devise_gauth 0.4.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e9a3c30a2e628f5e3fe99a0c4dedaf30f0dcbeced3c6a52a199fa150dd393b4b
+  data.tar.gz: 3259e009ed15a53e1e154451ad95963e862726f10f3966d46a9f910dfab80fa8
+SHA512:
+  metadata.gz: bc4bacfe402e8e98667326ec1c73cca6f2c05c545a7e5b450dc3c50d917ef90565aeb1942de381addd3782f83747d324f796148800f1770bc537f2b6af84ce82
+  data.tar.gz: aba6c26a7a3e7d667425a9aac361ae1a1dd7e60e76600f6b2ebc55f58fd904f98a654caa80528382d507305eae4cf54775bf210361d7e35654f3c719c0a5539d

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Pharmony SA
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,144 @@
+# Devise Google Authenticator
+
+This is a fork of the [devise](https://github.com/plataformatec/devise) extension to allow your app to utilise [Google Authenticator](http://code.google.com/p/google-authenticator/) for Time-based One Time Passwords (TOTP).
+
+The current version of this gem support Rails 4.x, 5.x and 6.x.
+
+## Installation
+
+Add the gem to your Gemfile (don't forget devise too):
+
+```ruby
+gem 'devise_gauth', '0.3.16'
+```
+
+Don't forget to "bundle install"
+
+Before you can setup Devise Google Authenticator you need to [setup Devise first](https://github.com/heartcombo/devise#getting-started).
+
+### Automatic Installation (Lets assume this is a bare bones app)
+
+Run the following generator to add the necessary configuration options to Devise's config file:
+
+```bash
+rails g devise_google_authenticator:install
+```
+
+After you've created your Devise user models (which is usually done with a "rails g devise MODEL"), set up your Google Authenticator additions:
+
+```bash
+rails g devise_google_authenticator MODEL
+```
+
+Don't forget to migrate if you're NOT using Mongoid as your database ORM, Mongoid installations will have appropriate fields added to the model after the command above:
+
+```bash
+rake db:migrate
+```
+
+### Installation With Existing Users
+
+After the above steps have been performed, you'll need to generate secrets for each user:
+
+```ruby
+ User.where(gauth_secret: nil).find_each do |user|
+  user.send(:assign_auth_secret)
+  user.save!
+ end
+```
+
+By default, users won't need to perform two-factor authentication (gauth_enabled='0'). By visiting /MODEL/displayqr (eg: /users/displayqr)
+and submitting the form, two-factor authentication will then be turned on (gauth_enabled=1) and required for subsequent logins.
+
+## Configuration Options
+
+The install generator adds some options to the end of your Devise config file (config/initializers/devise.rb)
+
+* `config.ga_timeout` - how long should the user be able to authenticate with their Google Authenticator token
+* `config.ga_timedrift` - a multiplier which provides for drift between a user's clock (and therefore their OTP) and the system clock. This should be fine at 3.
+* `config.ga_remembertime` - how long to remember the token for before requiring another. By default this is 1 month. To disable this setting change it to nil.
+* `config.ga_appname` - If you want to set a custom application name instead of using the name of the Rails app.
+* `config.ga_bypass_signup` - If you don't want to immediately forward newly registered or signed-up users to the Display QR page. If this is enabled, users will have to visit the /displayqr page to enable Google Authenticator.
+
+## Custom Views
+
+If you want to customise your views (which you likely will want to, as they're pretty ugly right now), you can use the generator:
+
+```bash
+rails g devise_google_authenticator:views
+```
+
+## Usage
+
+With this extension enabled, the following is expected behaviour:
+
+* When a user registers, they are forwarded onto the Display QR page (unless ga_bypass_signup is set to true). This allows them to add their new "token" to their mobile device, and enable, or disable, the functionality. To enable/disable the functionality, the user has to enter the current token.
+* If users can't self-register, they're still able to visit this page by visiting /MODEL/displayqr (eg: /users/displayqr).
+* If the function is enabled (for that user), when they sign in, they'll be prompted for their password (as per normal), but then redirected into the Check QR page. They have to enter their token (from their device) to then successfully authenticate.
+* If configured (by default to 1 month), the user will only be prompted for the token every 1 month.
+
+## I18n
+
+The install generator also installs an english copy of a Devise Google Authenticator i18n file. This can be modified (or used to create other language versions) and is located at: config/locales/devise.google_authenticator.en.yml
+
+## Testing
+
+You can use [Docker](https://www.docker.com/) to build & run tests. To make it
+even more easier this project uses [Earthly](https://earthly.dev/) so that you
+can build the project's docker image with:
+
+```
+earthly +dev
+```
+
+Then you can run the tests using [Docker Compose](https://docs.docker.com/compose/):
+
+```
+docker compose run --rm gem
+```
+
+Or you can run the tests like on the CI using Earthly
+(This reduces random failures between the CI and you environment):
+
+```
+earthly --allow-privileged +test
+```
+
+And in the case you'd like to test a different version of Ruby/Rails/Devise:
+
+```
+earthly --allow-privileged +test --EARTHLY_RUBY_VERSION=2.5 --EARTHLY_RAILS_VERSION=5.2.8.1 --EARTHLY_DEVISE_VERSION=4.8.1
+```
+
+## Thanks (and unknown contributors)
+
+This extension would not exist without the following other projects and associated authors (Whom I have turned to for inspiration and definitely have helped contributing by providing awesome Devise extensions. A lot of this code has been refactored from various sources, in particular these - in particular Sergio and Devise_invitable for his excellent unit test code):
+
+* Devise (José Valim, Carlos Antônio da Silva, Rodrigo Flores) https://github.com/plataformatec/devise
+* Devise_invitable (Sergio Cambra) https://github.com/scambra/devise_invitable
+* Devise_openid_authenticatable (Nat Budin) https://github.com/nbudin/devise_openid_authenticatable
+* Devise_security_extension (Team Phatworx, Marco Scholl, Alexander Dreher) https://github.com/phatworx/devise_security_extension
+* Ronald Arias https://github.com/ronald05arias
+* Sunny Ng https://github.com/blahblahblah-
+* Michael Guymon https://github.com/mguymon
+* Mikkel Garcia https://github.com/mikkel
+* Ricky Reusser https://github.com/rreusser
+* Felipe Lima https://github.com/felipecsl
+* Sylvain Utard https://github.com/redox
+
+
+## Contributing to devise_gauth
+ 
+* Check out the latest master to make sure the feature hasn't been implemented or the bug hasn't been fixed yet
+* Check out the issue tracker to make sure someone already hasn't requested it and/or contributed it
+* Fork the project
+* Start a feature/bugfix branch
+* Commit and push until you are happy with your contribution
+* Make sure to add tests for it. This is important so I don't break it in a future version unintentionally.
+* Please try not to mess with the Rakefile, version, or history. If you want to have your own version, or is otherwise necessary, that is fine, but please isolate to its own commit so I can cherry-pick around it.
+
+## Copyright
+
+Copyright (c) 2014 Christian Frichot. See LICENSE.txt for
+further details.
+

data/app/controllers/devise/checkga_controller.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+class Devise::CheckgaController < Devise::SessionsController
+  if Rails.version >= '4'
+    prepend_before_action :devise_resource, only: [:show]
+    prepend_before_action :require_no_authentication, only: %i[show update]
+  else
+    prepend_before_filter :devise_resource, only: [:show]
+    prepend_before_filter :require_no_authentication, only: %i[show update]
+  end
+
+  include Devise::Controllers::Helpers
+
+  def show
+    @tmpid = params[:id]
+    if @tmpid.nil?
+      redirect_to :root
+    else
+      render :show
+    end
+  end
+
+  def update
+    resource = resource_class.find_by_gauth_tmp(params[resource_name]['tmpid'])
+
+    if resource
+
+      if resource.validate_token(params[resource_name]['gauth_token'].to_i)
+        set_flash_message(:notice, :signed_in) if is_navigational_format?
+        sign_in(resource_name, resource)
+        warden.manager._run_callbacks(:after_set_user, resource, warden, { event: :authentication })
+        respond_with resource, location: after_sign_in_path_for(resource)
+
+        if resource.class.ga_remembertime
+          cookies.signed[:gauth] = {
+            value: resource.email << ',' << Time.now.to_i.to_s,
+            secure: !(Rails.env.test? || Rails.env.development?),
+            expires: (resource.class.ga_remembertime + 1.days).from_now
+          }
+        end
+      else
+        set_flash_message(:error, :error)
+        redirect_to :root
+      end
+
+    else
+      set_flash_message(:error, :error)
+      redirect_to :root
+    end
+  end
+
+  private
+
+  def devise_resource
+    self.resource = resource_class.new
+  end
+end

data/app/controllers/devise/displayqr_controller.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require 'devise/version'
+
+class Devise::DisplayqrController < DeviseController
+  if Rails.version >= '4'
+    prepend_before_action :authenticate_scope!, only: %i[show update refresh]
+  else
+    prepend_before_filter :authenticate_scope!, only: %i[show update refresh]
+  end
+
+  include Devise::Controllers::Helpers
+
+  # GET /resource/displayqr
+  def show
+    if resource.nil? || resource.gauth_secret.nil?
+      sign_in resource_class.new, resource
+      redirect_to stored_location_for(scope) || :root
+    else
+      @tmpid = resource.assign_tmp
+      render :show
+    end
+  end
+
+  def update
+    if resource.gauth_tmp != params[resource_name]['tmpid'] || !resource.validate_token(params[resource_name]['gauth_token'].to_i)
+      set_flash_message(:error, :invalid_token)
+      render :show
+      return
+    end
+
+    if resource.set_gauth_enabled(params[resource_name]['gauth_enabled'])
+      set_flash_message :notice, (resource.gauth_enabled? ? :enabled : :disabled)
+      if Gem::Version.new(Devise::VERSION) < Gem::Version.new('4.2.0')
+        sign_in scope, resource, bypass: true
+      else
+        bypass_sign_in resource, scope: scope
+      end
+
+      respond_with resource, location: after_sign_in_path_for(resource)
+    else
+      render :show
+    end
+  end
+
+  def refresh
+    unless resource.nil?
+      resource.send(:assign_auth_secret)
+      resource.save
+      set_flash_message :notice, :newtoken
+      sign_in scope, resource, bypass: true
+      redirect_to [resource_name, :displayqr]
+    else
+      redirect_to :root
+    end
+  end
+
+  private
+
+  def scope
+    resource_name.to_sym
+  end
+
+  def authenticate_scope!
+    # https://github.com/AsteriskLabs/devise_google_authenticator/issues/29
+    send(:"authenticate_#{resource_name}!", force: true)
+    self.resource = send("current_#{resource_name}")
+  end
+
+  # 7/2/15 - Unsure if this is used anymore - @xntrik
+  def resource_params
+    if strong_parameters_enabled?
+      return params.require(resource_name.to_sym).permit(:gauth_enabled)
+    end
+
+    params
+  end
+
+  def strong_parameters_enabled?
+    defined?(ActionController::StrongParameters)
+  end
+end

data/app/views/devise/checkga/show.html.erb

@@ -0,0 +1,7 @@
+<h2><%= I18n.t('submit_token_title', { scope: 'devise' }) %></h2>
+
+<%= form_for(resource, as: resource_name, url: [resource_name, :checkga], html: { method: :put }) do |f| %>
+	<%= f.hidden_field :tmpid, { value: @tmpid } %>
+	<%= f.text_field :gauth_token, autocomplete: :off%>
+	<p><%= f.submit I18n.t('submit_token', { scope: 'devise' }) %></p>
+<% end %>

data/app/views/devise/displayqr/show.html.erb

@@ -0,0 +1,20 @@
+<h2><%= I18n.t('title', { scope: 'devise.registration' }) %></h2>
+
+<%= google_authenticator_qrcode(resource) %>
+
+<%= form_for(resource, as: resource_name, url: [:refresh, resource_name, :displayqr], html: { method: :post }) do |f|%>
+	<p><%= f.submit I18n.t('newtoken', { scope: 'devise.registration' }) %></p>
+<% end %>
+
+<%= form_for(resource, as: resource_name, url: [resource_name, :displayqr], html: { method: :put }) do |f| %>
+	<%= devise_error_messages! %>
+	<h3><%= I18n.t('nice_request', { scope: 'devise.registration' }) %></h3>
+	<p><%= f.label :gauth_enabled, I18n.t('qrstatus', { scope: 'devise.registration' }) %><br />
+	<%= f.check_box :gauth_enabled %></p>
+	<%= f.hidden_field :tmpid, value: @tmpid %>
+	<p><%= f.label :gauth_token, I18n.t('enter_token', { scope: 'devise.registration' }) %><br />
+	<%= f.number_field :gauth_token, autocomplete: :off %>
+
+	<p><%= f.submit I18n.t('submit', { scope: 'devise.registration' }) %></p>
+<% end %>
+

data/config/locales/en.yml

@@ -0,0 +1,21 @@
+en:
+  devise:
+    submit_token: "Check Token"
+    submit_token_title: "Please enter your Google Authenticator token:"
+    registration:
+      title: "Your QR Code:"
+      nice_request: "Would you like to enable Google Authenticator?"
+      qrstatus: "Google Authenticator Status:"
+      enter_token: "Please enter your token number to continue"
+      submit: "Continue..."
+      newtoken: "Generate new token"
+    checkga:
+      user:
+        signed_in: "Signed in successfully from token."
+        error: "Sign in failed"
+    displayqr:
+      user:
+        status: "User status updated!"
+        newtoken: "You have updated to a new token - make sure you update your Google Authenticator application before continuing!!"
+        disabled: "2FA is currently disabled"
+        enabled: "2FA is currently enabled"

data/lib/devise_google_authenticatable/controllers/helpers.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module DeviseGoogleAuthenticator
+  module Controllers
+    module Helpers
+      extend ActiveSupport::Concern
+
+      included do
+        if Rails.version >= '4'
+          before_action :check_request_and_redirect_to_check_totp,
+                         if: :user_signing_in?
+        else
+          before_filter :check_request_and_redirect_to_check_totp,
+                         if: :user_signing_in?
+        end
+
+        define_method :checkga_resource_path_name do |resource, id|
+          name = resource.class.name.singularize.underscore
+          name = name.split('/').last
+          "#{name}_checkga_path(id:'#{id}')"
+        end
+      end
+
+      private
+
+      def devise_sessions_controller?
+        instance_of?(Devise::SessionsController) ||
+          self.class.ancestors.include?(Devise::SessionsController)
+      end
+
+      def user_signing_in?
+        if devise_controller? && signed_in?(resource_name) &&
+           devise_sessions_controller? &&
+           action_name == 'create'
+          return true
+        end
+
+        false
+      end
+
+      def check_request_and_redirect_to_check_totp
+        # User successfully signed in AND has enabled 2FA
+        if signed_in?(resource_name) &&
+           warden.session(resource_name)[:with_totp_authentication]
+
+          resource = warden.authenticate!(auth_options)
+
+          # The user has 2FA and token has expired
+          if resource.respond_to?(:get_qr) && resource.require_token?(cookies.signed[:gauth])
+
+            tmpid = resource.assign_tmp # Assign a temporary key and fetch it
+            warden.logout # log the user out
+
+            # We head back into the checkga controller with the temporary id
+            # Because the model used for google auth may not always be the same,
+            # and may be a sub-model, the eval will evaluate the appropriate path
+            # name
+            # This change addresses https://github.com/AsteriskLabs/devise_google_authenticator/issues/7
+            respond_with resource,
+                         location: eval(checkga_resource_path_name(resource,
+                                                                   tmpid))
+          # User is not using, OR not enabled for Google 2FA, OR is remembering
+          # token and therefore not asking for the moment
+          # carry on, nothing to see here.
+          else
+            respond_with resource, location: after_sign_in_path_for(resource)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/devise_google_authenticatable/hooks/totp_authenticatable.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+Warden::Manager.after_authentication do |user, auth, _|
+  gauth_enabled = true
+  gauth_enabled = user.gauth_enabled? if user.respond_to?(:gauth_enabled?)
+
+  if gauth_enabled && user.respond_to?(:with_totp_authentication?)
+    with_totp_authentication = user.with_totp_authentication?
+    # Build Warden scope from user class name
+    user_scope = user.class.name.underscore.to_sym
+    # Ensure Warden knows about it
+    if auth.config[:default_strategies].keys.include?(user_scope)
+      scope = auth.session(user_scope)
+      scope[:with_totp_authentication] = with_totp_authentication
+    end
+  end
+end

data/lib/devise_google_authenticatable/models/google_authenticatable.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+require 'rotp'
+require 'devise_google_authenticatable/hooks/totp_authenticatable'
+
+module Devise
+  module Models
+    module GoogleAuthenticatable
+      def self.included(base)
+        base.extend ClassMethods
+
+        base.class_eval do
+          before_validation :assign_auth_secret, on: :create
+          include InstanceMethods
+
+          # Allow base model to override the gauth_enabled? method
+          unless base.method_defined?(:gauth_enabled?)
+            include GauthEnabledInstanceMethod
+          end
+        end
+      end
+
+      module InstanceMethods
+        # Is the TOTP Authentication enabled
+        def with_totp_authentication?
+          gauth_enabled.to_i != 0
+        end
+
+        def get_qr
+          gauth_secret
+        end
+
+        def set_gauth_enabled(param)
+          update(gauth_enabled: param)
+        end
+
+        def assign_tmp
+          update(gauth_tmp: ROTP::Base32.random_base32(32),
+                 gauth_tmp_datetime: Time.now)
+          gauth_tmp
+        end
+
+        def validate_token(token)
+          return false if gauth_tmp_datetime.nil?
+
+          return false if gauth_tmp_datetime < self.class.ga_timeout.ago
+
+          valid_vals = []
+          valid_vals << ROTP::TOTP.new(get_qr).at(Time.now)
+          (1..self.class.ga_timedrift).each do |cc|
+            valid_vals << ROTP::TOTP.new(get_qr).at(Time.now.ago(30 * cc))
+            valid_vals << ROTP::TOTP.new(get_qr).at(Time.now.in(30 * cc))
+          end
+
+          valid_vals.include?(token.to_i)
+        end
+
+        def require_token?(cookie)
+          return true if self.class.ga_remembertime.nil? || cookie.blank?
+
+          array = cookie.to_s.split ','
+          return true if array.count != 2
+
+          last_logged_in_email = array[0]
+          last_logged_in_time = array[1].to_i
+
+          last_logged_in_email != email ||
+            (Time.now.to_i - last_logged_in_time) > self.class.ga_remembertime
+                                                        .to_i
+        end
+
+        private
+
+        def assign_auth_secret
+          self.gauth_secret = ROTP::Base32.random_base32(64)
+        end
+      end
+
+      module GauthEnabledInstanceMethod
+        def gauth_enabled?
+          # Active_record seems to handle determining the status better this way
+          if gauth_enabled.respond_to?('to_i')
+            gauth_enabled.to_i != 0
+          # Mongoid does NOT have a .to_i for the Boolean return value, hence,
+          # we can just return it
+          else
+            gauth_enabled
+          end
+        end
+      end
+
+      module ClassMethods
+        def find_by_gauth_tmp(gauth_tmp)
+          where(gauth_tmp: gauth_tmp).first
+        end
+        ::Devise::Models.config(self, :ga_timeout, :ga_timedrift,
+                                :ga_remembertime, :ga_appname,
+                                :ga_bypass_signup)
+      end
+    end
+  end
+end

data/lib/devise_google_authenticatable/orm/active_record.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module DeviseGoogleAuthenticator
+  module Orm
+    # This module contains handle schema (migrations):
+    #
+    #  create_table :accounts do |t|
+    #    t.gauth_secret
+    #    t.gauth_enabled
+    #  end
+    #
+
+    module ActiveRecord
+      module Schema
+        include DeviseGoogleAuthenticator::Schema
+      end
+    end
+
+  end
+end
+
+ActiveRecord::ConnectionAdapters::Table.send :include, DeviseGoogleAuthenticator::Orm::ActiveRecord::Schema
+ActiveRecord::ConnectionAdapters::TableDefinition.send :include, DeviseGoogleAuthenticator::Orm::ActiveRecord::Schema

data/lib/devise_google_authenticatable/patches/display_qr.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module DeviseGoogleAuthenticator::Patches
+  # patch Registrations controller to display the QR code
+  module DisplayQR
+    extend ActiveSupport::Concern
+
+    included do
+      # arrr be the patch
+      alias_method :create_original, :create
+
+      define_method :create do
+        build_resource(sign_up_params)
+
+        if resource.save
+          yield resource if block_given?
+          if resource.active_for_authentication?
+            set_flash_message :notice, :signed_up if is_flashing_format?
+            sign_in(resource_name, resource)
+
+            if resource.respond_to? :gauth_enabled?
+              if resource.class.ga_bypass_signup
+                respond_with resource, location: after_sign_up_path_for(resource)
+              else
+                respond_with resource, location: { controller: 'displayqr', action: 'show' }
+              end
+            else
+              respond_with resource, location: after_sign_up_path_for(resource)
+            end
+
+          else
+            set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_flashing_format?
+            expire_data_after_sign_in!
+            respond_with resource, location: after_inactive_sign_up_path_for(resource)
+          end
+        else
+          clean_up_passwords resource
+          respond_with resource
+        end
+      end
+    end
+  end
+end

data/lib/devise_google_authenticatable/patches.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module DeviseGoogleAuthenticator
+  module Patches
+    autoload :DisplayQR, 'devise_google_authenticatable/patches/display_qr'
+
+    class << self
+      def apply
+        Devise::RegistrationsController.send(:include, Patches::DisplayQR)
+      end
+    end
+  end
+end

data/lib/devise_google_authenticatable/rails.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'devise_google_authenticatable/controllers/helpers'
+
+module DeviseGoogleAuthenticator
+  class Engine < ::Rails::Engine
+    if Rails.version > '5'
+      ActiveSupport::Reloader.to_prepare do
+        DeviseGoogleAuthenticator::Patches.apply
+      end
+    else
+      ActionDispatch::Callbacks.to_prepare do
+        DeviseGoogleAuthenticator::Patches.apply
+      end
+    end
+
+    ActiveSupport.on_load(:action_controller) do
+      include DeviseGoogleAuthenticator::Controllers::Helpers
+    end
+  end
+end

data/lib/devise_google_authenticatable/routes.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module ActionDispatch
+  module Routing
+    class Mapper
+      protected
+
+      # route for handle expired passwords
+      def devise_displayqr(mapping, controllers)
+        resource :displayqr, only: %i[show update], path: mapping.path_names[:displayqr], controller: controllers[:displayqr] do
+          post :refresh, path: mapping.path_names[:refresh], as: :refresh
+        end
+
+        resource :checkga, only: %i[show update], path: mapping.path_names[:checkga], controller: controllers[:checkga]
+      end
+    end
+  end
+end

data/lib/devise_google_authenticatable/schema.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module DeviseGoogleAuthenticator
+  # add schema helper for migrations
+  module Schema
+    # Add gauth_secret columns in the resource's database tables
+    #
+    # Examples
+    #
+    # # For a new resource migration:
+    # create_table :the_resources do |t|
+    #   t.gauth_secret
+    #   t.gauth_enabled
+    # ...
+    # end
+    #
+    # # or if the resource's table already exists, define a migration and put this in:
+    # change_table :the_resources do |t|
+    #   t.string :gauth_secret
+    #   t.boolean :gauth_enabled
+    # end
+    #
+    def gauth_secret
+      apply_devise_schema :gauth_secret, String
+    end
+
+    def gauth_enabled
+      apply_devise_schema :gauth_enabled, Integer, { default: 0 }
+    end
+
+    def gauth_tmp
+      apply_devise_schema :gauth_tmp, String
+    end
+
+    def gauth_tmp_datetime
+      apply_devise_schema :gauth_tmp_datetime, Datetime
+    end
+  end
+end

data/lib/devise_google_authenticatable/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module DeviseGoogleAuthenticator
+  VERSION = '0.4.0'
+end

data/lib/devise_google_authenticatable/views/helpers.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'rqrcode'
+require 'base64'
+
+module DeviseGoogleAuthenticator
+  module Views
+    module Helpers
+      def build_qrcode_data_from(username, app, gauth_secret, qualifier = nil, issuer = nil)
+        data = "otpauth://totp/#{otpauth_user(username, app, qualifier)}"
+        data += "?secret=#{gauth_secret}"
+        data += "&issuer=#{issuer}" unless issuer.nil?
+        data
+      end
+
+      def build_qrcode_from(data)
+        qrcode = RQRCode::QRCode.new(data, level: :m, mode: :byte_8bit)
+        png = qrcode.as_png(fill: 'white', color: 'black', border_modules: 1, module_px_size: 4)
+        "data:image/png;base64,#{Base64.encode64(png.to_s).strip}"
+      end
+
+      def application_name_from(user)
+        user.class.ga_appname || if Rails.version < '6'
+                                   Rails.application.class.parent_name
+                                 else
+                                   Rails.application.class.module_parent_name
+                                 end
+      end
+
+      def google_authenticator_qrcode(user, qualifier = nil, issuer = nil)
+        data = build_qrcode_data_from(
+          username_from_email(user.email),
+          application_name_from(user),
+          user.gauth_secret,
+          qualifier,
+          issuer
+        )
+
+        # data-uri is easier, so...
+        image_tag(build_qrcode_from(data), alt: 'Google Authenticator QRCode')
+      end
+
+      def otpauth_user(username, app, qualifier = nil)
+        "#{username}@#{app}#{qualifier}"
+      end
+
+      def username_from_email(email)
+        /^(.*)@/.match(email)[1]
+      end
+    end
+  end
+end

data/lib/devise_google_authenticator.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'active_record/connection_adapters/abstract/schema_definitions'
+require 'active_support/core_ext/integer'
+require 'active_support/core_ext/string'
+require 'active_support/ordered_hash'
+require 'active_support/concern'
+require 'devise'
+
+module Devise # :nodoc:
+  mattr_accessor :ga_timeout
+  @@ga_timeout = 3.minutes
+
+  mattr_accessor :ga_timedrift
+  @@ga_timedrift = 3
+
+  mattr_accessor :ga_remembertime
+  @@ga_remembertime = 1.month
+
+  mattr_accessor :ga_appname
+  @@ga_appname = if Rails.version < '6'
+                   Rails.application.class.parent_name
+                 else
+                   Rails.application.class.module_parent_name
+                 end
+
+  mattr_accessor :ga_bypass_signup
+  @@ga_bypass_signup = false
+end
+
+# a security extension for devise
+module DeviseGoogleAuthenticator
+  autoload :Schema, 'devise_google_authenticatable/schema'
+  autoload :Patches, 'devise_google_authenticatable/patches'
+end
+
+require 'devise_google_authenticatable/routes'
+require 'devise_google_authenticatable/rails'
+require 'devise_google_authenticatable/orm/active_record'
+require 'devise_google_authenticatable/controllers/helpers'
+require 'devise_google_authenticatable/views/helpers'
+ActionView::Base.send :include, DeviseGoogleAuthenticator::Views::Helpers
+
+Devise.add_module :google_authenticatable, controller: :google_authenticatable, model: 'devise_google_authenticatable/models/google_authenticatable', route: :displayqr

data/lib/generators/active_record/devise_google_authenticator_generator.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require 'rails/generators/active_record'
+
+module ActiveRecord
+  module Generators
+    class DeviseGoogleAuthenticatorGenerator < ActiveRecord::Generators::Base
+      source_root File.expand_path("../templates", __FILE__)
+
+      def copy_devise_migration
+        migration_template "migration.rb", "db/migrate/devise_google_authenticator_add_to_#{table_name}.rb"
+      end
+    end
+  end
+end

data/lib/generators/active_record/templates/migration.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class DeviseGoogleAuthenticatorAddTo<%= table_name.camelize %> < ActiveRecord::Migration
+  def self.up
+    change_table :<%= table_name %> do |t|
+      t.string  :gauth_secret
+      t.string  :gauth_enabled, default: '0'
+      t.string  :gauth_tmp
+      t.datetime  :gauth_tmp_datetime
+    end
+
+  end
+  
+  def self.down
+    change_table :<%= table_name %> do |t|
+      t.remove :gauth_secret, :gauth_enabled, :gauth_tmp, :gauth_tmp_datetime
+    end
+  end
+end

data/lib/generators/devise_google_authenticator/devise_google_authenticator_generator.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module DeviseGoogleAuthenticator
+  module Generators
+    class DeviseGoogleAuthenticatorGenerator < Rails::Generators::NamedBase
+      namespace 'devise_google_authenticator'
+
+      desc 'Add :google_authenticatable directive in the given model, plus accessors. Also generate migration for ActiveRecord'
+
+      def inject_devise_google_authenticator_content
+        path = File.join('app', 'models', "#{file_path}.rb")
+
+        return unless File.exist?(path)
+
+        inject_into_file(path, 'google_authenticatable, :', after: 'devise :')
+        inject_into_file(path, 'gauth_enabled, :gauth_tmp, :gauth_tmp_datetime, :', after: 'attr_accessible :') if needs_attr_accessible?
+        inject_into_class(path, class_name, "\tattr_accessor :gauth_token\n")
+      end
+
+      hook_for :orm
+
+      private
+
+      def needs_attr_accessible?
+        rails_3? && !strong_parameters_enabled?
+      end
+
+      def rails_3?
+        Rails::VERSION::MAJOR == 3
+      end
+
+      def strong_parameters_enabled?
+        defined?(ActionController::StrongParameters)
+      end
+    end
+  end
+end

data/lib/generators/devise_google_authenticator/install_generator.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module DeviseGoogleAuthenticator
+  module Generators
+    # Install Generator
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path('../../templates', __FILE__)
+
+      desc 'Install the devise google authenticator extension'
+
+      def add_configs
+        inject_into_file 'config/initializers/devise.rb', "\n  # ==> Devise Google Authenticator Extension\n  # Configure extension for devise\n\n" +
+        "  # How long should the user have to enter their token. To change the default, uncomment and change the below:\n" +
+        "  # config.ga_timeout = 3.minutes\n\n" +
+        "  # Change time drift settings for valid token values. To change the default, uncomment and change the below:\n" +
+        "  # config.ga_timedrift = 3\n\n" +
+        "  # Change setting to how long to remember device before requiring another token. Change to nil to turn feature off.\n" +
+        "  # To change the default, uncomment and change the below:\n" +
+        "  # config.ga_remembertime = 1.month\n\n" +
+        "  # Change setting to assign the application name used by code generator. Defaults to Rails.application.class.parent_name.\n" +
+        "  # To change the default, uncomment and change the below:\n" +
+        "  # config.ga_appname = 'example.com'\n\n" +
+        "  # Change setting to bypass the Display QR page immediately after a user sign's up\n" +
+        "  # To change the default, uncomment and change the below. Defaults to false:\n" +
+        "  # config.ga_bypass_signup = true\n\n" + 
+        "\n", before: /end[ |\n|]+\Z/
+      end
+
+      def copy_locale
+        copy_file '../../../config/locales/en.yml', 'config/locales/devise.google_authenticator.en.yml'
+      end
+    end
+  end
+end

data/lib/generators/devise_google_authenticator/views_generator.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'generators/devise/views_generator'
+
+module DeviseGoogleAuthenticator
+  module Generators
+    class ViewsGenerator < Rails::Generators::Base
+      desc 'Copies all Devise Google Authenticator views to your application.'
+
+      argument :scope, required: false, default: nil,
+                       desc: 'The scope to copy views to'
+
+      include ::Devise::Generators::ViewPathTemplates
+      source_root File.expand_path('../../../../app/views/devise', __FILE__)
+      def copy_views
+        view_directory :checkga
+        view_directory :displayqr
+      end
+    end
+  end
+end

data/lib/generators/mongoid/devise_google_authenticator_generator.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'rails/generators/named_base'
+require 'generators/devise/orm_helpers'
+
+module Mongoid
+  module Generators
+    class DeviseGoogleAuthenticatorGenerator < Rails::Generators::NamedBase
+      include Devise::Generators::OrmHelpers
+
+      def inject_field_types
+        inject_into_file model_path, migration_data, after: "include Mongoid::Document\n" if model_exists?
+      end
+
+      def migration_data
+<<RUBY
+  # Google Authenticator
+  field :gauth_secret, type: String
+  field :gauth_enabled, type: Boolean, default: 'f'
+  field :gauth_tmp, type: String
+  field :gauth_tmp_datetime, type: DateTime
+
+RUBY
+      end
+    end
+  end
+end
+

metadata

@@ -0,0 +1,155 @@
+--- !ruby/object:Gem::Specification
+name: devise_gauth
+version: !ruby/object:Gem::Version
+  version: 0.4.0
+platform: ruby
+authors:
+- Pharmony SA
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2024-01-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: actionmailer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.8.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.8.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6'
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.9.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.9.3
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.8.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.2.8.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6'
+- !ruby/object:Gem::Dependency
+  name: rotp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rqrcode
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.2
+description: Devise Google Authenticator Extension, for adding Google's OTP to your
+  Rails apps!
+email:
+- dev@pharmony.eu
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- app/controllers/devise/checkga_controller.rb
+- app/controllers/devise/displayqr_controller.rb
+- app/views/devise/checkga/show.html.erb
+- app/views/devise/displayqr/show.html.erb
+- config/locales/en.yml
+- lib/devise_google_authenticatable/controllers/helpers.rb
+- lib/devise_google_authenticatable/hooks/totp_authenticatable.rb
+- lib/devise_google_authenticatable/models/google_authenticatable.rb
+- lib/devise_google_authenticatable/orm/active_record.rb
+- lib/devise_google_authenticatable/patches.rb
+- lib/devise_google_authenticatable/patches/display_qr.rb
+- lib/devise_google_authenticatable/rails.rb
+- lib/devise_google_authenticatable/routes.rb
+- lib/devise_google_authenticatable/schema.rb
+- lib/devise_google_authenticatable/version.rb
+- lib/devise_google_authenticatable/views/helpers.rb
+- lib/devise_google_authenticator.rb
+- lib/generators/active_record/devise_google_authenticator_generator.rb
+- lib/generators/active_record/templates/migration.rb
+- lib/generators/devise_google_authenticator/devise_google_authenticator_generator.rb
+- lib/generators/devise_google_authenticator/install_generator.rb
+- lib/generators/devise_google_authenticator/views_generator.rb
+- lib/generators/mongoid/devise_google_authenticator_generator.rb
+homepage: http://github.com/pharmony/devise_gauth
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: http://github.com/pharmony/devise_gauth
+  source_code_uri: http://github.com/pharmony/devise_gauth
+  changelog_uri: http://github.com/pharmony/devise_gauth/blob/master/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.7'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key: 
+specification_version: 4
+summary: Devise Google Authenticator Extension
+test_files: []