devise-two-factor 2.1.0 → 2.2.0
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.travis.yml +1 -2
- data/UPGRADING.md +18 -0
- data/devise-two-factor.gemspec +1 -1
- data/lib/devise-two-factor.rb +1 -1
- data/lib/devise_two_factor/models/two_factor_authenticatable.rb +9 -2
- data/lib/devise_two_factor/version.rb +1 -1
- data/spec/devise/models/two_factor_authenticatable_spec.rb +53 -1
- data/spec/devise/models/two_factor_backupable_spec.rb +1 -1
- metadata +11 -5
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 49da530a07a8536cd97a273716ac420983b6d5c5
|
4
|
+
data.tar.gz: 096e65bcf25b0a075c86f759ff8d96c1ac74e1e0
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bb74672142accc67af59a6f4af54b7984e2e7ef72649c5cc089bf55702c9c7fb6443b4c07adcffce8ed8a78b9bb928c557c674fd1ca6b08587c146a4ecbc05fc
|
7
|
+
data.tar.gz: 2e5de1659867d6308c2987eb05dddda217ac9165d81e70b1fb036d8b4d2dbc8832dd24fa4c21c1b189935b9b941face1144cce62191af2a8be9cc42a0cc51de2
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/.travis.yml
CHANGED
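--- a/data/UPGRADING.md
+++ b/data/UPGRADING.md
@@ -1,3 +1,21 @@
+# Guide to upgrading from 2.x to 3.x
+
+Pull request #73 allows for compatibility with `attr_encrypted` 2.0. This version changes many of the defaults which must be taken into account to avoid corrupted OTP secrets on your model.
+
+Due to new security practices in `attr_encrypted` an encryption key with insufficient length will cause an error. If you run into this, you may set `insecure_mode: true` in the `attr_encrypted` options.
+
+You should initially add compatibility by specifying the `attr_encrypted` attribute in your model (`User` for these examples) with the old default encryption algorithm before invoking `devise :two_factor_authenticatable`:
+```ruby
+class User < ActiveRecord::Base
+attr_encrypted :otp_secret,
+:key => self.otp_secret_encryption_key,
+:mode => :per_attribute_iv_and_salt,
+:algorithm => 'aes-256-cbc'
+
+devise :two_factor_authenticatable,
+:otp_secret_encryption_key => ENV['DEVISE_TWO_FACTOR_ENCRYPTION_KEY']
+```
+
 # Guide to upgrading from 1.x to 2.x
 
 Pull request #43 added a new field to protect against "shoulder-surfing" attacks. If upgrading, you'll need to add the `:consumed_timestep` column to your `Users` model.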
data/devise-two-factor.gemspec
CHANGED
@@ -26,7 +26,7 @@ Gem::Specification.new do |s|
|
|
26
26
|
|
27
27
|
s.add_runtime_dependency 'railties'
|
28
28
|
s.add_runtime_dependency 'activesupport'
|
29
|
-
s.add_runtime_dependency 'attr_encrypted', '
|
29
|
+
s.add_runtime_dependency 'attr_encrypted', '>= 1.3', '< 4'
|
30
30
|
s.add_runtime_dependency 'devise', '~> 3.5'
|
31
31
|
s.add_runtime_dependency 'rotp', '~> 2.0'
|
32
32
|
|
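Review bot: The new constraint `'>= 1.3', '< 4'` on line 29 spans three major versions of attr_encrypted, and the model code elsewhere in this release declares `attr_encrypted :otp_secret` without an explicit `:algorithm`, so the cipher protecting stored OTP secrets is decided by whichever version Bundler resolves rather than by this gem. A one-line comment above the dependency would make that explicit, e.g. `# attr_encrypted >= 2.0 changes the default mode/algorithm; see UPGRADING.md before widening or bumping`. The accompanying UPGRADING.md section is titled "upgrading from 2.x to 3.x" while metadata ships this release as 2.2.0, and its `class User` example has no closing `end`; both are worth fixing in the same release. The `Gem::Specification.new` block starts above the hunk.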
data/lib/devise-two-factor.rb
CHANGED
@@ -5,7 +5,7 @@ require 'devise_two_factor/strategies'
|
|
5
5
|
module Devise
|
6
6
|
# The length of generated OTP secrets
|
7
7
|
mattr_accessor :otp_secret_length
|
8
|
-
@@otp_secret_length =
|
8
|
+
@@otp_secret_length = 24
|
9
9
|
|
10
10
|
# The number of seconds before and after the current
|
11
11
|
# time for which codes will be accepted
|
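Review bot: The default on line 8, `@@otp_secret_length = 24`, is a bare number and the comment on line 6 does not say what unit it is in, so a reader cannot tell whether it counts Base32 characters or bytes of entropy; I'd extend the comment to `# The length of generated OTP secrets (presumably Base32 characters; confirm against generate_otp_secret)`. If the previous default was different (the removed line is truncated on this page), that change alters what newly generated secrets look like and belongs in UPGRADING.md next to the attr_encrypted notes. The `Devise` module continues outside the hunk.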
@@ -8,8 +8,15 @@ module Devise
|
|
8
8
|
include Devise::Models::DatabaseAuthenticatable
|
9
9
|
|
10
10
|
included do
|
11
|
-
|
12
|
-
|
11
|
+
unless singleton_class.ancestors.include?(AttrEncrypted)
|
12
|
+
extend AttrEncrypted
|
13
|
+
end
|
14
|
+
|
15
|
+
unless attr_encrypted?(:otp_secret)
|
16
|
+
attr_encrypted :otp_secret,
|
17
|
+
:key => self.otp_secret_encryption_key,
|
18
|
+
:mode => :per_attribute_iv_and_salt unless self.attr_encrypted?(:otp_secret)
|
19
|
+
end
|
13
20
|
|
14
21
|
attr_accessor :otp_attempt
|
15
22
|
end
|
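Review bot: The modifier `unless self.attr_encrypted?(:otp_secret)` at the end of line 18 repeats the enclosing guard `unless attr_encrypted?(:otp_secret)` on line 15, so the inner check can never evaluate true; drop the modifier and end the call at `:mode => :per_attribute_iv_and_salt`. Because the call passes no `:algorithm`, the cipher, IV handling and key-length rules applied to `otp_secret` come from whichever attr_encrypted version is installed within the gemspec's new `'>= 1.3', '< 4'` range, which is exactly the situation UPGRADING.md warns about; the fallback branch should say so, e.g. `# Fallback only: apps should declare attr_encrypted :otp_secret themselves (see UPGRADING.md) so the algorithm stays pinned across attr_encrypted upgrades`. The `singleton_class.ancestors.include?(AttrEncrypted)` test on line 11 can be written `singleton_class.include?(AttrEncrypted)`. The `included do` block sits entirely inside the hunk, but the enclosing module starts above it.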
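--- a/data/spec/devise/models/two_factor_authenticatable_spec.rb
+++ b/data/spec/devise/models/two_factor_authenticatable_spec.rb
@@ -8,7 +8,32 @@ class TwoFactorAuthenticatableDouble
 
 define_model_callbacks :update
 
-devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'
+devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'*4
+
+attr_accessor :consumed_timestep
+
+def save(validate)
+# noop for testing
+true
+end
+end
+
+class TwoFactorAuthenticatableWithCustomizeAttrEncryptedDouble
+extend ::ActiveModel::Callbacks
+include ::ActiveModel::Validations::Callbacks
+
+# like https://github.com/tinfoil/devise-two-factor/blob/cf73e52043fbe45b74d68d02bc859522ad22fe73/UPGRADING.md#guide-to-upgrading-from-2x-to-3x
+extend ::AttrEncrypted
+attr_encrypted :otp_secret,
+:key => 'test-key'*8,
+:mode => :per_attribute_iv_and_salt,
+:algorithm => 'aes-256-cbc'
+
+extend ::Devise::Models
+
+define_model_callbacks :update
+
+devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'*4
 
 attr_accessor :consumed_timestep
 
@@ -25,3 +50,30 @@ describe ::Devise::Models::TwoFactorAuthenticatable do
 it_behaves_like 'two_factor_authenticatable'
 end
 end
+
+describe ::Devise::Models::TwoFactorAuthenticatable do
+context 'When included in a class' do
+subject { TwoFactorAuthenticatableWithCustomizeAttrEncryptedDouble.new }
+
+it_behaves_like 'two_factor_authenticatable'
+
+before :each do
+subject.otp_secret = subject.class.generate_otp_secret
+subject.consumed_timestep = nil
+end
+
+describe 'otp_secret options' do
+it 'should be of the key' do
+expect(subject.encrypted_attributes[:otp_secret][:key]).to eq('test-key'*8)
+end
+
+it 'should be of the mode' do
+expect(subject.encrypted_attributes[:otp_secret][:mode]).to eq(:per_attribute_iv_and_salt)
+end
+
+it 'should be of the mode' do
+expect(subject.encrypted_attributes[:otp_secret][:algorithm]).to eq('aes-256-cbc')
+end
+end
+end
+end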
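Review bot: The example on line 74 is titled `'should be of the mode'` exactly like the one on line 70 but asserts `[:algorithm]`, so a failure report would name the wrong expectation; rename it `it 'should be of the algorithm' do`. The test keys are multiplied to 32 and 64 bytes on lines 11, 28 and 36 (and in two_factor_backupable_spec.rb) without saying why; a comment such as `# 32-byte key: newer attr_encrypted rejects short keys unless insecure_mode is set (see UPGRADING.md)` would stop the next maintainer from shortening them back. `def save(validate)` on line 15 ignores its argument; `def save(_validate)` signals that intent. The second `describe` block on lines 54-79 duplicates the first block's `subject`/`before` setup, which could move into a `shared_context`, though that is cosmetic.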
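--- a/data/spec/devise/models/two_factor_backupable_spec.rb
+++ b/data/spec/devise/models/two_factor_backupable_spec.rb
@@ -9,7 +9,7 @@ class TwoFactorBackupableDouble
 define_model_callbacks :update
 
 devise :two_factor_authenticatable, :two_factor_backupable,
-:otp_secret_encryption_key => 'test-key'
+:otp_secret_encryption_key => 'test-key'*4
 
 attr_accessor :otp_backup_codes
 end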
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: devise-two-factor
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Shane Wilton
|
@@ -84,7 +84,7 @@ cert_chain:
|
|
84
84
|
5C31v4YyRBnNCp0pN66nxYX2avEiQ8riTBP5mlkPPOhsIoYQHHe2Uj75aVpu0LZ3
|
85
85
|
cdFzuO4GC1dV0Wv+dsDm+MyF7DT5E9pUPXpnMJuPvPrFpCb+wrFlszW9hGjXbQ==
|
86
86
|
-----END CERTIFICATE-----
|
87
|
-
date: 2016-
|
87
|
+
date: 2016-05-11 00:00:00.000000000 Z
|
88
88
|
dependencies:
|
89
89
|
- !ruby/object:Gem::Dependency
|
90
90
|
name: railties
|
@@ -118,16 +118,22 @@ dependencies:
|
|
118
118
|
name: attr_encrypted
|
119
119
|
requirement: !ruby/object:Gem::Requirement
|
120
120
|
requirements:
|
121
|
-
- - "
|
121
|
+
- - ">="
|
122
122
|
- !ruby/object:Gem::Version
|
123
123
|
version: '1.3'
|
124
|
+
- - "<"
|
125
|
+
- !ruby/object:Gem::Version
|
126
|
+
version: '4'
|
124
127
|
type: :runtime
|
125
128
|
prerelease: false
|
126
129
|
version_requirements: !ruby/object:Gem::Requirement
|
127
130
|
requirements:
|
128
|
-
- - "
|
131
|
+
- - ">="
|
129
132
|
- !ruby/object:Gem::Version
|
130
133
|
version: '1.3'
|
134
|
+
- - "<"
|
135
|
+
- !ruby/object:Gem::Version
|
136
|
+
version: '4'
|
131
137
|
- !ruby/object:Gem::Dependency
|
132
138
|
name: devise
|
133
139
|
requirement: !ruby/object:Gem::Requirement
|
@@ -293,7 +299,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
293
299
|
version: '0'
|
294
300
|
requirements: []
|
295
301
|
rubyforge_project: devise-two-factor
|
296
|
-
rubygems_version: 2.
|
302
|
+
rubygems_version: 2.6.3
|
297
303
|
signing_key:
|
298
304
|
specification_version: 4
|
299
305
|
summary: Barebones two-factor authentication with Devise
|
metadata.gz.sig
CHANGED
Binary file
|