devise-two-factor 6.1.0 → 6.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 84d4fba8bbdcee4f8d8b00c5d2662dc5e8d78cc60e7f0502c7e0e9d5fc93a4d4
-  data.tar.gz: 33a77876910f588992917ebb123148f26d82b26fbe713f944e59f3b720c4978c
+  metadata.gz: 4513e96354e689136149f21dbd447785cc74113a66725bed6153e44758a1709b
+  data.tar.gz: 9e83133ebdc4166577129276188688780aeec065a5fead7861073496210215e9
 SHA512:
-  metadata.gz: d2f69c9f760278e3a1a40d5913b786468d9d4d12b54e93dd5d5437cfb5edc669f21a56953ea817d66722cbe305190762dcb86cef80009a0fff718e86a39726be
-  data.tar.gz: e3086e4034e6208e064f81e5845b1027b5e7c19d38ddd4788c615fe1a837772f1330aba234a30fb3f7f9cc549dbed3864da9f70249aef04b9efa066c8284733c
+  metadata.gz: a119f4f3f825409f6cea77f934fe7e35fa741dfb1b242c33a59dd523eb43ef2270b3dda80d1403f4baf7ade03271bbd4b145d21c6c390eeb223e00f0aadb6d29
+  data.tar.gz: 0f31866cb9c1523ff94095d2b43cf819d2a06a658a2dad94383d93e4c6c47d9e791092090cf8063f351c7727df6f2146e4bf22bf5a204c0b1f80aaf8a4fec3fb

data/.github/workflows/ci.yml

@@ -12,17 +12,21 @@ jobs:
       fail-fast: false
       matrix:
         # Due to https://github.com/actions/runner/issues/849, we should quote versions
-        ruby: ['3.1', '3.2', '3.3', 'truffleruby-head']
-        rails: ['7.0', '7.1', '7.2', '8.0']
+        ruby: ['3.1', '3.2', '3.3', '3.4', 'truffleruby-head']
+        rails: ['7.0', '7.1', '7.2', '8.0', '8.1']
         exclude:
           - ruby: '3.1'
             rails: '8.0'
+          - ruby: '3.1'
+            rails: '8.1'
+          - ruby: '3.4'
+            rails: '7.0'
 
     name: Ruby ${{ matrix.ruby }}, Rails ${{ matrix.rails }}
     env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
       BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/rails_${{ matrix.rails }}.gemfile
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:

data/.github/workflows/push.yml

@@ -17,7 +17,7 @@ jobs:
 
     steps:
       # Set up
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:

data/Appraisals

@@ -17,3 +17,8 @@ appraise "rails-8.0" do
   gem 'railties', '~> 8.0.0'
   gem 'activesupport', '~> 8.0.0'
 end
+
+appraise "rails-8.1" do
+  gem 'railties', '8.1.0'
+  gem 'activesupport', '8.1.0'
+end

data/CHANGELOG.md

@@ -2,6 +2,18 @@
 
 ## Unreleased
 
+## 6.3.0
+
+- Fixed timing to be consistent when Devise paranoid mode is active.
+
+## 6.2.0
+
+- Rails 8.1 support
+
+## 6.1.0
+
+- Rails 8 support
+
 ## 6.0.0
 
 **Breaking Changes**

data/README.md

@@ -82,7 +82,7 @@ This generator will:
 
 1. Edit `app/models/MODEL.rb` (where MODEL is your model name):
     * add the `:two_factor_authenticatable` devise module
-    * remove the `:database_authenticatable` if present because it is incompatible with `:two_factor_authenticatable`
+    * remove the `:database_authenticatable` devise module, if present; having both modules enabled will lead to issues described below.
 1. Add a Warden config block to your Devise initializer, which enables the strategies required for two-factor authentication.
 
 Remember to apply the new migration after you run the generator:
@@ -107,9 +107,9 @@ Next you need to whitelist `:otp_attempt` as a permitted parameter in Devise `:s
   end
 ```
 
-Finally you should verify that `:database_authenticatable` is **not** being loaded by your model. The generator will try to remove it, but if you have a non-standard Devise setup, this step may fail.
+Finally you should verify that `:database_authenticatable` is **not** being loaded by your model. The generator will try to remove it, but if you have a non-standard Devise setup, this step may fail. `:two_factor_authenticatable` includes all of `:database_authenticatable`'s functionality; it will still allow login without two-factor authentication until you enable it on your model's records with `otp_required_for_login`.
 
-**Loading both `:database_authenticatable` and `:two_factor_authenticatable` in a model is a security issue** It will allow users to bypass two-factor authenticatable due to the way Warden handles cascading strategies!
+**Loading both `:database_authenticatable` and `:two_factor_authenticatable` in a model is a security issue.** It will allow users to bypass two-factor authentication regardless of how `otp_required_for_login` is set due to the way Warden handles cascading strategies!
 
 ## Designing Your Workflow
 
@@ -155,10 +155,7 @@ At Tinfoil Security, we opted to use the excellent [rqrcode-rails3](https://gith
 If you decide to do this you'll need to generate a URI to act as the source for the QR code. This can be done using the `User#otp_provisioning_uri` method.
 
 ```ruby
-issuer = 'Your App'
-label = "#{issuer}:#{current_user.email}"
-
-current_user.otp_provisioning_uri(label, issuer: issuer)
+current_user.otp_provisioning_uri(current_user.email, issuer: 'Your App')
 
 # > "otpauth://totp/Your%20App:user@example.com?secret=[otp_secret]&issuer=Your+App"
 ```
@@ -236,7 +233,7 @@ class AddDeviseTwoFactorBackupableToUsers < ActiveRecord::Migration
 end
 ```
 
-#### MySQL
+#### MySQL, SQL Server, other databases without an array string type
 
 ```ruby
 # migration

data/devise-two-factor.gemspec

@@ -15,9 +15,9 @@ Gem::Specification.new do |s|
   s.test_files    = `git ls-files -- spec/*`.split("\n")
   s.require_paths = ['lib']
 
-  s.add_runtime_dependency 'railties',       '>= 7.0', '< 8.1'
-  s.add_runtime_dependency 'activesupport',  '>= 7.0', '< 8.1'
-  s.add_runtime_dependency 'devise',         '~> 4.0'
+  s.add_runtime_dependency 'railties',       '>= 7.0', '< 8.2'
+  s.add_runtime_dependency 'activesupport',  '>= 7.0', '< 8.2'
+  s.add_runtime_dependency 'devise',         '>= 4.0', '< 5.0'
   s.add_runtime_dependency 'rotp',           '~> 6.0'
 
   s.add_development_dependency 'activemodel'

data/gemfiles/rails_8.1.gemfile

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "railties", "8.1.0"
+gem "activesupport", "8.1.0"
+
+gemspec path: "../"

data/lib/devise-two-factor.rb

@@ -1,3 +1,4 @@
+require 'logger'
 require 'devise'
 require 'devise_two_factor/models'
 require 'devise_two_factor/strategies'

data/lib/devise_two_factor/models/two_factor_authenticatable.rb

@@ -41,12 +41,11 @@ module Devise
 
         if self.consumed_timestep
           # reconstruct the timestamp of the last consumed timestep
-          after_timestamp = self.consumed_timestep * otp.interval
+          after_timestamp = self.consumed_timestep * totp.interval
         end
 
-        if totp.verify(code.gsub(/\s+/, ""), drift_behind: self.class.otp_allowed_drift, drift_ahead: self.class.otp_allowed_drift, after: after_timestamp)
-          return consume_otp!
-        end
+        timestamp = totp.verify(code.gsub(/\s+/, ""), drift_behind: self.class.otp_allowed_drift, drift_ahead: self.class.otp_allowed_drift, after: after_timestamp)
+        return consume_otp!(totp, timestamp) if timestamp
 
         false
       end
@@ -59,11 +58,6 @@ module Devise
         otp.at(Time.now)
       end
 
-      # ROTP's TOTP#timecode is private, so we duplicate it here
-      def current_otp_timestep
-         Time.now.utc.to_i / otp.interval
-      end
-
       def otp_provisioning_uri(account, options = {})
         otp_secret = options[:otp_secret] || self.otp_secret
         ROTP::TOTP.new(otp_secret, options).provisioning_uri(account)
@@ -78,10 +72,13 @@ module Devise
 
       # An OTP cannot be used more than once in a given timestep
       # Storing timestep of last valid OTP is sufficient to satisfy this requirement
-      def consume_otp!
-        if self.consumed_timestep != current_otp_timestep
-          self.consumed_timestep = current_otp_timestep
+      def consume_otp!(otp, timestamp)
+        timestep = timestamp / otp.interval
+
+        if self.consumed_timestep != timestep
+          self.consumed_timestep = timestep
           save!(validate: false)
+
           return true
         end
 

data/lib/devise_two_factor/models/two_factor_backupable.rb

@@ -34,6 +34,9 @@ module Devise
       def invalidate_otp_backup_code!(code)
         codes = self.otp_backup_codes || []
 
+        # Should we still have some other kind of non iterable result, terminate.
+        raise TypeError.new("`otp_backup_codes` is expected to be an Array, got #{codes.class.name}. Hint: If your database does not support arrays, does your model correctly `serialize :otp_backup_codes, Array`?") unless codes.is_a?(Array)
+
         codes.each do |backup_code|
           next unless Devise::Encryptor.compare(self.class, backup_code, code)
 

data/lib/devise_two_factor/spec_helpers/two_factor_backupable_shared_examples.rb

@@ -49,38 +49,66 @@ RSpec.shared_examples 'two_factor_backupable' do
   end
 
   describe '#invalidate_otp_backup_code!' do
-    before do
-      @plaintext_codes = subject.generate_otp_backup_codes!
-    end
 
-    context 'given an invalid recovery code' do
-      it 'returns false' do
-        expect(subject.invalidate_otp_backup_code!('password')).to be false
-      end
-    end
 
-    context 'given a valid recovery code' do
-      it 'returns true' do
-        @plaintext_codes.each do |code|
-          expect(subject.invalidate_otp_backup_code!(code)).to be true
+  describe "#invalidate_otp_backup_code!" do
+      context "with no backup codes" do
+        it "does nothing" do
+          expect(subject.invalidate_otp_backup_code!("foo")).to be false
         end
       end
 
-      it 'invalidates that recovery code' do
-        code = @plaintext_codes.sample
+      context "with an array of backup codes, newly generated" do
+        before do
+          @plaintext_codes = subject.generate_otp_backup_codes!
+        end
+
+        context 'given an invalid recovery code' do
+          it 'returns false' do
+            expect(subject.invalidate_otp_backup_code!('password')).to be false
+          end
+        end
+
+        context 'given a valid recovery code' do
+          it 'returns true' do
+            @plaintext_codes.each do |code|
+              expect(subject.invalidate_otp_backup_code!(code)).to be true
+            end
+          end
 
-        subject.invalidate_otp_backup_code!(code)
-        expect(subject.invalidate_otp_backup_code!(code)).to be false
+          it 'invalidates that recovery code' do
+            code = @plaintext_codes.sample
+
+            subject.invalidate_otp_backup_code!(code)
+            expect(subject.invalidate_otp_backup_code!(code)).to be false
+          end
+
+          it 'does not invalidate the other recovery codes' do
+            code = @plaintext_codes.sample
+            subject.invalidate_otp_backup_code!(code)
+
+            @plaintext_codes.delete(code)
+
+            @plaintext_codes.each do |code|
+              expect(subject.invalidate_otp_backup_code!(code)).to be true
+            end
+          end
+        end
       end
 
-      it 'does not invalidate the other recovery codes' do
-        code = @plaintext_codes.sample
-        subject.invalidate_otp_backup_code!(code)
+      context "with backup codes as a string" do
+        before do
+          @plaintext_codes = subject.generate_otp_backup_codes!
 
-        @plaintext_codes.delete(code)
+          # Simulates database adapters that don't understand `t.string :otp_backup_codes, type: array` properly
+          # such as SQL Server; and have just returned the serialized string still.
+          # and the user not having done:
+          # `serialize :otp_backup_codes, Array` in their model
+          subject.otp_backup_codes = subject.otp_backup_codes.to_json
+        end
 
-        @plaintext_codes.each do |code|
-          expect(subject.invalidate_otp_backup_code!(code)).to be true
+        it "raises a meaningful error" do
+          expect { subject.invalidate_otp_backup_code!("flork") }.to raise_error(TypeError)
         end
       end
     end

data/lib/devise_two_factor/strategies/two_factor_authenticatable.rb

@@ -4,12 +4,18 @@ module Devise
 
       def authenticate!
         resource = mapping.to.find_for_database_authentication(authentication_hash)
+
+        hashed = false
         # We authenticate in two cases:
         # 1. The password and the OTP are correct
         # 2. The password is correct, and OTP is not required for login
         # We check the OTP, then defer to DatabaseAuthenticatable
-        if validate(resource) { validate_otp(resource) }
+        if validate(resource) { hashed = true; validate_otp(resource) }
           super
+        else
+          # Paranoid mode: do the expensive hash even when resource is nil,
+          # to avoid timing-based user enumeration.
+          mapping.to.new.password = password if !hashed && Devise.paranoid
         end
 
         fail(Devise.paranoid ? :invalid : :not_found_in_database) unless resource

data/lib/devise_two_factor/strategies/two_factor_backupable.rb

@@ -5,7 +5,7 @@ module Devise
       def authenticate!
         resource = mapping.to.find_for_database_authentication(authentication_hash)
 
-        if validate(resource) { resource.invalidate_otp_backup_code!(params[scope]['otp_attempt']) }
+        if validate(resource) { validate_backup_code(resource) }
           super
         end
 
@@ -15,6 +15,11 @@ module Devise
         # but database authenticatable automatically halts on a bad password
         @halted = false if @result == :failure
       end
+
+      def validate_backup_code(resource)
+        return if params[scope].nil? || params[scope]['otp_attempt'].nil?
+        resource.invalidate_otp_backup_code!(params[scope]['otp_attempt'])
+      end
     end
   end
 end

data/lib/devise_two_factor/version.rb

@@ -1,3 +1,3 @@
 module DeviseTwoFactor
-  VERSION = '6.1.0'.freeze
+  VERSION = '6.3.0'.freeze
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: devise-two-factor
 version: !ruby/object:Gem::Version
-  version: 6.1.0
+  version: 6.3.0
 platform: ruby
 authors:
 - Quinn Wilton
-autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-11-11 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -19,7 +18,7 @@ dependencies:
         version: '7.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +28,7 @@ dependencies:
         version: '7.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -39,7 +38,7 @@ dependencies:
         version: '7.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -49,21 +48,27 @@ dependencies:
         version: '7.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '4.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: rotp
   requirement: !ruby/object:Gem::Requirement
@@ -164,7 +169,6 @@ dependencies:
         version: '13'
 description: Devise-Two-Factor is a minimalist extension to Devise which offers support
   for two-factor authentication through the TOTP scheme.
-email: 
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -189,6 +193,7 @@ files:
 - gemfiles/rails_7.1.gemfile
 - gemfiles/rails_7.2.gemfile
 - gemfiles/rails_8.0.gemfile
+- gemfiles/rails_8.1.gemfile
 - lib/devise-two-factor.rb
 - lib/devise_two_factor/models.rb
 - lib/devise_two_factor/models/two_factor_authenticatable.rb
@@ -208,7 +213,6 @@ homepage: https://github.com/devise-two-factor/devise-two-factor
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -223,8 +227,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key: 
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Barebones two-factor authentication with Devise
 test_files: