devise-two-factor 2.1.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.


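--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
- metadata.gz: 8b48e2ba9c00be8daeb003205e6e0eb391541a0d
- data.tar.gz: fddf7caf9e1ac9bcf03c4f9b9a41e481001ab13b
+ metadata.gz: 49da530a07a8536cd97a273716ac420983b6d5c5
+ data.tar.gz: 096e65bcf25b0a075c86f759ff8d96c1ac74e1e0
 SHA512:
- metadata.gz: 2066c0f7459ad2b244d1fba4cfa0f6fbd3d7f6c421eee04a716b3a9c874afa7c986230b1adf919fd67f9e19476f68616d2a5048ce393b359ca5261c5905388ce
- data.tar.gz: 69801b25f82ee866d7e843a326640aab0e566f37a1b54603be2df11b02caf0040ee81b2ab5c7256f7c0fca23eeb493f123e0c98ca05095aa0dc15c65701d7b38
+ metadata.gz: bb74672142accc67af59a6f4af54b7984e2e7ef72649c5cc089bf55702c9c7fb6443b4c07adcffce8ed8a78b9bb928c557c674fd1ca6b08587c146a4ecbc05fc
+ data.tar.gz: 2e5de1659867d6308c2987eb05dddda217ac9165d81e70b1fb036d8b4d2dbc8832dd24fa4c21c1b189935b9b941face1144cce62191af2a8be9cc42a0cc51de2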
Binary file
data.tar.gz.sig CHANGED
Binary file
@@ -5,8 +5,7 @@ before_install:
5
5
  - gem update --system
6
6
  - gem update bundler
7
7
  rvm:
8
- - "1.9.3"
9
8
  - "2.0.0"
10
9
  - "2.1"
11
10
  - "2.2"
12
- - jruby-19mode # JRuby in 1.9 mode
11
+ - "2.3.0"
@@ -1,3 +1,21 @@
1
+ # Guide to upgrading from 2.x to 3.x
2
+
3
+ Pull request #73 allows for compatibility with `attr_encrypted` 2.0. This version changes many of the defaults which must be taken into account to avoid corrupted OTP secrets on your model.
4
+
5
+ Due to new security practices in `attr_encrypted` an encryption key with insufficient length will cause an error. If you run into this, you may set `insecure_mode: true` in the `attr_encrypted` options.
6
+
7
+ You should initially add compatibility by specifying the `attr_encrypted` attribute in your model (`User` for these examples) with the old default encryption algorithm before invoking `devise :two_factor_authenticatable`:
8
+ ```ruby
9
+ class User < ActiveRecord::Base
10
+ attr_encrypted :otp_secret,
11
+ :key => self.otp_secret_encryption_key,
12
+ :mode => :per_attribute_iv_and_salt,
13
+ :algorithm => 'aes-256-cbc'
14
+
15
+ devise :two_factor_authenticatable,
16
+ :otp_secret_encryption_key => ENV['DEVISE_TWO_FACTOR_ENCRYPTION_KEY']
17
+ ```
18
+
1
19
  # Guide to upgrading from 1.x to 2.x
2
20
 
3
21
  Pull request #43 added a new field to protect against "shoulder-surfing" attacks. If upgrading, you'll need to add the `:consumed_timestep` column to your `Users` model.
@@ -26,7 +26,7 @@ Gem::Specification.new do |s|
26
26
 
27
27
  s.add_runtime_dependency 'railties'
28
28
  s.add_runtime_dependency 'activesupport'
29
- s.add_runtime_dependency 'attr_encrypted', '~> 1.3'
29
+ s.add_runtime_dependency 'attr_encrypted', '>= 1.3', '< 4'
30
30
  s.add_runtime_dependency 'devise', '~> 3.5'
31
31
  s.add_runtime_dependency 'rotp', '~> 2.0'
32
32
 
@@ -5,7 +5,7 @@ require 'devise_two_factor/strategies'
5
5
  module Devise
6
6
  # The length of generated OTP secrets
7
7
  mattr_accessor :otp_secret_length
8
- @@otp_secret_length = 128
8
+ @@otp_secret_length = 24
9
9
 
10
10
  # The number of seconds before and after the current
11
11
  # time for which codes will be accepted
@@ -8,8 +8,15 @@ module Devise
8
8
  include Devise::Models::DatabaseAuthenticatable
9
9
 
10
10
  included do
11
- attr_encrypted :otp_secret, :key => self.otp_secret_encryption_key,
12
- :mode => :per_attribute_iv_and_salt unless self.attr_encrypted?(:otp_secret)
11
+ unless singleton_class.ancestors.include?(AttrEncrypted)
12
+ extend AttrEncrypted
13
+ end
14
+
15
+ unless attr_encrypted?(:otp_secret)
16
+ attr_encrypted :otp_secret,
17
+ :key => self.otp_secret_encryption_key,
18
+ :mode => :per_attribute_iv_and_salt unless self.attr_encrypted?(:otp_secret)
19
+ end
13
20
 
14
21
  attr_accessor :otp_attempt
15
22
  end
@@ -1,3 +1,3 @@
1
1
  module DeviseTwoFactor
2
- VERSION = '2.1.0'.freeze
2
+ VERSION = '2.2.0'.freeze
3
3
  end
@@ -8,7 +8,32 @@ class TwoFactorAuthenticatableDouble
8
8
 
9
9
  define_model_callbacks :update
10
10
 
11
- devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'
11
+ devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'*4
12
+
13
+ attr_accessor :consumed_timestep
14
+
15
+ def save(validate)
16
+ # noop for testing
17
+ true
18
+ end
19
+ end
20
+
21
+ class TwoFactorAuthenticatableWithCustomizeAttrEncryptedDouble
22
+ extend ::ActiveModel::Callbacks
23
+ include ::ActiveModel::Validations::Callbacks
24
+
25
+ # like https://github.com/tinfoil/devise-two-factor/blob/cf73e52043fbe45b74d68d02bc859522ad22fe73/UPGRADING.md#guide-to-upgrading-from-2x-to-3x
26
+ extend ::AttrEncrypted
27
+ attr_encrypted :otp_secret,
28
+ :key => 'test-key'*8,
29
+ :mode => :per_attribute_iv_and_salt,
30
+ :algorithm => 'aes-256-cbc'
31
+
32
+ extend ::Devise::Models
33
+
34
+ define_model_callbacks :update
35
+
36
+ devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'*4
12
37
 
13
38
  attr_accessor :consumed_timestep
14
39
 
@@ -25,3 +50,30 @@ describe ::Devise::Models::TwoFactorAuthenticatable do
25
50
  it_behaves_like 'two_factor_authenticatable'
26
51
  end
27
52
  end
53
+
54
+ describe ::Devise::Models::TwoFactorAuthenticatable do
55
+ context 'When included in a class' do
56
+ subject { TwoFactorAuthenticatableWithCustomizeAttrEncryptedDouble.new }
57
+
58
+ it_behaves_like 'two_factor_authenticatable'
59
+
60
+ before :each do
61
+ subject.otp_secret = subject.class.generate_otp_secret
62
+ subject.consumed_timestep = nil
63
+ end
64
+
65
+ describe 'otp_secret options' do
66
+ it 'should be of the key' do
67
+ expect(subject.encrypted_attributes[:otp_secret][:key]).to eq('test-key'*8)
68
+ end
69
+
70
+ it 'should be of the mode' do
71
+ expect(subject.encrypted_attributes[:otp_secret][:mode]).to eq(:per_attribute_iv_and_salt)
72
+ end
73
+
74
+ it 'should be of the mode' do
75
+ expect(subject.encrypted_attributes[:otp_secret][:algorithm]).to eq('aes-256-cbc')
76
+ end
77
+ end
78
+ end
79
+ end
@@ -9,7 +9,7 @@ class TwoFactorBackupableDouble
9
9
  define_model_callbacks :update
10
10
 
11
11
  devise :two_factor_authenticatable, :two_factor_backupable,
12
- :otp_secret_encryption_key => 'test-key'
12
+ :otp_secret_encryption_key => 'test-key'*4
13
13
 
14
14
  attr_accessor :otp_backup_codes
15
15
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise-two-factor
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.1.0
4
+ version: 2.2.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Shane Wilton
@@ -84,7 +84,7 @@ cert_chain:
84
84
  5C31v4YyRBnNCp0pN66nxYX2avEiQ8riTBP5mlkPPOhsIoYQHHe2Uj75aVpu0LZ3
85
85
  cdFzuO4GC1dV0Wv+dsDm+MyF7DT5E9pUPXpnMJuPvPrFpCb+wrFlszW9hGjXbQ==
86
86
  -----END CERTIFICATE-----
87
- date: 2016-03-23 00:00:00.000000000 Z
87
+ date: 2016-05-11 00:00:00.000000000 Z
88
88
  dependencies:
89
89
  - !ruby/object:Gem::Dependency
90
90
  name: railties
@@ -118,16 +118,22 @@ dependencies:
118
118
  name: attr_encrypted
119
119
  requirement: !ruby/object:Gem::Requirement
120
120
  requirements:
121
- - - "~>"
121
+ - - ">="
122
122
  - !ruby/object:Gem::Version
123
123
  version: '1.3'
124
+ - - "<"
125
+ - !ruby/object:Gem::Version
126
+ version: '4'
124
127
  type: :runtime
125
128
  prerelease: false
126
129
  version_requirements: !ruby/object:Gem::Requirement
127
130
  requirements:
128
- - - "~>"
131
+ - - ">="
129
132
  - !ruby/object:Gem::Version
130
133
  version: '1.3'
134
+ - - "<"
135
+ - !ruby/object:Gem::Version
136
+ version: '4'
131
137
  - !ruby/object:Gem::Dependency
132
138
  name: devise
133
139
  requirement: !ruby/object:Gem::Requirement
@@ -293,7 +299,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
293
299
  version: '0'
294
300
  requirements: []
295
301
  rubyforge_project: devise-two-factor
296
- rubygems_version: 2.4.5.1
302
+ rubygems_version: 2.6.3
297
303
  signing_key:
298
304
  specification_version: 4
299
305
  summary: Barebones two-factor authentication with Devise
metadata.gz.sig CHANGED
Binary file