resource)
           respond_with resource, location: after_sign_in_path_for(resource)
         else
-          otp_set_flash_message :alert, :token_invalid
+          kind = (@token.blank? ? :token_blank : :token_invalid)
+          otp_set_flash_message :alert, kind, :now => true
           render :show
         end
       end
@@ -103,7 +101,7 @@ module DeviseOtp
       end
 
       def failed_refresh
-        otp_set_flash_message :alert, :invalid_refresh
+        otp_set_flash_message :alert, :invalid_refresh, :now => true
         render :refresh
       end
 

data/app/controllers/devise_otp/devise/otp_tokens_controller.rb

@@ -35,7 +35,7 @@ module DeviseOtp
           otp_set_flash_message :success, :successfully_updated
           redirect_to otp_token_path_for(resource)
         else
-          otp_set_flash_message :danger, :could_not_confirm
+          otp_set_flash_message :danger, :could_not_confirm, :now => true
           render :edit
         end
       end
@@ -109,7 +109,6 @@ module DeviseOtp
         ensure_resource!
 
         if needs_credentials_refresh?(resource)
-          otp_set_flash_message :notice, :need_to_refresh_credentials
           redirect_to refresh_otp_credential_path_for(resource)
         end
       end

data/config/locales/en.yml

@@ -14,7 +14,6 @@ en:
         otp_session_invalid: Session invalid. Please start again.
         token_invalid: 'The token you provided was invalid.'
         token_blank: 'You need to type in the token you generated with your device.'
-        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
         valid_refresh: 'Thank you, your credentials were accepted.'
         invalid_refresh: 'Sorry, you provided the wrong credentials.'
       credentials_refresh:
@@ -41,7 +40,6 @@ en:
         successfully_set_persistence: 'Your device is now trusted.'
         successfully_cleared_persistence: 'Your device has been removed from the list of trusted devices.'
         successfully_reset_persistence: 'Your list of trusted devices has been cleared.'
-        need_to_refresh_credentials: 'We need to check your credentials before you can change these settings.'
         recovery:
           title: 'Your Emergency Recovery Codes'
           explain: 'Take note or print these recovery codes. The will allow you to log back in in case your token device is lost, stolen, or unavailable.'

data/devise-otp.gemspec

@@ -5,16 +5,17 @@ require_relative "lib/devise-otp/version"
 Gem::Specification.new do |gem|
   gem.name = "devise-otp"
   gem.version = Devise::OTP::VERSION
-  gem.authors = ["Lele Forzani", "Josef Strzibny"]
-  gem.email = ["lele@windmill.it", "strzibny@strzibny.name"]
-  gem.description = "Time Based OTP/rfc6238 compatible authentication for Devise"
+  gem.authors = ["Lele Forzani", "Josef Strzibny", "Laney Stroup"]
+  gem.email = ["lele@windmill.it", "strzibny@strzibny.name", "laney@stroupsolutions.com"]
+  gem.description = "OTP authentication for Devise"
   gem.summary = "Time Based OTP/rfc6238 compatible authentication for Devise"
-  gem.homepage = "http://git.windmill.it/wm/devise-otp"
+  gem.homepage = "https://github.com/wmlele/devise-otp"
 
   gem.files = `git ls-files`.split($/)
   gem.require_paths = ["lib"]
 
-  gem.add_dependency "rails", ">= 7.0", "< 8.0"
+  gem.add_dependency "rails", ">= 7.0"
   gem.add_dependency "devise", ">= 4.8.0", "< 5.0"
   gem.add_dependency "rotp", ">= 2.0.0"
+  gem.add_dependency "rqrcode", "~> 2.0"
 end

data/gemfiles/rails_7.0.gemfile

@@ -0,0 +1,25 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 1.5.0"
+gem "standardrb"
+gem "rails", "~> 7.0.0"
+
+install_if -> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.3.0") } do
+  gem "base64"
+  gem "bigdecimal"
+  gem "mutex_m"
+  gem "drb"
+  gem "logger"
+end
+
+gemspec path: "../"

data/gemfiles/rails_7.1.gemfile

@@ -0,0 +1,21 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 1.5.0"
+gem "standardrb"
+gem "rails", "~> 7.1.0"
+
+install_if -> { Gem::Version.new(RUBY_VERSION) >= Gem::Version.new("3.4.0") } do
+  gem "logger"
+end
+
+gemspec path: "../"

data/gemfiles/rails_7.2.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 1.5.0"
+gem "standardrb"
+gem "rails", "~> 7.2.0"
+
+gemspec path: "../"

data/gemfiles/rails_8.0.gemfile

@@ -0,0 +1,17 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "appraisal", git: "https://github.com/thoughtbot/appraisal.git"
+gem "capybara"
+gem "minitest-reporters", ">= 0.5.0"
+gem "puma"
+gem "rake"
+gem "rdoc"
+gem "shoulda"
+gem "sprockets-rails"
+gem "sqlite3", "~> 2.1"
+gem "standardrb"
+gem "rails", "~> 8.0.0"
+
+gemspec path: "../"

data/lib/devise-otp/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module OTP
-    VERSION = "0.8.0"
+    VERSION = "1.0.0"
   end
 end

data/lib/devise_otp_authenticatable/controllers/helpers.rb

@@ -1,3 +1,5 @@
+require "rqrcode"
+
 module DeviseOtpAuthenticatable
   module Controllers
     module Helpers
@@ -12,11 +14,8 @@ module DeviseOtpAuthenticatable
       #
       def otp_set_flash_message(key, kind, options = {})
         options[:scope] ||= "devise.otp.#{controller_name}"
-        options[:default] = Array(options[:default]).unshift(kind.to_sym)
-        options[:resource_name] = resource_name
-        options = devise_i18n_options(options) if respond_to?(:devise_i18n_options, true)
-        message = I18n.t("#{options[:resource_name]}.#{kind}", **options)
-        flash[key] = message if message.present?
+
+        set_flash_message(key, kind, options)
       end
 
       def otp_t
@@ -122,33 +121,11 @@ module DeviseOtpAuthenticatable
       # returns the URL for the QR Code to initialize the Authenticator device
       #
       def otp_authenticator_token_image(resource)
-        otp_authenticator_token_image_js(resource.otp_provisioning_uri)
-      end
-
-      private
-
-      def otp_authenticator_token_image_js(otp_url)
         content_tag(:div, class: "qrcode-container") do
-          content_tag(:div, id: "qrcode", class: "qrcode") do
-            javascript_tag(%[
-              new QRCode("qrcode", {
-                text: "#{otp_url}",
-                width: 256,
-                height: 256,
-                colorDark : "#000000",
-                colorLight : "#ffffff",
-                correctLevel : QRCode.CorrectLevel.H
-              });
-            ])
-          end
+          raw RQRCode::QRCode.new(resource.otp_provisioning_uri).as_svg(:module_size => 5, :viewbox => true, :use_path => true)
         end
       end
 
-      def otp_authenticator_token_image_google(otp_url)
-        otp_url = Rack::Utils.escape(otp_url)
-        url = "https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl=#{otp_url}"
-        image_tag(url, alt: "OTP Url QRCode")
-      end
     end
   end
 end

data/test/dummy/app/assets/javascripts/application.js

@@ -11,4 +11,3 @@
 // GO AFTER THE REQUIRES BELOW.
 //
 //= require_tree .
-//= require devise-otp

data/test/dummy/app/assets/stylesheets/application.css

@@ -8,6 +8,7 @@
  * You're free to add application-wide styles to this file and they'll appear at the top of the
  * compiled file, but it's generally better to create a new file per style scope.
  *
+ *= require devise-otp
  *= require_self
  *= require_tree .
  */

data/test/dummy/app/views/layouts/application.html.erb

@@ -8,7 +8,13 @@
 </head>
 <body>
 
-<%= yield %>
+  <div id="alerts">
+    <% flash.keys.each do |key| %>
+      <%= content_tag :p, flash[key], :id => key %>
+    <% end %>
+  </div>
+
+  <%= yield %>
 
 </body>
 </html>

data/test/dummy/db/migrate/20240604000001_create_admins.rb

@@ -1,4 +1,4 @@
-class CreateAdmins < ActiveRecord::Migration[7.1]
+class CreateAdmins < ActiveRecord::Migration[5.0]
   def change
     create_table :admins do |t|
       t.string :name

data/test/integration/disable_token_test.rb

@@ -23,6 +23,9 @@ class DisableTokenTest < ActionDispatch::IntegrationTest
     disable_otp
 
     assert page.has_content? "Disabled"
+    within "#alerts" do
+      assert page.has_content? 'Two-Factor Authentication has been disabled.'
+    end
 
     # logout
     sign_out

data/test/integration/enable_otp_form_test.rb

@@ -20,6 +20,10 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
     assert_equal user_otp_token_path, current_path
     assert page.has_content?("Enabled")
 
+    within "#alerts" do
+      assert page.has_content? 'Your Two-Factor Authentication settings have been updated.'
+    end
+
     user.reload
     assert user.otp_enabled?
   end
@@ -37,6 +41,15 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
 
     user.reload
     assert_not user.otp_enabled?
+
+    within "#alerts" do
+      assert page.has_content? 'The Confirmation Code you entered did not match the QR code shown below.'
+    end
+
+    visit "/"
+    within "#alerts" do
+      assert !page.has_content?('The Confirmation Code you entered did not match the QR code shown below.')
+    end
   end
 
   test "a user should not be able enable their OTP authentication with a blank confirmation code" do
@@ -50,6 +63,10 @@ class EnableOtpFormTest < ActionDispatch::IntegrationTest
 
     assert page.has_content?("To Enable Two-Factor Authentication")
 
+    within "#alerts" do
+      assert page.has_content? 'The Confirmation Code you entered did not match the QR code shown below.'
+    end
+
     user.reload
     assert_not user.otp_enabled?
   end

data/test/integration/persistence_test.rb

@@ -36,6 +36,9 @@ class PersistenceTest < ActionDispatch::IntegrationTest
 
     click_link("Trust this browser")
     assert_text "Your browser is trusted."
+    within "#alerts" do
+      assert page.has_content? 'Your device is now trusted.'
+    end
     sign_out
 
     sign_user_in

data/test/integration/refresh_test.rb

@@ -60,6 +60,15 @@ class RefreshTest < ActionDispatch::IntegrationTest
     fill_in "user_refresh_password", with: "12345670"
     click_button "Continue..."
     assert_equal refresh_user_otp_credential_path, current_path
+
+    within "#alerts" do
+      assert page.has_content? 'Sorry, you provided the wrong credentials.'
+    end
+
+    visit "/"
+    within "#alerts" do
+      assert !page.has_content?('Sorry, you provided the wrong credentials.')
+    end
   end
 
   test "user should be finally be able to access their settings, and just password is enough" do

data/test/integration/reset_token_test.rb

@@ -23,6 +23,9 @@ class ResetTokenTest < ActionDispatch::IntegrationTest
     reset_otp
 
     assert_equal "/users/otp/token/edit", current_path
+    within "#alerts" do
+      assert page.has_content? 'Your token secret has been reset. Please confirm your new token secret below.'
+    end
   end
 
   test "generates new token secrets" do

data/test/integration/sign_in_test.rb

@@ -43,6 +43,7 @@ class SignInTest < ActionDispatch::IntegrationTest
     click_button "Submit Token"
 
     assert_equal user_otp_credential_path, current_path
+    assert page.has_content? "The token you provided was invalid."
   end
 
   test "fail blank token authentication" do
@@ -53,6 +54,7 @@ class SignInTest < ActionDispatch::IntegrationTest
     click_button "Submit Token"
 
     assert_equal user_otp_credential_path, current_path
+    assert page.has_content? "You need to type in the token you generated with your device."
   end
 
   test "successful token authentication" do
@@ -78,4 +80,32 @@ class SignInTest < ActionDispatch::IntegrationTest
     User.otp_authentication_timeout = old_timeout
     assert_equal new_user_session_path, current_path
   end
+
+  test "blank token flash message does not persist to successful authentication redirect." do
+    user = enable_otp_and_sign_in
+
+    fill_in "token", with: "123456"
+    click_button "Submit Token"
+
+    assert page.has_content?("The token you provided was invalid.")
+
+    fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+
+    assert !page.has_content?("The token you provided was invalid.")
+  end
+
+  test "invalid token flash message does not persist to successful authentication redirect." do
+    user = enable_otp_and_sign_in
+
+    fill_in "token", with: ""
+    click_button "Submit Token"
+
+    assert page.has_content?("You need to type in the token you generated with your device.")
+
+    fill_in "token", with: ROTP::TOTP.new(user.otp_auth_secret).at(Time.now)
+    click_button "Submit Token"
+
+    assert !page.has_content?("You need to type in the token you generated with your device.")
+  end
 end