devise_two_factor_authentication 3.0.0

data/spec/generators/active_record/two_factor_authentication_generator_spec.rb

@@ -0,0 +1,36 @@
+require 'spec_helper'
+
+require 'generators/active_record/two_factor_authentication_generator'
+
+describe ActiveRecord::Generators::TwoFactorAuthenticationGenerator, type: :generator do
+  destination File.expand_path('../../../../../tmp', __FILE__)
+
+  before do
+    prepare_destination
+  end
+
+  it 'runs all methods in the generator' do
+    gen = generator %w(users)
+    expect(gen).to receive(:copy_two_factor_authentication_migration)
+    gen.invoke_all
+  end
+
+  describe 'the generated files' do
+    before do
+      run_generator %w(users)
+    end
+
+    describe 'the migration' do
+      subject { migration_file('db/migrate/two_factor_authentication_add_to_users.rb') }
+
+      it { is_expected.to exist }
+      it { is_expected.to be_a_migration }
+      it { is_expected.to contain /def change/ }
+      it { is_expected.to contain /add_column :users, :second_factor_attempts_count, :integer, default: 0/ }
+      it { is_expected.to contain /add_column :users, :encrypted_otp_secret_key, :string/ }
+      it { is_expected.to contain /add_column :users, :encrypted_otp_secret_key_iv, :string/ }
+      it { is_expected.to contain /add_column :users, :encrypted_otp_secret_key_salt, :string/ }
+      it { is_expected.to contain /add_index :users, :encrypted_otp_secret_key, unique: true/ }
+    end
+  end
+end

data/spec/lib/two_factor_authentication/models/two_factor_authenticatable_spec.rb

@@ -0,0 +1,326 @@
+require 'spec_helper'
+include AuthenticatedModelHelper
+
+describe Devise::Models::TwoFactorAuthenticatable do
+  describe '#create_direct_otp' do
+    let(:instance) { build_guest_user }
+
+    it 'set direct_otp field' do
+      expect(instance.direct_otp).to be_nil
+      instance.create_direct_otp
+      expect(instance.direct_otp).not_to be_nil
+    end
+
+    it 'set direct_otp_send_at field to current time' do
+      Timecop.freeze() do
+        instance.create_direct_otp
+        expect(instance.direct_otp_sent_at).to eq(Time.now)
+      end
+    end
+
+    it 'honors .direct_otp_length' do
+      expect(instance.class).to receive(:direct_otp_length).and_return(10)
+      instance.create_direct_otp
+      expect(instance.direct_otp.length).to equal(10)
+
+      expect(instance.class).to receive(:direct_otp_length).and_return(6)
+      instance.create_direct_otp
+      expect(instance.direct_otp.length).to equal(6)
+    end
+
+    it "honors 'direct_otp_length' in options paramater" do
+      instance.create_direct_otp(length: 8)
+      expect(instance.direct_otp.length).to equal(8)
+      instance.create_direct_otp(length: 10)
+      expect(instance.direct_otp.length).to equal(10)
+    end
+  end
+
+  describe '#authenticate_direct_otp' do
+    let(:instance) { build_guest_user }
+    it 'fails if no direct_otp has been set' do
+      expect(instance.authenticate_direct_otp('12345')).to eq(false)
+    end
+
+    context 'after generating an OTP' do
+      before :each do
+        instance.create_direct_otp
+      end
+
+      it 'accepts correct OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for - 1.second)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(true)
+      end
+
+      it 'rejects invalid OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for - 1.second)
+        expect(instance.authenticate_direct_otp('12340')).to eq(false)
+      end
+
+      it 'rejects expired OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for + 1.second)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(false)
+      end
+
+      it 'prevents code re-use' do
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(true)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(false)
+      end
+    end
+  end
+
+  describe '#authenticate_totp' do
+    shared_examples 'authenticate_totp' do |instance|
+      before :each do
+        instance.otp_secret_key = '2z6hxkdwi3uvrnpn'
+        instance.totp_timestamp = nil
+        @totp_helper = TotpHelper.new(instance.otp_secret_key, instance.class.otp_length)
+      end
+
+      def do_invoke(code, user)
+        user.authenticate_totp(code)
+      end
+
+      it 'authenticates a recently created code' do
+        code = @totp_helper.totp_code
+        expect(do_invoke(code, instance)).to eq(true)
+      end
+
+      it 'authenticates a code entered with a space' do
+        code = @totp_helper.totp_code.insert(3, ' ')
+        expect(do_invoke(code, instance)).to eq(true)
+      end
+
+      it 'does not authenticate an old code' do
+        code = @totp_helper.totp_code(1.minutes.ago.to_i)
+        expect(do_invoke(code, instance)).to eq(false)
+      end
+
+      it 'prevents code reuse' do
+        code = @totp_helper.totp_code
+        expect(do_invoke(code, instance)).to eq(true)
+        expect(do_invoke(code, instance)).to eq(false)
+      end
+    end
+
+    it_behaves_like 'authenticate_totp', GuestUser.new
+    it_behaves_like 'authenticate_totp', EncryptedUser.new
+  end
+
+  describe '#send_two_factor_authentication_code' do
+    let(:instance) { build_guest_user }
+
+    it 'raises an error by default' do
+      expect { instance.send_two_factor_authentication_code(123) }.
+        to raise_error(NotImplementedError)
+    end
+
+    it 'is overrideable' do
+      def instance.send_two_factor_authentication_code(code)
+        'Code sent'
+      end
+      expect(instance.send_two_factor_authentication_code(123)).to eq('Code sent')
+    end
+  end
+
+  describe '#provisioning_uri' do
+
+    shared_examples 'provisioning_uri' do |instance|
+      it 'fails until generate_totp_secret is called' do
+        expect { instance.provisioning_uri }.to raise_error(Exception)
+      end
+
+      describe 'with secret set' do
+        before do
+          instance.email = 'houdini@example.com'
+          instance.otp_secret_key = instance.generate_totp_secret
+        end
+
+        it "returns uri with user's email" do
+          expect(instance.provisioning_uri).
+            to match(%r{otpauth://totp/houdini%40example.com\?secret=\w{32}})
+        end
+
+        it 'returns uri with issuer option' do
+          expect(instance.provisioning_uri('houdini')).
+            to match(%r{otpauth://totp/houdini\?secret=\w{32}$})
+        end
+
+        it 'returns uri with issuer option' do
+          require 'cgi'
+          uri = URI.parse(instance.provisioning_uri('houdini', issuer: 'Magic'))
+          params = CGI.parse(uri.query)
+
+          expect(uri.scheme).to eq('otpauth')
+          expect(uri.host).to eq('totp')
+          expect(uri.path).to eq('/Magic:houdini')
+          expect(params['issuer'].shift).to eq('Magic')
+          expect(params['secret'].shift).to match(/\w{32}/)
+        end
+      end
+    end
+
+    it_behaves_like 'provisioning_uri', GuestUser.new
+    it_behaves_like 'provisioning_uri', EncryptedUser.new
+  end
+
+  describe '#generate_totp_secret' do
+    shared_examples 'generate_totp_secret' do |klass|
+      let(:instance) { klass.new }
+
+      it 'returns a 32 character string' do
+        secret = instance.generate_totp_secret
+
+        expect(secret).to match(/\w{32}/)
+      end
+    end
+
+    it_behaves_like 'generate_totp_secret', GuestUser
+    it_behaves_like 'generate_totp_secret', EncryptedUser
+  end
+
+  describe '#confirm_totp_secret' do
+    shared_examples 'confirm_totp_secret' do |klass|
+      let(:instance) { klass.new }
+      let(:secret) { instance.generate_totp_secret }
+      let(:totp_helper) { TotpHelper.new(secret, instance.class.otp_length) }
+
+      it 'populates otp_secret_key column when given correct code' do
+        instance.confirm_totp_secret(secret, totp_helper.totp_code)
+
+        expect(instance.otp_secret_key).to match(secret)
+      end
+
+      it 'does not populate otp_secret_key when when given incorrect code' do
+        instance.confirm_totp_secret(secret, '123')
+        expect(instance.otp_secret_key).to be_nil
+      end
+
+      it 'returns true when given correct code' do
+        expect(instance.confirm_totp_secret(secret, totp_helper.totp_code)).to be true
+      end
+
+      it 'returns false when given incorrect code' do
+        expect(instance.confirm_totp_secret(secret, '123')).to be false
+      end
+
+    end
+
+    it_behaves_like 'confirm_totp_secret', GuestUser
+    it_behaves_like 'confirm_totp_secret', EncryptedUser
+  end
+
+  describe '#max_login_attempts' do
+    let(:instance) { build_guest_user }
+
+    before do
+      @original_max_login_attempts = GuestUser.max_login_attempts
+      GuestUser.max_login_attempts = 3
+    end
+
+    after { GuestUser.max_login_attempts = @original_max_login_attempts }
+
+    it 'returns class setting' do
+      expect(instance.max_login_attempts).to eq(3)
+    end
+
+    it 'returns false as boolean' do
+      instance.second_factor_attempts_count = nil
+      expect(instance.max_login_attempts?).to be_falsey
+      instance.second_factor_attempts_count = 0
+      expect(instance.max_login_attempts?).to be_falsey
+      instance.second_factor_attempts_count = 1
+      expect(instance.max_login_attempts?).to be_falsey
+      instance.second_factor_attempts_count = 2
+      expect(instance.max_login_attempts?).to be_falsey
+    end
+
+    it 'returns true as boolean after too many attempts' do
+      instance.second_factor_attempts_count = 3
+      expect(instance.max_login_attempts?).to be_truthy
+      instance.second_factor_attempts_count = 4
+      expect(instance.max_login_attempts?).to be_truthy
+    end
+  end
+
+  describe '.has_one_time_password' do
+    context 'when encrypted: true option is passed' do
+      let(:instance) { EncryptedUser.new }
+
+      it 'encrypts otp_secret_key with iv, salt, and encoding' do
+        instance.otp_secret_key = '2z6hxkdwi3uvrnpn'
+
+        expect(instance.encrypted_otp_secret_key).to match(/.{44}/)
+
+        expect(instance.encrypted_otp_secret_key_iv).to match(/.{24}/)
+
+        expect(instance.encrypted_otp_secret_key_salt).to match(/.{25}/)
+      end
+
+      it 'does not encrypt a nil otp_secret_key' do
+        instance.otp_secret_key = nil
+
+        expect(instance.encrypted_otp_secret_key).to be_nil
+
+        expect(instance.encrypted_otp_secret_key_iv).to be_nil
+
+        expect(instance.encrypted_otp_secret_key_salt).to be_nil
+      end
+
+      it 'does not encrypt an empty otp_secret_key' do
+        instance.otp_secret_key = ''
+
+        expect(instance.encrypted_otp_secret_key).to eq ''
+
+        expect(instance.encrypted_otp_secret_key_iv).to be_nil
+
+        expect(instance.encrypted_otp_secret_key_salt).to be_nil
+      end
+
+      it 'raises an error when Devise.otp_secret_encryption_key is not set' do
+        allow(Devise).to receive(:otp_secret_encryption_key).and_return nil
+
+        # This error is raised by the encryptor gem
+        expect { instance.otp_secret_key = '2z6hxkdwi3uvrnpn' }.
+          to raise_error ArgumentError
+      end
+
+      it 'passes in the correct options to Encryptor.
+          We test here output of
+          Devise::Models::TwoFactorAuthenticatable::EncryptionInstanceMethods.encryption_options_for' do
+        instance.otp_secret_key = 'testing'
+        iv = instance.encrypted_otp_secret_key_iv
+        salt = instance.encrypted_otp_secret_key_salt
+
+        # it's important here to put the same crypto algorithm from that method
+        encrypted = Encryptor.encrypt(
+          value: 'testing',
+          key: Devise.otp_secret_encryption_key,
+          iv: iv.unpack('m').first,
+          salt: salt.unpack('m').first,
+          algorithm: 'aes-256-cbc'
+        )
+
+        expect(instance.encrypted_otp_secret_key).to eq [encrypted].pack('m')
+      end
+
+      it 'varies the iv per instance' do
+        instance.otp_secret_key = 'testing'
+        user2 = EncryptedUser.new
+        user2.otp_secret_key = 'testing'
+
+        expect(user2.encrypted_otp_secret_key_iv).
+          to_not eq instance.encrypted_otp_secret_key_iv
+      end
+
+      it 'varies the salt per instance' do
+        instance.otp_secret_key = 'testing'
+        user2 = EncryptedUser.new
+        user2.otp_secret_key = 'testing'
+
+        expect(user2.encrypted_otp_secret_key_salt).
+          to_not eq instance.encrypted_otp_secret_key_salt
+      end
+    end
+  end
+end

data/spec/rails_app/.gitignore

@@ -0,0 +1,3 @@
+log/
+tmp/
+*.sqlite3

data/spec/rails_app/README.md

@@ -0,0 +1,3 @@
+# Dummy
+
+You have found the dummy rails app used for integration testing of the `two_factor_authentication` gem.

data/spec/rails_app/Rakefile

@@ -0,0 +1,9 @@
+#!/usr/bin/env rake
+# frozen_string_literal: true
+
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('config/application', __dir__)
+
+Dummy::Application.load_tasks

data/spec/rails_app/app/assets/config/manifest.js

@@ -0,0 +1,2 @@
+//= link_directory ../javascripts .js
+//= link_directory ../stylesheets .css

data/spec/rails_app/app/assets/javascripts/application.js

@@ -0,0 +1 @@
+//= require_tree .

data/spec/rails_app/app/assets/stylesheets/application.css

@@ -0,0 +1,4 @@
+/*
+ *= require_self
+ *= require_tree .
+ */

data/spec/rails_app/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+  protect_from_forgery
+end

data/spec/rails_app/app/controllers/home_controller.rb

@@ -0,0 +1,10 @@
+class HomeController < ApplicationController
+  before_action :authenticate_user!, only: :dashboard
+
+  def index
+  end
+
+  def dashboard
+  end
+
+end

data/spec/rails_app/app/helpers/application_helper.rb

@@ -0,0 +1,8 @@
+module ApplicationHelper
+
+  def render_flash
+    flash.map do |name, message|
+      content_tag(:p, message, class: "flash #{name}")
+    end.join.html_safe
+  end
+end

data/spec/rails_app/app/models/admin.rb

@@ -0,0 +1,6 @@
+class Admin < ActiveRecord::Base
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :trackable, :validatable
+end

data/spec/rails_app/app/models/encrypted_user.rb

@@ -0,0 +1,15 @@
+class EncryptedUser
+  extend ActiveModel::Callbacks
+  include ActiveModel::Validations
+  include Devise::Models::TwoFactorAuthenticatable
+
+  define_model_callbacks :create
+  attr_accessor :encrypted_otp_secret_key,
+                :encrypted_otp_secret_key_iv,
+                :encrypted_otp_secret_key_salt,
+                :email,
+                :second_factor_attempts_count,
+                :totp_timestamp
+
+  has_one_time_password(encrypted: true)
+end

data/spec/rails_app/app/models/guest_user.rb

@@ -0,0 +1,17 @@
+class GuestUser
+  extend ActiveModel::Callbacks
+  include ActiveModel::Validations
+  include Devise::Models::TwoFactorAuthenticatable
+
+  define_model_callbacks :create
+  attr_accessor :direct_otp, :direct_otp_sent_at, :otp_secret_key, :email,
+    :second_factor_attempts_count, :totp_timestamp
+
+  def update(attrs)
+    attrs.each do |key, value|
+      send(key.to_s + '=', value)
+    end
+  end
+
+  has_one_time_password
+end

data/spec/rails_app/app/models/user.rb

@@ -0,0 +1,14 @@
+class User < ActiveRecord::Base
+  devise :two_factor_authenticatable, :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :trackable, :validatable
+
+  has_one_time_password
+
+  def send_two_factor_authentication_code(code)
+    SmsProvider.send_message(to: phone_number, body: code)
+  end
+
+  def phone_number
+    '14159341234'
+  end
+end

data/spec/rails_app/app/views/home/dashboard.html.erb

@@ -0,0 +1,11 @@
+<h1>Your Personal Dashboard</h1>
+
+<p>Hi <%= current_user.nickname %></p>
+
+<p>Your registered email address is <%= current_user.email %></p>
+
+<p> Param A is <%= params[:A] %></p>
+
+<p> Param B is <%= params[:B] %></p>
+
+<p>You can only see this page after successfully completing two factor authentication</p>

data/spec/rails_app/app/views/home/index.html.erb

@@ -0,0 +1,3 @@
+<h1>Welcome Home</h1>
+
+<p>Find me in app/views/home/index.html.erb</p>

data/spec/rails_app/app/views/layouts/application.html.erb

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Dummy</title>
+    <%= stylesheet_link_tag    "application", :media => "all" %>
+    <%= javascript_include_tag "application" %>
+    <%= csrf_meta_tags %>
+  </head>
+  <body>
+    <nav>
+      <% if user_signed_in? %>
+        You are signed in as <%= current_user.nickname %>
+      <% else %>
+        You are signed out
+      <% end %>
+    </nav>
+    <%= render_flash %>
+    <%= yield %>
+  </body>
+</html>

data/spec/rails_app/config/application.rb

@@ -0,0 +1,64 @@
+require File.expand_path('../boot', __FILE__)
+
+require "active_record/railtie"
+require "action_controller/railtie"
+require "action_mailer/railtie"
+require "sprockets/railtie"
+
+Bundler.require(*Rails.groups)
+require "devise_two_factor_authentication"
+
+module Dummy
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Custom directories with classes and modules you want to be autoloadable.
+    # config.autoload_paths += %W(#{config.root}/extras)
+    config.autoload_paths += %W(#{config.root}/lib)
+
+    # Only load the plugins named here, in the order given (default is alphabetical).
+    # :all can be used as a placeholder for all plugins not explicitly named.
+    # config.plugins = [ :exception_notification, :ssl_requirement, :all ]
+
+    # Activate observers that should always be running.
+    # config.active_record.observers = :cacher, :garbage_collector, :forum_observer
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+
+    # Configure the default encoding used in templates for Ruby 1.9.
+    config.encoding = "utf-8"
+
+    # Configure sensitive parameters which will be filtered from the log file.
+    config.filter_parameters += [:password]
+
+    # Enable escaping HTML in JSON.
+    config.active_support.escape_html_entities_in_json = true
+
+    # Use SQL instead of Active Record's schema dumper when creating the database.
+    # This is necessary if your schema can't be completely dumped by the schema dumper,
+    # like if you have constraints or database-specific column types
+    # config.active_record.schema_format = :sql
+
+    config.active_record.legacy_connection_handling = false
+
+    # Enable the asset pipeline
+    config.assets.enabled = true
+
+    # Version of your assets, change this if you want to expire all your assets
+    config.assets.version = '1.0'
+
+    config.action_mailer.default_url_options = { host: 'localhost:3000' }
+
+    config.i18n.enforce_available_locales = false
+
+    config.secret_key_base = 'secretvalue'
+  end
+end

data/spec/rails_app/config/boot.rb

@@ -0,0 +1,10 @@
+require 'rubygems'
+gemfile = File.expand_path('../../../../Gemfile', __FILE__)
+
+if File.exist?(gemfile)
+  ENV['BUNDLE_GEMFILE'] = gemfile
+  require 'bundler'
+  Bundler.setup
+end
+
+$:.unshift File.expand_path('../../../../lib', __FILE__)

data/spec/rails_app/config/database.yml

@@ -0,0 +1,19 @@
+# SQLite version 3.x
+#   gem install sqlite3
+#
+#   Ensure the SQLite 3 gem is defined in your Gemfile
+#   gem 'sqlite3'
+development:
+  adapter: sqlite3
+  database: db/development.sqlite3
+  pool: 5
+  timeout: 5000
+
+# Warning: The database defined as "test" will be erased and
+# re-generated from your development database when you run "rake".
+# Do not set this db to the same as development or production.
+test:
+  adapter: sqlite3
+  database: db/test.sqlite3
+  pool: 5
+  timeout: 5000

data/spec/rails_app/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+Dummy::Application.initialize!

data/spec/rails_app/config/environments/development.rb

@@ -0,0 +1,28 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # In the development environment your application's code is reloaded on
+  # every request. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+  config.eager_load = false
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send
+  config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger
+  config.active_support.deprecation = :log
+
+  # Only use best-standards-support built into browsers
+  config.action_dispatch.best_standards_support = :builtin
+
+  # Do not compress assets
+  config.assets.compress = false
+
+  # Expands the lines which load the assets
+  config.assets.debug = true
+end