devise-two-factor 1.0.2 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3861bb33d902cf04f7a2d8b87364758bc1815895
-  data.tar.gz: 8cb9baa150b510bd49663ae3c9a7be207f19d201
+  metadata.gz: f606d2579650285b6cc4377b1da513596d979e3c
+  data.tar.gz: 36d5f5df579e84d85db796eacdb07376abdfec47
 SHA512:
-  metadata.gz: 92cedbaed7b992027e851a52af6a086703255037ca9f6538a55e87a722cedef0be09d619cfd64faadaca198be45383acec0332d3ffb2b52ad1558407e5cfaa55
-  data.tar.gz: fd1efa087db868c6b4ec4731db434c4304677ef05d47385c64c008f144450627586d135903584d5093e55a928af76be8e07a4bf22889816be490c8d7851e8ca1
+  metadata.gz: 5539b146deb18560ac1be676606a8165d860acef7661b80d73ce000d006d9a530c06121393707a0d9d91951c415703e7ece16cdda6698bf71f081267322d149f
+  data.tar.gz: d0c422b2f12ffdae6d507732d71fe06684fe69c2501c1a24c920b50ddfcfb037d5f69229869fbd62f54f345a43ea2788e90fb4e8942dfb20faf564d95069fed9

data/.travis.yml

@@ -3,4 +3,6 @@ cache: bundler
 rvm:
   - "1.9.3"
   - "2.0.0"
+  - "2.1"
+  - "2.2"
   - jruby-19mode # JRuby in 1.9 mode

data/README.md

@@ -20,7 +20,7 @@ Devise-two-factor doesn't require much to get started, but there are a few prere
 
 First, you'll need a Rails application setup with Devise. Visit the Devise [homepage](https://github.com/plataformatec/devise) for instructions.
 
-Next, since devise-two-factor encrypts its secrets before storing them in the database, you'll need to generate an encryption key, and store it in an environment variable of your choice. Set the encryption key in the model that uses devise: 
+Next, since devise-two-factor encrypts its secrets before storing them in the database, you'll need to generate an encryption key, and store it in an environment variable of your choice. Set the encryption key in the model that uses devise:
 
 ```
   devise :two_factor_authenticatable,
@@ -47,6 +47,20 @@ It also adds the :two_factor_authenticatable directive to your model, and sets u
 
 If you're running Rails 3, or do not have strong parameters enabled, the generator will also setup the required mass-assignment security options in your model.
 
+If you're running Rails 4, you'll also need to whitelist `:otp_attempt` as a permitted parameter in Devise `:sign_in` controller. You can do this by adding the following to your `application_controller.rb`
+
+```ruby
+before_action :configure_permitted_parameters, if: :devise_controller?
+
+...
+
+protected
+
+def configure_permitted_parameters
+  devise_parameter_sanitizer.for(:sign_in) << :otp_attempt
+end
+```
+
 **After running the generator, verify that :database_authenticatable is not being loaded by your model. The generator will try to remove it, but if you have a non-standard Devise setup, this step may fail. Loading both :database_authenticatable and :two_factor_authenticatable in a model will allow users to bypass two-factor authenticatable due to the way Warden handles cascading strategies.**
 
 ## Designing Your Workflow
@@ -72,49 +86,7 @@ These parameters can be submitted to the standard Devise login route, and the st
 ### Disabling Automatic Login After Password Resets
 If you use the Devise ```recoverable``` strategy, the default behavior after a password reset is to automatically authenticate the user and log them in. This is obviously a problem if a user has two-factor authentication enabled, as resetting the password would get around the 2FA requirement.
 
-Because of this, you need to override the controller and disable the automatic login on your own. If you don't use the ```recoverable``` strategy and don't provide the option of password resets, you don't need to worry about this. An example is as follows:
-
-```ruby
-# app/controllers/passwords_controller.rb
-class PasswordsController < Devise::PasswordsController
-  # Overrides to require a user to log in after resetting the password
-
-  def update
-    self.resource = resource_class.reset_password_by_token(resource_params)
-    yield resource if block_given?
-
-    if resource.errors.empty?
-      resource.unlock_access! if unlockable?(resource)
-      flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
-      set_flash_message(:notice, flash_message) if is_flashing_format?
-
-      # Do not automatically login if two-factor is enabled for this user.
-      # Remove the following three lines entirely if you want to disable
-      # automatic login for all users regardless, after a password reset.
-      unless resource.try(:otp_required_for_login?)
-        sign_in(resource_name, resource)
-      end
-
-      respond_with resource, location: after_resetting_password_path_for(resource)
-    else
-      respond_with resource
-    end
-  end
-
-  protected
-
-  def after_resetting_password_path_for(resource)
-    new_session_path(resource)
-  end
-end
-```
-
-And then tell Devise to use your new controller instead of the default:
-
-```ruby
-# app/config/routes.rb
-devise_for :users, :controllers => {:passwords => "passwords"}
-```
+Because of this, you need to set `sign_in_after_reset_password` to false (either globally in your Devise initializer or via `devise_for`)
 
 ### Enabling Two-Factor Authentication
 Enabling two-factor authentication for a user is easy. For example, if my user model were named User, I could do the following:

data/devise-two-factor.gemspec

@@ -26,11 +26,11 @@ Gem::Specification.new do |s|
 
   s.add_runtime_dependency 'railties'
   s.add_runtime_dependency 'activesupport'
-  s.add_runtime_dependency 'activemodel'
   s.add_runtime_dependency 'attr_encrypted', '~> 1.3.2'
-  s.add_runtime_dependency 'devise',         '>= 3.2.4', '< 3.5'
-  s.add_runtime_dependency 'rotp',           '< 2'
+  s.add_runtime_dependency 'devise',         '~> 3.5.0'
+  s.add_runtime_dependency 'rotp',           '~> 2'
 
+  s.add_development_dependency 'activemodel'
   s.add_development_dependency 'bundler',    '> 1.0'
   s.add_development_dependency 'rspec',      '> 2', '< 3'
   s.add_development_dependency 'simplecov'

data/lib/devise_two_factor/models/two_factor_authenticatable.rb

@@ -1,4 +1,3 @@
-require 'active_model'
 require 'attr_encrypted'
 require 'rotp'
 

data/lib/devise_two_factor/models/two_factor_backupable.rb

@@ -1,5 +1,3 @@
-require 'active_model'
-
 module Devise
   module Models
     # TwoFactorBackupable allows a user to generate backup codes which
@@ -25,7 +23,7 @@ module Devise
           codes << SecureRandom.hex(code_length / 2) # Hexstring has length 2*n
         end
 
-        hashed_codes = codes.map { |code| Devise.bcrypt self.class, code }
+        hashed_codes = codes.map { |code| Devise::Encryptor.digest(self.class, code) }
         self.otp_backup_codes = hashed_codes
 
         codes
@@ -37,14 +35,7 @@ module Devise
         codes = self.otp_backup_codes || []
 
         codes.each do |backup_code|
-          # We hashed the code with Devise.bcrypt, so if Devise changes that
-          # method, we'll have to adjust our comparison here to match it
-          # TODO Fork Devise and encapsulate this logic in a helper
-          bcrypt      = ::BCrypt::Password.new(backup_code)
-          hashed_code = ::BCrypt::Engine.hash_secret("#{code}#{self.class.pepper}",
-                                                     bcrypt.salt)
-
-          next unless Devise.secure_compare(hashed_code, backup_code)
+          next unless Devise::Encryptor.compare(self.class, backup_code, code)
 
           codes.delete(backup_code)
           self.otp_backup_codes = codes

data/lib/devise_two_factor/spec_helpers/two_factor_authenticatable_shared_examples.rb

@@ -70,7 +70,7 @@ shared_examples 'two_factor_authenticatable' do
     end
 
     it 'should return uri with issuer option' do
-      subject.otp_provisioning_uri(account, issuer: issuer).should match(%r{otpauth://totp/#{account}\?issuer=#{issuer}&secret=\w{#{otp_secret_length}}$})
+      subject.otp_provisioning_uri(account, issuer: issuer).should match(%r{otpauth://totp/#{account}\?secret=\w{#{otp_secret_length}}&issuer=#{issuer}$})
     end
   end
 end

data/lib/devise_two_factor/spec_helpers/two_factor_backupable_shared_examples.rb

@@ -36,7 +36,7 @@ shared_examples 'two_factor_backupable' do
 
     context 'with existing recovery codes' do
       let(:old_codes)        { Faker::Lorem.words }
-      let(:old_codes_hashed) { old_codes.map { |x| Devise.bcrypt subject.class, x } }
+      let(:old_codes_hashed) { old_codes.map { |x| Devise::Encryptor.digest(subject.class, x) } }
 
       before do
         subject.otp_backup_codes = old_codes_hashed

data/lib/devise_two_factor/strategies/two_factor_authenticatable.rb

@@ -8,8 +8,7 @@ module Devise
         # 1. The password and the OTP are correct
         # 2. The password is correct, and OTP is not required for login
         # We check the OTP, then defer to DatabaseAuthenticatable
-        if validate(resource) { !resource.otp_required_for_login ||
-                                resource.valid_otp?(params[scope]['otp_attempt']) }
+        if validate(resource) { validate_otp(resource) }
           super
         end
 
@@ -19,6 +18,12 @@ module Devise
         # but database authenticatable automatically halts on a bad password
         @halted = false if @result == :failure
       end
+
+      def validate_otp(resource)
+        return true unless resource.otp_required_for_login
+        return if params[scope]['otp_attempt'].nil?
+        resource.valid_otp?(params[scope]['otp_attempt'])
+      end
     end
   end
 end

data/lib/devise_two_factor/version.rb

@@ -1,3 +1,3 @@
 module DeviseTwoFactor
-   VERSION = '1.0.2'.freeze
+   VERSION = '1.1.0'.freeze
 end

data/spec/devise/models/two_factor_authenticatable_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'active_model'
 
 class TwoFactorAuthenticatableDouble
   include ::ActiveModel::Validations::Callbacks

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise-two-factor
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.1.0
 platform: ruby
 authors:
 - Shane Wilton
@@ -84,172 +84,166 @@ cert_chain:
   5C31v4YyRBnNCp0pN66nxYX2avEiQ8riTBP5mlkPPOhsIoYQHHe2Uj75aVpu0LZ3
   cdFzuO4GC1dV0Wv+dsDm+MyF7DT5E9pUPXpnMJuPvPrFpCb+wrFlszW9hGjXbQ==
   -----END CERTIFICATE-----
-date: 2015-05-27 00:00:00.000000000 Z
+date: 2015-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: activemodel
+  name: attr_encrypted
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.3.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.3.2
 - !ruby/object:Gem::Dependency
-  name: attr_encrypted
+  name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.2
+        version: 3.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.3.2
+        version: 3.5.0
 - !ruby/object:Gem::Dependency
-  name: devise
+  name: rotp
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.2.4
-    - - <
-      - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: 3.2.4
-    - - <
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '2'
 - !ruby/object:Gem::Dependency
-  name: rotp
+  name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - <
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2'
-  type: :runtime
+        version: '0'
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - <
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>'
+    - - ">"
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>'
+    - - ">"
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>'
+    - - ">"
       - !ruby/object:Gem::Version
         version: '2'
-    - - <
+    - - "<"
       - !ruby/object:Gem::Version
         version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>'
+    - - ">"
       - !ruby/object:Gem::Version
         version: '2'
-    - - <
+    - - "<"
       - !ruby/object:Gem::Version
         version: '3'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: faker
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Barebones two-factor authentication with Devise
@@ -258,9 +252,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - CONTRIBUTING.md
 - Gemfile
 - LICENSE
@@ -294,12 +288,12 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
@@ -312,4 +306,3 @@ test_files:
 - spec/devise/models/two_factor_authenticatable_spec.rb
 - spec/devise/models/two_factor_backupable_spec.rb
 - spec/spec_helper.rb
-has_rdoc: