devise-two-factor 1.1.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f606d2579650285b6cc4377b1da513596d979e3c
-  data.tar.gz: 36d5f5df579e84d85db796eacdb07376abdfec47
+  metadata.gz: 139ae00abf04084452d11ccb85fba46e18ba36bb
+  data.tar.gz: f8ebe13d8db9f67663306e854be967bd08d39460
 SHA512:
-  metadata.gz: 5539b146deb18560ac1be676606a8165d860acef7661b80d73ce000d006d9a530c06121393707a0d9d91951c415703e7ece16cdda6698bf71f081267322d149f
-  data.tar.gz: d0c422b2f12ffdae6d507732d71fe06684fe69c2501c1a24c920b50ddfcfb037d5f69229869fbd62f54f345a43ea2788e90fb4e8942dfb20faf564d95069fed9
+  metadata.gz: 4114ed8083d8daacbd15355132dc02c1bc33770bc8018a8a858e0888e1200eae1420be1eccc79af96b7ba5374af60c6a81562300b39b629ccdaba9f373c3b968
+  data.tar.gz: 74bc2b4571a54206c9d3cf256eaa27bedf1e57f3c99ae1a7424beef6217afd8bfb4b22b5e6f5be3fcf8a3a7c894d820e46e019c1f14c47cd83e2f80a16089dd9

data/UPGRADING.md

@@ -0,0 +1,11 @@
+# Guide to upgrading from 1.x to 2.x
+
+Pull request #43 added a new field to protect against "shoulder-surfing" attacks. If upgrading, you'll need to add the `:consumed_timestep` column to your `Users` model.
+
+```ruby
+class AddConsumedTimestepToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :consumed_timestep, :integer
+  end
+end
+```

data/devise-two-factor.gemspec

@@ -32,7 +32,7 @@ Gem::Specification.new do |s|
 
   s.add_development_dependency 'activemodel'
   s.add_development_dependency 'bundler',    '> 1.0'
-  s.add_development_dependency 'rspec',      '> 2', '< 3'
+  s.add_development_dependency 'rspec',      '> 3'
   s.add_development_dependency 'simplecov'
   s.add_development_dependency 'faker'
   s.add_development_dependency 'timecop'

data/lib/devise_two_factor/models/two_factor_authenticatable.rb

@@ -15,17 +15,19 @@ module Devise
       end
 
       def self.required_fields(klass)
-        [:encrypted_otp_secret, :encrypted_otp_secret_iv, :encrypted_otp_secret_salt]
+        [:encrypted_otp_secret, :encrypted_otp_secret_iv, :encrypted_otp_secret_salt, :consumed_timestep]
       end
 
       # This defaults to the model's otp_secret
-      # If this hasn't been generated yet, pass a secret as an  option
-      def valid_otp?(code, options = {})
+      # If this hasn't been generated yet, pass a secret as an option
+      def validate_and_consume_otp!(code, options = {})
         otp_secret = options[:otp_secret] || self.otp_secret
         return false unless otp_secret.present?
 
         totp = self.otp(otp_secret)
-        totp.verify_with_drift(code, self.class.otp_allowed_drift)
+        return consume_otp! if totp.verify_with_drift(code, self.class.otp_allowed_drift)
+
+        false
       end
 
       def otp(otp_secret = self.otp_secret)
@@ -36,6 +38,11 @@ module Devise
         otp.at(Time.now)
       end
 
+      # ROTP's TOTP#timecode is private, so we duplicate it here
+      def current_otp_timestep
+         Time.now.utc.to_i / otp.interval
+      end
+
       def otp_provisioning_uri(account, options = {})
         otp_secret = options[:otp_secret] || self.otp_secret
         ROTP::TOTP.new(otp_secret, options).provisioning_uri(account)
@@ -47,6 +54,17 @@ module Devise
 
     protected
 
+      # An OTP cannot be used more than once in a given timestep
+      # Storing timestep of last valid OTP is sufficient to satisfy this requirement
+      def consume_otp!
+        if self.consumed_timestep != current_otp_timestep
+          self.consumed_timestep = current_otp_timestep
+          return save(validate: false)
+        end
+
+        false
+      end
+
       module ClassMethods
         Devise::Models.config(self, :otp_secret_length,
                                     :otp_allowed_drift,

data/lib/devise_two_factor/spec_helpers/two_factor_authenticatable_shared_examples.rb

@@ -5,29 +5,29 @@ shared_examples 'two_factor_authenticatable' do
 
   describe 'required_fields' do
     it 'should have the attr_encrypted fields for otp_secret' do
-      Devise::Models::TwoFactorAuthenticatable.required_fields(subject.class).should =~ ([:encrypted_otp_secret, :encrypted_otp_secret_iv, :encrypted_otp_secret_salt])
+      expect(Devise::Models::TwoFactorAuthenticatable.required_fields(subject.class)).to contain_exactly(:encrypted_otp_secret, :encrypted_otp_secret_iv, :encrypted_otp_secret_salt, :consumed_timestep)
     end
   end
 
   describe '#otp_secret' do
     it 'should be of the configured length' do
-      subject.otp_secret.length.should eq(subject.class.otp_secret_length)
+      expect(subject.otp_secret.length).to eq(subject.class.otp_secret_length)
     end
 
     it 'stores the encrypted otp_secret' do
-      subject.encrypted_otp_secret.should_not be_nil
+      expect(subject.encrypted_otp_secret).to_not be_nil
     end
 
     it 'stores an iv for otp_secret' do
-      subject.encrypted_otp_secret_iv.should_not be_nil
+      expect(subject.encrypted_otp_secret_iv).to_not be_nil
     end
 
     it 'stores a salt for otp_secret' do
-      subject.encrypted_otp_secret_salt.should_not be_nil
+      expect(subject.encrypted_otp_secret_salt).to_not be_nil
     end
   end
 
-  describe '#valid_otp?' do
+  describe '#validate_and_consume_otp!' do
     let(:otp_secret) { '2z6hxkdwi3uvrnpn' }
 
     before :each do
@@ -39,24 +39,50 @@ shared_examples 'two_factor_authenticatable' do
       Timecop.return
     end
 
+    context 'with a stored consumed_timestep' do
+      context 'given a precisely correct OTP' do
+        let(:consumed_otp) { ROTP::TOTP.new(otp_secret).at(Time.now) }
+
+        before do
+          subject.validate_and_consume_otp!(consumed_otp)
+        end
+
+        it 'fails to validate' do
+          expect(subject.validate_and_consume_otp!(consumed_otp)).to be false
+        end
+      end
+
+      context 'given a previously valid OTP within the allowed drift' do
+        let(:consumed_otp) { ROTP::TOTP.new(otp_secret).at(Time.now + subject.class.otp_allowed_drift, true) }
+
+        before do
+          subject.validate_and_consume_otp!(consumed_otp)
+        end
+
+        it 'fails to validate' do
+          expect(subject.validate_and_consume_otp!(consumed_otp)).to be false
+        end
+      end
+    end
+
     it 'validates a precisely correct OTP' do
       otp = ROTP::TOTP.new(otp_secret).at(Time.now)
-      subject.valid_otp?(otp).should be true
+      expect(subject.validate_and_consume_otp!(otp)).to be true
     end
 
     it 'validates an OTP within the allowed drift' do
       otp = ROTP::TOTP.new(otp_secret).at(Time.now + subject.class.otp_allowed_drift, true)
-      subject.valid_otp?(otp).should be true
+      expect(subject.validate_and_consume_otp!(otp)).to be true
     end
 
     it 'does not validate an OTP above the allowed drift' do
       otp = ROTP::TOTP.new(otp_secret).at(Time.now + subject.class.otp_allowed_drift * 2, true)
-      subject.valid_otp?(otp).should be false
+      expect(subject.validate_and_consume_otp!(otp)).to be false
     end
 
     it 'does not validate an OTP below the allowed drift' do
       otp = ROTP::TOTP.new(otp_secret).at(Time.now - subject.class.otp_allowed_drift * 2, true)
-      subject.valid_otp?(otp).should be false
+      expect(subject.validate_and_consume_otp!(otp)).to be false
     end
   end
 
@@ -66,11 +92,11 @@ shared_examples 'two_factor_authenticatable' do
     let(:issuer)            { "Tinfoil" }
 
     it "should return uri with specified account" do
-      subject.otp_provisioning_uri(account).should match(%r{otpauth://totp/#{account}\?secret=\w{#{otp_secret_length}}})
+      expect(subject.otp_provisioning_uri(account)).to match(%r{otpauth://totp/#{account}\?secret=\w{#{otp_secret_length}}})
     end
 
     it 'should return uri with issuer option' do
-      subject.otp_provisioning_uri(account, issuer: issuer).should match(%r{otpauth://totp/#{account}\?secret=\w{#{otp_secret_length}}&issuer=#{issuer}$})
+      expect(subject.otp_provisioning_uri(account, issuer: issuer)).to match(%r{otpauth://totp/#{account}\?secret=\w{#{otp_secret_length}}&issuer=#{issuer}$})
     end
   end
 end

data/lib/devise_two_factor/spec_helpers/two_factor_backupable_shared_examples.rb

@@ -1,7 +1,7 @@
 shared_examples 'two_factor_backupable' do
   describe 'required_fields' do
     it 'has the attr_encrypted fields for otp_backup_codes' do
-      Devise::Models::TwoFactorBackupable.required_fields(subject.class).should =~ [:otp_backup_codes]
+      expect(Devise::Models::TwoFactorBackupable.required_fields(subject.class)).to contain_exactly(:otp_backup_codes)
     end
   end
 
@@ -12,24 +12,23 @@ shared_examples 'two_factor_backupable' do
       end
 
       it 'generates the correct number of new recovery codes' do
-        subject.otp_backup_codes.length.should
-          eq(subject.class.otp_number_of_backup_codes)
+        expect(subject.otp_backup_codes.length).to eq(subject.class.otp_number_of_backup_codes)
       end
 
       it 'generates recovery codes of the correct length' do
         @plaintext_codes.each do |code|
-          code.length.should eq(subject.class.otp_backup_code_length)
+          expect(code.length).to eq(subject.class.otp_backup_code_length)
         end
       end
 
       it 'generates distinct recovery codes' do
-        @plaintext_codes.uniq.should =~ @plaintext_codes
+        expect(@plaintext_codes.uniq).to contain_exactly(*@plaintext_codes)
       end
 
       it 'stores the codes as BCrypt hashes' do
         subject.otp_backup_codes.each do |code|
           # $algorithm$cost$(22 character salt + 31 character hash)
-          code.should =~ /\A\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}\z/
+          expect(code).to match(/\A\$[0-9a-z]{2}\$[0-9]{2}\$[A-Za-z0-9\.\/]{53}\z/)
         end
       end
     end
@@ -44,7 +43,7 @@ shared_examples 'two_factor_backupable' do
       end
 
       it 'invalidates the existing recovery codes' do
-        (subject.otp_backup_codes & old_codes_hashed).should =~ []
+        expect((subject.otp_backup_codes & old_codes_hashed)).to match []
       end
     end
   end
@@ -56,14 +55,14 @@ shared_examples 'two_factor_backupable' do
 
     context 'given an invalid recovery code' do
       it 'returns false' do
-        subject.invalidate_otp_backup_code!('password').should be false
+        expect(subject.invalidate_otp_backup_code!('password')).to be false
       end
     end
 
     context 'given a valid recovery code' do
       it 'returns true' do
         @plaintext_codes.each do |code|
-          subject.invalidate_otp_backup_code!(code).should be true
+          expect(subject.invalidate_otp_backup_code!(code)).to be true
         end
       end
 
@@ -71,7 +70,7 @@ shared_examples 'two_factor_backupable' do
         code = @plaintext_codes.sample
 
         subject.invalidate_otp_backup_code!(code)
-        subject.invalidate_otp_backup_code!(code).should be false
+        expect(subject.invalidate_otp_backup_code!(code)).to be false
       end
 
       it 'does not invalidate the other recovery codes' do
@@ -81,7 +80,7 @@ shared_examples 'two_factor_backupable' do
         @plaintext_codes.delete(code)
 
         @plaintext_codes.each do |code|
-          subject.invalidate_otp_backup_code!(code).should be true
+          expect(subject.invalidate_otp_backup_code!(code)).to be true
         end
       end
     end

data/lib/devise_two_factor/strategies/two_factor_authenticatable.rb

@@ -22,7 +22,7 @@ module Devise
       def validate_otp(resource)
         return true unless resource.otp_required_for_login
         return if params[scope]['otp_attempt'].nil?
-        resource.valid_otp?(params[scope]['otp_attempt'])
+        resource.validate_and_consume_otp!(params[scope]['otp_attempt'])
       end
     end
   end

data/lib/devise_two_factor/version.rb

@@ -1,3 +1,3 @@
 module DeviseTwoFactor
-   VERSION = '1.1.0'.freeze
+   VERSION = '2.0.0'.freeze
 end

data/lib/generators/devise_two_factor/devise_two_factor_generator.rb

@@ -22,6 +22,7 @@ module DeviseTwoFactor
                                 "encrypted_otp_secret:string",
                                 "encrypted_otp_secret_iv:string",
                                 "encrypted_otp_secret_salt:string",
+                                "consumed_timestep:integer",
                                 "otp_required_for_login:boolean"
                               ]
 

data/spec/devise/models/two_factor_authenticatable_spec.rb

@@ -6,6 +6,13 @@ class TwoFactorAuthenticatableDouble
   extend  ::Devise::Models
 
   devise :two_factor_authenticatable, :otp_secret_encryption_key => 'test-key'
+
+  attr_accessor :consumed_timestep
+
+  def save(validate)
+    # noop for testing
+    true
+  end
 end
 
 describe ::Devise::Models::TwoFactorAuthenticatable do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise-two-factor
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Shane Wilton
@@ -84,166 +84,160 @@ cert_chain:
   5C31v4YyRBnNCp0pN66nxYX2avEiQ8riTBP5mlkPPOhsIoYQHHe2Uj75aVpu0LZ3
   cdFzuO4GC1dV0Wv+dsDm+MyF7DT5E9pUPXpnMJuPvPrFpCb+wrFlszW9hGjXbQ==
   -----END CERTIFICATE-----
-date: 2015-07-10 00:00:00.000000000 Z
+date: 2015-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: attr_encrypted
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 1.3.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 1.3.2
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 3.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: 3.5.0
 - !ruby/object:Gem::Dependency
   name: rotp
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ~>
       - !ruby/object:Gem::Version
         version: '2'
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
+    - - '>'
       - !ruby/object:Gem::Version
         version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
+    - - '>'
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
-      - !ruby/object:Gem::Version
-        version: '2'
-    - - "<"
+    - - '>'
       - !ruby/object:Gem::Version
         version: '3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">"
-      - !ruby/object:Gem::Version
-        version: '2'
-    - - "<"
+    - - '>'
       - !ruby/object:Gem::Version
         version: '3'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: faker
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 description: Barebones two-factor authentication with Devise
@@ -252,14 +246,15 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".gitignore"
-- ".rspec"
-- ".travis.yml"
+- .gitignore
+- .rspec
+- .travis.yml
 - CONTRIBUTING.md
 - Gemfile
 - LICENSE
 - README.md
 - Rakefile
+- UPGRADING.md
 - certs/tinfoil-cacert.pem
 - certs/tinfoilsecurity-gems-cert.pem
 - devise-two-factor.gemspec
@@ -288,17 +283,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: devise-two-factor
-rubygems_version: 2.4.6
+rubygems_version: 2.4.7
 signing_key: 
 specification_version: 4
 summary: Barebones two-factor authentication with Devise
@@ -306,3 +301,4 @@ test_files:
 - spec/devise/models/two_factor_authenticatable_spec.rb
 - spec/devise/models/two_factor_backupable_spec.rb
 - spec/spec_helper.rb
+has_rdoc: