devise-two-factor 4.1.1 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 787116f2d8fd1e2ef5a6e663c0a3ed5a65ca6110a491f44d2de5eb1a985da516
-  data.tar.gz: f379bef9da0239c3697fe14dad33ba6c662ecfd2b6bcc3ab54fb184f75a970d4
+  metadata.gz: f0f81d936ba021c504827ebf9a6faa199f7a0a8f714fee2d9ce6d48acbde423b
+  data.tar.gz: 38bf04b9361f64618c84081c5ce5436f523f8476c625b91b92cfba8e56e2cd5c
 SHA512:
-  metadata.gz: 23b55432e9df42fa8723db98cd38abe641656ed05ce6f5d9e5d7ee1a1179624ba7212209c460a7ff4b16d4f14347b11c69750d795e7ff9f56513e93af651c619
-  data.tar.gz: ce784140d65f12c6e46a51d86ed8e97edc6b98e706f276160e67f95bccf615c308a5cf273bd54ad71788b61e5dac92f9676c4e67ebfdd81c83584fa71e0bb509
+  metadata.gz: 54b62797c0194f8a3dc04f4594db384bdf6421eaf35707b7a35a39dc3993348790f1544e24d9d013885a7569a4c2381f938037626c26bf054ca00fe02bc46026
+  data.tar.gz: 2c24d3d5e822151f323ba27efb915ad44a33be2a20b95b3decad88facf34c68a70bbf471b1d748bd2c2498a088b5ddc0fb333486d467eb9865dd3f6aa941694c

data/.github/workflows/ci.yml

@@ -12,23 +12,8 @@ jobs:
       fail-fast: false
       matrix:
         # Due to https://github.com/actions/runner/issues/849, we should quote versions
-        ruby: ['2.3', '2.4', '2.5', '2.6', '2.7', '3.0', 'truffleruby-head']
-        rails: ['4.1', '4.2', '5.0', '5.1', '5.2', '6.0', '6.1', '7.0']
-        exclude:
-          - { ruby: '2.3', rails: '7.0' }
-          - { ruby: '2.4', rails: '7.0' }
-          - { ruby: '2.5', rails: '7.0' }
-          - { ruby: '2.6', rails: '7.0' }
-          - { ruby: '2.3', rails: '6.0' }
-          - { ruby: '2.3', rails: '6.1' }
-          - { ruby: '2.4', rails: '6.0' }
-          - { ruby: '2.4', rails: '6.1' }
-          - { ruby: '2.7', rails: '4.1' }
-          - { ruby: '2.7', rails: '4.2' }
-          - { ruby: '3.0', rails: '4.1' }
-          - { ruby: '3.0', rails: '4.2' }
-          - { ruby: 'truffleruby-head', rails: '4.1' }
-          - { ruby: 'truffleruby-head', rails: '4.2' }
+        ruby: ['2.7', '3.0', '3.1', 'truffleruby-head']
+        rails: ['7.0']
 
     name: Ruby ${{ matrix.ruby }}, Rails ${{ matrix.rails }}
     env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps

data/README.md

@@ -19,79 +19,80 @@ An example Rails 4 application is provided in the `demo` directory. It showcases
 For the demo app to work, create an encryption key and store it as an environment variable. One way to do this is to create a file named `local_env.yml` in the application root. Set the value of `ENCRYPTION_KEY` in the YML file. That value will be loaded into the application environment by `application.rb`.
 
 ## Getting Started
-Devise-Two-Factor doesn't require much to get started, but there are a few prerequisites before you can start using it in your application.
 
-First, you'll need a Rails application setup with Devise. Visit the Devise [homepage](https://github.com/plataformatec/devise) for instructions.
+Devise-Two-Factor doesn't require much to get started, but there are two prerequisites before you can start using it in your application:
 
-You can add Devise-Two-Factor to your Gemfile with:
+1. A Rails application with [devise](https://github.com/heartcombo/devise) installed
+1. Secrets configured for ActiveRecord encrypted attributes
 
-```ruby
-gem 'devise-two-factor'
-```
+First, you'll need a Rails application setup with Devise. Visit the Devise [homepage](https://github.com/plataformatec/devise) for instructions.
 
-Next, since Devise-Two-Factor encrypts its secrets before storing them in the database, you'll need to generate an encryption key, and store it in an environment variable of your choice. Set the encryption key in the model that uses Devise:
+Devise-Two-Factor uses [ActiveRecord encrypted attributes](https://edgeguides.rubyonrails.org/active_record_encryption.html) which in turn uses Rails' encrypted credentials. [The Rails encrypted attributes guide](https://edgeguides.rubyonrails.org/active_record_encryption.html) has full details of how to set these up but briefly:
 
-```ruby
-  devise :two_factor_authenticatable,
-         :otp_secret_encryption_key => ENV['YOUR_ENCRYPTION_KEY_HERE']
+```bash
+# generate suitable encryption secrets to stdout
+$ ./bin/rails db:encryption:init
 
+# Add the output from the command above to your encrypted credentials file via
+# Setting the EDITOR environment variable is optional, without it, your default editor will open
+$ EDITOR=code ./bin/rails credentials:edit
 ```
 
-Finally, you can automate all of the required setup by simply running:
+Add Devise-Two-Factor to your Gemfile with:
 
 ```ruby
-rails generate devise_two_factor MODEL ENVIRONMENT_VARIABLE
-```
-
-Where `MODEL` is the name of the model you wish to add two-factor functionality to (for example `user`), and `ENVIRONMENT_VARIABLE` is the name of the variable you're storing your encryption key in.
-
-This generator will add a few columns to the specified model:
-
-* encrypted_otp_secret
-* encrypted_otp_secret_iv
-* encrypted_otp_secret_salt
-* consumed_timestep
-* otp_required_for_login
-
-Remember to apply the new migration.
+# Gemfile
 
-```ruby
-bundle exec rake db:migrate
+gem 'devise-two-factor'
 ```
 
-It also adds the `:two_factor_authenticatable` directive to your model, and sets up your encryption key. If present, it will remove `:database_authenticatable` from the model, as the two strategies are incompatible. Lastly, the generator will add a Warden config block to your Devise initializer, which enables the strategies required for two-factor authentication.
+There is a generator which automates most of the setup:
 
-If you're running Rails 3, or do not have strong parameters enabled, the generator will also setup the required mass-assignment security options in your model.
+```bash
+# MODEL is the name of the model you wish to configure devise_two_factor e.g. User or Admin
+./bin/rails generate devise_two_factor MODEL
+```
 
-If you're running Rails 4, you'll also need to whitelist `:otp_attempt` as a permitted parameter in Devise `:sign_in` controller. You can do this by adding the following to your `application_controller.rb`:
+Where `MODEL` is the name of the model you wish to add two-factor functionality to (for example `user`)
 
-```ruby
-before_action :configure_permitted_parameters, if: :devise_controller?
+This generator will:
 
-...
+1. Create a new migration which adds a few columns to the specified model:
+    ```ruby
+    add_column :users, :otp_secret, :string
+    add_column :users, :consumed_timestep, :integer
+    add_column :users, :otp_required_for_login, :boolean
+    ```
+1. Edit `app/models/MODEL.rb` (where MODEL is your model name):
+    * add the `:two_factor_authenticatable` devise module
+    * remove the `:database_authenticatable` if present because it is incompatible with `:two_factor_authenticatable`
+1. Add a Warden config block to your Devise initializer, which enables the strategies required for two-factor authentication.
 
-protected
+Remember to apply the new migration after you run the generator:
 
-def configure_permitted_parameters
-  devise_parameter_sanitizer.for(:sign_in) << :otp_attempt
-end
+```bash
+./bin/rails db:migrate
 ```
 
-If you're running Devise 4.0.0 or above, you'll want to use `.permit` instead:
+Next you need to whitelist `:otp_attempt` as a permitted parameter in Devise `:sign_in` controller. You can do this by adding the following to your `application_controller.rb`:
 
 ```ruby
-before_action :configure_permitted_parameters, if: :devise_controller?
+# app/controllers/application_controller.rb
 
-...
+  before_action :configure_permitted_parameters, if: :devise_controller?
 
-protected
+  # ...
 
-def configure_permitted_parameters
-  devise_parameter_sanitizer.permit(:sign_in, keys: [:otp_attempt])
-end
+  protected
+
+  def configure_permitted_parameters
+    devise_parameter_sanitizer.permit(:sign_in, keys: [:otp_attempt])
+  end
 ```
 
-**After running the generator, verify that `:database_authenticatable` is not being loaded by your model. The generator will try to remove it, but if you have a non-standard Devise setup, this step may fail. Loading both `:database_authenticatable` and `:two_factor_authenticatable` in a model will allow users to bypass two-factor authenticatable due to the way Warden handles cascading strategies.**
+Finally you should verify that `:database_authenticatable` is **not** being loaded by your model. The generator will try to remove it, but if you have a non-standard Devise setup, this step may fail.
+
+**Loading both `:database_authenticatable` and `:two_factor_authenticatable` in a model is a security issue** It will allow users to bypass two-factor authenticatable due to the way Warden handles cascading strategies!
 
 ## Designing Your Workflow
 Devise-Two-Factor only worries about the backend, leaving the details of the integration up to you. This means that you're responsible for building the UI that drives the gem. While there is an example Rails application included in the gem, it is important to remember that this gem is intentionally very open-ended, and you should build a user experience which fits your individual application.

data/UPGRADING.md

@@ -1,3 +1,196 @@
+# Upgrading from 4.x to 5.x
+
+## Background
+
+### Database columns in version 4.x and older
+
+Versions 4.x and older stored the OTP secret in an attribute called `encrypted_otp_secret` using the [attr_encrypted](https://github.com/attr-encrypted/attr_encrypted) gem. This gem is currently unmaintained which is part of the motivation for moving to Rails encrypted attributes. This attribute was backed by three database columns:
+
+```
+encrypted_otp_secret
+encrypted_otp_secret_iv
+encrypted_otp_secret_salt
+```
+
+Two other columns were also created:
+
+```
+consumed_timestep
+otp_required_for_login
+```
+
+A fresh install of 4.x would create all five of the database columns above.
+
+### Database columns in version 5.x and later
+
+Versions 5+ of this gem uses a single [Rails 7+ encrypted attribute](https://edgeguides.rubyonrails.org/active_record_encryption.html) named `otp_secret`to store the OTP secret in the database table (usually `users` but will be whatever model you picked).
+
+A fresh install of 5+ will add the following columns to your `users` table:
+
+```bash
+otp_secret # this replaces encrypted_otp_secret, encrypted_otp_secret_iv, encrypted_otp_secret_salt
+consumed_timestep
+otp_required_for_login
+```
+
+### Upgrading from 4.x to 5.x
+
+
+We have attempted to make the upgrade as painless as possible but unfortunately because of the secret storage change, it cannot be as simple as `bundle update devise-two-factor` :heart:
+
+#### Assumptions
+
+This guide assumes you are upgrading an existing Rails 6 app (with `devise` and `devise-two-factor`) to Rails 7.
+
+This gem must be upgraded **as part of a Rails 7 upgrade**. See [the official Rails upgrading guide](https://guides.rubyonrails.org/upgrading_ruby_on_rails.html) for an overview of upgrading Rails.
+
+#### Phase 1: Upgrading devise-two-factor as part of Rails 7 upgrade
+
+1. Update the version constraint for Rails in your `Gemfile` to your desired version e.g. `gem "rails", "~> 7.0.3"`
+1. Run `bundle install` and resolve any issues with dependencies.
+1. Update the version constraint for `devise-two-factor` in your `Gemfile` to the the latest version (must be at least 5.x e.g. `~> 5.0`
+1. Run `./bin/rails app:update` as per the [Rails upgrade guide](https://guides.rubyonrails.org/upgrading_ruby_on_rails.html) and tweak the output as required for your app.
+1. Run `./bin/rails db:migrate` to update your DB based on the changes made by `app:update`
+1. Add a new `otp_secret` attribute to your user model
+    ```bash
+    # TODO: replace 'User' in the migration name with the name of your user model
+    ./bin/rails g migration AddOtpSecretToUser otp_secret:string
+    ./bin/rails db:migrate
+    ```
+1. Add a `legacy_otp_secret` method to your user model e.g. `User`.
+  * This method is used by the gem to find and decode the OTP secret from the legacy database columns.
+  * The implementation shown below works if you set up devise-two-factor with the settings suggested in the [README](./README.md).
+  * If you have customised the encryption scheme used to store the OTP secret then you will need to update this method to match.
+  * If you are unsure, you should try the method below as is, and if you can still sign in users with OTP enabled then all is well.
+    ```ruby
+    class User
+      # ...
+
+      private
+
+      ##
+      # Decrypt and return the `encrypted_otp_secret` attribute which was used in
+      # prior versions of devise-two-factor
+      # @return [String] The decrypted OTP secret
+      def legacy_otp_secret
+        return nil unless self[:encrypted_otp_secret]
+        return nil unless self.class.otp_secret_encryption_key
+
+        hmac_iterations = 2000 # a default set by the Encryptor gem
+        key = self.class.otp_secret_encryption_key
+        salt = Base64.decode64(encrypted_otp_secret_salt)
+        iv = Base64.decode64(encrypted_otp_secret_iv)
+
+        raw_cipher_text = Base64.decode64(encrypted_otp_secret)
+        # The last 16 bytes of the ciphertext are the authentication tag - we use
+        # Galois Counter Mode which is an authenticated encryption mode
+        cipher_text = raw_cipher_text[0..-17]
+        auth_tag =  raw_cipher_text[-16..-1]
+
+        # this alrorithm lifted from
+        # https://github.com/attr-encrypted/encryptor/blob/master/lib/encryptor.rb#L54
+
+        # create an OpenSSL object which will decrypt the AES cipher with 256 bit
+        # keys in Galois Counter Mode (GCM). See
+        # https://ruby.github.io/openssl/OpenSSL/Cipher.html
+        cipher = OpenSSL::Cipher.new('aes-256-gcm')
+
+        # tell the cipher we want to decrypt. Symmetric algorithms use a very
+        # similar process for encryption and decryption, hence the same object can
+        # do both.
+        cipher.decrypt
+
+        # Use a Password-Based Key Derivation Function to generate the key actually
+        # used for encryptoin from the key we got as input.
+        cipher.key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(key, salt, hmac_iterations, cipher.key_len)
+
+        # set the Initialization Vector (IV)
+        cipher.iv = iv
+
+        # The tag must be set after calling Cipher#decrypt, Cipher#key= and
+        # Cipher#iv=, but before calling Cipher#final. After all decryption is
+        # performed, the tag is verified automatically in the call to Cipher#final.
+        #
+        # If the auth_tag does not verify, then #final will raise OpenSSL::Cipher::CipherError
+        cipher.auth_tag = auth_tag
+
+        # auth_data must be set after auth_tag has been set when decrypting See
+        # http://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-auth_data-3D
+        # we are not adding any authenticated data but OpenSSL docs say this should
+        # still be called.
+        cipher.auth_data = ''
+
+        # #update is (somewhat confusingly named) the method which actually
+        # performs the decryption on the given chunk of data. Our OTP secret is
+        # short so we only need to call it once.
+        #
+        # It is very important that we call #final because:
+        #
+        # 1. The authentication tag is checked during the call to #final
+        # 2. Block based cipher modes (e.g. CBC) work on fixed size chunks. We need
+        #    to call #final to get it to process the last chunk properly. The output
+        #    of #final should be appended to the decrypted value. This isn't
+        #    required for streaming cipher modes but including it is a best practice
+        #    so that your code will continue to function correctly even if you later
+        #    change to a block cipher mode.
+        cipher.update(cipher_text) + cipher.final
+      end
+    end
+    ```
+2. Set up [Rails encrypted secrets](https://edgeguides.rubyonrails.org/active_record_encryption.html)
+    ```bash
+    ./bin/rails db:encryption:init
+    # capture the output and put in encrypted credentials via
+    ./bin/rails credentials:edit
+    ```
+3. Complete your Rails 7 upgrade (making whatever other changes are required)
+
+You can now deploy your upgraded application and devise-two-factor should work as before.
+
+This gem will fall back to **reading** the OTP secret from the legacy columns if it cannot find one in the new `otp_secret` column. When you **write** a new OTP secret it will always be written to the new `otp_secret` column.
+
+#### Phase 2: Clean up
+
+This "clean up" phase can happen at the same time as your initial deployment but teams managing existing apps will likely want to do clean-up as separate, later deployments.
+
+1. Create a rake task to copy the OTP secret for each user from the legacy column to the new `otp_secret` column. This prepares the way for us to remove the legacy columns in a later step.
+    ```ruby
+    # lib/tasks/devise_two_factor_migration.rake
+
+    # Use this as a starting point for your task to migrate your user's OTP secrets.
+    namespace :devise_two_factor do
+      desc "Copy devise_two_factor OTP secret from old format to new format"
+      task copy_otp_secret_to_rails7_encrypted_attr: [:environment] do
+        # TODO: change User to your user model
+        User.find_each do |user| # find_each finds in batches of 1,000 by default
+          otp_secret = user.otp_secret # read from otp_secret column, fall back to legacy columns if new column is empty
+          puts "Processing #{user.email}"
+          user.update!(otp_secret: otp_secret)
+        end
+      end
+    end
+    ```
+1. Remove the `#legacy_otp_secret` method from your user model (e.g. `User`) because it is no longer required.
+1. Remove the now unused legacy columns from the database. This assumes you have run a rake task as in the previous step to migrate all the legacy stored secrets to the new storage.
+    ```bash
+    # TODO: replace 'Users' in migration name with the name of your user model
+    ./bin/rails g migration RemoveLegacyDeviseTwoFactorSecretsFromUsers
+    ```
+    which generates
+    ```ruby
+    class RemoveLegacyDeviseTwoFactorSecretsFromUsers < ActiveRecord::Migration[7.0]
+      def change
+        # TODO: change :users to whatever your users table is
+
+        # WARNING: Only run this when you are confident you have copied the OTP
+        # secret for ALL users from `encrypted_otp_secret` to `otp_secret`!
+        remove_column :users, :encrypted_otp_secret
+        remove_column :users, :encrypted_otp_secret_iv
+        remove_column :users, :encrypted_otp_secret_salt
+      end
+    end
+    ```
+
 # Guide to upgrading from 2.x to 3.x
 
 Pull request #76 allows for compatibility with `attr_encrypted` 3.0, which should be used due to a security vulnerability discovered in 2.0.

data/devise-two-factor.gemspec

@@ -23,7 +23,6 @@ Gem::Specification.new do |s|
 
   s.add_runtime_dependency 'railties',       '~> 7.0'
   s.add_runtime_dependency 'activesupport',  '~> 7.0'
-  s.add_runtime_dependency 'attr_encrypted', '>= 1.3', '< 5', '!= 2'
   s.add_runtime_dependency 'devise',         '~> 4.0'
   s.add_runtime_dependency 'rotp',           '~> 6.0'
 

data/lib/devise-two-factor.rb

@@ -12,10 +12,14 @@ module Devise
   mattr_accessor :otp_allowed_drift
   @@otp_allowed_drift = 30
 
-  # The key used to encrypt OTP secrets in the database
+  # The key used to encrypt OTP secrets in the database in legacy installs.
   mattr_accessor :otp_secret_encryption_key
   @@otp_secret_encryption_key = nil
 
+  # These options are passed to the Rails 7+ encrypted attribute
+  mattr_accessor :otp_encrypted_attribute_options
+  @@otp_encrypted_attribute_options = {}
+
   # The length of all generated OTP backup codes
   mattr_accessor :otp_backup_code_length
   @@otp_backup_code_length = 16

data/lib/devise_two_factor/models/two_factor_authenticatable.rb

@@ -7,25 +7,28 @@ module Devise
       include Devise::Models::DatabaseAuthenticatable
 
       included do
-        unless %i[otp_secret otp_secret=].all? { |attr| method_defined?(attr) }
-          require 'attr_encrypted'
-
-          unless singleton_class.ancestors.include?(AttrEncrypted)
-            extend AttrEncrypted
-          end
-
-          unless attr_encrypted?(:otp_secret)
-            attr_encrypted :otp_secret,
-              :key  => self.otp_secret_encryption_key,
-              :mode => :per_attribute_iv_and_salt unless self.attr_encrypted?(:otp_secret)
-          end
-        end
-
+        encrypts :otp_secret, **splattable_encrypted_attr_options
         attr_accessor :otp_attempt
       end
 
+      def otp_secret
+        # return the OTP secret stored as a Rails encrypted attribute if it
+        # exists. Otherwise return OTP secret stored by the `attr_encrypted` gem
+        return self[:otp_secret] if self[:otp_secret]
+
+        legacy_otp_secret
+      end
+
+      ##
+      # Decrypt and return the `encrypted_otp_secret` attribute which was used in
+      # prior versions of devise-two-factor
+      # See: # https://github.com/tinfoil/devise-two-factor/blob/main/UPGRADING.md
+      def legacy_otp_secret
+        nil
+      end
+
       def self.required_fields(klass)
-        [:encrypted_otp_secret, :encrypted_otp_secret_iv, :encrypted_otp_secret_salt, :consumed_timestep]
+        [:otp_secret, :consumed_timestep]
       end
 
       # This defaults to the model's otp_secret
@@ -87,11 +90,21 @@ module Devise
       module ClassMethods
         Devise::Models.config(self, :otp_secret_length,
                                     :otp_allowed_drift,
+                                    :otp_encrypted_attribute_options,
                                     :otp_secret_encryption_key)
 
         def generate_otp_secret(otp_secret_length = self.otp_secret_length)
           ROTP::Base32.random_base32(otp_secret_length)
         end
+
+        # Return value will be splatted with ** so return a version of the
+        # encrypted attribute options which is always a Hash.
+        # @return [Hash]
+        def splattable_encrypted_attr_options
+          return {} if otp_encrypted_attribute_options.nil?
+
+          otp_encrypted_attribute_options
+        end
       end
     end
   end

data/lib/devise_two_factor/spec_helpers/two_factor_authenticatable_shared_examples.rb

@@ -8,7 +8,7 @@ RSpec.shared_examples 'two_factor_authenticatable' do
 
   describe 'required_fields' do
     it 'should have the attr_encrypted fields for otp_secret' do
-      expect(Devise::Models::TwoFactorAuthenticatable.required_fields(subject.class)).to contain_exactly(:encrypted_otp_secret, :encrypted_otp_secret_iv, :encrypted_otp_secret_salt, :consumed_timestep)
+      expect(Devise::Models::TwoFactorAuthenticatable.required_fields(subject.class)).to contain_exactly(:otp_secret, :consumed_timestep)
     end
   end
 
@@ -16,18 +16,6 @@ RSpec.shared_examples 'two_factor_authenticatable' do
     it 'should be of the configured length' do
       expect(subject.otp_secret.length).to eq(subject.class.otp_secret_length)
     end
-
-    it 'stores the encrypted otp_secret' do
-      expect(subject.encrypted_otp_secret).to_not be_nil
-    end
-
-    it 'stores an iv for otp_secret' do
-      expect(subject.encrypted_otp_secret_iv).to_not be_nil
-    end
-
-    it 'stores a salt for otp_secret' do
-      expect(subject.encrypted_otp_secret_salt).to_not be_nil
-    end
   end
 
   describe '#validate_and_consume_otp!' do

data/lib/devise_two_factor/version.rb

@@ -1,3 +1,3 @@
 module DeviseTwoFactor
-  VERSION = '4.1.1'.freeze
+  VERSION = '5.0.0'.freeze
 end

data/lib/generators/devise_two_factor/devise_two_factor_generator.rb

@@ -3,8 +3,6 @@ require 'rails/generators'
 module DeviseTwoFactor
   module Generators
     class DeviseTwoFactorGenerator < Rails::Generators::NamedBase
-      argument :encryption_key_env, :type => :string, :required => true
-
       desc 'Creates a migration to add the required attributes to NAME, and ' \
            'adds the necessary Devise directives to the model'
 
@@ -19,9 +17,7 @@ module DeviseTwoFactor
       def create_devise_two_factor_migration
         migration_arguments = [
                                 "add_devise_two_factor_to_#{plural_name}",
-                                "encrypted_otp_secret:string",
-                                "encrypted_otp_secret_iv:string",
-                                "encrypted_otp_secret_salt:string",
+                                "otp_secret:string",
                                 "consumed_timestep:integer",
                                 "otp_required_for_login:boolean"
                               ]
@@ -51,8 +47,7 @@ module DeviseTwoFactor
         indent_depth = class_path.size
 
         content = [
-                    "devise :two_factor_authenticatable,",
-                    "       :otp_secret_encryption_key => ENV['#{encryption_key_env}']\n"
+                    "devise :two_factor_authenticatable"
                   ]
 
         content << "attr_accessible :otp_attempt\n" if needs_attr_accessible?

data/spec/devise/models/two_factor_authenticatable_spec.rb

@@ -6,34 +6,15 @@ class TwoFactorAuthenticatableDouble
   include ::ActiveModel::Validations::Callbacks
   extend  ::Devise::Models
 
-  define_model_callbacks :update
-
-  devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'*4
-
-  attr_accessor :consumed_timestep
-
-  def save(validate)
-    # noop for testing
-    true
+  # stub out the ::ActiveRecord::Encryption::EncryptableRecord API
+  attr_accessor :otp_secret
+  def self.encrypts(*attrs)
+    nil
   end
-end
-
-class TwoFactorAuthenticatableWithCustomizeAttrEncryptedDouble
-  extend ::ActiveModel::Callbacks
-  include ::ActiveModel::Validations::Callbacks
-
-  # like https://github.com/tinfoil/devise-two-factor/blob/cf73e52043fbe45b74d68d02bc859522ad22fe73/UPGRADING.md#guide-to-upgrading-from-2x-to-3x
-  extend ::AttrEncrypted
-  attr_encrypted :otp_secret,
-                  :key       => 'test-key'*8,
-                  :mode      => :per_attribute_iv_and_salt,
-                  :algorithm => 'aes-256-cbc'
-
-  extend  ::Devise::Models
 
   define_model_callbacks :update
 
-  devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'*4
+  devise :two_factor_authenticatable
 
   attr_accessor :consumed_timestep
 
@@ -51,49 +32,6 @@ describe ::Devise::Models::TwoFactorAuthenticatable do
   end
 end
 
-describe ::Devise::Models::TwoFactorAuthenticatable do
-  context 'When included in a class' do
-    subject { TwoFactorAuthenticatableWithCustomizeAttrEncryptedDouble.new }
-
-    it_behaves_like 'two_factor_authenticatable'
-
-    before :each do
-      subject.otp_secret = subject.class.generate_otp_secret
-      subject.consumed_timestep = nil
-    end
-
-    describe 'otp_secret options' do
-      it 'should be of the key' do
-        if attr_encrypted_is_rails_seven_compatible?
-          expect(subject.attr_encrypted_encrypted_attributes[:otp_secret][:key]).to eq('test-key'*8)
-        else
-          expect(subject.encrypted_attributes[:otp_secret][:key]).to eq('test-key'*8)
-        end
-      end
-
-      it 'should be of the mode' do
-        if attr_encrypted_is_rails_seven_compatible?
-          expect(subject.attr_encrypted_encrypted_attributes[:otp_secret][:mode]).to eq(:per_attribute_iv_and_salt)
-        else
-          expect(subject.encrypted_attributes[:otp_secret][:mode]).to eq(:per_attribute_iv_and_salt)
-        end
-      end
-
-      it 'should be of the mode' do
-        if attr_encrypted_is_rails_seven_compatible?
-          expect(subject.attr_encrypted_encrypted_attributes[:otp_secret][:algorithm]).to eq('aes-256-cbc')
-        else
-          expect(subject.encrypted_attributes[:otp_secret][:algorithm]).to eq('aes-256-cbc')
-        end
-      end
-
-      def attr_encrypted_is_rails_seven_compatible?
-        Gem::Version.new(AttrEncrypted::Version.string) >= Gem::Version.new('4.0.0')
-      end
-    end
-  end
-end
-
 describe ::Devise::Models::TwoFactorAuthenticatable do
   context 'When clean_up_passwords is called ' do
     subject { TwoFactorAuthenticatableDouble.new }
@@ -101,11 +39,11 @@ describe ::Devise::Models::TwoFactorAuthenticatable do
       subject.otp_attempt = 'foo'
       subject.password_confirmation = 'foo'
     end
-    it 'otp_attempt should be nill' do 
+    it 'otp_attempt should be nill' do
       subject.clean_up_passwords
       expect(subject.otp_attempt).to be_nil
     end
-    it 'password_confirmation should be nill' do 
+    it 'password_confirmation should be nill' do
       subject.clean_up_passwords
       expect(subject.password_confirmation).to be_nil
     end

data/spec/devise/models/two_factor_backupable_spec.rb

@@ -6,10 +6,15 @@ class TwoFactorBackupableDouble
   include ::ActiveModel::Validations::Callbacks
   extend  ::Devise::Models
 
+  # stub out the ::ActiveRecord::Encryption::EncryptableRecord API
+  attr_accessor :otp_secret
+  def self.encrypts(*attrs)
+    nil
+  end
+
   define_model_callbacks :update
 
-  devise :two_factor_authenticatable, :two_factor_backupable,
-         :otp_secret_encryption_key => 'test-key'*4
+  devise :two_factor_authenticatable, :two_factor_backupable
 
   attr_accessor :otp_backup_codes
 end

metadata

@@ -1,11 +1,11 @@
 --- !ruby/object:Gem::Specification
 name: devise-two-factor
 version: !ruby/object:Gem::Version
-  version: 4.1.1
+  version: 5.0.0
 platform: ruby
 authors:
 - Shane Wilton
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain:
 - |
@@ -86,7 +86,7 @@ cert_chain:
   vqIDv6JBG9I16h/HhchntKfM58MI1bNZFBSdZqYOJiL8JIjP8HNIk76Y366ppG29
   EhBYYg==
   -----END CERTIFICATE-----
-date: 2023-10-12 00:00:00.000000000 Z
+date: 2022-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -116,32 +116,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '7.0'
-- !ruby/object:Gem::Dependency
-  name: attr_encrypted
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.3'
-    - - "!="
-      - !ruby/object:Gem::Version
-        version: '2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '5'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.3'
-    - - "!="
-      - !ruby/object:Gem::Version
-        version: '2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '5'
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
@@ -301,7 +275,7 @@ homepage: https://github.com/tinfoil/devise-two-factor
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -316,8 +290,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: Barebones two-factor authentication with Devise
 test_files: