devise-two-factor 4.1.1 → 6.0.0

data/gemfiles/rails_7.0.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "railties", "~> 7.0"
-gem "activesupport", "~> 7.0"
+gem "railties", "~> 7.0.0"
+gem "activesupport", "~> 7.0.0"
 
 gemspec path: "../"

data/gemfiles/{rails_4.1.gemfile → rails_7.1.gemfile}

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "railties", "~> 4.1"
-gem "activesupport", "~> 4.1"
+gem "railties", "~> 7.1.0"
+gem "activesupport", "~> 7.1.0"
 
 gemspec path: "../"

data/lib/devise-two-factor.rb

@@ -3,20 +3,26 @@ require 'devise_two_factor/models'
 require 'devise_two_factor/strategies'
 
 module Devise
-  # The length of generated OTP secrets
+  # The length of randomly generated OTP shared secret (in bytes).
+  # The secrets will be base32-encoded and have a length 1.6 times the configured value.
   mattr_accessor :otp_secret_length
-  @@otp_secret_length = 24
+  @@otp_secret_length = 20
 
   # The number of seconds before and after the current
   # time for which codes will be accepted
   mattr_accessor :otp_allowed_drift
   @@otp_allowed_drift = 30
 
-  # The key used to encrypt OTP secrets in the database
+  # The key used to encrypt OTP secrets in the database in legacy installs.
   mattr_accessor :otp_secret_encryption_key
   @@otp_secret_encryption_key = nil
 
-  # The length of all generated OTP backup codes
+  # These options are passed to the Rails 7+ encrypted attribute
+  mattr_accessor :otp_encrypted_attribute_options
+  @@otp_encrypted_attribute_options = {}
+
+  # The length of randomly generated OTP backup codes (in bytes).
+  # The codes will be hex-encoded and have a length twice the configured value.
   mattr_accessor :otp_backup_code_length
   @@otp_backup_code_length = 16
 
@@ -27,7 +33,7 @@ module Devise
 end
 
 Devise.add_module(:two_factor_authenticatable, :route => :session, :strategy => true,
-                  :controller => :sessions, :model  => true)
+                  :controller => :sessions, :model  => true, :insert_at => 0)
 
 Devise.add_module(:two_factor_backupable, :route => :session, :strategy => true,
                   :controller => :sessions, :model  => true)

data/lib/devise_two_factor/models/two_factor_authenticatable.rb

@@ -7,25 +7,28 @@ module Devise
       include Devise::Models::DatabaseAuthenticatable
 
       included do
-        unless %i[otp_secret otp_secret=].all? { |attr| method_defined?(attr) }
-          require 'attr_encrypted'
-
-          unless singleton_class.ancestors.include?(AttrEncrypted)
-            extend AttrEncrypted
-          end
-
-          unless attr_encrypted?(:otp_secret)
-            attr_encrypted :otp_secret,
-              :key  => self.otp_secret_encryption_key,
-              :mode => :per_attribute_iv_and_salt unless self.attr_encrypted?(:otp_secret)
-          end
-        end
-
+        encrypts :otp_secret, **splattable_encrypted_attr_options
         attr_accessor :otp_attempt
       end
 
+      def otp_secret
+        # return the OTP secret stored as a Rails encrypted attribute if it
+        # exists. Otherwise return OTP secret stored by the `attr_encrypted` gem
+        return self[:otp_secret] if self[:otp_secret]
+
+        legacy_otp_secret
+      end
+
+      ##
+      # Decrypt and return the `encrypted_otp_secret` attribute which was used in
+      # prior versions of devise-two-factor
+      # See: # https://github.com/tinfoil/devise-two-factor/blob/main/UPGRADING.md
+      def legacy_otp_secret
+        nil
+      end
+
       def self.required_fields(klass)
-        [:encrypted_otp_secret, :encrypted_otp_secret_iv, :encrypted_otp_secret_salt, :consumed_timestep]
+        [:otp_secret, :consumed_timestep]
       end
 
       # This defaults to the model's otp_secret
@@ -78,7 +81,8 @@ module Devise
       def consume_otp!
         if self.consumed_timestep != current_otp_timestep
           self.consumed_timestep = current_otp_timestep
-          return save(validate: false)
+          save!(validate: false)
+          return true
         end
 
         false
@@ -87,10 +91,21 @@ module Devise
       module ClassMethods
         Devise::Models.config(self, :otp_secret_length,
                                     :otp_allowed_drift,
+                                    :otp_encrypted_attribute_options,
                                     :otp_secret_encryption_key)
 
+        # Geneartes an OTP secret of the specified length, returning it after Base32 encoding.
         def generate_otp_secret(otp_secret_length = self.otp_secret_length)
-          ROTP::Base32.random_base32(otp_secret_length)
+          ROTP::Base32.random(otp_secret_length)
+        end
+
+        # Return value will be splatted with ** so return a version of the
+        # encrypted attribute options which is always a Hash.
+        # @return [Hash]
+        def splattable_encrypted_attr_options
+          return {} if otp_encrypted_attribute_options.nil?
+
+          otp_encrypted_attribute_options
         end
       end
     end

data/lib/devise_two_factor/models/two_factor_backupable.rb

@@ -20,7 +20,7 @@ module Devise
         code_length     = self.class.otp_backup_code_length
 
         number_of_codes.times do
-          codes << SecureRandom.hex(code_length / 2) # Hexstring has length 2*n
+          codes << SecureRandom.hex(code_length)
         end
 
         hashed_codes = codes.map { |code| Devise::Encryptor.digest(self.class, code) }
@@ -30,7 +30,7 @@ module Devise
       end
 
       # Returns true and invalidates the given code
-      # iff that code is a valid backup code.
+      # if that code is a valid backup code.
       def invalidate_otp_backup_code!(code)
         codes = self.otp_backup_codes || []
 
@@ -39,6 +39,7 @@ module Devise
 
           codes.delete(backup_code)
           self.otp_backup_codes = codes
+          save!(validate: false)
           return true
         end
 

data/lib/devise_two_factor/spec_helpers/two_factor_authenticatable_shared_examples.rb

@@ -8,25 +8,13 @@ RSpec.shared_examples 'two_factor_authenticatable' do
 
   describe 'required_fields' do
     it 'should have the attr_encrypted fields for otp_secret' do
-      expect(Devise::Models::TwoFactorAuthenticatable.required_fields(subject.class)).to contain_exactly(:encrypted_otp_secret, :encrypted_otp_secret_iv, :encrypted_otp_secret_salt, :consumed_timestep)
+      expect(Devise::Models::TwoFactorAuthenticatable.required_fields(subject.class)).to contain_exactly(:otp_secret, :consumed_timestep)
     end
   end
 
   describe '#otp_secret' do
-    it 'should be of the configured length' do
-      expect(subject.otp_secret.length).to eq(subject.class.otp_secret_length)
-    end
-
-    it 'stores the encrypted otp_secret' do
-      expect(subject.encrypted_otp_secret).to_not be_nil
-    end
-
-    it 'stores an iv for otp_secret' do
-      expect(subject.encrypted_otp_secret_iv).to_not be_nil
-    end
-
-    it 'stores a salt for otp_secret' do
-      expect(subject.encrypted_otp_secret_salt).to_not be_nil
+    it 'should be of the expected length' do
+      expect(subject.otp_secret.length).to eq(subject.class.otp_secret_length*8/5)
     end
   end
 
@@ -137,15 +125,15 @@ RSpec.shared_examples 'two_factor_authenticatable' do
 
   describe '#otp_provisioning_uri' do
     let(:otp_secret_length) { subject.class.otp_secret_length }
-    let(:account)           { Faker::Internet.email }
+    let(:account)           { 'user@host.example' }
     let(:issuer)            { 'Tinfoil' }
 
     it 'should return uri with specified account' do
-      expect(subject.otp_provisioning_uri(account)).to match(%r{otpauth://totp/#{CGI.escape(account)}\?secret=\w{#{otp_secret_length}}})
+      expect(subject.otp_provisioning_uri(account)).to match(%r{otpauth://totp/#{CGI.escape(account)}\?secret=\w{#{otp_secret_length*8/5}}})
     end
 
     it 'should return uri with issuer option' do
-      expect(subject.otp_provisioning_uri(account, issuer: issuer)).to match(%r{otpauth://totp/#{issuer}:#{CGI.escape(account)}\?.*secret=\w{#{otp_secret_length}}(&|$)})
+      expect(subject.otp_provisioning_uri(account, issuer: issuer)).to match(%r{otpauth://totp/#{issuer}:#{CGI.escape(account)}\?.*secret=\w{#{otp_secret_length*8/5}}(&|$)})
       expect(subject.otp_provisioning_uri(account, issuer: issuer)).to match(%r{otpauth://totp/#{issuer}:#{CGI.escape(account)}\?.*issuer=#{issuer}(&|$)})
     end
   end

data/lib/devise_two_factor/spec_helpers/two_factor_backupable_shared_examples.rb

@@ -17,7 +17,7 @@ RSpec.shared_examples 'two_factor_backupable' do
 
       it 'generates recovery codes of the correct length' do
         @plaintext_codes.each do |code|
-          expect(code.length).to eq(subject.class.otp_backup_code_length)
+          expect(code.length).to eq(subject.class.otp_backup_code_length*2)
         end
       end
 
@@ -34,7 +34,7 @@ RSpec.shared_examples 'two_factor_backupable' do
     end
 
     context 'with existing recovery codes' do
-      let(:old_codes)        { Faker::Lorem.words }
+      let(:old_codes)        { ['adam', 'betty', 'charles'] }
       let(:old_codes_hashed) { old_codes.map { |x| Devise::Encryptor.digest(subject.class, x) } }
 
       before do

data/lib/devise_two_factor/strategies/two_factor_authenticatable.rb

@@ -21,7 +21,7 @@ module Devise
 
       def validate_otp(resource)
         return true unless resource.otp_required_for_login
-        return if params[scope]['otp_attempt'].nil?
+        return if params[scope].nil? || params[scope]['otp_attempt'].nil?
         resource.validate_and_consume_otp!(params[scope]['otp_attempt'])
       end
     end

data/lib/devise_two_factor/strategies/two_factor_backupable.rb

@@ -6,9 +6,6 @@ module Devise
         resource = mapping.to.find_for_database_authentication(authentication_hash)
 
         if validate(resource) { resource.invalidate_otp_backup_code!(params[scope]['otp_attempt']) }
-          # Devise fails to authenticate invalidated resources, but if we've
-          # gotten here, the object changed (Since we deleted a recovery code)
-          resource.save!
           super
         end
 

data/lib/devise_two_factor/version.rb

@@ -1,3 +1,3 @@
 module DeviseTwoFactor
-  VERSION = '4.1.1'.freeze
+  VERSION = '6.0.0'.freeze
 end

data/lib/generators/devise_two_factor/devise_two_factor_generator.rb

@@ -3,8 +3,6 @@ require 'rails/generators'
 module DeviseTwoFactor
   module Generators
     class DeviseTwoFactorGenerator < Rails::Generators::NamedBase
-      argument :encryption_key_env, :type => :string, :required => true
-
       desc 'Creates a migration to add the required attributes to NAME, and ' \
            'adds the necessary Devise directives to the model'
 
@@ -19,9 +17,7 @@ module DeviseTwoFactor
       def create_devise_two_factor_migration
         migration_arguments = [
                                 "add_devise_two_factor_to_#{plural_name}",
-                                "encrypted_otp_secret:string",
-                                "encrypted_otp_secret_iv:string",
-                                "encrypted_otp_secret_salt:string",
+                                "otp_secret:string",
                                 "consumed_timestep:integer",
                                 "otp_required_for_login:boolean"
                               ]
@@ -51,8 +47,7 @@ module DeviseTwoFactor
         indent_depth = class_path.size
 
         content = [
-                    "devise :two_factor_authenticatable,",
-                    "       :otp_secret_encryption_key => ENV['#{encryption_key_env}']\n"
+                    "devise :two_factor_authenticatable"
                   ]
 
         content << "attr_accessible :otp_attempt\n" if needs_attr_accessible?

data/spec/devise/models/two_factor_authenticatable_spec.rb

@@ -6,91 +6,33 @@ class TwoFactorAuthenticatableDouble
   include ::ActiveModel::Validations::Callbacks
   extend  ::Devise::Models
 
-  define_model_callbacks :update
-
-  devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'*4
-
-  attr_accessor :consumed_timestep
-
-  def save(validate)
-    # noop for testing
-    true
+  # stub out the ::ActiveRecord::Encryption::EncryptableRecord API
+  attr_accessor :otp_secret
+  def self.encrypts(*attrs)
+    nil
   end
-end
-
-class TwoFactorAuthenticatableWithCustomizeAttrEncryptedDouble
-  extend ::ActiveModel::Callbacks
-  include ::ActiveModel::Validations::Callbacks
-
-  # like https://github.com/tinfoil/devise-two-factor/blob/cf73e52043fbe45b74d68d02bc859522ad22fe73/UPGRADING.md#guide-to-upgrading-from-2x-to-3x
-  extend ::AttrEncrypted
-  attr_encrypted :otp_secret,
-                  :key       => 'test-key'*8,
-                  :mode      => :per_attribute_iv_and_salt,
-                  :algorithm => 'aes-256-cbc'
-
-  extend  ::Devise::Models
 
   define_model_callbacks :update
 
-  devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'*4
+  devise :two_factor_authenticatable
 
   attr_accessor :consumed_timestep
 
-  def save(validate)
+  def save!(_)
     # noop for testing
     true
   end
 end
 
 describe ::Devise::Models::TwoFactorAuthenticatable do
-  context 'When included in a class' do
-    subject { TwoFactorAuthenticatableDouble.new }
-
-    it_behaves_like 'two_factor_authenticatable'
+  it 'should be inserted prior to other devise modules' do
+    expect(Devise::ALL.first).to eq(:two_factor_authenticatable)
   end
-end
 
-describe ::Devise::Models::TwoFactorAuthenticatable do
   context 'When included in a class' do
-    subject { TwoFactorAuthenticatableWithCustomizeAttrEncryptedDouble.new }
+    subject { TwoFactorAuthenticatableDouble.new }
 
     it_behaves_like 'two_factor_authenticatable'
-
-    before :each do
-      subject.otp_secret = subject.class.generate_otp_secret
-      subject.consumed_timestep = nil
-    end
-
-    describe 'otp_secret options' do
-      it 'should be of the key' do
-        if attr_encrypted_is_rails_seven_compatible?
-          expect(subject.attr_encrypted_encrypted_attributes[:otp_secret][:key]).to eq('test-key'*8)
-        else
-          expect(subject.encrypted_attributes[:otp_secret][:key]).to eq('test-key'*8)
-        end
-      end
-
-      it 'should be of the mode' do
-        if attr_encrypted_is_rails_seven_compatible?
-          expect(subject.attr_encrypted_encrypted_attributes[:otp_secret][:mode]).to eq(:per_attribute_iv_and_salt)
-        else
-          expect(subject.encrypted_attributes[:otp_secret][:mode]).to eq(:per_attribute_iv_and_salt)
-        end
-      end
-
-      it 'should be of the mode' do
-        if attr_encrypted_is_rails_seven_compatible?
-          expect(subject.attr_encrypted_encrypted_attributes[:otp_secret][:algorithm]).to eq('aes-256-cbc')
-        else
-          expect(subject.encrypted_attributes[:otp_secret][:algorithm]).to eq('aes-256-cbc')
-        end
-      end
-
-      def attr_encrypted_is_rails_seven_compatible?
-        Gem::Version.new(AttrEncrypted::Version.string) >= Gem::Version.new('4.0.0')
-      end
-    end
   end
 end
 
@@ -101,11 +43,11 @@ describe ::Devise::Models::TwoFactorAuthenticatable do
       subject.otp_attempt = 'foo'
       subject.password_confirmation = 'foo'
     end
-    it 'otp_attempt should be nill' do 
+    it 'otp_attempt should be nill' do
       subject.clean_up_passwords
       expect(subject.otp_attempt).to be_nil
     end
-    it 'password_confirmation should be nill' do 
+    it 'password_confirmation should be nill' do
       subject.clean_up_passwords
       expect(subject.password_confirmation).to be_nil
     end

data/spec/devise/models/two_factor_backupable_spec.rb

@@ -6,12 +6,21 @@ class TwoFactorBackupableDouble
   include ::ActiveModel::Validations::Callbacks
   extend  ::Devise::Models
 
+  # stub out the ::ActiveRecord::Encryption::EncryptableRecord API
+  attr_accessor :otp_secret
+  def self.encrypts(*attrs)
+    nil
+  end
+
   define_model_callbacks :update
 
-  devise :two_factor_authenticatable, :two_factor_backupable,
-         :otp_secret_encryption_key => 'test-key'*4
+  devise :two_factor_authenticatable, :two_factor_backupable
 
   attr_accessor :otp_backup_codes
+
+  def save!(_)
+    true
+  end
 end
 
 describe ::Devise::Models::TwoFactorBackupable do

data/spec/spec_helper.rb

@@ -18,7 +18,6 @@ $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 
 require 'rspec'
-require 'faker'
 require 'devise-two-factor'
 require 'devise_two_factor/spec_helpers'
 

metadata

@@ -1,11 +1,11 @@
 --- !ruby/object:Gem::Specification
 name: devise-two-factor
 version: !ruby/object:Gem::Version
-  version: 4.1.1
+  version: 6.0.0
 platform: ruby
 authors:
-- Shane Wilton
-autorequire: 
+- Quinn Wilton
+autorequire:
 bindir: bin
 cert_chain:
 - |
@@ -86,7 +86,7 @@ cert_chain:
   vqIDv6JBG9I16h/HhchntKfM58MI1bNZFBSdZqYOJiL8JIjP8HNIk76Y366ppG29
   EhBYYg==
   -----END CERTIFICATE-----
-date: 2023-10-12 00:00:00.000000000 Z
+date: 2024-09-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -116,32 +116,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '7.0'
-- !ruby/object:Gem::Dependency
-  name: attr_encrypted
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.3'
-    - - "!="
-      - !ruby/object:Gem::Version
-        version: '2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '5'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '1.3'
-    - - "!="
-      - !ruby/object:Gem::Version
-        version: '2'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '5'
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
@@ -240,28 +214,17 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: faker
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-description: Barebones two-factor authentication with Devise
-email: engineers@tinfoilsecurity.com
+description: Devise-Two-Factor is a minimalist extension to Devise which offers support
+  for two-factor authentication through the TOTP scheme.
+email:
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
 - ".gitignore"
+- ".markdownlint.json"
 - ".rspec"
 - Appraisals
 - CHANGELOG.md
@@ -270,18 +233,13 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- SECURITY.md
 - UPGRADING.md
 - certs/tinfoil-cacert.pem
 - certs/tinfoilsecurity-gems-cert.pem
 - devise-two-factor.gemspec
-- gemfiles/rails_4.1.gemfile
-- gemfiles/rails_4.2.gemfile
-- gemfiles/rails_5.0.gemfile
-- gemfiles/rails_5.1.gemfile
-- gemfiles/rails_5.2.gemfile
-- gemfiles/rails_6.0.gemfile
-- gemfiles/rails_6.1.gemfile
 - gemfiles/rails_7.0.gemfile
+- gemfiles/rails_7.1.gemfile
 - lib/devise-two-factor.rb
 - lib/devise_two_factor/models.rb
 - lib/devise_two_factor/models/two_factor_authenticatable.rb
@@ -297,11 +255,11 @@ files:
 - spec/devise/models/two_factor_authenticatable_spec.rb
 - spec/devise/models/two_factor_backupable_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/tinfoil/devise-two-factor
+homepage: https://github.com/devise-two-factor/devise-two-factor
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -316,8 +274,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.5.11
+signing_key:
 specification_version: 4
 summary: Barebones two-factor authentication with Devise
 test_files:

data/gemfiles/rails_4.2.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 4.2"
-gem "activesupport", "~> 4.2"
-
-gemspec path: "../"

data/gemfiles/rails_5.0.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 5.0"
-gem "activesupport", "~> 5.0"
-
-gemspec path: "../"

data/gemfiles/rails_5.1.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 5.1"
-gem "activesupport", "~> 5.1"
-
-gemspec path: "../"

data/gemfiles/rails_5.2.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 5.2"
-gem "activesupport", "~> 5.2"
-
-gemspec path: "../"

data/gemfiles/rails_6.0.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 6.0"
-gem "activesupport", "~> 6.0"
-
-gemspec path: "../"

data/gemfiles/rails_6.1.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 6.1"
-gem "activesupport", "~> 6.1"
-
-gemspec path: "../"