devise-two-factor 2.1.0 → 2.2.0
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.travis.yml +1 -2
- data/UPGRADING.md +18 -0
- data/devise-two-factor.gemspec +1 -1
- data/lib/devise-two-factor.rb +1 -1
- data/lib/devise_two_factor/models/two_factor_authenticatable.rb +9 -2
- data/lib/devise_two_factor/version.rb +1 -1
- data/spec/devise/models/two_factor_authenticatable_spec.rb +53 -1
- data/spec/devise/models/two_factor_backupable_spec.rb +1 -1
- metadata +11 -5
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 49da530a07a8536cd97a273716ac420983b6d5c5
|
4
|
+
data.tar.gz: 096e65bcf25b0a075c86f759ff8d96c1ac74e1e0
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bb74672142accc67af59a6f4af54b7984e2e7ef72649c5cc089bf55702c9c7fb6443b4c07adcffce8ed8a78b9bb928c557c674fd1ca6b08587c146a4ecbc05fc
|
7
|
+
data.tar.gz: 2e5de1659867d6308c2987eb05dddda217ac9165d81e70b1fb036d8b4d2dbc8832dd24fa4c21c1b189935b9b941face1144cce62191af2a8be9cc42a0cc51de2
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/.travis.yml
CHANGED
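--- a/data/UPGRADING.md
+++ b/data/UPGRADING.md
@@ -1,3 +1,21 @@
+# Guide to upgrading from 2.x to 3.x
+
+Pull request #73 allows for compatibility with `attr_encrypted` 2.0. This version changes many of the defaults which must be taken into account to avoid corrupted OTP secrets on your model.
+
+Due to new security practices in `attr_encrypted` an encryption key with insufficient length will cause an error. If you run into this, you may set `insecure_mode: true` in the `attr_encrypted` options.
+
+You should initially add compatibility by specifying the `attr_encrypted` attribute in your model (`User` for these examples) with the old default encryption algorithm before invoking `devise :two_factor_authenticatable`:
+```ruby
+class User < ActiveRecord::Base
+attr_encrypted :otp_secret,
+:key => self.otp_secret_encryption_key,
+:mode => :per_attribute_iv_and_salt,
+:algorithm => 'aes-256-cbc'
+
+devise :two_factor_authenticatable,
+:otp_secret_encryption_key => ENV['DEVISE_TWO_FACTOR_ENCRYPTION_KEY']
+```
+
 # Guide to upgrading from 1.x to 2.x
 
 Pull request #43 added a new field to protect against "shoulder-surfing" attacks. If upgrading, you'll need to add the `:consumed_timestep` column to your `Users` model.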
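--- a/data/devise-two-factor.gemspec
+++ b/data/devise-two-factor.gemspec
@@ -26,7 +26,7 @@ Gem::Specification.new do |s|
 
 s.add_runtime_dependency 'railties'
 s.add_runtime_dependency 'activesupport'
-s.add_runtime_dependency 'attr_encrypted', '
+s.add_runtime_dependency 'attr_encrypted', '>= 1.3', '< 4'
 s.add_runtime_dependency 'devise', '~> 3.5'
 s.add_runtime_dependency 'rotp', '~> 2.0'
 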
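--- a/data/lib/devise-two-factor.rb
+++ b/data/lib/devise-two-factor.rb
@@ -5,7 +5,7 @@ require 'devise_two_factor/strategies'
 module Devise
 # The length of generated OTP secrets
 mattr_accessor :otp_secret_length
-@@otp_secret_length =
+@@otp_secret_length = 24
 
 # The number of seconds before and after the current
 # time for which codes will be accepted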
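Review bot: The default for the public `Devise.otp_secret_length` accessor changes to 24 on new line 8, but neither the commit nor the comment on line 6 says why, or in what unit the length is measured, and the page truncates the removed line so the previous default is not visible here. Because this is a `mattr_accessor`, every application that did not override it will start generating secrets of a different length after upgrading, which is worth stating next to the value. I would extend the comment on line 6 to something like `# The length of generated OTP secrets (default raised to 24 in 2.2.0; override via Devise.otp_secret_length)`, with the unit added once it is confirmed from the generator this value feeds. The `module Devise` body continues outside the hunk.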
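--- a/data/lib/devise_two_factor/models/two_factor_authenticatable.rb
+++ b/data/lib/devise_two_factor/models/two_factor_authenticatable.rb
@@ -8,8 +8,15 @@ module Devise
 include Devise::Models::DatabaseAuthenticatable
 
 included do
-
-
+unless singleton_class.ancestors.include?(AttrEncrypted)
+extend AttrEncrypted
+end
+
+unless attr_encrypted?(:otp_secret)
+attr_encrypted :otp_secret,
+:key => self.otp_secret_encryption_key,
+:mode => :per_attribute_iv_and_salt unless self.attr_encrypted?(:otp_secret)
+end
 
 attr_accessor :otp_attempt
 end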
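Review bot: The trailing `unless self.attr_encrypted?(:otp_secret)` on new line 18 is redundant — it is a modifier on the same `attr_encrypted :otp_secret, ...` call that the `unless attr_encrypted?(:otp_secret)` block opened on line 15 already guards, so line 18 should simply read `:mode => :per_attribute_iv_and_salt`. Separately, the call fixes `:key` and `:mode` but leaves `:algorithm` to attr_encrypted's default, and with the gemspec now accepting attr_encrypted `>= 1.3, < 4` that default is whatever the resolved gem version chooses; the new UPGRADING.md in this same release says those defaults changed and that a mismatch corrupts stored OTP secrets. A comment above line 16 should make the contract explicit, for example `# :algorithm is deliberately not set here; an app that must keep existing secrets decryptable across an attr_encrypted upgrade declares its own attr_encrypted :otp_secret (with :algorithm) before devise :two_factor_authenticatable, and the guard above leaves that declaration untouched`. The `included do` block is complete within the hunk; the enclosing module is not.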
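--- a/data/spec/devise/models/two_factor_authenticatable_spec.rb
+++ b/data/spec/devise/models/two_factor_authenticatable_spec.rb
@@ -8,7 +8,32 @@ class TwoFactorAuthenticatableDouble
 
 define_model_callbacks :update
 
-devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'
+devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'*4
+
+attr_accessor :consumed_timestep
+
+def save(validate)
+# noop for testing
+true
+end
+end
+
+class TwoFactorAuthenticatableWithCustomizeAttrEncryptedDouble
+extend ::ActiveModel::Callbacks
+include ::ActiveModel::Validations::Callbacks
+
+# like https://github.com/tinfoil/devise-two-factor/blob/cf73e52043fbe45b74d68d02bc859522ad22fe73/UPGRADING.md#guide-to-upgrading-from-2x-to-3x
+extend ::AttrEncrypted
+attr_encrypted :otp_secret,
+:key => 'test-key'*8,
+:mode => :per_attribute_iv_and_salt,
+:algorithm => 'aes-256-cbc'
+
+extend ::Devise::Models
+
+define_model_callbacks :update
+
+devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'*4
 
 attr_accessor :consumed_timestep
 
@@ -25,3 +50,30 @@ describe ::Devise::Models::TwoFactorAuthenticatable do
 it_behaves_like 'two_factor_authenticatable'
 end
 end
+
+describe ::Devise::Models::TwoFactorAuthenticatable do
+context 'When included in a class' do
+subject { TwoFactorAuthenticatableWithCustomizeAttrEncryptedDouble.new }
+
+it_behaves_like 'two_factor_authenticatable'
+
+before :each do
+subject.otp_secret = subject.class.generate_otp_secret
+subject.consumed_timestep = nil
+end
+
+describe 'otp_secret options' do
+it 'should be of the key' do
+expect(subject.encrypted_attributes[:otp_secret][:key]).to eq('test-key'*8)
+end
+
+it 'should be of the mode' do
+expect(subject.encrypted_attributes[:otp_secret][:mode]).to eq(:per_attribute_iv_and_salt)
+end
+
+it 'should be of the mode' do
+expect(subject.encrypted_attributes[:otp_secret][:algorithm]).to eq('aes-256-cbc')
+end
+end
+end
+end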
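Review bot: The third example in the `'otp_secret options'` group (second hunk, new line 74) reuses the description `'should be of the mode'` although its expectation on line 75 checks `[:algorithm]`, so a failing algorithm assertion would be reported under the mode example's name; change line 74 to `it 'should be of the algorithm' do`. In the first hunk the key literals `'test-key'*4` (lines 11 and 36) and `'test-key'*8` (line 28) are repeated with no explanation; they are presumably sized to satisfy the key-length check that UPGRADING.md mentions, and the `*8` value is the one the `'should be of the key'` example asserts wins over the `devise` option, so a one-line comment at line 27 such as `# declared before devise so the model's own key/mode/algorithm take precedence` would spare the next reader the cross-reference. The first `TwoFactorAuthenticatableDouble` class starts before the first hunk.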
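--- a/data/spec/devise/models/two_factor_backupable_spec.rb
+++ b/data/spec/devise/models/two_factor_backupable_spec.rb
@@ -9,7 +9,7 @@ class TwoFactorBackupableDouble
 define_model_callbacks :update
 
 devise :two_factor_authenticatable, :two_factor_backupable,
-:otp_secret_encryption_key => 'test-key'
+:otp_secret_encryption_key => 'test-key'*4
 
 attr_accessor :otp_backup_codes
 end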
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: devise-two-factor
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Shane Wilton
|
@@ -84,7 +84,7 @@ cert_chain:
|
|
84
84
|
5C31v4YyRBnNCp0pN66nxYX2avEiQ8riTBP5mlkPPOhsIoYQHHe2Uj75aVpu0LZ3
|
85
85
|
cdFzuO4GC1dV0Wv+dsDm+MyF7DT5E9pUPXpnMJuPvPrFpCb+wrFlszW9hGjXbQ==
|
86
86
|
-----END CERTIFICATE-----
|
87
|
-
date: 2016-
|
87
|
+
date: 2016-05-11 00:00:00.000000000 Z
|
88
88
|
dependencies:
|
89
89
|
- !ruby/object:Gem::Dependency
|
90
90
|
name: railties
|
@@ -118,16 +118,22 @@ dependencies:
|
|
118
118
|
name: attr_encrypted
|
119
119
|
requirement: !ruby/object:Gem::Requirement
|
120
120
|
requirements:
|
121
|
-
- - "
|
121
|
+
- - ">="
|
122
122
|
- !ruby/object:Gem::Version
|
123
123
|
version: '1.3'
|
124
|
+
- - "<"
|
125
|
+
- !ruby/object:Gem::Version
|
126
|
+
version: '4'
|
124
127
|
type: :runtime
|
125
128
|
prerelease: false
|
126
129
|
version_requirements: !ruby/object:Gem::Requirement
|
127
130
|
requirements:
|
128
|
-
- - "
|
131
|
+
- - ">="
|
129
132
|
- !ruby/object:Gem::Version
|
130
133
|
version: '1.3'
|
134
|
+
- - "<"
|
135
|
+
- !ruby/object:Gem::Version
|
136
|
+
version: '4'
|
131
137
|
- !ruby/object:Gem::Dependency
|
132
138
|
name: devise
|
133
139
|
requirement: !ruby/object:Gem::Requirement
|
@@ -293,7 +299,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
293
299
|
version: '0'
|
294
300
|
requirements: []
|
295
301
|
rubyforge_project: devise-two-factor
|
296
|
-
rubygems_version: 2.
|
302
|
+
rubygems_version: 2.6.3
|
297
303
|
signing_key:
|
298
304
|
specification_version: 4
|
299
305
|
summary: Barebones two-factor authentication with Devise
|
metadata.gz.sig
CHANGED
Binary file
|