devise-two-factor 5.0.0 → 6.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0f81d936ba021c504827ebf9a6faa199f7a0a8f714fee2d9ce6d48acbde423b
-  data.tar.gz: 38bf04b9361f64618c84081c5ce5436f523f8476c625b91b92cfba8e56e2cd5c
+  metadata.gz: 131bab7308f2b9d46a41b5e11b85411e0cd097e97f16c82356eadb1cf87d5cc3
+  data.tar.gz: b117115cfbb9ffe4f6dcec8127de0e0d51ca5fa835407a82cad8afc17f923f5f
 SHA512:
-  metadata.gz: 54b62797c0194f8a3dc04f4594db384bdf6421eaf35707b7a35a39dc3993348790f1544e24d9d013885a7569a4c2381f938037626c26bf054ca00fe02bc46026
-  data.tar.gz: 2c24d3d5e822151f323ba27efb915ad44a33be2a20b95b3decad88facf34c68a70bbf471b1d748bd2c2498a088b5ddc0fb333486d467eb9865dd3f6aa941694c
+  metadata.gz: 187bd4ed05b0ad83da40cbe208c4bbe2ce91581d95f437cdaa27364ddb0be3696a2a03aad62e8a02f07adaeca24778202710f20f79422156b4aef63d13a03721
+  data.tar.gz: 5635dccf010dd259404e9e03092eb9e107896b31f178d1ae3760046aa794fe449eb3bd2929bfb08c29df725376d8abc3dbb3f80e2dfb63405172c6130c24c687

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/ci.yml

@@ -12,14 +12,14 @@ jobs:
       fail-fast: false
       matrix:
         # Due to https://github.com/actions/runner/issues/849, we should quote versions
-        ruby: ['2.7', '3.0', '3.1', 'truffleruby-head']
-        rails: ['7.0']
+        ruby: ['3.1', '3.2', '3.3', 'truffleruby-head']
+        rails: ['7.0', '7.1']
 
     name: Ruby ${{ matrix.ruby }}, Rails ${{ matrix.rails }}
     env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
       BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/rails_${{ matrix.rails }}.gemfile
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:

data/.markdownlint.json

@@ -0,0 +1,6 @@
+{
+  "MD026": false,
+  "MD029": false,
+  "MD031": false,
+  "MD034": false
+}

data/CHANGELOG.md

@@ -2,6 +2,21 @@
 
 ## Unreleased
 
+## 5.1.0
+
+- Remove faker dev dependency
+- Insert two_factor_authenticatable at the top of the devise module list
+- README and CI improvements
+
+## 5.0.0
+
+**Breaking Changes**
+- attr_encrypted has been deprecated in favor of native Rails attribute encryption. See [UPGRADING.md](UPGRADING.md) for details on how to migrate your records. You **must** use or build a migration strategy (see examples in [UPGRADING.md](UPGRADING.md)) to use existing data!
+- Rails 7 is now required.
+
+## 4.1.0 / 4.1.1
+- Add support for attr_encrypted v4
+
 ## 4.0.2
 - Add Rails 7.0 support
 - Renew signing certificate

data/README.md

@@ -1,7 +1,6 @@
 # Devise-Two-Factor Authentication
-By [Tinfoil Security](https://www.tinfoilsecurity.com/) (acq. [Synopsys](https://www.synopsys.com/) 2020). Interested in [working with us](https://www.synopsys.com/careers.html)? We're hiring!
 
-![Build Status](https://github.com/tinfoil/devise-two-factor/actions/workflows/ci.yml/badge.svg)
+![Build Status](https://github.com/devise-two-factor/devise-two-factor/actions/workflows/ci.yml/badge.svg)
 
 Devise-Two-Factor is a minimalist extension to Devise which offers support for two-factor authentication, through the [TOTP](https://en.wikipedia.org/wiki/Time-based_One-Time_Password) scheme. It:
 
@@ -11,12 +10,12 @@ Devise-Two-Factor is a minimalist extension to Devise which offers support for t
 * Is extensible, and includes two-factor backup codes as an example of how plugins can be structured
 
 ## Contributing
+
 We welcome pull requests, bug reports, and other contributions. We're especially looking for help getting this gem fully compatible with Rails 5+ and squashing any deprecation messages.
 
 ## Example App
-An example Rails 4 application is provided in the `demo` directory. It showcases a minimal example of Devise-Two-Factor in action, and can act as a reference for integrating the gem into your own application.
 
-For the demo app to work, create an encryption key and store it as an environment variable. One way to do this is to create a file named `local_env.yml` in the application root. Set the value of `ENCRYPTION_KEY` in the YML file. That value will be loaded into the application environment by `application.rb`.
+See [examples](demo/README.md).
 
 ## Getting Started
 
@@ -27,15 +26,31 @@ Devise-Two-Factor doesn't require much to get started, but there are two prerequ
 
 First, you'll need a Rails application setup with Devise. Visit the Devise [homepage](https://github.com/plataformatec/devise) for instructions.
 
-Devise-Two-Factor uses [ActiveRecord encrypted attributes](https://edgeguides.rubyonrails.org/active_record_encryption.html) which in turn uses Rails' encrypted credentials. [The Rails encrypted attributes guide](https://edgeguides.rubyonrails.org/active_record_encryption.html) has full details of how to set these up but briefly:
+Devise-Two-Factor uses [ActiveRecord encrypted attributes](https://edgeguides.rubyonrails.org/active_record_encryption.html). If you haven't already set up ActiveRecord encryption you must generate a key set and configure your application to use them either with Rails' encrypted credentials or from another source such as environment variables.
 
 ```bash
-# generate suitable encryption secrets to stdout
-$ ./bin/rails db:encryption:init
+# Generates a random key set and outputs it to stdout
+./bin/rails db:encryption:init
+```
+
+You can load the key set using Rails' credentials.
+
+```bash
+# Copy the generated key set into your encrypted credentials file
+# Setting the EDITOR environment variable is optional, but without it your default editor will open
+EDITOR="code --wait" ./bin/rails credentials:edit
+```
+
+To learn more about credentials run `./bin/rails credentials:help`.
 
-# Add the output from the command above to your encrypted credentials file via
-# Setting the EDITOR environment variable is optional, without it, your default editor will open
-$ EDITOR=code ./bin/rails credentials:edit
+Alternatively, you can configure your application with environment variables rather than Rails' credentials.
+
+```ruby
+# Copy the generate key set and set them as environment variables
+
+config.active_record.encryption.primary_key = ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY']
+config.active_record.encryption.deterministic_key = ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY']
+config.active_record.encryption.key_derivation_salt = ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT']
 ```
 
 Add Devise-Two-Factor to your Gemfile with:
@@ -58,11 +73,13 @@ Where `MODEL` is the name of the model you wish to add two-factor functionality
 This generator will:
 
 1. Create a new migration which adds a few columns to the specified model:
+
     ```ruby
     add_column :users, :otp_secret, :string
     add_column :users, :consumed_timestep, :integer
     add_column :users, :otp_required_for_login, :boolean
     ```
+
 1. Edit `app/models/MODEL.rb` (where MODEL is your model name):
     * add the `:two_factor_authenticatable` devise module
     * remove the `:database_authenticatable` if present because it is incompatible with `:two_factor_authenticatable`
@@ -95,6 +112,7 @@ Finally you should verify that `:database_authenticatable` is **not** being load
 **Loading both `:database_authenticatable` and `:two_factor_authenticatable` in a model is a security issue** It will allow users to bypass two-factor authenticatable due to the way Warden handles cascading strategies!
 
 ## Designing Your Workflow
+
 Devise-Two-Factor only worries about the backend, leaving the details of the integration up to you. This means that you're responsible for building the UI that drives the gem. While there is an example Rails application included in the gem, it is important to remember that this gem is intentionally very open-ended, and you should build a user experience which fits your individual application.
 
 There are two key workflows you'll have to think about:
@@ -104,8 +122,8 @@ There are two key workflows you'll have to think about:
 
 We chose to keep things as simple as possible, and our implementation can be found by registering at [Tinfoil Security](https://www.tinfoilsecurity.com/), and enabling two-factor authentication from the [security settings page](https://www.tinfoilsecurity.com/account/security).
 
-
 ### Logging In
+
 Logging in with two-factor authentication works extremely similarly to regular database authentication in Devise. The `TwoFactorAuthenticatable` strategy accepts three parameters:
 
 1. email
@@ -115,11 +133,13 @@ Logging in with two-factor authentication works extremely similarly to regular d
 These parameters can be submitted to the standard Devise login route, and the strategy will handle the authentication of the user for you.
 
 ### Disabling Automatic Login After Password Resets
+
 If you use the Devise `recoverable` strategy, the default behavior after a password reset is to automatically authenticate the user and log them in. This is obviously a problem if a user has two-factor authentication enabled, as resetting the password would get around the two-factor requirement.
 
 Because of this, you need to set `sign_in_after_reset_password` to `false` (either globally in your Devise initializer or via `devise_for`).
 
 ### Enabling Two-Factor Authentication
+
 Enabling two-factor authentication for a user is easy. For example, if my user model were named User, I could do the following:
 
 ```ruby
@@ -150,6 +170,7 @@ current_user.current_otp
 ```
 
 The generated code will be valid for the duration specified by `otp_allowed_drift`. This value can be modified by adding a config in `config/initializers/devise.rb`.
+
 ```ruby
 Devise.otp_allowed_drift = 240 # value in seconds
 Devise.setup do |config|
@@ -166,13 +187,27 @@ However you decide to handle enrollment, there are a few important consideration
 It sounds like a lot of work, but most of these problems have been very elegantly solved by other people. We recommend taking a look at the excellent workflows used by Heroku and Google for inspiration.
 
 ### Filtering sensitive parameters from the logs
+
 To prevent two-factor authentication codes from leaking if your application logs get breached, you'll want to filter sensitive parameters from the Rails logs. Add the following to `config/initializers/filter_parameter_logging.rb`:
 
 ```ruby
 Rails.application.config.filter_parameters += [:otp_attempt]
 ```
 
+### Preventing Brute-Force Attacks
+
+With any authentication solution it is also important to protect your users from brute-force attacks. For Devise-Two-Factor specifically if a user's username and password have already been compromised an attacker would be able to try possible TOTP codes and see if they can hit a lucky collision to log in. While Devise-Two-Factor is open-ended by design and cannot solve this for all applications natively there are some possible mitigations to consider. A non-exhaustive list follows:
+
+1. Use the `lockable` strategy from Devise to lock a user after a certain number of failed login attempts. See https://www.rubydoc.info/github/heartcombo/devise/main/Devise/Models/Lockable for more information.
+2. Configure a rate limit for your application, especially on the endpoints used to log in. One such library to accomplish this is [rack-attack](https://rubygems.org/gems/rack-attack).
+3. When displaying authentication errors hide whether validating a username/password combination failed or a two-factor code failed behind a more generic error message.
+
+#### Acknowledgements
+
+Thank you to Christian Reitter (Radically Open Security) and Chris MacNaughton (Centauri Solutions) for reporting the issue.
+
 ## Backup Codes
+
 Devise-Two-Factor is designed with extensibility in mind. One such extension, `TwoFactorBackupable`, is included and serves as a good example of how to extend this gem. This plugin allows you to add the ability to generate single-use backup codes for a user, which they may use to bypass two-factor authentication, in the event that they lose access to their device.
 
 To install it, you need to add the `:two_factor_backupable` directive to your model.
@@ -187,17 +222,39 @@ You'll also be required to enable the `:two_factor_backupable` strategy, by addi
 manager.default_strategies(:scope => :user).unshift :two_factor_backupable
 ```
 
-The final installation step is dependent on your version of Rails. If you're not running Rails 4, skip to the next section. Otherwise, create the following migration:
+### Migration
+
+The final installation step may be dependent on your version of Rails.
+
+#### PostgreSQL
 
 ```ruby
 class AddDeviseTwoFactorBackupableToUsers < ActiveRecord::Migration
   def change
-    # Change type from :string to :text if using MySQL database
     add_column :users, :otp_backup_codes, :string, array: true
   end
 end
 ```
 
+#### MySQL
+
+```ruby
+# migration
+class AddDeviseTwoFactorBackupableToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :otp_backup_codes, :text
+  end
+end
+
+# model
+class User < ApplicationRecord
+  devise :two_factor_backupable
+  serialize :otp_backup_codes, Array
+end
+```
+
+### Generation
+
 You can then generate backup codes for a user:
 
 ```ruby
@@ -215,23 +272,8 @@ devise :two_factor_backupable, otp_backup_code_length:     32,
                                otp_number_of_backup_codes: 10
 ```
 
-### Help! I'm not using Rails 4.0!
-Don't worry! `TwoFactorBackupable` stores the backup codes as an array of strings in the database. In Rails 4.0 this is supported natively, but in earlier versions you can use a gem to emulate this behavior: we recommend [activerecord-postgres-array](https://github.com/tlconnor/activerecord-postgres-array).
-
-You'll then simply have to create a migration to add an array named `otp_backup_codes` to your model. If you use the above gem, this migration might look like:
-
-```ruby
-class AddTwoFactorBackupCodesToUsers < ActiveRecord::Migration
-  def change
-    # Change type from :string_array to :text_array if using MySQL database
-    add_column :users, :otp_backup_codes, :string_array
-  end
-end
-```
-
-Now just continue with the setup in the previous section, skipping the generator step.
-
 ## Testing
+
 Devise-Two-Factor includes shared-examples for both `TwoFactorAuthenticatable` and `TwoFactorBackupable`. Adding the following two lines to the specs for your two-factor enabled models will allow you to test your models for two-factor functionality:
 
 ```ruby
@@ -242,6 +284,7 @@ it_behaves_like "two_factor_backupable"
 ```
 
 ## Troubleshooting
+
 If you are using Rails 4.x and Ruby >= 2.7, you may get an error like
 
 ```
@@ -251,9 +294,11 @@ Failure/Error: require 'devise'
 NoMethodError:
   undefined method `new' for BigDecimal:Class
 ```
+
 see https://github.com/ruby/bigdecimal#which-version-should-you-select and https://github.com/ruby/bigdecimal/issues/127
 for more details, but you should be able to solve this
 by explicitly requiring an older version of bigdecimal in your gemfile like
-```
+
+```ruby
 gem "bigdecimal", "~> 1.4"
 ```

data/SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report any vulnerabilities to the [Black Duck PSIRT](psirt@blackduck.com).

data/UPGRADING.md

@@ -1,8 +1,25 @@
-# Upgrading from 4.x to 5.x
+# Upgrading
 
-## Background
+## Upgrading from 5.x to 6.x
 
-### Database columns in version 4.x and older
+### save!
+
+`consume_otp!` and `invalidate_otp_backup_code!` now call `save!` instead of `save` (or nothing at all in the case of `invalide_otp_backup_code!`). If you manually called `save`/`save!` after calling `invalidate_otp_backup_code` you may be able to remove it.
+
+### Secret Lengths
+
+The `otp_secret_length` and `otp_backup_code_length` options have changed to be the number of random bytes that are generated.
+If you had configured these values you may want to change them if you wish to keep the same output length.
+
+`otp_secret_length` now has a default value of 20, generating a 160 bit secret key with an output length length of 32 bytes.
+
+`otp_backup_code_length` now has a default value of 16, generating a 32 byte backup code.
+
+## Upgrading from 4.x to 5.x
+
+### Background
+
+#### Database columns in version 4.x and older
 
 Versions 4.x and older stored the OTP secret in an attribute called `encrypted_otp_secret` using the [attr_encrypted](https://github.com/attr-encrypted/attr_encrypted) gem. This gem is currently unmaintained which is part of the motivation for moving to Rails encrypted attributes. This attribute was backed by three database columns:
 
@@ -21,7 +38,7 @@ otp_required_for_login
 
 A fresh install of 4.x would create all five of the database columns above.
 
-### Database columns in version 5.x and later
+#### Database columns in version 5.x and later
 
 Versions 5+ of this gem uses a single [Rails 7+ encrypted attribute](https://edgeguides.rubyonrails.org/active_record_encryption.html) named `otp_secret`to store the OTP secret in the database table (usually `users` but will be whatever model you picked).
 
@@ -33,18 +50,15 @@ consumed_timestep
 otp_required_for_login
 ```
 
-### Upgrading from 4.x to 5.x
-
-
 We have attempted to make the upgrade as painless as possible but unfortunately because of the secret storage change, it cannot be as simple as `bundle update devise-two-factor` :heart:
 
-#### Assumptions
+### Assumptions
 
 This guide assumes you are upgrading an existing Rails 6 app (with `devise` and `devise-two-factor`) to Rails 7.
 
 This gem must be upgraded **as part of a Rails 7 upgrade**. See [the official Rails upgrading guide](https://guides.rubyonrails.org/upgrading_ruby_on_rails.html) for an overview of upgrading Rails.
 
-#### Phase 1: Upgrading devise-two-factor as part of Rails 7 upgrade
+### Phase 1: Upgrading devise-two-factor as part of Rails 7 upgrade
 
 1. Update the version constraint for Rails in your `Gemfile` to your desired version e.g. `gem "rails", "~> 7.0.3"`
 1. Run `bundle install` and resolve any issues with dependencies.
@@ -59,7 +73,7 @@ This gem must be upgraded **as part of a Rails 7 upgrade**. See [the official Ra
     ```
 1. Add a `legacy_otp_secret` method to your user model e.g. `User`.
   * This method is used by the gem to find and decode the OTP secret from the legacy database columns.
-  * The implementation shown below works if you set up devise-two-factor with the settings suggested in the [README](./README.md).
+  * The implementation shown below works if you set up devise-two-factor with the settings suggested in the [OLD README](https://github.com/devise-two-factor/devise-two-factor/blob/8d74f5ee45594bf00e60d5d49eb6fcde82c2d2ba/README.md).
   * If you have customised the encryption scheme used to store the OTP secret then you will need to update this method to match.
   * If you are unsure, you should try the method below as is, and if you can still sign in users with OTP enabled then all is well.
     ```ruby
@@ -87,7 +101,7 @@ This gem must be upgraded **as part of a Rails 7 upgrade**. See [the official Ra
         cipher_text = raw_cipher_text[0..-17]
         auth_tag =  raw_cipher_text[-16..-1]
 
-        # this alrorithm lifted from
+        # this algorithm lifted from
         # https://github.com/attr-encrypted/encryptor/blob/master/lib/encryptor.rb#L54
 
         # create an OpenSSL object which will decrypt the AES cipher with 256 bit
@@ -101,7 +115,7 @@ This gem must be upgraded **as part of a Rails 7 upgrade**. See [the official Ra
         cipher.decrypt
 
         # Use a Password-Based Key Derivation Function to generate the key actually
-        # used for encryptoin from the key we got as input.
+        # used for encryption from the key we got as input.
         cipher.key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(key, salt, hmac_iterations, cipher.key_len)
 
         # set the Initialization Vector (IV)
@@ -149,7 +163,7 @@ You can now deploy your upgraded application and devise-two-factor should work a
 
 This gem will fall back to **reading** the OTP secret from the legacy columns if it cannot find one in the new `otp_secret` column. When you **write** a new OTP secret it will always be written to the new `otp_secret` column.
 
-#### Phase 2: Clean up
+### Phase 2: Clean up
 
 This "clean up" phase can happen at the same time as your initial deployment but teams managing existing apps will likely want to do clean-up as separate, later deployments.
 
@@ -190,8 +204,17 @@ This "clean up" phase can happen at the same time as your initial deployment but
       end
     end
     ```
+1. Remove `otp_secret_encryption_key` from the model setup. This also assumes you successfully ran the rake task in step 1.
+    ```ruby
+    # from this:
+    devise :two_factor_authenticatable,
+        otp_secret_encryption_key: ENV['YOUR_ENCRYPTION_KEY_HERE']
+
+    # to this:
+    devise :two_factor_authenticatable
+    ```
 
-# Guide to upgrading from 2.x to 3.x
+## Upgrading from 2.x to 3.x
 
 Pull request #76 allows for compatibility with `attr_encrypted` 3.0, which should be used due to a security vulnerability discovered in 2.0.
 
@@ -211,7 +234,7 @@ class User < ActiveRecord::Base
          :otp_secret_encryption_key => ENV['DEVISE_TWO_FACTOR_ENCRYPTION_KEY']
 ```
 
-# Guide to upgrading from 1.x to 2.x
+## Upgrading from 1.x to 2.x
 
 Pull request #43 added a new field to protect against "shoulder-surfing" attacks. If upgrading, you'll need to add the `:consumed_timestep` column to your `Users` model.
 

data/devise-two-factor.gemspec

@@ -5,12 +5,11 @@ Gem::Specification.new do |s|
   s.name        = 'devise-two-factor'
   s.version     = DeviseTwoFactor::VERSION.dup
   s.platform    = Gem::Platform::RUBY
-  s.licenses    = ['MIT']
+  s.license     = 'MIT'
   s.summary     = 'Barebones two-factor authentication with Devise'
-  s.email       = 'engineers@tinfoilsecurity.com'
-  s.homepage    = 'https://github.com/tinfoil/devise-two-factor'
-  s.description = 'Barebones two-factor authentication with Devise'
-  s.authors     = ['Shane Wilton']
+  s.homepage    = 'https://github.com/devise-two-factor/devise-two-factor'
+  s.description = 'Devise-Two-Factor is a minimalist extension to Devise which offers support for two-factor authentication through the TOTP scheme.'
+  s.authors     = ['Quinn Wilton']
 
   s.cert_chain  = [
                     'certs/tinfoil-cacert.pem',
@@ -31,5 +30,4 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'bundler',    '> 1.0'
   s.add_development_dependency 'rspec',      '> 3'
   s.add_development_dependency 'simplecov'
-  s.add_development_dependency 'faker'
 end

data/gemfiles/rails_7.0.gemfile

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "railties", "~> 7.0"
-gem "activesupport", "~> 7.0"
+gem "railties", "~> 7.0.0"
+gem "activesupport", "~> 7.0.0"
 
 gemspec path: "../"

data/gemfiles/{rails_4.1.gemfile → rails_7.1.gemfile}

@@ -2,7 +2,7 @@
 
 source "https://rubygems.org"
 
-gem "railties", "~> 4.1"
-gem "activesupport", "~> 4.1"
+gem "railties", "~> 7.1.0"
+gem "activesupport", "~> 7.1.0"
 
 gemspec path: "../"

data/lib/devise-two-factor.rb

@@ -3,9 +3,10 @@ require 'devise_two_factor/models'
 require 'devise_two_factor/strategies'
 
 module Devise
-  # The length of generated OTP secrets
+  # The length of randomly generated OTP shared secret (in bytes).
+  # The secrets will be base32-encoded and have a length 1.6 times the configured value.
   mattr_accessor :otp_secret_length
-  @@otp_secret_length = 24
+  @@otp_secret_length = 20
 
   # The number of seconds before and after the current
   # time for which codes will be accepted
@@ -20,7 +21,8 @@ module Devise
   mattr_accessor :otp_encrypted_attribute_options
   @@otp_encrypted_attribute_options = {}
 
-  # The length of all generated OTP backup codes
+  # The length of randomly generated OTP backup codes (in bytes).
+  # The codes will be hex-encoded and have a length twice the configured value.
   mattr_accessor :otp_backup_code_length
   @@otp_backup_code_length = 16
 
@@ -31,7 +33,7 @@ module Devise
 end
 
 Devise.add_module(:two_factor_authenticatable, :route => :session, :strategy => true,
-                  :controller => :sessions, :model  => true)
+                  :controller => :sessions, :model  => true, :insert_at => 0)
 
 Devise.add_module(:two_factor_backupable, :route => :session, :strategy => true,
                   :controller => :sessions, :model  => true)

data/lib/devise_two_factor/models/two_factor_authenticatable.rb

@@ -81,7 +81,8 @@ module Devise
       def consume_otp!
         if self.consumed_timestep != current_otp_timestep
           self.consumed_timestep = current_otp_timestep
-          return save(validate: false)
+          save!(validate: false)
+          return true
         end
 
         false
@@ -93,8 +94,9 @@ module Devise
                                     :otp_encrypted_attribute_options,
                                     :otp_secret_encryption_key)
 
+        # Geneartes an OTP secret of the specified length, returning it after Base32 encoding.
         def generate_otp_secret(otp_secret_length = self.otp_secret_length)
-          ROTP::Base32.random_base32(otp_secret_length)
+          ROTP::Base32.random(otp_secret_length)
         end
 
         # Return value will be splatted with ** so return a version of the

data/lib/devise_two_factor/models/two_factor_backupable.rb

@@ -20,7 +20,7 @@ module Devise
         code_length     = self.class.otp_backup_code_length
 
         number_of_codes.times do
-          codes << SecureRandom.hex(code_length / 2) # Hexstring has length 2*n
+          codes << SecureRandom.hex(code_length)
         end
 
         hashed_codes = codes.map { |code| Devise::Encryptor.digest(self.class, code) }
@@ -30,7 +30,7 @@ module Devise
       end
 
       # Returns true and invalidates the given code
-      # iff that code is a valid backup code.
+      # if that code is a valid backup code.
       def invalidate_otp_backup_code!(code)
         codes = self.otp_backup_codes || []
 
@@ -39,6 +39,7 @@ module Devise
 
           codes.delete(backup_code)
           self.otp_backup_codes = codes
+          save!(validate: false)
           return true
         end
 

data/lib/devise_two_factor/spec_helpers/two_factor_authenticatable_shared_examples.rb

@@ -13,8 +13,8 @@ RSpec.shared_examples 'two_factor_authenticatable' do
   end
 
   describe '#otp_secret' do
-    it 'should be of the configured length' do
-      expect(subject.otp_secret.length).to eq(subject.class.otp_secret_length)
+    it 'should be of the expected length' do
+      expect(subject.otp_secret.length).to eq(subject.class.otp_secret_length*8/5)
     end
   end
 
@@ -125,15 +125,15 @@ RSpec.shared_examples 'two_factor_authenticatable' do
 
   describe '#otp_provisioning_uri' do
     let(:otp_secret_length) { subject.class.otp_secret_length }
-    let(:account)           { Faker::Internet.email }
+    let(:account)           { 'user@host.example' }
     let(:issuer)            { 'Tinfoil' }
 
     it 'should return uri with specified account' do
-      expect(subject.otp_provisioning_uri(account)).to match(%r{otpauth://totp/#{CGI.escape(account)}\?secret=\w{#{otp_secret_length}}})
+      expect(subject.otp_provisioning_uri(account)).to match(%r{otpauth://totp/#{CGI.escape(account)}\?secret=\w{#{otp_secret_length*8/5}}})
     end
 
     it 'should return uri with issuer option' do
-      expect(subject.otp_provisioning_uri(account, issuer: issuer)).to match(%r{otpauth://totp/#{issuer}:#{CGI.escape(account)}\?.*secret=\w{#{otp_secret_length}}(&|$)})
+      expect(subject.otp_provisioning_uri(account, issuer: issuer)).to match(%r{otpauth://totp/#{issuer}:#{CGI.escape(account)}\?.*secret=\w{#{otp_secret_length*8/5}}(&|$)})
       expect(subject.otp_provisioning_uri(account, issuer: issuer)).to match(%r{otpauth://totp/#{issuer}:#{CGI.escape(account)}\?.*issuer=#{issuer}(&|$)})
     end
   end

data/lib/devise_two_factor/spec_helpers/two_factor_backupable_shared_examples.rb

@@ -17,7 +17,7 @@ RSpec.shared_examples 'two_factor_backupable' do
 
       it 'generates recovery codes of the correct length' do
         @plaintext_codes.each do |code|
-          expect(code.length).to eq(subject.class.otp_backup_code_length)
+          expect(code.length).to eq(subject.class.otp_backup_code_length*2)
         end
       end
 
@@ -34,7 +34,7 @@ RSpec.shared_examples 'two_factor_backupable' do
     end
 
     context 'with existing recovery codes' do
-      let(:old_codes)        { Faker::Lorem.words }
+      let(:old_codes)        { ['adam', 'betty', 'charles'] }
       let(:old_codes_hashed) { old_codes.map { |x| Devise::Encryptor.digest(subject.class, x) } }
 
       before do

data/lib/devise_two_factor/strategies/two_factor_authenticatable.rb

@@ -21,7 +21,7 @@ module Devise
 
       def validate_otp(resource)
         return true unless resource.otp_required_for_login
-        return if params[scope]['otp_attempt'].nil?
+        return if params[scope].nil? || params[scope]['otp_attempt'].nil?
         resource.validate_and_consume_otp!(params[scope]['otp_attempt'])
       end
     end

data/lib/devise_two_factor/strategies/two_factor_backupable.rb

@@ -6,9 +6,6 @@ module Devise
         resource = mapping.to.find_for_database_authentication(authentication_hash)
 
         if validate(resource) { resource.invalidate_otp_backup_code!(params[scope]['otp_attempt']) }
-          # Devise fails to authenticate invalidated resources, but if we've
-          # gotten here, the object changed (Since we deleted a recovery code)
-          resource.save!
           super
         end
 

data/lib/devise_two_factor/version.rb

@@ -1,3 +1,3 @@
 module DeviseTwoFactor
-  VERSION = '5.0.0'.freeze
+  VERSION = '6.0.0'.freeze
 end

data/spec/devise/models/two_factor_authenticatable_spec.rb

@@ -18,13 +18,17 @@ class TwoFactorAuthenticatableDouble
 
   attr_accessor :consumed_timestep
 
-  def save(validate)
+  def save!(_)
     # noop for testing
     true
   end
 end
 
 describe ::Devise::Models::TwoFactorAuthenticatable do
+  it 'should be inserted prior to other devise modules' do
+    expect(Devise::ALL.first).to eq(:two_factor_authenticatable)
+  end
+
   context 'When included in a class' do
     subject { TwoFactorAuthenticatableDouble.new }
 

data/spec/devise/models/two_factor_backupable_spec.rb

@@ -17,6 +17,10 @@ class TwoFactorBackupableDouble
   devise :two_factor_authenticatable, :two_factor_backupable
 
   attr_accessor :otp_backup_codes
+
+  def save!(_)
+    true
+  end
 end
 
 describe ::Devise::Models::TwoFactorBackupable do

data/spec/spec_helper.rb

@@ -18,7 +18,6 @@ $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 
 require 'rspec'
-require 'faker'
 require 'devise-two-factor'
 require 'devise_two_factor/spec_helpers'
 

metadata

@@ -1,10 +1,10 @@
 --- !ruby/object:Gem::Specification
 name: devise-two-factor
 version: !ruby/object:Gem::Version
-  version: 5.0.0
+  version: 6.0.0
 platform: ruby
 authors:
-- Shane Wilton
+- Quinn Wilton
 autorequire:
 bindir: bin
 cert_chain:
@@ -86,7 +86,7 @@ cert_chain:
   vqIDv6JBG9I16h/HhchntKfM58MI1bNZFBSdZqYOJiL8JIjP8HNIk76Y366ppG29
   EhBYYg==
   -----END CERTIFICATE-----
-date: 2022-07-11 00:00:00.000000000 Z
+date: 2024-09-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -214,28 +214,17 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: faker
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-description: Barebones two-factor authentication with Devise
-email: engineers@tinfoilsecurity.com
+description: Devise-Two-Factor is a minimalist extension to Devise which offers support
+  for two-factor authentication through the TOTP scheme.
+email:
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
 - ".gitignore"
+- ".markdownlint.json"
 - ".rspec"
 - Appraisals
 - CHANGELOG.md
@@ -244,18 +233,13 @@ files:
 - LICENSE
 - README.md
 - Rakefile
+- SECURITY.md
 - UPGRADING.md
 - certs/tinfoil-cacert.pem
 - certs/tinfoilsecurity-gems-cert.pem
 - devise-two-factor.gemspec
-- gemfiles/rails_4.1.gemfile
-- gemfiles/rails_4.2.gemfile
-- gemfiles/rails_5.0.gemfile
-- gemfiles/rails_5.1.gemfile
-- gemfiles/rails_5.2.gemfile
-- gemfiles/rails_6.0.gemfile
-- gemfiles/rails_6.1.gemfile
 - gemfiles/rails_7.0.gemfile
+- gemfiles/rails_7.1.gemfile
 - lib/devise-two-factor.rb
 - lib/devise_two_factor/models.rb
 - lib/devise_two_factor/models/two_factor_authenticatable.rb
@@ -271,7 +255,7 @@ files:
 - spec/devise/models/two_factor_authenticatable_spec.rb
 - spec/devise/models/two_factor_backupable_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/tinfoil/devise-two-factor
+homepage: https://github.com/devise-two-factor/devise-two-factor
 licenses:
 - MIT
 metadata: {}
@@ -290,7 +274,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: Barebones two-factor authentication with Devise

data/gemfiles/rails_4.2.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 4.2"
-gem "activesupport", "~> 4.2"
-
-gemspec path: "../"

data/gemfiles/rails_5.0.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 5.0"
-gem "activesupport", "~> 5.0"
-
-gemspec path: "../"

data/gemfiles/rails_5.1.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 5.1"
-gem "activesupport", "~> 5.1"
-
-gemspec path: "../"

data/gemfiles/rails_5.2.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 5.2"
-gem "activesupport", "~> 5.2"
-
-gemspec path: "../"

data/gemfiles/rails_6.0.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 6.0"
-gem "activesupport", "~> 6.0"
-
-gemspec path: "../"

data/gemfiles/rails_6.1.gemfile

@@ -1,8 +0,0 @@
-# This file was generated by Appraisal
-
-source "https://rubygems.org"
-
-gem "railties", "~> 6.1"
-gem "activesupport", "~> 6.1"
-
-gemspec path: "../"