RubyGems - devise-two-factor - Versions diffs - 6.1.0 → 6.2.0 - Mend

devise-two-factor 6.1.0 → 6.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

checksums.yaml +4 -4
data/.github/workflows/ci.yml +7 -3
data/.github/workflows/push.yml +1 -1
data/Appraisals +5 -0
data/CHANGELOG.md +8 -0
data/README.md +4 -7
data/devise-two-factor.gemspec +2 -2
data/gemfiles/rails_8.1.gemfile +8 -0
data/lib/devise-two-factor.rb +1 -0
data/lib/devise_two_factor/models/two_factor_authenticatable.rb +9 -12
data/lib/devise_two_factor/strategies/two_factor_backupable.rb +6 -1
data/lib/devise_two_factor/version.rb +1 -1
metadata +8 -11

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 84d4fba8bbdcee4f8d8b00c5d2662dc5e8d78cc60e7f0502c7e0e9d5fc93a4d4
-  data.tar.gz: 33a77876910f588992917ebb123148f26d82b26fbe713f944e59f3b720c4978c
+  metadata.gz: b6893a24ebfb4eae935305d8b0657383c1630eb7619e23dfcd9ad0190bf1cd64
+  data.tar.gz: 24bab113bff7ae25afd03f9230caf372f8bdb0c319eeb18ab469353ca5136de1
 SHA512:
-  metadata.gz: d2f69c9f760278e3a1a40d5913b786468d9d4d12b54e93dd5d5437cfb5edc669f21a56953ea817d66722cbe305190762dcb86cef80009a0fff718e86a39726be
-  data.tar.gz: e3086e4034e6208e064f81e5845b1027b5e7c19d38ddd4788c615fe1a837772f1330aba234a30fb3f7f9cc549dbed3864da9f70249aef04b9efa066c8284733c
+  metadata.gz: 0b78eedcbafc38b967fb8a6717b9f70f87751b234ce905f5b4d99a176224e4927bc7039a69bb454daba16c8b07b368dc1d9a89e19016910733fd5f744f857a7c
+  data.tar.gz: '0199a55f34cc5b67375620c1acabbca8b7256ead8b5401a6917dc2589b64158080851c9d5a061bc7fba1b95d36034f4e24aa13f1efb802a9cf44d1e202f407a0'

data/.github/workflows/ci.yml CHANGED Viewed

@@ -12,17 +12,21 @@ jobs:
       fail-fast: false
       matrix:
         # Due to https://github.com/actions/runner/issues/849, we should quote versions
-        ruby: ['3.1', '3.2', '3.3', 'truffleruby-head']
-        rails: ['7.0', '7.1', '7.2', '8.0']
+        ruby: ['3.1', '3.2', '3.3', '3.4', 'truffleruby-head']
+        rails: ['7.0', '7.1', '7.2', '8.0', '8.1']
         exclude:
           - ruby: '3.1'
             rails: '8.0'
+          - ruby: '3.1'
+            rails: '8.1'
+          - ruby: '3.4'
+            rails: '7.0'
     name: Ruby ${{ matrix.ruby }}, Rails ${{ matrix.rails }}
     env: # $BUNDLE_GEMFILE must be set at the job level, so it is set for all steps
       BUNDLE_GEMFILE: ${{ github.workspace }}/gemfiles/rails_${{ matrix.rails }}.gemfile
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:

data/.github/workflows/push.yml CHANGED Viewed

@@ -17,7 +17,7 @@ jobs:
     steps:
       # Set up
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
         with:

data/Appraisals CHANGED Viewed

@@ -17,3 +17,8 @@ appraise "rails-8.0" do
   gem 'railties', '~> 8.0.0'
   gem 'activesupport', '~> 8.0.0'
 end
+appraise "rails-8.1" do
+  gem 'railties', '8.1.0'
+  gem 'activesupport', '8.1.0'
+end

data/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,14 @@
 ## Unreleased
+## 6.2.0
+- Rails 8.1 support
+## 6.1.0
+- Rails 8 support
 ## 6.0.0
 **Breaking Changes**

data/README.md CHANGED Viewed

@@ -82,7 +82,7 @@ This generator will:
 1. Edit `app/models/MODEL.rb` (where MODEL is your model name):
     * add the `:two_factor_authenticatable` devise module
-    * remove the `:database_authenticatable` if present because it is incompatible with `:two_factor_authenticatable`
+    * remove the `:database_authenticatable` devise module, if present; having both modules enabled will lead to issues described below.
 1. Add a Warden config block to your Devise initializer, which enables the strategies required for two-factor authentication.
 Remember to apply the new migration after you run the generator:
@@ -107,9 +107,9 @@ Next you need to whitelist `:otp_attempt` as a permitted parameter in Devise `:s
   end
 ```
-Finally you should verify that `:database_authenticatable` is **not** being loaded by your model. The generator will try to remove it, but if you have a non-standard Devise setup, this step may fail.
+Finally you should verify that `:database_authenticatable` is **not** being loaded by your model. The generator will try to remove it, but if you have a non-standard Devise setup, this step may fail. `:two_factor_authenticatable` includes all of `:database_authenticatable`'s functionality; it will still allow login without two-factor authentication until you enable it on your model's records with `otp_required_for_login`.
-**Loading both `:database_authenticatable` and `:two_factor_authenticatable` in a model is a security issue** It will allow users to bypass two-factor authenticatable due to the way Warden handles cascading strategies!
+**Loading both `:database_authenticatable` and `:two_factor_authenticatable` in a model is a security issue.** It will allow users to bypass two-factor authentication regardless of how `otp_required_for_login` is set due to the way Warden handles cascading strategies!
 ## Designing Your Workflow
@@ -155,10 +155,7 @@ At Tinfoil Security, we opted to use the excellent [rqrcode-rails3](https://gith
 If you decide to do this you'll need to generate a URI to act as the source for the QR code. This can be done using the `User#otp_provisioning_uri` method.
 ```ruby
-issuer = 'Your App'
-label = "#{issuer}:#{current_user.email}"
-current_user.otp_provisioning_uri(label, issuer: issuer)
+current_user.otp_provisioning_uri(current_user.email, issuer: 'Your App')
 # > "otpauth://totp/Your%20App:user@example.com?secret=[otp_secret]&issuer=Your+App"
 ```

data/devise-two-factor.gemspec CHANGED Viewed

@@ -15,8 +15,8 @@ Gem::Specification.new do |s|
   s.test_files    = `git ls-files -- spec/*`.split("\n")
   s.require_paths = ['lib']
-  s.add_runtime_dependency 'railties',       '>= 7.0', '< 8.1'
-  s.add_runtime_dependency 'activesupport',  '>= 7.0', '< 8.1'
+  s.add_runtime_dependency 'railties',       '>= 7.0', '< 8.2'
+  s.add_runtime_dependency 'activesupport',  '>= 7.0', '< 8.2'
   s.add_runtime_dependency 'devise',         '~> 4.0'
   s.add_runtime_dependency 'rotp',           '~> 6.0'

data/gemfiles/rails_8.1.gemfile ADDED Viewed

@@ -0,0 +1,8 @@
+# This file was generated by Appraisal
+source "https://rubygems.org"
+gem "railties", "8.1.0"
+gem "activesupport", "8.1.0"
+gemspec path: "../"

data/lib/devise-two-factor.rb CHANGED Viewed

@@ -1,3 +1,4 @@
+require 'logger'
 require 'devise'
 require 'devise_two_factor/models'
 require 'devise_two_factor/strategies'

data/lib/devise_two_factor/models/two_factor_authenticatable.rb CHANGED Viewed

@@ -41,12 +41,11 @@ module Devise
         if self.consumed_timestep
           # reconstruct the timestamp of the last consumed timestep
-          after_timestamp = self.consumed_timestep * otp.interval
+          after_timestamp = self.consumed_timestep * totp.interval
         end
-        if totp.verify(code.gsub(/\s+/, ""), drift_behind: self.class.otp_allowed_drift, drift_ahead: self.class.otp_allowed_drift, after: after_timestamp)
-          return consume_otp!
-        end
+        timestamp = totp.verify(code.gsub(/\s+/, ""), drift_behind: self.class.otp_allowed_drift, drift_ahead: self.class.otp_allowed_drift, after: after_timestamp)
+        return consume_otp!(totp, timestamp) if timestamp
         false
       end
@@ -59,11 +58,6 @@ module Devise
         otp.at(Time.now)
       end
-      # ROTP's TOTP#timecode is private, so we duplicate it here
-      def current_otp_timestep
-         Time.now.utc.to_i / otp.interval
-      end
       def otp_provisioning_uri(account, options = {})
         otp_secret = options[:otp_secret] || self.otp_secret
         ROTP::TOTP.new(otp_secret, options).provisioning_uri(account)
@@ -78,10 +72,13 @@ module Devise
       # An OTP cannot be used more than once in a given timestep
       # Storing timestep of last valid OTP is sufficient to satisfy this requirement
-      def consume_otp!
-        if self.consumed_timestep != current_otp_timestep
-          self.consumed_timestep = current_otp_timestep
+      def consume_otp!(otp, timestamp)
+        timestep = timestamp / otp.interval
+        if self.consumed_timestep != timestep
+          self.consumed_timestep = timestep
           save!(validate: false)
           return true
         end

data/lib/devise_two_factor/strategies/two_factor_backupable.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Devise
       def authenticate!
         resource = mapping.to.find_for_database_authentication(authentication_hash)
-        if validate(resource) { resource.invalidate_otp_backup_code!(params[scope]['otp_attempt']) }
+        if validate(resource) { validate_backup_code(resource) }
           super
         end
@@ -15,6 +15,11 @@ module Devise
         # but database authenticatable automatically halts on a bad password
         @halted = false if @result == :failure
       end
+      def validate_backup_code(resource)
+        return if params[scope].nil? || params[scope]['otp_attempt'].nil?
+        resource.invalidate_otp_backup_code!(params[scope]['otp_attempt'])
+      end
     end
   end
 end

data/lib/devise_two_factor/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module DeviseTwoFactor
-  VERSION = '6.1.0'.freeze
+  VERSION = '6.2.0'.freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: devise-two-factor
 version: !ruby/object:Gem::Version
-  version: 6.1.0
+  version: 6.2.0
 platform: ruby
 authors:
 - Quinn Wilton
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-11 00:00:00.000000000 Z
+date: 2025-10-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -19,7 +18,7 @@ dependencies:
         version: '7.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +28,7 @@ dependencies:
         version: '7.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -39,7 +38,7 @@ dependencies:
         version: '7.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -49,7 +48,7 @@ dependencies:
         version: '7.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8.1'
+        version: '8.2'
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
@@ -164,7 +163,6 @@ dependencies:
         version: '13'
 description: Devise-Two-Factor is a minimalist extension to Devise which offers support
   for two-factor authentication through the TOTP scheme.
-email:
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -189,6 +187,7 @@ files:
 - gemfiles/rails_7.1.gemfile
 - gemfiles/rails_7.2.gemfile
 - gemfiles/rails_8.0.gemfile
+- gemfiles/rails_8.1.gemfile
 - lib/devise-two-factor.rb
 - lib/devise_two_factor/models.rb
 - lib/devise_two_factor/models/two_factor_authenticatable.rb
@@ -208,7 +207,6 @@ homepage: https://github.com/devise-two-factor/devise-two-factor
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -223,8 +221,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Barebones two-factor authentication with Devise
 test_files: