RubyGems - devise_fido_usf - Versions diffs - 0.1.0 - Mend

devise_fido_usf 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

checksums.yaml +7 -0
data/MIT-LICENSE +20 -0
data/README.md +33 -0
data/Rakefile +33 -0
data/app/assets/javascript/u2f-api.js +748 -0
data/app/controllers/devise/fido_usf_authentications_controller.rb +54 -0
data/app/controllers/devise/fido_usf_registrations_controller.rb +57 -0
data/app/models/fido_usf/fido_usf_device.rb +7 -0
data/app/views/devise/fido_usf_authentications/new.html.erb +41 -0
data/app/views/devise/fido_usf_registrations/_device.html.erb +5 -0
data/app/views/devise/fido_usf_registrations/_devices.html.erb +14 -0
data/app/views/devise/fido_usf_registrations/destroy.js.erb +3 -0
data/app/views/devise/fido_usf_registrations/new.html.erb +43 -0
data/app/views/devise/fido_usf_registrations/show.html.erb +5 -0
data/config/locales/en.yml +24 -0
data/lib/devise_fido_usf.rb +13 -0
data/lib/devise_fido_usf/controllers/helpers.rb +54 -0
data/lib/devise_fido_usf/hooks/fido_usf_authenticatable.rb +10 -0
data/lib/devise_fido_usf/models/fido_usf_authenticatable.rb +15 -0
data/lib/devise_fido_usf/models/fido_usf_registerable.rb +12 -0
data/lib/devise_fido_usf/rails.rb +8 -0
data/lib/devise_fido_usf/routes.rb +15 -0
data/lib/devise_fido_usf/version.rb +3 -0
data/lib/generators/devise_fido_usf/install_generator.rb +59 -0
data/lib/generators/devise_fido_usf/migrate_generator.rb +28 -0
data/lib/generators/templates/README +44 -0
data/lib/generators/templates/migration.rb +19 -0
data/lib/tasks/devise_fido_usf_tasks.rake +4 -0
metadata +240 -0

data/app/controllers/devise/fido_usf_authentications_controller.rb ADDED Viewed

@@ -0,0 +1,54 @@
+class Devise::FidoUsfAuthenticationsController < DeviseController
+  before_action :find_resource_and_verify_password, only: [:new, :create]
+  def new
+    key_handles = @resource.fido_usf_devices.map(&:key_handle)
+    @app_id = helpers.u2f.app_id
+    @sign_requests = helpers.u2f.authentication_requests(key_handles)
+    @challenge = helpers.u2f.challenge
+    session[:"#{resource_name}_u2f_challenge"] = @challenge
+    render :new
+  end
+  def create
+    begin
+      response = U2F::SignResponse.load_from_json(params[:response])
+    rescue TypeError
+      return redirect_to root_path
+    end
+    registration = @resource.fido_usf_devices.find_by_key_handle(response.key_handle)
+    return 'Need to register first' unless registration
+    begin
+      #helpers.u2f.authenticate!(session[:"#{resource_name}_u2f_challenge"], response, Base64.decode64(registration.public_key), registration.counter)
+      helpers.u2f.authenticate!(session[:"#{resource_name}_u2f_challenge"], response, registration.public_key, registration.counter)
+      registration.update(counter: response.counter, last_authenticated_at: Time.now)
+      # Remember the user (if applicable)
+      @resource.remember_me = Devise::TRUE_VALUES.include?(session[:"#{resource_name}_remember_me"]) if @resource.respond_to?(:remember_me=)
+      sign_in(resource_name, @resource)
+      set_flash_message(:notice, :signed_in) if is_navigational_format?
+    rescue U2F::Error => e
+      flash[:error] = "Unable to authenticate: #{e.class.name}"
+      return redirect_to root_path
+    ensure
+      session.delete(:"#{resource_name}_u2f_challenge")
+    end
+    respond_with resource, :location => after_sign_in_path_for(@resource)
+  end
+  private
+  def find_resource_and_verify_password
+    @resource = send("current_#{resource_name}")
+    if @resource.nil?
+      @resource = resource_class.find_by_id(session["#{resource_name}_id"])
+    end
+    if @resource.nil? || !Devise::TRUE_VALUES.include?(session[:"#{resource_name}_password_checked"])
+      redirect_to root_path
+    end
+  end
+end

data/app/controllers/devise/fido_usf_registrations_controller.rb ADDED Viewed

@@ -0,0 +1,57 @@
+class Devise::FidoUsfRegistrationsController < ApplicationController
+  before_action :authenticate_user!
+  def new
+    @registration_requests = helpers.u2f.registration_requests
+    session[:challenges] = @registration_requests.map(&:challenge)
+    key_handles = current_user.fido_usf_devices.map(&:key_handle)
+    @sign_requests = helpers.u2f.authentication_requests(key_handles)
+    @app_id = helpers.u2f.app_id
+    render :new
+  end
+  # Show a list of all registered devices
+  def show
+    @devices = current_user.fido_usf_devices.all
+    render :show
+  end
+  def destroy
+    device = current_user.fido_usf_devices.find(params[:id])
+    @fade_out_id = device.id
+    device.destroy
+    @devices = current_user.fido_usf_devices.all
+    flash[:success] = I18n.t('fido_usf.flashs.device.removed')
+    respond_to do |format|
+      format.js
+      format.html { redirect_to user_fido_usf_registration_url }
+    end
+  end
+  def create
+    begin
+      response = U2F::RegisterResponse.load_from_json(params[:response])
+      reg = helpers.u2f.register!(session[:challenges], response)
+      pubkey = reg.public_key
+      pubkey = Base64.decode64(reg.public_key) unless pubkey.bytesize == 65 && pubkey.byteslice(0) != "\x04"
+      FidoUsf::FidoUsfDevice.create!(
+          user: current_user,
+          name: 'Unnamed 1',
+          certificate: reg.certificate,
+          key_handle: reg.key_handle,
+          public_key: pubkey,
+          counter: reg.counter,
+          last_authenticated_at: Time.now)
+      flash[:success] = I18n.t('fido_usf.flashs.device.registered')
+    rescue U2F::Error => e
+      @error_message = "Unable to register: #{e.class.name}"
+      flash[:error] = @error_message
+    ensure
+      session.delete(:challenges)
+    end
+    redirect_to user_fido_usf_registration_path()
+  end
+end

data/app/models/fido_usf/fido_usf_device.rb ADDED Viewed

@@ -0,0 +1,7 @@
+module FidoUsf
+  class FidoUsfDevice < ActiveRecord::Base
+    belongs_to :user, polymorphic: true
+    validates :user, :name, :key_handle, :public_key, :certificate, :counter, :last_authenticated_at, presence: true
+  end
+end

data/app/views/devise/fido_usf_authentications/new.html.erb ADDED Viewed

@@ -0,0 +1,41 @@
+<h2>Authenticate key</h2>
+<p>Please insert one of your registered keys and press the button within 15 seconds</p>
+<p id="waiting">Waiting...</p>
+<p id="error" style="display: none;"></p>
+<%= form_tag user_fido_usf_authentication_path(), method: 'post' do %>
+  <%= hidden_field_tag :response %>
+<% end %>
+<script>
+  var appId = <%= @app_id.to_json.html_safe %>;
+  var signRequests = <%= @sign_requests.to_json.html_safe %>;
+  var challenge = <%= @challenge.to_json.html_safe %>;
+  var $waiting = document.getElementById('waiting');
+  var $error = document.getElementById('error');
+  var errorMap = {
+    1: 'Unknown error, try again',
+    2: "Bad request error, try again" ,
+    3: "This key isn't supported, please try another one",
+    4: 'The device is is not registered, please register first.',
+    5: 'Authentication timed out. Please reload to try again.'
+  };
+  var setError = function(code) {
+    $waiting.style.display = 'none';
+    $error.style.display = 'block';
+    $error.innerHTML = errorMap[code];
+  };
+  u2f.sign(appId, challenge, signRequests, function(signResponse) {
+    var form, reg;
+    if (signResponse.errorCode) {
+      return setError(signResponse.errorCode);
+    }
+    form = document.forms[0];
+    response = document.querySelector('[name=response]');
+    response.value = JSON.stringify(signResponse);
+    form.submit();
+  }, 15);
+</script>

data/app/views/devise/fido_usf_registrations/_device.html.erb ADDED Viewed

@@ -0,0 +1,5 @@
+<tr id="device_<%= device.id %>">
+  <td><%= device.name %></td>
+  <td><%= l(device.last_authenticated_at, format: :long) %></td>
+  <td><%= link_to 'Delete', user_fido_usf_registration_path(id: device.id), remote: true, :method => :delete, data: {confirm: "Should device #{device.name} be deleted?" } %></td>
+</tr>

data/app/views/devise/fido_usf_registrations/_devices.html.erb ADDED Viewed

@@ -0,0 +1,14 @@
+<div class="new-device"></div>
+<table id class="table table-bordered table-striped">
+  <thead>
+  <tr>
+    <th class="col-md-4"><%= FidoUsf::FidoUsfDevice.human_attribute_name('name') %></th>
+    <th class="col-md-3"><%= FidoUsf::FidoUsfDevice.human_attribute_name('last_authenticated_at') %></th>
+    <th class="col-md-2"><%= t('common.actions') %></th>
+  </tr>
+  </thead>
+  <tbody id="devices">
+  <%= render partial: 'devise/fido_usf_registrations/device', collection: @devices %>
+  </tbody>
+</table>

data/app/views/devise/fido_usf_registrations/destroy.js.erb ADDED Viewed

@@ -0,0 +1,3 @@
+$('#device_<%= @fade_out_id %>').fadeOut(400, function () {
+  $('#devices').html('<%= j(render(partial: 'devise/fido_usf_registrations/device', collection: @devices)) %>')
+} );

data/app/views/devise/fido_usf_registrations/new.html.erb ADDED Viewed

@@ -0,0 +1,43 @@
+<h2>Register key</h2>
+<p>Please insert the key and press the button within 15 seconds</p>
+<p id="waiting">Waiting...</p>
+<p id="error" style="display: none;"></p>
+<%= form_tag user_fido_usf_registration_path(), method: 'post' do %>
+  <%= hidden_field_tag :response %>
+<% end %>
+<script>
+  var appId = <%= @app_id.to_json.html_safe %>;
+  var registerRequests = <%= @registration_requests.to_json.html_safe %>;
+  var signRequests = <%= @sign_requests.to_json.html_safe %>;
+  var $waiting = document.getElementById('waiting');
+  var $error = document.getElementById('error');
+  var errorMap = {
+    1: 'Unknown error, try again',
+    2: "Bad request error, try again" ,
+    3: "This key isn't supported, please try another one",
+    4: 'The device is already registered, please login',
+    5: 'Authentication timed out. Please reload to try again.'
+  };
+  var setError = function(code) {
+    $waiting.style.display = 'none';
+    $error.style.display = 'block';
+    $error.innerHTML = errorMap[code];
+  };
+  u2f.register(appId, registerRequests, signRequests, function(registerResponse) {
+    var form, reg;
+    if (registerResponse.errorCode) {
+      return setError(registerResponse.errorCode);
+    }
+    form = document.forms[0];
+    response = document.querySelector('[name=response]');
+    response.value = JSON.stringify(registerResponse);
+    form.submit();
+  }, 15);
+</script>

data/app/views/devise/fido_usf_registrations/show.html.erb ADDED Viewed

@@ -0,0 +1,5 @@
+<h2> FIDO U2F Devices</h2>
+<p>List of registered devices:</p>
+<%= render 'devise/fido_usf_registrations/devices' %>
+<p><%= link_to 'Back', root_path() %></p>
+<p><%= link_to 'Add', new_user_fido_usf_registration_path() %></p>

data/config/locales/en.yml ADDED Viewed

@@ -0,0 +1,24 @@
+en:
+  fido_usf:
+    pages:
+      devices: "2FA Devices"
+    flashs:
+      device:
+        removed:  "Device removed."
+        registered:  "New 2FA device successfully registered."
+  common:
+    actions: 'Actions'
+  forms:
+    device:
+      add: "Add 2FA Device"
+      delete: "Delete"
+      delete_confirm: "Do you really want to delete the 2FA device \"%{device_name}\"?"
+  activerecord:
+    attributes:
+      fido_usf/fido_usf_device:
+        last_authenticated_at: "Last used"

data/lib/devise_fido_usf.rb ADDED Viewed

@@ -0,0 +1,13 @@
+module DeviseFidoUsf
+  module Controllers
+    autoload :Helpers, 'devise_fido_usf/controllers/helpers'
+  end
+end
+require 'devise'
+require 'u2f'
+require 'devise_fido_usf/routes'
+require 'devise_fido_usf/rails'
+Devise.add_module :fido_usf_registerable, :model => 'devise_fido_usf/models/fido_usf_registerable', :controller => :fido_usf_registrations, :route => :fido_usf_registration
+Devise.add_module :fido_usf_authenticatable, :model => 'devise_fido_usf/models/fido_usf_authenticatable', :controller => :fido_usf_authentications, :route => :fido_usf_authentication

data/lib/devise_fido_usf/controllers/helpers.rb ADDED Viewed

@@ -0,0 +1,54 @@
+# Code loosely based on authy-devise gem from https://github.com/authy/authy-devise
+module DeviseFidoUsf
+  module Controllers
+    module Helpers
+      extend ActiveSupport::Concern
+      included do
+        before_action :check_request_and_redirect_to_verify_fido_usf, :if => :is_user_signing_in?
+      end
+      private
+      def is_devise_sessions_controller?
+        self.class == Devise::SessionsController || self.class.ancestors.include?(Devise::SessionsController)
+      end
+      def is_user_signing_in?
+        if devise_controller? && signed_in?(resource_name) &&
+          is_devise_sessions_controller? &&
+          self.action_name == "create"
+          return true
+        end
+        return false
+      end
+      def check_request_and_redirect_to_verify_fido_usf
+        if signed_in?(resource_name) && warden.session(resource_name)[:with_fido_usf_authentication]
+          # login with 2fa
+          id = warden.session(resource_name)[:id]
+          return_to = session["#{resource_name}_return_to"]
+          remember_me = Devise::TRUE_VALUES.include?(sign_in_params[:remember_me])
+          sign_out
+          # It is secure to put these information in a Rails 5 session
+          # because cookies are signed and encrypted.
+          session["#{resource_name}_id"] = id
+          session["#{resource_name}_remember_me"] = remember_me
+          session["#{resource_name}_password_checked"] = true
+          session["#{resource_name}_return_to"] = return_to if return_to
+          redirect_to verify_fido_usf_path_for(resource_name)
+          return
+        end
+      end
+      def verify_fido_usf_path_for(resource_or_scope = nil)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        send(:"new_#{scope}_fido_usf_authentication_path")
+      end
+    end
+  end
+end

data/lib/devise_fido_usf/hooks/fido_usf_authenticatable.rb ADDED Viewed

@@ -0,0 +1,10 @@
+Warden::Manager.after_authentication do |user, auth, options|
+  if user.respond_to?(:with_fido_usf_authentication?)
+    with_fido_usf_authentication = user.with_fido_usf_authentication?()
+    auth.session(options[:scope])[:with_fido_usf_authentication] = with_fido_usf_authentication
+    if with_fido_usf_authentication
+      auth.session(options[:scope])[:id] = user.id
+    end
+  end
+end

data/lib/devise_fido_usf/models/fido_usf_authenticatable.rb ADDED Viewed

@@ -0,0 +1,15 @@
+require 'devise_fido_usf/hooks/fido_usf_authenticatable'
+module Devise
+  module Models
+    module FidoUsfAuthenticatable
+      extend ActiveSupport::Concern
+      # Does the user has a registered FIDO U2F device?
+      def with_fido_usf_authentication?()
+        FidoUsf::FidoUsfDevice.where(user: self).count()>0
+      end
+    end
+  end
+end

data/lib/devise_fido_usf/models/fido_usf_registerable.rb ADDED Viewed

@@ -0,0 +1,12 @@
+module Devise
+  module Models
+    module FidoUsfRegisterable
+      extend ActiveSupport::Concern
+      included do
+        has_many :fido_usf_devices, class_name: 'FidoUsf::FidoUsfDevice', foreign_key: 'user_id', dependent: :destroy
+      end
+    end
+  end
+end

data/lib/devise_fido_usf/rails.rb ADDED Viewed

@@ -0,0 +1,8 @@
+module DeviseFidoUsf
+  class Engine < ::Rails::Engine
+    ActiveSupport.on_load(:action_controller) do
+      include DeviseFidoUsf::Controllers::Helpers
+    end
+  end
+end

data/lib/devise_fido_usf/routes.rb ADDED Viewed

@@ -0,0 +1,15 @@
+module ActionDispatch::Routing
+  class Mapper
+    def devise_fido_usf_registration(mapping, controllers)
+      resource :fido_usf_registration, :only => [:show, :new, :create, :destroy],
+        :path => mapping.path_names[:fido_usf_registration], :controller => controllers[:fido_usf_registrations] do
+      end
+    end
+    def devise_fido_usf_authentication(mapping, controllers)
+      resource :fido_usf_authentication, :only => [:new, :create],
+        :path => mapping.path_names[:fido_usf_authentication], :controller => controllers[:fido_usf_authentications] do
+      end
+    end
+  end
+end

data/lib/devise_fido_usf/version.rb ADDED Viewed

@@ -0,0 +1,3 @@
+module DeviseFidoUsf
+  VERSION = '0.1.0'
+end

data/lib/generators/devise_fido_usf/install_generator.rb ADDED Viewed

@@ -0,0 +1,59 @@
+require 'rails/generators/base'
+module DeviseFidoUsf
+  module Generators
+    MissingORMError = Class.new(Thor::Error)
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path("../../templates", __FILE__)
+      desc "Creates a FIDO U2F initializer for devise and copy locale files to your application."
+      class_option :orm
+      def copy_initializer
+        unless options[:orm]
+          raise MissingORMError, <<-ERROR.strip_heredoc
+          An ORM must be set to install Devise in your application.
+          Be sure to have an ORM like Active Record or Mongoid loaded in your
+          app or configure your own at `config/application.rb`.
+            config.generators do |g|
+              g.orm :your_orm_gem
+            end
+          ERROR
+        end
+      end
+      def add_application_helper
+        in_root do
+          inject_into_module "app/helpers/application_helper.rb", ApplicationHelper, application_helper_data
+        end
+      end
+      def copy_locale
+        copy_file "../../../config/locales/en.yml", "config/locales/fido_usf.en.yml"
+      end
+      def run_migration
+        invoke("devise_fido_usf:migrate", ["FidoUsfDevices"])
+      end
+      def show_readme
+        readme("README") if behavior == :invoke
+      end
+      def application_helper_data
+<<RUBY
+  def u2f
+    # use base_url as app_id, e.g. 'http://localhost:3000'
+    @u2f ||= U2F::U2F.new(request.base_url)
+  end
+RUBY
+      end
+    end
+  end
+end