omniauth-onetime 1.0.3

data/COPYING.LESSER

@@ -0,0 +1,165 @@
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions.
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version.
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in omniauth-onetime.gemspec
+gemspec

data/README.md

@@ -0,0 +1,244 @@
+# OmniAuth One-Time
+
+[![Code Climate](https://codeclimate.com/github/thoughtafter/omniauth-onetime/badges/gpa.svg)](https://codeclimate.com/github/thoughtafter/omniauth-onetime)
+[![Test Coverage](https://codeclimate.com/github/thoughtafter/omniauth-onetime/badges/coverage.svg)](https://codeclimate.com/github/thoughtafter/omniauth-onetime/coverage)
+[![Issue Count](https://codeclimate.com/github/thoughtafter/omniauth-onetime/badges/issue_count.svg)](https://codeclimate.com/github/thoughtafter/omniauth-onetime)
+
+An [OmniAuth](https://github.com/omniauth/omniauth) strategy using secure
+onetime passwords.
+
+I released this code on Dec 14, 2016 after having used it in production for some
+time. Coincidentally, this is the same day that
+[Yahoo disclosed a breach of 1 billion accounts](https://yahoo.tumblr.com/post/154479236569/important-security-information-for-yahoo-users)
+which may have included MD5 hashed passwords. In the wake of this and numerous
+other password breaches every web development team needs to ask:
+
+**Is it worth storing long term user generated passwords?**
+
+I suggest that it very rarely is.
+
+## Vision
+
+Strong passwords are difficult to remember. Rememberable passwords are usually
+weak. Thus asking users to create and remember strong passwords is a limited
+proposition.
+
+The purpose of this gem is to provide a way for developers to quickly add a
+secure authentication system to Rack based projects. This system is based on
+one-time passwords which are emailed to the user at sign in time. These
+passwords quickly expire (5 minute default, expiration time is configurable)
+in order to thwart brute-force attacks.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-onetime'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install omniauth-onetime
+
+## Usage
+
+Enable omniauth-onetime using a Rails initializer at
+`config/initializers/omniauth.rb`:
+
+```ruby
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider :onetime
+end
+```
+
+`config/routes.rb` file something like this:
+
+```ruby
+get '/auth/:provider/callback', to: 'sessions#create'
+```
+
+`app/controllers/sessions_controller.rb` file something like this:
+
+```ruby
+class SessionsController < ApplicationController
+  def create
+    @user = User.omniauth(auth_hash)
+    session[:user_id] = user.id
+    redirect_to request.env['omniauth.origin'] || root_path,
+      notice: "Signed in!"
+  end
+
+  def destroy
+    session[:user_id] = nil
+    redirect_to root_url, notice: "Signed out!"
+  end
+
+  protected
+
+  def auth_hash
+    request.env['omniauth.auth']
+  end
+end
+```
+
+`app/models/user.rb` file something like this:
+
+```ruby
+class User < ActiveRecord::Base
+  def self.omniauth(auth)
+    User.find_or_create_by!(provider: auth['provider'], email: auth['email'])
+  end
+end
+```
+
+### Configuration
+
+These settings can be passed as a hash in the initializer.
+
+* password_length - length of generated random passwords (default: 8)
+* password_time - time in seconds that a generated password is valid
+  (default: 300)
+* password_cost - bcrypt cost/rounds (default: 12), be sure you understand the
+  implications of changing this
+* email_options - a hash to be sent to ActionMailer::Base.mail (default:
+  { subject: 'Sign In Details' })
+* password_cache - a cache to store the passwords (default: Rails.cache for
+  Rails apps, none otherwise), expected to function like
+  [ActiveSupport::Cache::Store](http://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html),
+  make sure this cache is appropriate for your deployment
+  * must implement: write, read, delete, exist?
+
+## Details
+
+Reading List:
+
+* 2014-04-12: [Passwords are Obsolete](https://medium.com/@ninjudd/passwords-are-obsolete-9ed56d483eb)
+* 2014-10-15: [Passwordless authentication: Secure, simple, and fast to deploy](https://hacks.mozilla.org/2014/10/passwordless-authentication-secure-simple-and-fast-to-deploy/)
+* 2015-06-30: [Why passwords suck](https://medium.engineering/why-passwords-suck-d1d1f38c1bb4)
+* 2016-08-12: [Securing access to genetic and personal information without a password](https://biogeniq.ca/en/articles/securing-access-to-genetic-and-personal-information-without-a-password/)
+* [Passwordless](https://passwordless.net/)
+
+The nomenclature has been settling on calling this approach "passwordless".
+That makes sense if the email sent the user contains a link such that the user
+never has to enter a password. However, this gem assumes that the device
+receiving the password and the device being used to sign in may not be the same
+and thus a password that can be read and entered is also a requirement. This
+password can be used as a token for a "passwordless" authentication link. This
+gem is "passwordless" but I believe more accurately it uses out-of-band
+transmission of quickly expiring one-time passwords.
+
+This approach may sound counter-intuitive, especially with a default password
+length of 8 characters. However, the real key to the security is that the
+passwords are sufficiently random and the window of opportunity is very short.
+A traditional username / password system fails because the passwords are not
+sufficiently random as truly random passwords are difficult to remember and
+because the password lifetime is often very long. An issue which compounds
+these traditional systems is password reuse which puts accounts at risk
+whenever any system containing a user's password becomes compromised and
+subject to a brute force attack.
+
+### Benefits:
+
+* No passwords to create - Users are generally very bad at creating passwords
+unless they are somewhat knowledgeable and  highly disciplined. The requirement
+to remember the password is directly at odds with the strength of the password.
+See also: [xkcd: Password Strength](https://xkcd.com/936/)
+* No passwords to remember - Passwords can be random and arbitrarily
+strong by increasing password length.
+* Passwords are short lived - Brute-force attacks are thwarted even with
+shorter passwords such as 8 random letters.
+* Passwords are not reused - A system using this gem cannot divulge useful
+password secrets if compromised. It is also immune from secrets divulged from
+other systems, whether they use this gem or not. It also does not require user
+trust that the website will not use passwords submitted by users for nefarious
+ends. See also: [xkcd: Password Reuse](https://xkcd.com/792/)
+* Easy for users - To Sign In:
+  1. enter your email
+  2. enter the password that has been emailed to you or click a link in the
+     email.
+
+### Limitations:
+
+* A compromised email account will compromise the user account. **However, this
+is also true of any traditional password system that allows for email reset or
+recovery of passwords.** The only way to circumvent this attack vector is to
+handle password resets in a way that verifies a person's identity manually and
+likely in person and with identification. Since most websites are probably not
+willing to take that step (though financial institutions should be at the very
+least considering it) then emailed one-time passwords are just as secure as
+any website employing an automated email password reset system.
+* Users must divulge an email account under their control to sign in. This does
+not seem like a huge hurdle. If people are concerned with their privacy they
+would likely have to create an anonymous/pseudonymous email for use with these
+systems. Many websites require divulging an email even with a traditional
+password system.
+* Password emails can potentially create a log of usage. The existence of the
+email cannot prove a user signed in or was trying to sign in since such emails
+can be triggered by anyone. However, this is still a notable difference from
+traditional systems.
+* Relies on external email systems to deliver passwords. Any downtime in either
+the email service used by the system or that used by the user will disrupt the
+user's ability to sign in.
+
+### Brute-force attacks:
+
+Let's assume a malicious agent wants to brute-force a user's password on a
+system using this gem. Using the default settings of an 8 letter password:
+
+26^8 = 208,827,064,576 permutations
+
+In order to compromise a password in 5 minutes an adversary will have to
+hash nearly 700 million passwords per second.
+
+26^8 permutations / 300 seconds = 696,090,216 hashes per second
+
+This is far beyond what computing power can deliver for the bcrypt with a
+default cost of 12. This scenario also assumes instantaneous access to the
+stored crypted passwords which is highly unlikely without a greater breach of
+security having already occurred.
+
+On my development system the speed of bcrypt at cost 12 is roughly
+4 hashes per second per core. A 2015 attempt to crack bcrypt passwords with a
+cost of 12 using a GPU was able to achieve
+[156 hashes per second per GPU](http://www.pxdojo.net/2015/08/what-i-learned-from-cracking-4000.html "What I learned from cracking 4000 Ashley Madison passwords").
+A Zynq 7045 FPGA device was able to achieve
+[226 hashes per second](http://www.openwall.com/presentations/Passwords14-Energy-Efficient-Cracking/slide-50.html "Energy-efficient bcrypt cracking, slide 50")
+at bcrypt cost 12.
+
+It's probably wise to keep this in mind:
+
+[![xlcd: Security](http://imgs.xkcd.com/comics/security.png)](https://xkcd.com/538/)
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/thoughtafter/omniauth-onetime. This project is intended to be
+a safe, welcoming space for collaboration, and contributors are expected to
+adhere to the [Contributor Covenant](http://contributor-covenant.org) code of
+conduct.
+
+## License
+
+omniauth-onetime is free software: you can redistribute it and/or modify
+it under the terms of the GNU Lesser General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+omniauth-onetime is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public License
+along with omniauth-onetime.  If not, see <http://www.gnu.org/licenses/>.

data/Rakefile

@@ -0,0 +1,10 @@
+require 'bundler/gem_tasks'
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.libs << 'lib'
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task default: :test

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'omniauth-onetime'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/omniauth/omniauth-onetime/version.rb

@@ -0,0 +1,24 @@
+#
+# omniauth-onetime - An omniauth strategy using secure onetime passwords.
+# Copyright (C) 2016 thoughtafter@gmail.com
+#
+# This file is part of omniauth-onetime.
+#
+# omniauth-onetime is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# omniauth-onetime is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with omniauth-onetime.  If not, see <http://www.gnu.org/licenses/>.
+#
+module OmniAuth
+  module Onetime
+    VERSION = '1.0.3'.freeze
+  end
+end

data/lib/omniauth/strategies/onetime.rb

@@ -0,0 +1,205 @@
+#
+# omniauth-onetime - An omniauth strategy using secure onetime passwords.
+# Copyright (C) 2016 thoughtafter@gmail.com
+#
+# This file is part of omniauth-onetime.
+#
+# omniauth-onetime is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# omniauth-onetime is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with omniauth-onetime.  If not, see <http://www.gnu.org/licenses/>.
+#
+module OmniAuth
+  module Strategies
+    # An omniauth strategy using secure onetime passwords
+    class Onetime
+      include OmniAuth::Strategy
+
+      option :password_length, 8
+      option :password_time, 300
+      option :password_cost, 12
+      option :password_cache, nil
+      option :email_options, subject: 'Sign In Details'
+
+      # these options are a means of modeling a theoretical adversary and
+      # ensuring some minimum level of security against that adversary
+      # the default is roughly a cluster of 100 GPU's, this is not inexpensive
+      # keep this in mind: https://xkcd.com/538/
+      # cost = bcrypt cost
+      # speed = hashes per second per device at cost
+      # devices = number of devices
+      AdversarySingleDevice = { cost: 12, speed: 300, devices: 1 }
+      AdversaryMultiDevice = { cost: 12, speed: 300, devices: 128 }
+      option :adversary, AdversaryMultiDevice
+
+      # 1 = 100 percent chance of the adversary cracking within the time
+      # 100 = 1% chance, 1000 = 0.1% chance, 10_000 = 0.01%
+      # or, 10_000 means there is 1 in 10,000 chance of brute-forcing a password
+      # in the time allotted
+      option :minimum_security, 10_000
+
+      def initialize(app, *args, &block)
+        super
+
+        if options[:password_cache].nil? && defined?(Rails)
+          options[:password_cache] = Rails.cache
+        end
+
+        if options[:password_cache].nil?
+          raise 'omniauth-onetime must be configured with a password cache.'
+        end
+      end
+
+      # hashes per second needed for 100% complete brute force
+      # higher is more secure
+      def self.difficulty
+        (26**default_options[:password_length]) /
+          default_options[:password_time]
+      end
+
+      # factor to adjust bcrypt costs
+      def self.adversary_adjust
+        2**(default_options[:adversary][:cost] -
+            default_options[:password_cost])
+      end
+
+      # hashes per second (total) at password_cost
+      def self.adversary_speed
+        default_options[:adversary][:speed] *
+          default_options[:adversary][:devices] * adversary_adjust
+      end
+
+      # ratio of hashes per second needed to brute-force to the theoretical
+      # adversary, <= 1 means the adversary can crack within the time alloted
+      # higher is more secure, chance of cracking = 1 in adversary_ratio
+      def self.adversary_ratio
+        Rational(difficulty, adversary_speed)
+      end
+
+      # percentage chance of the adversary cracking the password
+      def self.adversary_chance
+        100 / adversary_ratio
+      end
+
+      class_eval do
+        if (s = adversary_ratio) < (m = default_options[:minimum_security])
+          raise ArgumentError, 'Omniauth-Onetime options do not reach minimum' \
+          " security requirements (#{s.to_i}<#{m}), please increase" \
+          ' password_length, increase password_cost, or decrease password_time.'
+        end
+      end
+
+      private
+
+      # generate password of options[:password_length] length of uppercase
+      # letters A-Z
+      def new_password
+        Array.new(options[:password_length]) do
+          SecureRandom.random_number(26) + 65
+        end.pack('c*')
+      end
+
+      # create cryoted oassword from plaintext using Bcrypt and save it to the
+      # password cache
+      def save_password(email, plaintext)
+        crypted = BCrypt::Password
+                  .create(plaintext, cost: options[:password_cost])
+        options[:password_cache]
+          .write(email, crypted, expires_in: options[:password_time])
+      end
+
+      # verify password, case is insensitive and all spaces and characters
+      # other than A-Z are stripped out
+      def verify_password(email, plaintext)
+        crypted = options[:password_cache].read(email)
+
+        begin
+          (BCrypt::Password.new(crypted) == plaintext.upcase.gsub(/\W/, ''))
+        rescue BCrypt::Errors::InvalidHash
+          false
+        end
+      end
+
+      uid do
+        request.env['omniauth.params']['email']
+      end
+
+      info do
+        {
+          name: uid,
+          email: uid
+        }
+      end
+
+      def send_password(email, plaintext)
+        # break the password into groups of 4 letters for readability and
+        # usability
+        body = plaintext.scan(/.{4}/).join(' ')
+        ActionMailer::Base
+          .mail(options[:email_options].merge(to: email, body: body))
+          .deliver_now
+      end
+
+      def prepare_password(email)
+        # to prevent DOS do not send another password until previous one has
+        # expired
+        unless options[:password_cache].exist?(email)
+          plaintext = new_password
+          save_password(email, plaintext)
+          send_password(email, plaintext)
+        end
+      end
+
+      def request_email
+        log :debug, 'STEP 1: Ask user for email'
+
+        form = OmniAuth::Form.new(title: 'User Info')
+        form.text_field :email, :email
+        form.button 'Request Password'
+        form.to_response
+      end
+
+      def request_password(email)
+        log :debug, 'STEP 2: prepare password then ask user for password'
+        prepare_password(email)
+
+        form = OmniAuth::Form.new(title: 'User Info')
+        form.text_field :password, :password
+        form.html("<input type=\"hidden\" name=\"email\" value=\"#{email}\">")
+        form.button 'Sign In'
+        form.to_response
+      end
+
+      def request_verification(email, plaintext)
+        log :debug, 'STEP 3: verify password'
+        if verify_password(email, plaintext)
+          options[:password_cache].delete(email) # expire password
+          redirect callback_path
+        else
+          redirect request_path
+        end
+      end
+
+      def request_phase
+        email = request.params['email']
+        plaintext = request.params['password']
+
+        if email.blank?
+          request_email
+        elsif plaintext.blank?
+          request_password(email)
+        else
+          request_verification(email, plaintext)
+        end
+      end
+    end
+  end
+end