devise-two-factor 5.1.0 → 6.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c55843526e6b06f1804f07a6c38bd6a247006d90ba43a5f6659cb8c0f98d53ff
-  data.tar.gz: e0e67eab0624fa0fa88f9719afbbc1da169bcf280f60d249efd96bc98ad10629
+  metadata.gz: 4513e96354e689136149f21dbd447785cc74113a66725bed6153e44758a1709b
+  data.tar.gz: 9e83133ebdc4166577129276188688780aeec065a5fead7861073496210215e9
 SHA512:
-  metadata.gz: cc10ef88ba898b09fd310dc3015853027b8120915d35c2c491dad9976d5809981486efc4d49e4d44abdbf01573ca643de31029a279bffc43609b92e8101cf0eb
-  data.tar.gz: 2dd29e26cc88edcea8044f6acf22d55275550d9d5c02cbc07337f1509b7b61de766b9e2ab6f1cc436ee569c016fea51130b4bff42853088807c576e2c363f9d0
+  metadata.gz: a119f4f3f825409f6cea77f934fe7e35fa741dfb1b242c33a59dd523eb43ef2270b3dda80d1403f4baf7ade03271bbd4b145d21c6c390eeb223e00f0aadb6d29
+  data.tar.gz: 0f31866cb9c1523ff94095d2b43cf819d2a06a658a2dad94383d93e4c6c47d9e791092090cf8063f351c7727df6f2146e4bf22bf5a204c0b1f80aaf8a4fec3fb

data/.github/workflows/ci.yml

@@ -12,14 +12,21 @@ jobs:
       fail-fast: false
       matrix:
         # Due to https://github.com/actions/runner/issues/849, we should quote versions
-        ruby: ['3.1', '3.2', '3.3', 'truffleruby-head']
-        rails: ['7.0', '7.1']
+        ruby: ['3.1', '3.2', '3.3', '3.4', 'truffleruby-head']
+        rails: ['7.0', '7.1', '7.2', '8.0', '8.1']
+        exclude:
+          - ruby: '3.1'
+            rails: '8.0'
+          - ruby: '3.1'
+            rails: '8.1'
+          - ruby: '3.4'
+            rails: '7.0'
 
     name: Ruby ${{ matrix.ruby }}, Rails ${{ matrix.rails }}
     env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
       BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/rails_${{ matrix.rails }}.gemfile
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:

data/.github/workflows/push.yml

@@ -0,0 +1,28 @@
+name: Push Gem
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  deployment:
+    name: Push gem to RubyGems.org
+    environment: RubyGems
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+      contents: write # IMPORTANT: this permission is required for `rake release` to push the release tag
+
+    steps:
+      # Set up
+      - uses: actions/checkout@v6
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+          ruby-version: ruby
+
+      # Release
+      - uses: rubygems/release-gem@v1

data/.markdownlint.json

@@ -0,0 +1,6 @@
+{
+  "MD026": false,
+  "MD029": false,
+  "MD031": false,
+  "MD034": false
+}

data/Appraisals

@@ -1,39 +1,24 @@
-appraise "rails-4.1" do
-  gem 'railties', '~> 4.1'
-  gem 'activesupport', '~> 4.1'
-end
-
-appraise "rails-4.2" do
-  gem 'railties', '~> 4.2'
-  gem 'activesupport', '~> 4.2'
-end
-
-appraise "rails-5.0" do
-  gem 'railties', '~> 5.0'
-  gem 'activesupport', '~> 5.0'
-end
-
-appraise "rails-5.1" do
-  gem 'railties', '~> 5.1'
-  gem 'activesupport', '~> 5.1'
+appraise "rails-7.0" do
+  gem 'railties', '~> 7.0.0'
+  gem 'activesupport', '~> 7.0.0'
 end
 
-appraise "rails-5.2" do
-  gem 'railties', '~> 5.2'
-  gem 'activesupport', '~> 5.2'
+appraise "rails-7.1" do
+  gem 'railties', '~> 7.1.0'
+  gem 'activesupport', '~> 7.1.0'
 end
 
-appraise "rails-6.0" do
-  gem 'railties', '~> 6.0'
-  gem 'activesupport', '~> 6.0'
+appraise "rails-7.2" do
+  gem 'railties', '~> 7.2.0'
+  gem 'activesupport', '~> 7.2.0'
 end
 
-appraise "rails-6.1" do
-  gem 'railties', '~> 6.1'
-  gem 'activesupport', '~> 6.1'
+appraise "rails-8.0" do
+  gem 'railties', '~> 8.0.0'
+  gem 'activesupport', '~> 8.0.0'
 end
 
-appraise "rails-7.0" do
-  gem 'railties', '~> 7.0'
-  gem 'activesupport', '~> 7.0'
+appraise "rails-8.1" do
+  gem 'railties', '8.1.0'
+  gem 'activesupport', '8.1.0'
 end

data/CHANGELOG.md

@@ -2,6 +2,24 @@
 
 ## Unreleased
 
+## 6.3.0
+
+- Fixed timing to be consistent when Devise paranoid mode is active.
+
+## 6.2.0
+
+- Rails 8.1 support
+
+## 6.1.0
+
+- Rails 8 support
+
+## 6.0.0
+
+**Breaking Changes**
+- `otp_secret_length` and `otp_backup_code_length` options have changed to be the number of random bytes that are generated. See [UPGRADING.md](UPGRADING.md).
+- `consume_otp!` and `invalidate_otp_backup_code!` now call `save!` instead of `save`. See [UPGRADING.md](UPGRADING.md).
+
 ## 5.1.0
 
 - Remove faker dev dependency

data/README.md

@@ -15,9 +15,7 @@ We welcome pull requests, bug reports, and other contributions. We're especially
 
 ## Example App
 
-An example Rails 4 application is provided in the `demo` directory. It showcases a minimal example of Devise-Two-Factor in action, and can act as a reference for integrating the gem into your own application.
-
-For the demo app to work, create an encryption key and store it as an environment variable. One way to do this is to create a file named `local_env.yml` in the application root. Set the value of `ENCRYPTION_KEY` in the YML file. That value will be loaded into the application environment by `application.rb`.
+See [examples](demo/README.md).
 
 ## Getting Started
 
@@ -84,7 +82,7 @@ This generator will:
 
 1. Edit `app/models/MODEL.rb` (where MODEL is your model name):
     * add the `:two_factor_authenticatable` devise module
-    * remove the `:database_authenticatable` if present because it is incompatible with `:two_factor_authenticatable`
+    * remove the `:database_authenticatable` devise module, if present; having both modules enabled will lead to issues described below.
 1. Add a Warden config block to your Devise initializer, which enables the strategies required for two-factor authentication.
 
 Remember to apply the new migration after you run the generator:
@@ -109,9 +107,9 @@ Next you need to whitelist `:otp_attempt` as a permitted parameter in Devise `:s
   end
 ```
 
-Finally you should verify that `:database_authenticatable` is **not** being loaded by your model. The generator will try to remove it, but if you have a non-standard Devise setup, this step may fail.
+Finally you should verify that `:database_authenticatable` is **not** being loaded by your model. The generator will try to remove it, but if you have a non-standard Devise setup, this step may fail. `:two_factor_authenticatable` includes all of `:database_authenticatable`'s functionality; it will still allow login without two-factor authentication until you enable it on your model's records with `otp_required_for_login`.
 
-**Loading both `:database_authenticatable` and `:two_factor_authenticatable` in a model is a security issue** It will allow users to bypass two-factor authenticatable due to the way Warden handles cascading strategies!
+**Loading both `:database_authenticatable` and `:two_factor_authenticatable` in a model is a security issue.** It will allow users to bypass two-factor authentication regardless of how `otp_required_for_login` is set due to the way Warden handles cascading strategies!
 
 ## Designing Your Workflow
 
@@ -157,10 +155,7 @@ At Tinfoil Security, we opted to use the excellent [rqrcode-rails3](https://gith
 If you decide to do this you'll need to generate a URI to act as the source for the QR code. This can be done using the `User#otp_provisioning_uri` method.
 
 ```ruby
-issuer = 'Your App'
-label = "#{issuer}:#{current_user.email}"
-
-current_user.otp_provisioning_uri(label, issuer: issuer)
+current_user.otp_provisioning_uri(current_user.email, issuer: 'Your App')
 
 # > "otpauth://totp/Your%20App:user@example.com?secret=[otp_secret]&issuer=Your+App"
 ```
@@ -238,7 +233,7 @@ class AddDeviseTwoFactorBackupableToUsers < ActiveRecord::Migration
 end
 ```
 
-#### MySQL
+#### MySQL, SQL Server, other databases without an array string type
 
 ```ruby
 # migration

data/Rakefile

@@ -11,6 +11,8 @@ rescue Bundler::BundlerError => e
 end
 require 'rake'
 
+require 'bundler/gem_tasks'
+
 require 'rspec/core'
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new(:spec) do |spec|

data/SECURITY.md

@@ -2,4 +2,4 @@
 
 ## Reporting a Vulnerability
 
-Please report any vulnerabilities to the [Synopsys PSIRT](https://www.synopsys.com/company/legal/vulnerability-disclosure-policy.html).
+Please report any vulnerabilities to the [Black Duck PSIRT](psirt@blackduck.com).

data/UPGRADING.md

@@ -1,8 +1,25 @@
-# Upgrading from 4.x to 5.x
+# Upgrading
 
-## Background
+## Upgrading from 5.x to 6.x
 
-### Database columns in version 4.x and older
+### save!
+
+`consume_otp!` and `invalidate_otp_backup_code!` now call `save!` instead of `save` (or nothing at all in the case of `invalidate_otp_backup_code!`). If you manually called `save`/`save!` after calling `invalidate_otp_backup_code!` you may be able to remove it.
+
+### Secret Lengths
+
+The `otp_secret_length` and `otp_backup_code_length` options have changed to be the number of random bytes that are generated.
+If you had configured these values you may want to change them if you wish to keep the same output length.
+
+`otp_secret_length` now has a default value of 20, generating a 160 bit secret key with an output length length of 32 bytes.
+
+`otp_backup_code_length` now has a default value of 16, generating a 32 byte backup code.
+
+## Upgrading from 4.x to 5.x
+
+### Background
+
+#### Database columns in version 4.x and older
 
 Versions 4.x and older stored the OTP secret in an attribute called `encrypted_otp_secret` using the [attr_encrypted](https://github.com/attr-encrypted/attr_encrypted) gem. This gem is currently unmaintained which is part of the motivation for moving to Rails encrypted attributes. This attribute was backed by three database columns:
 
@@ -21,7 +38,7 @@ otp_required_for_login
 
 A fresh install of 4.x would create all five of the database columns above.
 
-### Database columns in version 5.x and later
+#### Database columns in version 5.x and later
 
 Versions 5+ of this gem uses a single [Rails 7+ encrypted attribute](https://edgeguides.rubyonrails.org/active_record_encryption.html) named `otp_secret`to store the OTP secret in the database table (usually `users` but will be whatever model you picked).
 
@@ -33,18 +50,15 @@ consumed_timestep
 otp_required_for_login
 ```
 
-### Upgrading from 4.x to 5.x
-
-
 We have attempted to make the upgrade as painless as possible but unfortunately because of the secret storage change, it cannot be as simple as `bundle update devise-two-factor` :heart:
 
-#### Assumptions
+### Assumptions
 
 This guide assumes you are upgrading an existing Rails 6 app (with `devise` and `devise-two-factor`) to Rails 7.
 
 This gem must be upgraded **as part of a Rails 7 upgrade**. See [the official Rails upgrading guide](https://guides.rubyonrails.org/upgrading_ruby_on_rails.html) for an overview of upgrading Rails.
 
-#### Phase 1: Upgrading devise-two-factor as part of Rails 7 upgrade
+### Phase 1: Upgrading devise-two-factor as part of Rails 7 upgrade
 
 1. Update the version constraint for Rails in your `Gemfile` to your desired version e.g. `gem "rails", "~> 7.0.3"`
 1. Run `bundle install` and resolve any issues with dependencies.
@@ -149,7 +163,7 @@ You can now deploy your upgraded application and devise-two-factor should work a
 
 This gem will fall back to **reading** the OTP secret from the legacy columns if it cannot find one in the new `otp_secret` column. When you **write** a new OTP secret it will always be written to the new `otp_secret` column.
 
-#### Phase 2: Clean up
+### Phase 2: Clean up
 
 This "clean up" phase can happen at the same time as your initial deployment but teams managing existing apps will likely want to do clean-up as separate, later deployments.
 
@@ -200,7 +214,7 @@ This "clean up" phase can happen at the same time as your initial deployment but
     devise :two_factor_authenticatable
     ```
 
-# Guide to upgrading from 2.x to 3.x
+## Upgrading from 2.x to 3.x
 
 Pull request #76 allows for compatibility with `attr_encrypted` 3.0, which should be used due to a security vulnerability discovered in 2.0.
 
@@ -220,7 +234,7 @@ class User < ActiveRecord::Base
          :otp_secret_encryption_key => ENV['DEVISE_TWO_FACTOR_ENCRYPTION_KEY']
 ```
 
-# Guide to upgrading from 1.x to 2.x
+## Upgrading from 1.x to 2.x
 
 Pull request #43 added a new field to protect against "shoulder-surfing" attacks. If upgrading, you'll need to add the `:consumed_timestep` column to your `Users` model.
 

data/devise-two-factor.gemspec

@@ -11,18 +11,13 @@ Gem::Specification.new do |s|
   s.description = 'Devise-Two-Factor is a minimalist extension to Devise which offers support for two-factor authentication through the TOTP scheme.'
   s.authors     = ['Quinn Wilton']
 
-  s.cert_chain  = [
-                    'certs/tinfoil-cacert.pem',
-                    'certs/tinfoilsecurity-gems-cert.pem'
-                  ]
-  s.signing_key = File.expand_path("~/.ssh/tinfoilsecurity-gems-key.pem") if $0 =~ /gem\z/
   s.files         = `git ls-files`.split("\n").delete_if { |x| x.match('demo/*') }
   s.test_files    = `git ls-files -- spec/*`.split("\n")
   s.require_paths = ['lib']
 
-  s.add_runtime_dependency 'railties',       '~> 7.0'
-  s.add_runtime_dependency 'activesupport',  '~> 7.0'
-  s.add_runtime_dependency 'devise',         '~> 4.0'
+  s.add_runtime_dependency 'railties',       '>= 7.0', '< 8.2'
+  s.add_runtime_dependency 'activesupport',  '>= 7.0', '< 8.2'
+  s.add_runtime_dependency 'devise',         '>= 4.0', '< 5.0'
   s.add_runtime_dependency 'rotp',           '~> 6.0'
 
   s.add_development_dependency 'activemodel'
@@ -30,4 +25,5 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'bundler',    '> 1.0'
   s.add_development_dependency 'rspec',      '> 3'
   s.add_development_dependency 'simplecov'
+  s.add_development_dependency 'rake', '~> 13'
 end

data/gemfiles/rails_7.2.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "railties", "~> 7.2.0"
+gem "activesupport", "~> 7.2.0"
+
+gemspec path: "../"

data/gemfiles/rails_8.0.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "railties", "~> 8.0.0"
+gem "activesupport", "~> 8.0.0"
+
+gemspec path: "../"

data/gemfiles/rails_8.1.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "railties", "8.1.0"
+gem "activesupport", "8.1.0"
+
+gemspec path: "../"

data/lib/devise-two-factor.rb

@@ -1,11 +1,13 @@
+require 'logger'
 require 'devise'
 require 'devise_two_factor/models'
 require 'devise_two_factor/strategies'
 
 module Devise
-  # The length of generated OTP secrets
+  # The length of randomly generated OTP shared secret (in bytes).
+  # The secrets will be base32-encoded and have a length 1.6 times the configured value.
   mattr_accessor :otp_secret_length
-  @@otp_secret_length = 24
+  @@otp_secret_length = 20
 
   # The number of seconds before and after the current
   # time for which codes will be accepted
@@ -20,7 +22,8 @@ module Devise
   mattr_accessor :otp_encrypted_attribute_options
   @@otp_encrypted_attribute_options = {}
 
-  # The length of all generated OTP backup codes
+  # The length of randomly generated OTP backup codes (in bytes).
+  # The codes will be hex-encoded and have a length twice the configured value.
   mattr_accessor :otp_backup_code_length
   @@otp_backup_code_length = 16
 

data/lib/devise_two_factor/models/two_factor_authenticatable.rb

@@ -41,12 +41,11 @@ module Devise
 
         if self.consumed_timestep
           # reconstruct the timestamp of the last consumed timestep
-          after_timestamp = self.consumed_timestep * otp.interval
+          after_timestamp = self.consumed_timestep * totp.interval
         end
 
-        if totp.verify(code.gsub(/\s+/, ""), drift_behind: self.class.otp_allowed_drift, drift_ahead: self.class.otp_allowed_drift, after: after_timestamp)
-          return consume_otp!
-        end
+        timestamp = totp.verify(code.gsub(/\s+/, ""), drift_behind: self.class.otp_allowed_drift, drift_ahead: self.class.otp_allowed_drift, after: after_timestamp)
+        return consume_otp!(totp, timestamp) if timestamp
 
         false
       end
@@ -59,11 +58,6 @@ module Devise
         otp.at(Time.now)
       end
 
-      # ROTP's TOTP#timecode is private, so we duplicate it here
-      def current_otp_timestep
-         Time.now.utc.to_i / otp.interval
-      end
-
       def otp_provisioning_uri(account, options = {})
         otp_secret = options[:otp_secret] || self.otp_secret
         ROTP::TOTP.new(otp_secret, options).provisioning_uri(account)
@@ -78,10 +72,14 @@ module Devise
 
       # An OTP cannot be used more than once in a given timestep
       # Storing timestep of last valid OTP is sufficient to satisfy this requirement
-      def consume_otp!
-        if self.consumed_timestep != current_otp_timestep
-          self.consumed_timestep = current_otp_timestep
-          return save(validate: false)
+      def consume_otp!(otp, timestamp)
+        timestep = timestamp / otp.interval
+
+        if self.consumed_timestep != timestep
+          self.consumed_timestep = timestep
+          save!(validate: false)
+
+          return true
         end
 
         false
@@ -93,8 +91,9 @@ module Devise
                                     :otp_encrypted_attribute_options,
                                     :otp_secret_encryption_key)
 
+        # Geneartes an OTP secret of the specified length, returning it after Base32 encoding.
         def generate_otp_secret(otp_secret_length = self.otp_secret_length)
-          ROTP::Base32.random_base32(otp_secret_length)
+          ROTP::Base32.random(otp_secret_length)
         end
 
         # Return value will be splatted with ** so return a version of the

data/lib/devise_two_factor/models/two_factor_backupable.rb

@@ -20,7 +20,7 @@ module Devise
         code_length     = self.class.otp_backup_code_length
 
         number_of_codes.times do
-          codes << SecureRandom.hex(code_length / 2) # Hexstring has length 2*n
+          codes << SecureRandom.hex(code_length)
         end
 
         hashed_codes = codes.map { |code| Devise::Encryptor.digest(self.class, code) }
@@ -34,11 +34,15 @@ module Devise
       def invalidate_otp_backup_code!(code)
         codes = self.otp_backup_codes || []
 
+        # Should we still have some other kind of non iterable result, terminate.
+        raise TypeError.new("`otp_backup_codes` is expected to be an Array, got #{codes.class.name}. Hint: If your database does not support arrays, does your model correctly `serialize :otp_backup_codes, Array`?") unless codes.is_a?(Array)
+
         codes.each do |backup_code|
           next unless Devise::Encryptor.compare(self.class, backup_code, code)
 
           codes.delete(backup_code)
           self.otp_backup_codes = codes
+          save!(validate: false)
           return true
         end
 

data/lib/devise_two_factor/spec_helpers/two_factor_authenticatable_shared_examples.rb

@@ -13,8 +13,8 @@ RSpec.shared_examples 'two_factor_authenticatable' do
   end
 
   describe '#otp_secret' do
-    it 'should be of the configured length' do
-      expect(subject.otp_secret.length).to eq(subject.class.otp_secret_length)
+    it 'should be of the expected length' do
+      expect(subject.otp_secret.length).to eq(subject.class.otp_secret_length*8/5)
     end
   end
 
@@ -129,11 +129,11 @@ RSpec.shared_examples 'two_factor_authenticatable' do
     let(:issuer)            { 'Tinfoil' }
 
     it 'should return uri with specified account' do
-      expect(subject.otp_provisioning_uri(account)).to match(%r{otpauth://totp/#{CGI.escape(account)}\?secret=\w{#{otp_secret_length}}})
+      expect(subject.otp_provisioning_uri(account)).to match(%r{otpauth://totp/#{CGI.escape(account)}\?secret=\w{#{otp_secret_length*8/5}}})
     end
 
     it 'should return uri with issuer option' do
-      expect(subject.otp_provisioning_uri(account, issuer: issuer)).to match(%r{otpauth://totp/#{issuer}:#{CGI.escape(account)}\?.*secret=\w{#{otp_secret_length}}(&|$)})
+      expect(subject.otp_provisioning_uri(account, issuer: issuer)).to match(%r{otpauth://totp/#{issuer}:#{CGI.escape(account)}\?.*secret=\w{#{otp_secret_length*8/5}}(&|$)})
       expect(subject.otp_provisioning_uri(account, issuer: issuer)).to match(%r{otpauth://totp/#{issuer}:#{CGI.escape(account)}\?.*issuer=#{issuer}(&|$)})
     end
   end

data/lib/devise_two_factor/spec_helpers/two_factor_backupable_shared_examples.rb

@@ -17,7 +17,7 @@ RSpec.shared_examples 'two_factor_backupable' do
 
       it 'generates recovery codes of the correct length' do
         @plaintext_codes.each do |code|
-          expect(code.length).to eq(subject.class.otp_backup_code_length)
+          expect(code.length).to eq(subject.class.otp_backup_code_length*2)
         end
       end
 
@@ -49,38 +49,66 @@ RSpec.shared_examples 'two_factor_backupable' do
   end
 
   describe '#invalidate_otp_backup_code!' do
-    before do
-      @plaintext_codes = subject.generate_otp_backup_codes!
-    end
 
-    context 'given an invalid recovery code' do
-      it 'returns false' do
-        expect(subject.invalidate_otp_backup_code!('password')).to be false
-      end
-    end
 
-    context 'given a valid recovery code' do
-      it 'returns true' do
-        @plaintext_codes.each do |code|
-          expect(subject.invalidate_otp_backup_code!(code)).to be true
+  describe "#invalidate_otp_backup_code!" do
+      context "with no backup codes" do
+        it "does nothing" do
+          expect(subject.invalidate_otp_backup_code!("foo")).to be false
         end
       end
 
-      it 'invalidates that recovery code' do
-        code = @plaintext_codes.sample
+      context "with an array of backup codes, newly generated" do
+        before do
+          @plaintext_codes = subject.generate_otp_backup_codes!
+        end
+
+        context 'given an invalid recovery code' do
+          it 'returns false' do
+            expect(subject.invalidate_otp_backup_code!('password')).to be false
+          end
+        end
+
+        context 'given a valid recovery code' do
+          it 'returns true' do
+            @plaintext_codes.each do |code|
+              expect(subject.invalidate_otp_backup_code!(code)).to be true
+            end
+          end
 
-        subject.invalidate_otp_backup_code!(code)
-        expect(subject.invalidate_otp_backup_code!(code)).to be false
+          it 'invalidates that recovery code' do
+            code = @plaintext_codes.sample
+
+            subject.invalidate_otp_backup_code!(code)
+            expect(subject.invalidate_otp_backup_code!(code)).to be false
+          end
+
+          it 'does not invalidate the other recovery codes' do
+            code = @plaintext_codes.sample
+            subject.invalidate_otp_backup_code!(code)
+
+            @plaintext_codes.delete(code)
+
+            @plaintext_codes.each do |code|
+              expect(subject.invalidate_otp_backup_code!(code)).to be true
+            end
+          end
+        end
       end
 
-      it 'does not invalidate the other recovery codes' do
-        code = @plaintext_codes.sample
-        subject.invalidate_otp_backup_code!(code)
+      context "with backup codes as a string" do
+        before do
+          @plaintext_codes = subject.generate_otp_backup_codes!
 
-        @plaintext_codes.delete(code)
+          # Simulates database adapters that don't understand `t.string :otp_backup_codes, type: array` properly
+          # such as SQL Server; and have just returned the serialized string still.
+          # and the user not having done:
+          # `serialize :otp_backup_codes, Array` in their model
+          subject.otp_backup_codes = subject.otp_backup_codes.to_json
+        end
 
-        @plaintext_codes.each do |code|
-          expect(subject.invalidate_otp_backup_code!(code)).to be true
+        it "raises a meaningful error" do
+          expect { subject.invalidate_otp_backup_code!("flork") }.to raise_error(TypeError)
         end
       end
     end

data/lib/devise_two_factor/strategies/two_factor_authenticatable.rb

@@ -4,12 +4,18 @@ module Devise
 
       def authenticate!
         resource = mapping.to.find_for_database_authentication(authentication_hash)
+
+        hashed = false
         # We authenticate in two cases:
         # 1. The password and the OTP are correct
         # 2. The password is correct, and OTP is not required for login
         # We check the OTP, then defer to DatabaseAuthenticatable
-        if validate(resource) { validate_otp(resource) }
+        if validate(resource) { hashed = true; validate_otp(resource) }
           super
+        else
+          # Paranoid mode: do the expensive hash even when resource is nil,
+          # to avoid timing-based user enumeration.
+          mapping.to.new.password = password if !hashed && Devise.paranoid
         end
 
         fail(Devise.paranoid ? :invalid : :not_found_in_database) unless resource

data/lib/devise_two_factor/strategies/two_factor_backupable.rb

@@ -5,10 +5,7 @@ module Devise
       def authenticate!
         resource = mapping.to.find_for_database_authentication(authentication_hash)
 
-        if validate(resource) { resource.invalidate_otp_backup_code!(params[scope]['otp_attempt']) }
-          # Devise fails to authenticate invalidated resources, but if we've
-          # gotten here, the object changed (Since we deleted a recovery code)
-          resource.save!
+        if validate(resource) { validate_backup_code(resource) }
           super
         end
 
@@ -18,6 +15,11 @@ module Devise
         # but database authenticatable automatically halts on a bad password
         @halted = false if @result == :failure
       end
+
+      def validate_backup_code(resource)
+        return if params[scope].nil? || params[scope]['otp_attempt'].nil?
+        resource.invalidate_otp_backup_code!(params[scope]['otp_attempt'])
+      end
     end
   end
 end

data/lib/devise_two_factor/version.rb

@@ -1,3 +1,3 @@
 module DeviseTwoFactor
-  VERSION = '5.1.0'.freeze
+  VERSION = '6.3.0'.freeze
 end

data/spec/devise/models/two_factor_authenticatable_spec.rb

@@ -18,7 +18,7 @@ class TwoFactorAuthenticatableDouble
 
   attr_accessor :consumed_timestep
 
-  def save(validate)
+  def save!(_)
     # noop for testing
     true
   end

data/spec/devise/models/two_factor_backupable_spec.rb

@@ -17,6 +17,10 @@ class TwoFactorBackupableDouble
   devise :two_factor_authenticatable, :two_factor_backupable
 
   attr_accessor :otp_backup_codes
+
+  def save!(_)
+    true
+  end
 end
 
 describe ::Devise::Models::TwoFactorBackupable do

metadata

@@ -1,135 +1,74 @@
 --- !ruby/object:Gem::Specification
 name: devise-two-factor
 version: !ruby/object:Gem::Version
-  version: 5.1.0
+  version: 6.3.0
 platform: ruby
 authors:
 - Quinn Wilton
-autorequire: 
 bindir: bin
-cert_chain:
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIHSjCCBTKgAwIBAgIJAK2u0LojMCNgMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
-  VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVBhbG8gQWx0bzEfMB0GA1UE
-  ChMWVGluZm9pbCBTZWN1cml0eSwgSW5jLjEfMB0GA1UEAxMWVGluZm9pbCBTZWN1
-  cml0eSwgSW5jLjEqMCgGCSqGSIb3DQEJARYbc3VwcG9ydEB0aW5mb2lsc2VjdXJp
-  dHkuY29tMB4XDTIxMDkwOTE4MjIwMFoXDTI1MDkwOTE4MjIwMFowgZwxCzAJBgNV
-  BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJUGFsbyBBbHRvMR8wHQYDVQQK
-  ExZUaW5mb2lsIFNlY3VyaXR5LCBJbmMuMR8wHQYDVQQDExZUaW5mb2lsIFNlY3Vy
-  aXR5LCBJbmMuMSowKAYJKoZIhvcNAQkBFhtzdXBwb3J0QHRpbmZvaWxzZWN1cml0
-  eS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCqbHvsSj0H0FB1
-  0gLYoDK1BKugkSB2DZeZZHP6B1UdWRahJXJP9oT1lhfQxx8iX4cgEi7JU3NqA6NR
-  cIRFQ50eH/qlmgs7909gaf8pDaeC0vR3wd0GeRg6qr1eDEnkzIyr/D1AMiX6H1eP
-  Y7J3SfrdaL3gft2iPRKGkgqsXR7oBNLA3n/ShiNgPXqRDl1CCj6aMY0cn5ROFScz
-  vT2FUB4DEwPD2l18m1p99OnXqsOLL2J65qA2+cI8FtgFmlwIi5oSf+URvIdNx+cH
-  lInlAtVHCvAKYLY0dlQ7czMQBcRpYjp2rwPt9f2ksq9b/voMTBABYHFV+IVn8svv
-  GZ5e1+icjtr/R7dCGmCdEdFLXVxafmZhukymG9USv9DKuv1qh7r4q8KaPIE8n7nQ
-  m97jENFfsgnwv+nUmIJ3tzuW5ZxO7A0tIIYdwzt0UjrO3ya4R5bTFXr4bnzZ/g/s
-  CLknWqg1BCRlPd6LnpVGPT0gNDV1pEO25wE3A3Yy0Ujxudcgay/CgUhnlU11qOAc
-  xmar2fhNZsviUhndd/220Ad5QMV2XzcAiopJIeu0juIVGRQM7x2h19Hsp0m6sOEF
-  jfhvbdUa4nvmIFeYFY+hr/YkTmG9ZjyBa8YaZXhwjhSmKCQ374J7mn5e0Cryuvi5
-  tYhwJn8rdwYZF/h2qqfEu8vaLoD09QIDAQABo4IBizCCAYcwHQYDVR0OBBYEFMmT
-  /x412UH+5OHqgleeTjLOv6iHMIHRBgNVHSMEgckwgcaAFMmT/x412UH+5OHqglee
-  TjLOv6iHoYGipIGfMIGcMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNV
-  BAcTCVBhbG8gQWx0bzEfMB0GA1UEChMWVGluZm9pbCBTZWN1cml0eSwgSW5jLjEf
-  MB0GA1UEAxMWVGluZm9pbCBTZWN1cml0eSwgSW5jLjEqMCgGCSqGSIb3DQEJARYb
-  c3VwcG9ydEB0aW5mb2lsc2VjdXJpdHkuY29tggkAra7QuiMwI2AwDwYDVR0TAQH/
-  BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAQYwCQYDVR0SBAIwADArBglghkgBhvhC
-  AQ0EHhYcVGlueUNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAmBgNVHREEHzAdgRtz
-  dXBwb3J0QHRpbmZvaWxzZWN1cml0eS5jb20wDgYDVR0PAQH/BAQDAgEGMA0GCSqG
-  SIb3DQEBBQUAA4ICAQBZy4JJSmwLuO0nZbdr4tJeVS2P8bcGi6PzAcdzVfwzjp6n
-  5qf8m4O8my4lnJieom0GrWSHQoPY1Yur4hEoZbugKO9DWZL3dTiGcrgw0TbQ6Gtq
-  TTPatW3LA21qFJwvohSvLqPdmZuM+H9g49sdl2kNTDVI6iUyMYuNpL14aPKPGBFo
-  o7UjciT1h7JtJl9b/fXrbPeRHBwpZXWeipiPGv/OZW5KnOsNlUkTquS7Zj4ETkIC
-  6mVtmsLvq+YwFthFyMU37pXwYxcmqRmH6lX+XC6AVW5oO4GBmG+Zr/Z+h5Cih5ca
-  /mX88RkO+dGTjw1IdxKmxOqKL62OBATKrTDJ/scsmRptynA4TunYW+7ikOpDbPfL
-  l18aleLISlcgWJg/Czf2nmBqAClPLnhV8qxWsvt58MQQ/Jpoggvpl8EG1PylWiBS
-  Kc/4Ad/FKQFpTzXUgDg2kV07npVjYbBzA5p4ZSWSlflFu93jb9gg2+qtnRSImVCZ
-  nQjZdsv8hebElPAIbtJjSnoH1Kz2ucYLakdF1UMKnpp1PVREtuKPz/foU9KUHs0z
-  dWRALx8cWG4uKK9AIEUlVdGKfX0Wj0qFK0KGxl3f3jObud5Agwue2EPKWwUzEGUh
-  Iqp60gNw3vBdKHw4dh1bfcbXWnRDL+OQPuOFZeMWgu1QmeHeuggYtYtRg7V5Kg==
-  -----END CERTIFICATE-----
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIGADCCA+igAwIBAgIIHIF9ta6cW3YwDQYJKoZIhvcNAQENBQAwgZwxCzAJBgNV
-  BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJUGFsbyBBbHRvMR8wHQYDVQQK
-  ExZUaW5mb2lsIFNlY3VyaXR5LCBJbmMuMR8wHQYDVQQDExZUaW5mb2lsIFNlY3Vy
-  aXR5LCBJbmMuMSowKAYJKoZIhvcNAQkBFhtzdXBwb3J0QHRpbmZvaWxzZWN1cml0
-  eS5jb20wHhcNMjIwMzIyMjI1MzAwWhcNMjUwOTA5MTgyMjAwWjCBiDELMAkGA1UE
-  BhMCVVMxCzAJBgNVBAgTAkNBMR8wHQYDVQQKExZUaW5mb2lsIFNlY3VyaXR5LCBJ
-  bmMuMR0wGwYDVQQDExR0aW5mb2lsc2VjdXJpdHktZ2VtczEsMCoGCSqGSIb3DQEJ
-  ARYdZW5naW5lZXJzQHRpbmZvaWxzZWN1cml0eS5jb20wggIiMA0GCSqGSIb3DQEB
-  AQUAA4ICDwAwggIKAoICAQDNJYNH8D+8lACLt3KzjEIPs3XVBCPaMm2eD/Xk9OOT
-  uDV/NqgMK0icD9MRxMUtS3SCrC9QcPocXT76f2LQ3yVJuK+rBUasymEES47PIx2c
-  zC4n4Hga0xPPuBpioO26oaRFsobyzh9RPOIbnYfpjyqtdrbm+YyM3sPR4XzFirv9
-  xomT4E9T4RCLgOQHTcLKL9K9m+EN7PeVdVUXV0Pa7cVs2vJUKedsd7vnr6Lzbn8T
-  oPk/7J/4W931PbaeI5yg9ZuaRa9K2IaY1TkPI67NW4qKitBVepRlXw6Sb7TYcUnc
-  WEQ/eC5CpnOmqUrG5tfGD8cc5aGZOkitW/VXZgVj81xgCv1hk4HjErrqq4FBNAaC
-  SNyBfwR0TUYqg1lN1nbNjOKwfb6YRn06R2ovcFJG0tmGhsQULCr6fW8u2TfSM+U9
-  WFSIJx2griureY7EZPwg/MgsUiWUWMFemz3GVYXWJR3dN2pW9Uqr3rkjKZbA0bst
-  GWahJO9HuFdDakQxoaTPYPtTQDC+kskkO6lKG1KLIoZ1iLZzB1Ks1vEeyE7lp1im
-  WgpUq+q23PFkt1gIBi/4tGvzsLZye25QU2Y+XLzldCNm+DyRFXZ+Q+bK33IveUeU
-  WEOv4T1qTXHAOypyzmgodVRG/PrlsSMOBfE515kG1mDMGjRcCpEtlskgxUbf7qM7
-  hQIDAQABo1gwVjAJBgNVHRMEAjAAMEkGA1UdHwRCMEAwPqA8oDqGOGh0dHBzOi8v
-  d3d3LnRpbmZvaWxzZWN1cml0eS5jb20vc2VjdXJpdHkvcmV2b2NhdGlvbl9saXN0
-  MA0GCSqGSIb3DQEBDQUAA4ICAQAiYF/m2ny/mxFvBVxHfdYuzybhCvsEUd+TSnoe
-  mqOWntY3sxCOaY0aGOMB4vyg9G+oP/kT4m63sD4uQxeuU7WOjaG2smCSS5q+PSWS
-  v63gILqPamjSyP/Om864EA6YlvVQ7nPXhVDEaiBt3iliefJGmb0wWSbbDCmq3aMb
-  WTLuax/IeY6MjJi20LutIcuz+VX8OxlA1hSpgAToMz3xrhA8fPt5UkKhkDkPFYBF
-  5htKVipyijChWsXyt33YM2qGaavTEXzxza1I99PGNRKxUMvbSMas4YaLqkBpQSc+
-  mcrLWYPiXWsePGu+j08AypE2Ubp4AOSZJN9rBBGotC3gofipo+K/sBiOM9xXI76Q
-  0HYOxXPa7D7UQQG1R9i0rcxmf9qepIVYCldmqVkKKDizcDo5UI9lRiLFjDyQhn6l
-  YFY9bPQ4lKTK5Jr3M6+dV7fHxLhqXyMGs1905IUb7qvB7Bq/f0qJfC0JZuY/qdn2
-  lL0SeFKOVsjErtobh3u8p8j2USkc8uJgIANHpXEMEExdp899CV/eVjh3TpAR7E6T
-  mg7Q9Hi6Hh8z+Le9iR4I49vPEWDQEvj35IT6VfwU79UfIOlX+DkW8fFkPbaut3Se
-  vqIDv6JBG9I16h/HhchntKfM58MI1bNZFBSdZqYOJiL8JIjP8HNIk76Y366ppG29
-  EhBYYg==
-  -----END CERTIFICATE-----
-date: 2024-06-18 00:00:00.000000000 Z
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.2'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '7.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '8.2'
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: rotp
   requirement: !ruby/object:Gem::Requirement
@@ -214,16 +153,31 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13'
 description: Devise-Two-Factor is a minimalist extension to Devise which offers support
   for two-factor authentication through the TOTP scheme.
-email: 
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
+- ".github/workflows/push.yml"
 - ".gitignore"
+- ".markdownlint.json"
 - ".rspec"
 - Appraisals
 - CHANGELOG.md
@@ -234,11 +188,12 @@ files:
 - Rakefile
 - SECURITY.md
 - UPGRADING.md
-- certs/tinfoil-cacert.pem
-- certs/tinfoilsecurity-gems-cert.pem
 - devise-two-factor.gemspec
 - gemfiles/rails_7.0.gemfile
 - gemfiles/rails_7.1.gemfile
+- gemfiles/rails_7.2.gemfile
+- gemfiles/rails_8.0.gemfile
+- gemfiles/rails_8.1.gemfile
 - lib/devise-two-factor.rb
 - lib/devise_two_factor/models.rb
 - lib/devise_two_factor/models/two_factor_authenticatable.rb
@@ -258,7 +213,6 @@ homepage: https://github.com/devise-two-factor/devise-two-factor
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -273,8 +227,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Barebones two-factor authentication with Devise
 test_files:

data/certs/tinfoil-cacert.pem

@@ -1,41 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIHSjCCBTKgAwIBAgIJAK2u0LojMCNgMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYD
-VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVBhbG8gQWx0bzEfMB0GA1UE
-ChMWVGluZm9pbCBTZWN1cml0eSwgSW5jLjEfMB0GA1UEAxMWVGluZm9pbCBTZWN1
-cml0eSwgSW5jLjEqMCgGCSqGSIb3DQEJARYbc3VwcG9ydEB0aW5mb2lsc2VjdXJp
-dHkuY29tMB4XDTIxMDkwOTE4MjIwMFoXDTI1MDkwOTE4MjIwMFowgZwxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJUGFsbyBBbHRvMR8wHQYDVQQK
-ExZUaW5mb2lsIFNlY3VyaXR5LCBJbmMuMR8wHQYDVQQDExZUaW5mb2lsIFNlY3Vy
-aXR5LCBJbmMuMSowKAYJKoZIhvcNAQkBFhtzdXBwb3J0QHRpbmZvaWxzZWN1cml0
-eS5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCqbHvsSj0H0FB1
-0gLYoDK1BKugkSB2DZeZZHP6B1UdWRahJXJP9oT1lhfQxx8iX4cgEi7JU3NqA6NR
-cIRFQ50eH/qlmgs7909gaf8pDaeC0vR3wd0GeRg6qr1eDEnkzIyr/D1AMiX6H1eP
-Y7J3SfrdaL3gft2iPRKGkgqsXR7oBNLA3n/ShiNgPXqRDl1CCj6aMY0cn5ROFScz
-vT2FUB4DEwPD2l18m1p99OnXqsOLL2J65qA2+cI8FtgFmlwIi5oSf+URvIdNx+cH
-lInlAtVHCvAKYLY0dlQ7czMQBcRpYjp2rwPt9f2ksq9b/voMTBABYHFV+IVn8svv
-GZ5e1+icjtr/R7dCGmCdEdFLXVxafmZhukymG9USv9DKuv1qh7r4q8KaPIE8n7nQ
-m97jENFfsgnwv+nUmIJ3tzuW5ZxO7A0tIIYdwzt0UjrO3ya4R5bTFXr4bnzZ/g/s
-CLknWqg1BCRlPd6LnpVGPT0gNDV1pEO25wE3A3Yy0Ujxudcgay/CgUhnlU11qOAc
-xmar2fhNZsviUhndd/220Ad5QMV2XzcAiopJIeu0juIVGRQM7x2h19Hsp0m6sOEF
-jfhvbdUa4nvmIFeYFY+hr/YkTmG9ZjyBa8YaZXhwjhSmKCQ374J7mn5e0Cryuvi5
-tYhwJn8rdwYZF/h2qqfEu8vaLoD09QIDAQABo4IBizCCAYcwHQYDVR0OBBYEFMmT
-/x412UH+5OHqgleeTjLOv6iHMIHRBgNVHSMEgckwgcaAFMmT/x412UH+5OHqglee
-TjLOv6iHoYGipIGfMIGcMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNV
-BAcTCVBhbG8gQWx0bzEfMB0GA1UEChMWVGluZm9pbCBTZWN1cml0eSwgSW5jLjEf
-MB0GA1UEAxMWVGluZm9pbCBTZWN1cml0eSwgSW5jLjEqMCgGCSqGSIb3DQEJARYb
-c3VwcG9ydEB0aW5mb2lsc2VjdXJpdHkuY29tggkAra7QuiMwI2AwDwYDVR0TAQH/
-BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAQYwCQYDVR0SBAIwADArBglghkgBhvhC
-AQ0EHhYcVGlueUNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAmBgNVHREEHzAdgRtz
-dXBwb3J0QHRpbmZvaWxzZWN1cml0eS5jb20wDgYDVR0PAQH/BAQDAgEGMA0GCSqG
-SIb3DQEBBQUAA4ICAQBZy4JJSmwLuO0nZbdr4tJeVS2P8bcGi6PzAcdzVfwzjp6n
-5qf8m4O8my4lnJieom0GrWSHQoPY1Yur4hEoZbugKO9DWZL3dTiGcrgw0TbQ6Gtq
-TTPatW3LA21qFJwvohSvLqPdmZuM+H9g49sdl2kNTDVI6iUyMYuNpL14aPKPGBFo
-o7UjciT1h7JtJl9b/fXrbPeRHBwpZXWeipiPGv/OZW5KnOsNlUkTquS7Zj4ETkIC
-6mVtmsLvq+YwFthFyMU37pXwYxcmqRmH6lX+XC6AVW5oO4GBmG+Zr/Z+h5Cih5ca
-/mX88RkO+dGTjw1IdxKmxOqKL62OBATKrTDJ/scsmRptynA4TunYW+7ikOpDbPfL
-l18aleLISlcgWJg/Czf2nmBqAClPLnhV8qxWsvt58MQQ/Jpoggvpl8EG1PylWiBS
-Kc/4Ad/FKQFpTzXUgDg2kV07npVjYbBzA5p4ZSWSlflFu93jb9gg2+qtnRSImVCZ
-nQjZdsv8hebElPAIbtJjSnoH1Kz2ucYLakdF1UMKnpp1PVREtuKPz/foU9KUHs0z
-dWRALx8cWG4uKK9AIEUlVdGKfX0Wj0qFK0KGxl3f3jObud5Agwue2EPKWwUzEGUh
-Iqp60gNw3vBdKHw4dh1bfcbXWnRDL+OQPuOFZeMWgu1QmeHeuggYtYtRg7V5Kg==
------END CERTIFICATE-----

data/certs/tinfoilsecurity-gems-cert.pem

@@ -1,35 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIGADCCA+igAwIBAgIIHIF9ta6cW3YwDQYJKoZIhvcNAQENBQAwgZwxCzAJBgNV
-BAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UEBxMJUGFsbyBBbHRvMR8wHQYDVQQK
-ExZUaW5mb2lsIFNlY3VyaXR5LCBJbmMuMR8wHQYDVQQDExZUaW5mb2lsIFNlY3Vy
-aXR5LCBJbmMuMSowKAYJKoZIhvcNAQkBFhtzdXBwb3J0QHRpbmZvaWxzZWN1cml0
-eS5jb20wHhcNMjIwMzIyMjI1MzAwWhcNMjUwOTA5MTgyMjAwWjCBiDELMAkGA1UE
-BhMCVVMxCzAJBgNVBAgTAkNBMR8wHQYDVQQKExZUaW5mb2lsIFNlY3VyaXR5LCBJ
-bmMuMR0wGwYDVQQDExR0aW5mb2lsc2VjdXJpdHktZ2VtczEsMCoGCSqGSIb3DQEJ
-ARYdZW5naW5lZXJzQHRpbmZvaWxzZWN1cml0eS5jb20wggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQDNJYNH8D+8lACLt3KzjEIPs3XVBCPaMm2eD/Xk9OOT
-uDV/NqgMK0icD9MRxMUtS3SCrC9QcPocXT76f2LQ3yVJuK+rBUasymEES47PIx2c
-zC4n4Hga0xPPuBpioO26oaRFsobyzh9RPOIbnYfpjyqtdrbm+YyM3sPR4XzFirv9
-xomT4E9T4RCLgOQHTcLKL9K9m+EN7PeVdVUXV0Pa7cVs2vJUKedsd7vnr6Lzbn8T
-oPk/7J/4W931PbaeI5yg9ZuaRa9K2IaY1TkPI67NW4qKitBVepRlXw6Sb7TYcUnc
-WEQ/eC5CpnOmqUrG5tfGD8cc5aGZOkitW/VXZgVj81xgCv1hk4HjErrqq4FBNAaC
-SNyBfwR0TUYqg1lN1nbNjOKwfb6YRn06R2ovcFJG0tmGhsQULCr6fW8u2TfSM+U9
-WFSIJx2griureY7EZPwg/MgsUiWUWMFemz3GVYXWJR3dN2pW9Uqr3rkjKZbA0bst
-GWahJO9HuFdDakQxoaTPYPtTQDC+kskkO6lKG1KLIoZ1iLZzB1Ks1vEeyE7lp1im
-WgpUq+q23PFkt1gIBi/4tGvzsLZye25QU2Y+XLzldCNm+DyRFXZ+Q+bK33IveUeU
-WEOv4T1qTXHAOypyzmgodVRG/PrlsSMOBfE515kG1mDMGjRcCpEtlskgxUbf7qM7
-hQIDAQABo1gwVjAJBgNVHRMEAjAAMEkGA1UdHwRCMEAwPqA8oDqGOGh0dHBzOi8v
-d3d3LnRpbmZvaWxzZWN1cml0eS5jb20vc2VjdXJpdHkvcmV2b2NhdGlvbl9saXN0
-MA0GCSqGSIb3DQEBDQUAA4ICAQAiYF/m2ny/mxFvBVxHfdYuzybhCvsEUd+TSnoe
-mqOWntY3sxCOaY0aGOMB4vyg9G+oP/kT4m63sD4uQxeuU7WOjaG2smCSS5q+PSWS
-v63gILqPamjSyP/Om864EA6YlvVQ7nPXhVDEaiBt3iliefJGmb0wWSbbDCmq3aMb
-WTLuax/IeY6MjJi20LutIcuz+VX8OxlA1hSpgAToMz3xrhA8fPt5UkKhkDkPFYBF
-5htKVipyijChWsXyt33YM2qGaavTEXzxza1I99PGNRKxUMvbSMas4YaLqkBpQSc+
-mcrLWYPiXWsePGu+j08AypE2Ubp4AOSZJN9rBBGotC3gofipo+K/sBiOM9xXI76Q
-0HYOxXPa7D7UQQG1R9i0rcxmf9qepIVYCldmqVkKKDizcDo5UI9lRiLFjDyQhn6l
-YFY9bPQ4lKTK5Jr3M6+dV7fHxLhqXyMGs1905IUb7qvB7Bq/f0qJfC0JZuY/qdn2
-lL0SeFKOVsjErtobh3u8p8j2USkc8uJgIANHpXEMEExdp899CV/eVjh3TpAR7E6T
-mg7Q9Hi6Hh8z+Le9iR4I49vPEWDQEvj35IT6VfwU79UfIOlX+DkW8fFkPbaut3Se
-vqIDv6JBG9I16h/HhchntKfM58MI1bNZFBSdZqYOJiL8JIjP8HNIk76Y366ppG29
-EhBYYg==
------END CERTIFICATE-----