devise-suspicious_login 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 0222b12b1368c6bd070e59a5e8f5a85711cc16f9fe9f2565a9ae8f10c7172055
+  data.tar.gz: b216d35f79d6d79f85cd01cfeba1ae2e13ddb61e6b35acf3edc8b826d9f7036d
+SHA512:
+  metadata.gz: 4fbaf798720e48198aade72a7a21be195bdec0776e878d0424fb1ff342f3986d4fe6492e537cbdeffa0bbbcbdae49661660bfaa7ef92c09388d6de09448da16d
+  data.tar.gz: 6f3ff5333a4ca4dfc6f2b85747bdb6345a1659445078c6e2aa8ce60a7d98c9f3d84155cfef1b023becedf4f5023f8988450850cc02c8519f253df334e3171eb4

data/.gitignore

@@ -0,0 +1,10 @@
+.bundle/
+log/*.log
+pkg/
+test/tmp
+test/dummy/db/*.sqlite3
+test/dummy/db/*.sqlite3-journal
+test/dummy/log/*.log
+test/dummy/tmp/
+Gemfile.lock
+*.gem

data/Gemfile

@@ -0,0 +1,2 @@
+source "https://rubygems.org"
+gemspec

data/README.md

@@ -0,0 +1,111 @@
+# devise-suspicious_login
+
+A devise extension that helps protect again suspicious logins.
+
+## Getting started
+
+```ruby
+gem 'devise-suspicious_login
+```
+
+Run `bundle` command to install.
+
+
+### Quick Installation
+
+Quick Installation should work on most default rails apps.
+
+Run the install generator:
+
+`rails generate suspicious_login:install`
+
+to install the relevant config files `config/initializers/suspicious_login.rb` with default settings.
+
+Next run the ActiveRecord generator for each model you want to enable suspicious_login detection for.
+
+`rails generate active_record:suspicious_login User`
+
+will update and configure the User model automatically. This will also automatically create a database migration that adds the necessary fields to the User model.
+
+Run this migration wih
+
+`rails db:migrate`
+
+By default only dormant users (3 months without a login by default setting) are considered suspicious. Suspicious check for dormant users can be turned of by setting:
+
+```ruby
+config.dormant_sign_in after = nil
+```
+
+To add a custom suspicious check for a model simply define a method `suspicious_login_attempt?(request)` eg:
+
+```ruby
+# request parameter contains the contents of the rails request
+def suspicious_login_attempt?(request)
+  if request.ip.botnet? return true
+  false
+end
+```
+
+
+### Manual Installation
+
+Once installed you need to add `login_token` and `login_token_sent_at` fields to any resources (eg User) that will use need this feature. Below shows how to add this to the `User` model.
+
+
+```ruby
+# For a new migration for the users table, define a migration as follows:
+create_table :users do |t|
+  t.login_token
+end
+```
+
+```ruby
+# If the table already exists, define a migration and add the following:
+change_table :users do |t|
+  t.string login_token
+  t.datetime :login_token_sent_at
+end
+```
+
+Add the `:suspicious_login` module to the resource.
+This extension requires the resource to have the native devise modules `:trackable` and `:recoverable` attached to it eg:
+
+```ruby
+class User < ApplicationRecord
+  devise :database_authenticatable, :recoverable, :registerable, :authenticatable, :trackable, :suspicious_login
+end
+```
+
+## Configuration
+
+```ruby
+Devise.setup do |config|
+  # Period of time to expire token after login_tokens
+  # config.expire_login_token_after = 10.minutes
+
+  # Period of time to wait before resending another email for a suspicious login
+  # config.resend_login_token_after = 1.minute
+
+  # Period of time after which a user is considered to be dormant and a login treated as suspicious
+  # dormant_sign_in_after = 3.months
+
+  # Column to store login token for resource
+  # config.token_field_name = :login_token
+
+  # Column to store login token create time for resource
+  # config.token_created_at_field_name = :login_token_sent_at
+
+  # Clear token on login (allows tokens to be one time use only)
+  # config.clear_token_on_login = true
+end
+```
+
+Be sure to set all of your devise login failure messages to be the same otherwise an attack will know if the login credentials are correct depending on the failure message returned!
+
+See (test/dummy/config/locales/devise.en.yml)
+
+## Requirements
+
+* Devise (https://github.com/plataformatec/devise)
+* Rails 5.1 onwards (http://github.com/rails/rails)

data/Rakefile

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+begin
+  require "bundler/setup"
+  require "bundler/gem_tasks"
+rescue LoadError
+  puts "You must `gem install bundler` and `bundle install` to run rake tasks"
+end
+
+require "rdoc/task"
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = "rdoc"
+  rdoc.title    = "Devise::SuspiciousLogin"
+  rdoc.options << "--line-numbers"
+  rdoc.rdoc_files.include("README.md")
+  rdoc.rdoc_files.include("lib/**/*.rb")
+end
+
+
+
+
+
+
+require "bundler/gem_tasks"
+
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
+  t.verbose = false
+end
+
+
+task default: :test

data/app/views/devise/mailer/suspicious_login_instructions.html.erb

@@ -0,0 +1,7 @@
+<h2><%= "Hi #{@resource.email}" %></h2>
+<p>We noticed a new login to your account</p>
+<h4>If this was you:</h4>
+<p>Click the login link below to config and log in</p>
+<p><%= link_to("Log in", root_url(login_token: @token, email: @resource.email)) %></p>
+<h4>If this wasn't you:</h4>
+<p>Your account may have been compromised and you should <%= link_to("reset your password now.", edit_user_password_url(@resource, reset_password_token: @reset_password_token)) %></p>

data/bin/test

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$: << File.expand_path(File.expand_path("../../spec", __FILE__))
+
+require "bundler/setup"
+require "rails/plugin/test"

data/config/locales/en.yml

@@ -0,0 +1,10 @@
+en:
+  devise:
+    installer:
+      missing_modules:
+        one: "The following devise module is missing from your model and has been automatically added -> :%{missing_modules}.\n\n"
+        other: "The following devise modules are missing from your model and have been automatically added -> :%{missing_modules}.\n\n"
+      missing_model: "Model %{name} does not exist."
+      devise_missing: "Devise not found on %{name}"
+    failure:
+      suspicious_login: "Your email or password are invalid, OR we need to verify your sign in. If you have received an email from us, please follow the instructions to complete your sign in."

data/devise-suspicious_login.gemspec

@@ -0,0 +1,26 @@
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
+
+# Maintain your gem's version:
+require "suspicious_login/version"
+
+# Describe your gem and declare its dependencies:
+Gem::Specification.new do |s|
+  s.name        = "devise-suspicious_login"
+  s.version     = SuspiciousLogin::VERSION.dup
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["ceres629"]
+  s.email       = ["ceres629@gmail.com"]
+  s.summary     = "Devise extension that check for suspicious logins"
+  s.summary     = "Devise extension that check for suspicious logins"
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- test/*`.split("\n")
+  s.require_paths = ['lib']
+
+  s.add_runtime_dependency "devise", ">= 4"
+  s.add_development_dependency "colorize"
+  s.add_development_dependency 'rails', '>= 5.0', '< 6.0'
+  s.add_development_dependency 'minitest'
+  s.add_development_dependency "rake"
+  s.add_development_dependency "sqlite3"
+  s.add_development_dependency "factory_bot_rails"
+end

data/lib/generators/active_record/suspicious_login_generator.rb

@@ -0,0 +1,97 @@
+require 'generators/active_record/devise_generator'
+require 'generators/suspicious_login/orm_helpers'
+
+module ActiveRecord
+  module Generators
+    class SuspiciousLoginGenerator < ActiveRecord::Generators::Base
+      argument :attributes, type: :array, default: [], banner: "field:type field:type"
+      include SuspiciousLogin::Generators::OrmHelpers
+      source_root File.expand_path("../templates", __FILE__)
+
+      @required_devise_modules = [:trackable, :recoverable]
+
+      def generate_model
+        class_path = namespaced? ? class_name.to_s.split("::") : [class_name]
+
+        if behavior == :invoke && !model_exists?
+          if Rails.env.test?
+            invoke "active_record:model", [name], migration: false
+          else
+            raise(SuspiciousLogin::MissingModelError, I18n.t('devise.installer.missing_model', name: class_path.last))
+          end
+        elsif behavior == :revoke
+          return
+        end
+      end
+
+      def copy_devise_migration
+        if (behavior == :invoke && model_exists?) || (behavior == :revoke && migration_exists?(table_name))
+          migration_template "migration_existing.rb", "#{migration_path}/add_devise_suspicious_login_to_#{table_name}.rb", migration_version: migration_version
+        else
+          migration_template "migration.rb", "#{migration_path}/devise_create_#{table_name}.rb", migration_version: migration_version
+        end
+      end
+
+      def add_warden_strategy
+        template('../../templates/suspicious_login.rb', 'config/initializers/suspicious_login.rb') unless File.exist?(File.join(destination_root, 'config/initializers/suspicious_login.rb'))
+
+        content = File.read(File.join(destination_root, 'config/initializers/suspicious_login.rb'))
+
+        if content.include?("config.warden do |manager|\n")
+          inject_into_file 'config/initializers/suspicious_login.rb', :after => "config.warden do |manager|\n" do
+            "    manager.default_strategies(:scope => :#{name.downcase.to_sym}).unshift :suspicious_login_token\n"
+          end
+        else
+          inject_into_file 'config/initializers/suspicious_login.rb', :after => "Devise.setup do |config|" do
+            """  config.warden do |manager|
+                manager.default_strategies(:scope => :#{name.downcase.to_sym}).unshift :suspicious_login_token
+              end
+            """
+          end
+        end
+      end
+
+      def migration_data
+<<RUBY
+t.string #{Devise.token_field_name}
+      t.datetime #{Devise.token_created_at_field_name}
+RUBY
+      end
+
+      def inject_devise_content
+        devise_modules_re = /devise((\s*)(:\S*))+/
+        suspicious_login_re = /devise(?:(?:\s*)(?::\S*))+(,\s*:suspicious_login)/
+        content = File.read(File.join(destination_root, model_path))
+
+        if model_exists?
+          class_path = namespaced? ? class_name.to_s.split("::") : [class_name]
+
+          if behavior == :invoke
+            devise_content = devise_modules_re.match(content)&.[](0)
+            devise_missing_modules = missing_modules(devise_content)
+            if devise_content && devise_missing_modules
+              updated_devise_content = devise_missing_modules.reduce(devise_content) { |acc, mod| "#{acc}, :#{mod.to_s}" }
+              puts I18n.t('devise.installer.missing_modules', missing_modules: devise_missing_modules.join(', '), count: devise_missing_modules.length) if devise_missing_modules.any? && gsub_file(model_path, devise_modules_re, updated_devise_content) > 0
+              puts "\n"
+            else
+              raise(SuspiciousLogin::DeviseMissingFromModel, I18n.t('devise.installer.devise_missing', name: class_path.last)) if !Rails.env.test?
+            end
+          elsif behavior == :revoke
+            chop_content = suspicious_login_re.match(content)&.[](1)
+            force_gsub_file(model_path, chop_content, "") if chop_content
+          end
+        end
+      end
+
+      def rails5?
+        Rails.version.start_with? '5'
+      end
+
+      def migration_version
+        if rails5?
+          "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
+        end
+      end
+    end
+  end
+end

data/lib/generators/active_record/templates/migration.rb

@@ -0,0 +1,11 @@
+class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration<%= migration_version %>
+  def change
+    create_table :<%= table_name %><%= primary_key_type %> do |t|
+<%= migration_data -%>
+
+<% attributes.each do |attribute| -%>
+      t.<%= attribute.type %> :<%= attribute.name %>
+<% end -%>
+    end
+  end
+end

data/lib/generators/active_record/templates/migration_existing.rb

@@ -0,0 +1,13 @@
+class AddDeviseSuspiciousLoginTo<%= table_name.camelize %> < ActiveRecord::Migration<%= migration_version %>
+  def self.up
+    change_table :<%= table_name %> do |t|
+      <%= migration_data -%>
+    end
+  end
+
+  def self.down
+    # By default, we don't want to make any assumption about how to roll back a migration when your
+    # model already existed. Please edit below which fields you would like to remove in this migration.
+    raise ActiveRecord::IrreversibleMigration
+  end
+end

data/lib/generators/suspicious_login/install_generator.rb

@@ -0,0 +1,23 @@
+module SuspiciousLogin
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+
+      source_root File.expand_path("../../templates", __FILE__)
+      desc "Add SuspiciousLogin config variables and files to rails project"
+      def create_initializer
+        template('suspicious_login.rb', 'config/initializers/suspicious_login.rb')
+      end
+
+      def copy_locale
+        copy_file "../../../config/locales/en.yml", "config/locales/suspicious_login.en.yml"
+        puts "\n*** IMPORTANT: Be sure to set all devise authentication failure messages to be the same as 'devise.failure.suspicious_login' ***".red
+        puts "See https://github.com/ceres629/devise-suspicious_login/blob/master/test/dummy/config/locales/devise.en.yml for an example devise.en.yml.".yellow
+      end
+
+      def prepend_application_file
+        create_file "config/application.rb", "module Rails\n  class Application < Rails::Application\n  end\nend" if Rails.env.test?
+        application "require 'suspicious_login'"
+      end
+    end
+  end
+end

data/lib/generators/suspicious_login/orm_helpers.rb

@@ -0,0 +1,56 @@
+module SuspiciousLogin
+  module Generators
+    module OrmHelpers
+      def force_gsub_file(path, flag, *args, &block)
+        config = args.last.is_a?(Hash) ? args.pop : {}
+
+        path = File.expand_path(path, destination_root)
+        say_status :gsub, relative_to_original_destination_root(path), config.fetch(:verbose, true)
+
+        unless options[:pretend]
+          content = File.binread(path)
+          content.gsub!(flag, *args, &block)
+          File.open(path, "wb") { |file| file.write(content) }
+        end
+      end
+
+      def required_devise_modules
+        [:trackable, :recoverable, :suspicious_login]
+      end
+
+      def missing_modules(devise_content)
+        missing_modules = []
+        required_devise_modules.each { |mod| missing_modules << mod unless devise_content&.include?(mod.to_s)}
+        missing_modules
+      end
+
+      def devise_module_exists?(devise_content, module_name)
+        devise_content.include?(module_name)
+      end
+
+      def append_devise_module(devise_content, module_name)
+       (devise_content.blank? || devise_content.include?(module_name.to_s)) ? devise_content : devise_content + ", :#{module_name.to_s}"
+      end
+
+      def model_exists?
+        File.exist?(File.join(destination_root, model_path))
+      end
+
+      def migration_exists?(table_name)
+        Dir.glob("#{File.join(destination_root, migration_path)}/[0-9]*_*.rb").grep(/\d+_add_devise_suspicious_login_to_#{table_name}.rb$/).first
+      end
+
+      def migration_path
+        if Rails.version >= '5.0.3'
+          db_migrate_path
+        else
+          @migration_path ||= File.join("db", "migrate")
+        end
+      end
+
+      def model_path
+        @model_path ||= File.join("app", "models", "#{file_path}.rb")
+      end
+    end
+  end
+end

data/lib/generators/templates/suspicious_login.rb

@@ -0,0 +1,26 @@
+Devise.setup do |config|
+  # ==> SuspiciousLogin Extension
+
+  # Configure suspicious extension for devise
+
+  # Period of time after which tokens expire
+  # config.expire_login_token_after = 10.minutes
+
+  # Minimum period of time before another token can be resent
+  # config.resend_login_token_after = 1.minute
+
+  # Period of time after which a user is considered to be dormant
+  # config.dormant_sign_in_after = 3.months
+
+  # Resource field that will be used to store the login_token
+  # config.token_field_name = :login_token
+
+  # Resource field that will be used to store the token_created_at time
+  # config.token_created_at_field_name = :login_token_sent_at
+
+  # Clear login_token after user login (true means each token can only be used once)
+  # config.clear_token_on_login = true
+
+  config.warden do |manager|
+  end
+end