devise_two_factor_authentication 3.0.0

data/lib/devise_two_factor_authentication/hooks/two_factor_authenticatable.rb

@@ -0,0 +1,17 @@
+Warden::Manager.after_authentication do |user, auth, options|
+  if auth.env["action_dispatch.cookies"]
+    expected_cookie_value = "#{user.class}-#{user.public_send(Devise.second_factor_resource_id)}"
+    actual_cookie_value = auth.env["action_dispatch.cookies"].signed[DeviseTwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME]
+    bypass_by_cookie = actual_cookie_value == expected_cookie_value
+  end
+
+  if user.respond_to?(:need_two_factor_authentication?) && !bypass_by_cookie
+    if auth.session(options[:scope])[DeviseTwoFactorAuthentication::NEED_AUTHENTICATION] = user.need_two_factor_authentication?(auth.request)
+      user.send_new_otp if user.send_new_otp_after_login?
+    end
+  end
+end
+
+Warden::Manager.before_logout do |user, auth, _options|
+  auth.cookies.delete DeviseTwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME if Devise.delete_cookie_on_logout
+end

data/lib/devise_two_factor_authentication/models/two_factor_authenticatable.rb

@@ -0,0 +1,206 @@
+require 'devise_two_factor_authentication/hooks/two_factor_authenticatable'
+require 'rotp'
+require 'encryptor'
+
+module Devise
+  module Models
+    module TwoFactorAuthenticatable
+      extend ActiveSupport::Concern
+
+      module ClassMethods
+        def has_one_time_password(options = {})
+          include InstanceMethodsOnActivation
+          include EncryptionInstanceMethods if options[:encrypted] == true
+        end
+
+        ::Devise::Models.config(
+          self, :max_login_attempts, :allowed_otp_drift_seconds, :otp_length,
+          :remember_otp_session_for_seconds, :otp_secret_encryption_key,
+          :direct_otp_length, :direct_otp_valid_for, :totp_timestamp, :delete_cookie_on_logout
+        )
+      end
+
+      module InstanceMethodsOnActivation
+        def authenticate_otp(code, options = {})
+          return true if direct_otp && authenticate_direct_otp(code)
+          return true if totp_enabled? && authenticate_totp(code, options)
+          false
+        end
+
+        def authenticate_direct_otp(code)
+          return false if direct_otp.nil? || direct_otp != code || direct_otp_expired?
+          clear_direct_otp
+          true
+        end
+
+        def authenticate_totp(code, options = {})
+          totp_secret = options[:otp_secret_key] || otp_secret_key
+          digits = options[:otp_length] || self.class.otp_length
+          drift = options[:drift] || self.class.allowed_otp_drift_seconds
+          raise "authenticate_totp called with no otp_secret_key set" if totp_secret.nil?
+          totp = ROTP::TOTP.new(totp_secret, digits: digits)
+          new_timestamp = totp.verify(
+            without_spaces(code),
+            drift_ahead: drift, drift_behind: drift, after: totp_timestamp
+          )
+          return false unless new_timestamp
+          self.totp_timestamp = new_timestamp
+          true
+        end
+
+        def provisioning_uri(account = nil, options = {})
+          totp_secret = options[:otp_secret_key] || otp_secret_key
+          options[:digits] ||= options[:otp_length] || self.class.otp_length
+          raise "provisioning_uri called with no otp_secret_key set" if totp_secret.nil?
+          account ||= email if respond_to?(:email)
+          ROTP::TOTP.new(totp_secret, options).provisioning_uri(account)
+        end
+
+        def need_two_factor_authentication?(request)
+          true
+        end
+
+        def send_new_otp(options = {})
+          create_direct_otp options
+          send_two_factor_authentication_code(direct_otp)
+        end
+
+        def send_new_otp_after_login?
+          !totp_enabled?
+        end
+
+        def send_two_factor_authentication_code(code)
+          raise NotImplementedError.new("No default implementation - please define in your class.")
+        end
+
+        def max_login_attempts?
+          second_factor_attempts_count.to_i >= max_login_attempts.to_i
+        end
+
+        def max_login_attempts
+          self.class.max_login_attempts
+        end
+
+        def totp_enabled?
+          respond_to?(:otp_secret_key) && !otp_secret_key.nil?
+        end
+
+        def confirm_totp_secret(secret, code, options = {})
+          return false unless authenticate_totp(code, {otp_secret_key: secret})
+          self.otp_secret_key = secret
+          true
+        end
+
+        def generate_totp_secret
+          # ROTP gem since version 5 to version 5.1
+          # at version 5.1 ROTP gem reinstates.
+          # Details: https://github.com/mdp/rotp/blob/master/CHANGELOG.md#510
+          ROTP::Base32.try(:random) || ROTP::Base32.random_base32
+        end
+
+        def create_direct_otp(options = {})
+          # Create a new random OTP and store it in the database
+          digits = options[:length] || self.class.direct_otp_length || 6
+          update(
+            direct_otp: random_base10(digits),
+            direct_otp_sent_at: Time.now.utc
+          )
+        end
+
+        private
+
+        def without_spaces(code)
+          code.gsub(/\s/, '')
+        end
+
+        def random_base10(digits)
+          SecureRandom.random_number(10**digits).to_s.rjust(digits, '0')
+        end
+
+        def direct_otp_expired?
+          Time.now.utc > direct_otp_sent_at + self.class.direct_otp_valid_for
+        end
+
+        def clear_direct_otp
+          update(direct_otp: nil, direct_otp_sent_at: nil)
+        end
+      end
+
+      module EncryptionInstanceMethods
+        def otp_secret_key
+          otp_decrypt(encrypted_otp_secret_key)
+        end
+
+        def otp_secret_key=(value)
+          self.encrypted_otp_secret_key = otp_encrypt(value)
+        end
+
+        private
+
+        def otp_decrypt(encrypted_value)
+          return encrypted_value if encrypted_value.blank?
+
+          encrypted_value = encrypted_value.unpack('m').first
+
+          value = ::Encryptor.decrypt(encryption_options_for(encrypted_value))
+
+          if defined?(Encoding)
+            encoding = Encoding.default_internal || Encoding.default_external
+            value = value.force_encoding(encoding.name)
+          end
+
+          value
+        end
+
+        def otp_encrypt(value)
+          return value if value.blank?
+
+          value = value.to_s
+          encrypted_value = ::Encryptor.encrypt(encryption_options_for(value))
+
+          encrypted_value = [encrypted_value].pack('m')
+
+          encrypted_value
+        end
+
+        def encryption_options_for(value)
+          {
+            value: value,
+            key: Devise.otp_secret_encryption_key,
+            iv: iv_for_attribute,
+            salt: salt_for_attribute,
+            algorithm: 'aes-256-cbc'
+          }
+        end
+
+        def iv_for_attribute(algorithm = 'aes-256-cbc')
+          iv = encrypted_otp_secret_key_iv
+
+          if iv.nil?
+            algo = OpenSSL::Cipher.new(algorithm)
+            iv = [algo.random_iv].pack('m')
+            self.encrypted_otp_secret_key_iv = iv
+          end
+
+          iv.unpack('m').first if iv.present?
+        end
+
+        def salt_for_attribute
+          salt = encrypted_otp_secret_key_salt ||
+                 self.encrypted_otp_secret_key_salt = generate_random_base64_encoded_salt
+
+          decode_salt_if_encoded(salt)
+        end
+
+        def generate_random_base64_encoded_salt
+          prefix = '_'
+          prefix + [SecureRandom.random_bytes].pack('m')
+        end
+
+        def decode_salt_if_encoded(salt)
+          salt.slice(0).eql?('_') ? salt.slice(1..-1).unpack('m').first : salt
+        end
+      end
+    end
+  end
+end

data/lib/devise_two_factor_authentication/orm/active_record.rb

@@ -0,0 +1,14 @@
+require "active_record"
+
+module Devise2Fa
+  module Orm
+    module ActiveRecord
+      module Schema
+        # include Devise2Fa::Schema
+      end
+    end
+  end
+end
+
+ActiveRecord::ConnectionAdapters::Table.send :include, Devise2Fa::Orm::ActiveRecord::Schema
+ActiveRecord::ConnectionAdapters::TableDefinition.send :include, Devise2Fa::Orm::ActiveRecord::Schema

data/lib/devise_two_factor_authentication/rails.rb

@@ -0,0 +1,7 @@
+module DeviseTwoFactorAuthentication
+  class Engine < ::Rails::Engine
+    ActiveSupport.on_load(:action_controller) do
+      include DeviseTwoFactorAuthentication::Controllers::Helpers
+    end
+  end
+end

data/lib/devise_two_factor_authentication/routes.rb

@@ -0,0 +1,19 @@
+module ActionDispatch::Routing
+  class Mapper
+    protected
+
+      def devise_two_factor_authentication(mapping, controllers)
+        resource :two_factor_authentication, :only => [:show, :update, :resend_code], :path => mapping.path_names[:two_factor_authentication], :controller => controllers[:two_factor_authentication] do
+          collection { get resend_code_path(mapping), as: "resend_code" }
+        end
+      end
+
+      def resend_code_path(mapping)
+        Devise.mappings[resource_name(mapping)].path_names[:two_factor_authentication_resend_code] || "resend_code"
+      end
+
+      def resource_name(mapping)
+        mapping.class_name.underscore.to_sym
+      end
+  end
+end

data/lib/devise_two_factor_authentication/schema.rb

@@ -0,0 +1,31 @@
+module DeviseTwoFactorAuthentication
+  module Schema
+    def second_factor_attempts_count
+      apply_devise_schema :second_factor_attempts_count, Integer, :default => 0
+    end
+
+    def encrypted_otp_secret_key
+      apply_devise_schema :encrypted_otp_secret_key, String
+    end
+
+    def encrypted_otp_secret_key_iv
+      apply_devise_schema :encrypted_otp_secret_key_iv, String
+    end
+
+    def encrypted_otp_secret_key_salt
+      apply_devise_schema :encrypted_otp_secret_key_salt, String
+    end
+
+    def direct_otp
+      apply_devise_schema :direct_otp, String
+    end
+
+    def direct_otp_sent_at
+      apply_devise_schema :direct_otp_sent_at, DateTime
+    end
+
+    def totp_timestamp
+      apply_devise_schema :totp_timestamp, Timestamp
+    end
+  end
+end

data/lib/devise_two_factor_authentication/version.rb

@@ -0,0 +1,3 @@
+module DeviseTwoFactorAuthentication
+  VERSION = "3.0.0".freeze
+end

data/lib/devise_two_factor_authentication.rb

@@ -0,0 +1,52 @@
+require 'devise_two_factor_authentication/version'
+require 'devise'
+require 'active_support/concern'
+require "active_model"
+require "active_support/core_ext/class/attribute_accessors"
+require "cgi"
+
+module Devise
+  mattr_accessor :max_login_attempts
+  @@max_login_attempts = 3
+
+  mattr_accessor :allowed_otp_drift_seconds
+  @@allowed_otp_drift_seconds = 30
+
+  mattr_accessor :otp_length
+  @@otp_length = 6
+
+  mattr_accessor :direct_otp_length
+  @@direct_otp_length = 6
+
+  mattr_accessor :direct_otp_valid_for
+  @@direct_otp_valid_for = 5.minutes
+
+  mattr_accessor :remember_otp_session_for_seconds
+  @@remember_otp_session_for_seconds = 0
+
+  mattr_accessor :otp_secret_encryption_key
+  @@otp_secret_encryption_key = ''
+
+  mattr_accessor :second_factor_resource_id
+  @@second_factor_resource_id = 'id'
+
+  mattr_accessor :delete_cookie_on_logout
+  @@delete_cookie_on_logout = false
+end
+
+module DeviseTwoFactorAuthentication
+  NEED_AUTHENTICATION = 'need_two_factor_authentication'
+  REMEMBER_TFA_COOKIE_NAME = "remember_tfa"
+
+  autoload :Schema, 'devise_two_factor_authentication/schema'
+  module Controllers
+    autoload :Helpers, 'devise_two_factor_authentication/controllers/helpers'
+  end
+end
+
+Devise.add_module :two_factor_authenticatable, :model => 'devise_two_factor_authentication/models/two_factor_authenticatable', :controller => :two_factor_authentication, :route => :two_factor_authentication
+
+require 'devise_two_factor_authentication/orm/active_record' if defined?(ActiveRecord::Base)
+require 'devise_two_factor_authentication/routes'
+require 'devise_two_factor_authentication/models/two_factor_authenticatable'
+require 'devise_two_factor_authentication/rails'

data/lib/generators/active_record/templates/migration.rb

@@ -0,0 +1,15 @@
+class TwoFactorAuthenticationAddTo<%= table_name.camelize %> < ActiveRecord::Migration
+  disable_ddl_transaction!
+
+  def change
+    add_column :<%= table_name %>, :second_factor_attempts_count, :integer, default: 0
+    add_column :<%= table_name %>, :encrypted_otp_secret_key, :string
+    add_column :<%= table_name %>, :encrypted_otp_secret_key_iv, :string
+    add_column :<%= table_name %>, :encrypted_otp_secret_key_salt, :string
+    add_column :<%= table_name %>, :direct_otp, :string
+    add_column :<%= table_name %>, :direct_otp_sent_at, :datetime
+    add_column :<%= table_name %>, :totp_timestamp, :timestamp
+
+    add_index :<%= table_name %>, :encrypted_otp_secret_key, unique: true, algorithm: :concurrently
+  end
+end

data/lib/generators/active_record/two_factor_authentication_generator.rb

@@ -0,0 +1,14 @@
+require 'rails/generators/active_record'
+
+module ActiveRecord
+  module Generators
+    class TwoFactorAuthenticationGenerator < ActiveRecord::Generators::Base
+      source_root File.expand_path("../templates", __FILE__)
+
+      def copy_two_factor_authentication_migration
+        migration_template "migration.rb", "db/migrate/two_factor_authentication_add_to_#{table_name}.rb"
+      end
+
+    end
+  end
+end

data/lib/generators/two_factor_authentication/two_factor_authentication_generator.rb

@@ -0,0 +1,17 @@
+module TwoFactorAuthenticatable
+  module Generators
+    class TwoFactorAuthenticationGenerator < Rails::Generators::NamedBase
+      namespace "two_factor_authentication"
+
+      desc "Adds :two_factor_authenticable directive in the given model. It also generates an active record migration."
+
+      def inject_two_factor_authentication_content
+        path = File.join("app", "models", "#{file_path}.rb")
+        inject_into_file(path, "two_factor_authenticatable, :", :after => "devise :") if File.exists?(path)
+      end
+
+      hook_for :orm
+
+    end
+  end
+end

data/spec/controllers/two_factor_authentication_controller_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe Devise::TwoFactorAuthenticationController, type: :controller do
+  describe 'is_fully_authenticated? helper' do
+    def post_code(code)
+      if Rails::VERSION::MAJOR >= 5
+        post :update, params: { code: code }
+      else
+        post :update, code: code
+      end
+    end
+
+    before do
+      sign_in
+    end
+
+    context 'after user enters valid OTP code' do
+      it 'returns true' do
+        controller.current_user.send_new_otp
+        post_code controller.current_user.direct_otp
+        expect(subject.is_fully_authenticated?).to eq true
+      end
+    end
+
+    context 'when user has not entered any OTP yet' do
+      it 'returns false' do
+        get :show
+
+        expect(subject.is_fully_authenticated?).to eq false
+      end
+    end
+
+    context 'when user enters an invalid OTP' do
+      it 'returns false' do
+        post_code '12345'
+
+        expect(subject.is_fully_authenticated?).to eq false
+      end
+    end
+  end
+end

data/spec/features/two_factor_authenticatable_spec.rb

@@ -0,0 +1,236 @@
+require 'spec_helper'
+include AuthenticatedModelHelper
+
+feature "User of two factor authentication" do
+  context 'sending two factor authentication code via SMS' do
+    shared_examples 'sends and authenticates code' do |user, type|
+      before do
+        user.reload
+        if type == 'encrypted'
+          allow(User).to receive(:has_one_time_password).with(encrypted: true)
+        end
+      end
+
+      it 'does not send an SMS before the user has signed in' do
+        expect(SmsProvider.messages).to be_empty
+      end
+
+      it 'sends code via SMS after sign in' do
+        visit new_user_session_path
+        complete_sign_in_form_for(user)
+
+        expect(page).to have_content 'Enter the code that was sent to you'
+
+        expect(SmsProvider.messages.size).to eq(1)
+        message = SmsProvider.last_message
+        expect(message.to).to eq(user.phone_number)
+        expect(message.body).to eq(user.reload.direct_otp)
+      end
+
+      it 'authenticates a valid OTP code' do
+        visit new_user_session_path
+        complete_sign_in_form_for(user)
+
+        expect(page).to have_content('You are signed in as Marissa')
+
+        fill_in 'code', with: SmsProvider.last_message.body
+        click_button 'Submit'
+
+        expect(page).to have_selector(
+          ".notice",
+          text: "Two factor authentication successful."
+        )
+
+        expect(current_path).to eq root_path
+      end
+    end
+
+    it_behaves_like 'sends and authenticates code', create_user('not_encrypted')
+    it_behaves_like 'sends and authenticates code', create_user, 'encrypted'
+  end
+
+  scenario "must be logged in" do
+    visit user_two_factor_authentication_path
+
+    expect(page).to have_content("Welcome Home")
+    expect(page).to have_content("You are signed out")
+  end
+
+  context "when logged in" do
+    let(:user) { create_user }
+
+    background do
+      login_as user
+    end
+
+    scenario "is redirected to TFA when path requires authentication" do
+      visit dashboard_path + "?A=param%20a&B=param%20b"
+
+      expect(page).to_not have_content("Your Personal Dashboard")
+
+      fill_in "code", with: SmsProvider.last_message.body
+      click_button "Submit"
+
+      expect(page).to have_content("Your Personal Dashboard")
+      expect(page).to have_content("You are signed in as Marissa")
+      expect(page).to have_content("Param A is param a")
+      expect(page).to have_content("Param B is param b")
+    end
+
+    scenario "is locked out after max failed attempts" do
+      visit user_two_factor_authentication_path
+
+      max_attempts = User.max_login_attempts
+
+      max_attempts.times do
+        fill_in "code", with: "incorrect#{rand(100)}"
+        click_button "Submit"
+
+        expect(page).to have_selector(".alert", text: "Attempt failed")
+      end
+
+      expect(page).to have_content("Access completely denied")
+      expect(page).to have_content("You are signed out")
+    end
+
+    scenario "cannot retry authentication after max attempts" do
+      user.update_attribute(:second_factor_attempts_count, User.max_login_attempts)
+
+      visit user_two_factor_authentication_path
+
+      expect(page).to have_content("Access completely denied")
+      expect(page).to have_content("You are signed out")
+    end
+
+    describe "rememberable TFA" do
+      before do
+        @original_remember_otp_session_for_seconds = User.remember_otp_session_for_seconds
+        User.remember_otp_session_for_seconds = 30.days
+      end
+
+      after do
+        User.remember_otp_session_for_seconds = @original_remember_otp_session_for_seconds
+      end
+
+      scenario "doesn't require TFA code again within 30 days" do
+        sms_sign_in
+
+        logout
+
+        login_as user
+        visit dashboard_path
+        expect(page).to have_content("Your Personal Dashboard")
+        expect(page).to have_content("You are signed in as Marissa")
+      end
+
+      scenario "requires TFA code again after 30 days" do
+        sms_sign_in
+
+        logout
+
+        Timecop.travel(30.days.from_now)
+        login_as user
+        visit dashboard_path
+        expect(page).to have_content("You are signed in as Marissa")
+        expect(page).to have_content("Enter the code that was sent to you")
+      end
+
+      scenario 'TFA should be different for different users' do
+        sms_sign_in
+
+        tfa_cookie1 = get_tfa_cookie()
+
+        logout
+        reset_session!
+
+        user2 = create_user()
+        login_as(user2)
+        sms_sign_in
+
+        tfa_cookie2 = get_tfa_cookie()
+
+        expect(tfa_cookie1).not_to eq tfa_cookie2
+      end
+
+      def sms_sign_in
+        SmsProvider.messages.clear()
+        visit user_two_factor_authentication_path
+        fill_in 'code', with: SmsProvider.last_message.body
+        click_button 'Submit'
+      end
+
+      scenario 'TFA should be unique for specific user' do
+        sms_sign_in
+
+        tfa_cookie1 = get_tfa_cookie()
+
+        logout
+        reset_session!
+
+        user2 = create_user()
+        set_tfa_cookie(tfa_cookie1)
+        login_as(user2)
+        visit dashboard_path
+        expect(page).to have_content("Enter the code that was sent to you")
+      end
+
+      scenario 'Delete cookie when user logs out if enabled' do
+        user.class.delete_cookie_on_logout = true
+
+        login_as user
+        logout
+
+        login_as user
+
+        visit dashboard_path
+        expect(page).to have_content("Enter the code that was sent to you")
+      end
+    end
+
+    it 'sets the warden session need_two_factor_authentication key to true' do
+      session_hash = { 'need_two_factor_authentication' => true }
+
+      expect(page.get_rack_session_key('warden.user.user.session')).to eq session_hash
+    end
+  end
+
+  describe 'signing in' do
+    let(:user) { create_user }
+    let(:admin) { create_admin }
+
+    scenario 'user signs is' do
+      visit new_user_session_path
+      complete_sign_in_form_for(user)
+
+      expect(page).to have_content('Signed in successfully.')
+    end
+
+    scenario 'admin signs in' do
+      visit new_admin_session_path
+      complete_sign_in_form_for(admin)
+
+      expect(page).to have_content('Signed in successfully.')
+    end
+  end
+
+  describe 'signing out' do
+    let(:user) { create_user }
+    let(:admin) { create_admin }
+
+    scenario 'user signs out' do
+      visit new_user_session_path
+      complete_sign_in_form_for(user)
+      visit destroy_user_session_path
+
+      expect(page).to have_content('Signed out successfully.')
+    end
+
+    scenario 'admin signs out' do
+      visit new_admin_session_path
+      complete_sign_in_form_for(admin)
+      visit destroy_admin_session_path
+
+      expect(page).to have_content('Signed out successfully.')
+    end
+  end
+end