orthodox 0.2.4 → 0.3.0

data/lib/generators/authentication/templates/controllers/sessions_controller.rb.erb

@@ -0,0 +1,36 @@
+# frozen_string_literal
+
+# Controller for managing sessions for <%= plural_class_name %>.
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+class <%= plural_class_name %>::SessionsController < <%= plural_class_name %>::BaseController
+  
+  skip_before_action :authenticate_<%= singular_name %>
+
+  def new
+    @<%= singular_name %>_session = <%= class_name %>Session.new(<%= singular_name %>_session_params)
+  end
+
+  def create
+    @<%= singular_name %>_session = <%= class_name %>Session.new(<%= singular_name %>_session_params)
+    if @<%= singular_name %>_session.valid?
+      sign_in(@<%= singular_name %>_session.<%= singular_name %>, as: :<%= singular_name %>)
+      redirect_to(<%= plural_name %>_dashboard_url, notice: "Successfully signed in")
+    else
+      render :new
+    end
+  end
+  
+  def destroy
+    sign_out(:<%= singular_name %>)
+    redirect_to root_url, notice: "Successfully signed out"
+  end
+
+  private
+
+  def <%= singular_name %>_session_params
+    return {} unless params.key?(:<%= singular_name %>_session)
+    params.require(:<%= singular_name %>_session).permit(:email, :password)
+  end
+
+end

data/lib/generators/authentication/templates/controllers/tfa_sessions_controller.rb.erb

@@ -0,0 +1,48 @@
+# frozen_string_literal
+#
+# Controller for managing two-factor sessions for <%= plural_class_name %>.
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+class <%= plural_class_name %>::TfaSessionsController < <%= plural_class_name %>::BaseController
+  
+  skip_before_action :authenticate_<%= singular_name %>
+  
+  before_action :authenticate_<%= singular_name %>_without_tfa
+
+  before_action :ensure_<%= singular_name %>_has_active_tfa
+  
+  before_action :ensure_<%= singular_name %>_not_tfa_authenticated
+  
+  def new
+    @tfa_session = TfaSession.new
+  end
+
+  def create
+    @tfa_session = TfaSession.new(permitted_params.merge(record: current_<%= singular_name %>))
+    if @tfa_session.valid?
+      current_<%= singular_name %>.otp_credential.consume_recovery_code!(permitted_params[:recovery_code])
+      sign_in(current_<%= singular_name %>, as: :<%= singular_name %>, tfa: true)
+      redirect_to <%= singular_name %>_tfa_success_redirect_url
+    else
+      render :new
+    end
+  end
+  
+  private
+  
+  def permitted_params
+    params.require(:tfa_session).permit(:otp, :recovery_code)
+  end
+  
+  def ensure_<%= singular_name %>_has_active_tfa
+    return if current_<%= singular_name %>.tfa?
+    redirect_to <%= singular_name %>_tfa_success_redirect_url
+  end
+
+  def ensure_<%= singular_name %>_not_tfa_authenticated
+    if current_<%= singular_name %>_tfa_authenticated?
+      redirect_to <%= singular_name %>_tfa_success_redirect_url    
+    end
+  end
+
+end

data/lib/generators/authentication/templates/controllers/tfas_controller.rb.erb

@@ -0,0 +1,38 @@
+# frozen_string_literal
+#
+# Controller for managing two-factor credentials for <%= plural_class_name %>.
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+class <%= plural_class_name %>::TfasController < <%= plural_class_name %>::BaseController
+  
+  skip_before_action :authenticate_<%= singular_name %>
+  
+  before_action :authenticate_<%= singular_name %>_without_tfa
+  
+  ##
+  # How long will we show the QRCode and recovery codes before they can no longer be
+  # accessed?
+  CAPTURE_TIME_ALLOWANCE = 15.seconds
+  
+  def create
+    current_<%= singular_name %>.create_otp_credential!
+    redirect_to(<%= plural_name %>_tfa_url, 
+                notice: "Successfully activated Two-Factor Authentication")
+  end
+
+  # This is where the <%= singular_name %> gets to see their recovery codes and QR Code.
+  # After CAPTURE_TIME_ALLOWANCE they cannot re-visit this page
+  def show
+    if current_<%= singular_name %>.otp_credential.created_at < CAPTURE_TIME_ALLOWANCE.ago
+      redirect_to <%= plural_name %>_dashboard_url
+    end
+  end
+
+  def destroy
+    current_<%= singular_name %>.destroy_otp_credential
+    redirect_to(<%= plural_name %>_dashboard_url, 
+                notice: "Successfully de-activated Two-Factor Authentication")
+    
+  end
+
+end

data/lib/generators/authentication/templates/helpers/otp_credentials_helper.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal
+
+# Helper for one-time-password authentication methods
+#
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+module OtpCredentialsHelper
+
+  require 'rqrcode'
+
+  # SVG code for a given OtpCredential. Use this to add a QR code to a page
+  #
+  # otp_credential - An OtpCredential to show the SVG for.
+  #
+  # Retuns String of valid HTML
+  def svg_url_for_otp_credential(otp_credential)
+    qrcode = qrcode(otp_credential)
+    qrcode.as_svg({
+      offset: 0,
+      color: '000',
+      shape_rendering: 'crispEdges',
+      module_size: 3,
+      standalone: true      
+    }).html_safe
+  end
+
+  private
+  
+  def qrcode(otp_credential)
+    RQRCode::QRCode.new(otp_credential.url)
+  end
+    
+end

data/lib/generators/authentication/templates/javascript/tfa_forms.js

@@ -0,0 +1,19 @@
+// Basic JS functionality for one-time-password form. Designed to be used with jQuery and 
+// Bootstrap.
+//
+// Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+// (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+  
+// Initialize method called when jQuery ready
+function init() {
+  $("body").on("click", ".js-tfa-link", onClick);
+}
+
+// Callback when toggle links are clicked. Shows/hides form fields and links
+function onClick(e){
+  e.preventDefault();
+  $(".js-tfa-link").toggleClass("d-none");
+  $(".js-tfa-field-group").toggleClass("d-none");
+}
+
+jQuery(init);

data/lib/generators/authentication/templates/models/concerns/authenticateable.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal
+
+# Model concern to provide shared behaviour for authenticating records.
+#
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+module Authenticateable
+
+  extend ActiveSupport::Concern
+  
+  MINIMUM_PASSWORD_LENGTH = 6
+  
+  MAXIMUM_PASSWORD_LENGTH = 128
+  
+  included do
+    
+    has_secure_password
+    
+    validates :email, email_format: { allow_blank: true }, presence: true
+    
+    validates :password, presence: { if: :validate_presence_of_password? }, 
+                         length: { minimum: MINIMUM_PASSWORD_LENGTH, 
+                                   maximum: MAXIMUM_PASSWORD_LENGTH,
+                                   allow_blank: true }
+    
+  end
+  
+  private
+  
+  def validate_presence_of_password?
+    new_record? || changes.include?("password")
+  end
+  
+  module ClassMethods
+  end
+  
+end

data/lib/generators/authentication/templates/models/concerns/otpable.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal
+#
+# Model concern to provide shared behaviour for two-factor auth (one-time password)
+#
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+module Otpable
+  extend ActiveSupport::Concern
+  
+  included do
+    
+    has_one :otp_credential, as: :authable  
+    
+    delegate :valid_otp?, :valid_recovery_code?, to: :otp_credential
+    
+  end
+  
+  def tfa?
+    otp_credential.present?
+  end
+    
+  def destroy_otp_credential
+    otp_credential.destroy
+  end
+  
+end

data/lib/generators/authentication/templates/models/concerns/password_resetable.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal
+#
+# Model concern to provide shared behaviour for password resets
+#
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+module PasswordResetable
+  
+  extend ActiveSupport::Concern
+  
+  included do
+    has_one :password_reset_token, as: :resetable, dependent: :destroy
+  end
+  
+  def destroy_password_reset_token
+    password_reset_token.try(:destroy)
+  end
+  
+end

data/lib/generators/authentication/templates/models/otp_credential.rb.erb

@@ -0,0 +1,133 @@
+# frozen_string_literal
+# 
+# Model for managing one-time password credentials for a given Member
+#
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+#
+# == Schema Information
+#
+# Table name: otp_credentials
+#
+#  id             :bigint           not null, primary key
+#  authable_type  :string           not null
+#  last_used_at   :datetime
+#  recovery_codes :json
+#  secret         :string(32)
+#  authable_id    :bigint           not null
+#
+# Indexes
+#
+#  index_otp_credentials_on_authable_type_and_authable_id  (authable_type,authable_id)
+#
+
+class OtpCredential < ApplicationRecord
+  
+  ##
+  # How much of a 'grace' period should we give the user, after which we will accept
+  # expired OTPs. Time in seconds.
+  DRIFT_ALLOWANCE = 15
+  
+  # ==============
+  # = Attributes =
+  # ==============
+  
+  attr_readonly :authable_type, :authable_id
+    
+  serialize :recovery_codes
+
+  # ================
+  # = Associations =
+  # ================
+  
+  belongs_to :authable, polymorphic: true
+  
+  
+  # =============
+  # = Callbacks =
+  # =============
+  
+  before_create :set_secret
+
+  before_create :set_last_used_at
+  
+  before_create :set_recovery_codes
+    
+    
+  # ===========================
+  # = Public instance methods =
+  # ===========================
+  
+  # URL for generating QR code for this OTP.
+  #
+  # Returns String
+  def url
+    totp.provisioning_uri(authable.email)
+  end
+  
+  # Test the given code against the expected current value.
+  #
+  # Returns Integer (Timestamp)
+  # Returns nil
+  def valid_otp?(test_value)
+    if result = totp.verify(test_value, 
+                            after: last_used_at, 
+                            drift_behind: DRIFT_ALLOWANCE)
+      touch(:last_used_at)
+    end
+    result
+  end
+    
+  # Test the given recovery code against the stored recovery_codes 
+  #
+  # Returns Boolean
+  def valid_recovery_code?(test_value)
+    test_value.to_s.in?(recovery_codes)
+  end
+  
+  # Removes a used recovery code from the recovery_codes list.
+  #
+  # Returns Boolean
+  def consume_recovery_code!(recovery_code)
+    array = recovery_codes
+    array.delete(recovery_code)
+    update_attribute(:recovery_codes, array)
+  end
+
+  private
+  
+  # The expected current OTP value. This shouldn't need to be required in production
+  #
+  # Returns String
+  def current_otp
+    totp.now
+  end
+  
+  # Set the secret value to a random base 32 String
+  #
+  # Returns String
+  def set_secret
+    self.secret = ROTP::Base32.random
+  end
+  
+  # Ensure the last_used_at time is always present and a past datetime.
+  def set_last_used_at
+    self.last_used_at = 5.minutes.ago
+  end
+    
+  def set_recovery_codes
+    self.recovery_codes = 10.times.map { generate_recovery_code }
+  end
+  
+  def generate_recovery_code
+    "#{SecureRandom.hex(3)[0..4]}-#{SecureRandom.hex(3)[0..4]}"
+  end
+  
+  # An instance of the TOTP to test codes against.
+  #
+  # Returns ROTP::TOTP
+  def totp
+    @totp ||= ROTP::TOTP.new(secret, issuer: "<%= Rails.application.class.module_parent.name %>")
+  end
+ 
+end

data/lib/generators/authentication/templates/models/password_reset_token.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal
+
+# 
+# Model for managing password reset tokens
+#
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+#
+# == Schema Information
+#
+# Table name: password_reset_tokens
+#
+#  id             :bigint           not null, primary key
+#  expires_at     :datetime
+#  resetable_type :string           not null
+#  secret         :string
+#  created_at     :datetime         not null
+#  updated_at     :datetime         not null
+#  resetable_id   :bigint           not null
+#
+# Indexes
+#
+#  index_password_reset_tokens_on_expires_at                       (expires_at)
+#  index_password_reset_tokens_on_resetable_type_and_resetable_id  (resetable_type,resetable_id)
+#  index_password_reset_tokens_on_secret                           (secret) UNIQUE
+#
+
+class PasswordResetToken < ApplicationRecord
+  
+  # =============
+  # = Constants =
+  # =============
+  
+  ##
+  # How long should password reset links be valid for?
+  EXPIRES_AFTER = 15.minutes
+  
+  # ================
+  # = Associations =
+  # ================
+  
+  belongs_to :resetable, polymorphic: true
+  
+  # ==============
+  # = Attributes =
+  # ==============
+  
+  has_secure_token :secret
+  
+  attr_readonly :resetable_type, :resetable_id, :expires_at, :secret
+  
+  before_create :set_expires_at
+  
+  def expired?
+    expires_at <= Time.current
+  end
+  
+  private
+  
+  def set_expires_at
+    self.expires_at = EXPIRES_AFTER.from_now
+  end
+  
+end