orthodox 0.2.4 → 0.3.0

data/lib/generators/authentication/templates/models/session.rb.erb

@@ -0,0 +1,80 @@
+# frozen_string_literal
+
+# Form object for authenticating <%= class_name %> records.
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+class <%= class_name %>Session
+  
+  include ActiveModel::Model
+  include ActiveModel::Attributes
+
+  INVALID_CREDENTIALS = "These credentials don't look valid"
+  
+  # ======================================================================================
+  # = Attributes                                                                         =
+  # ======================================================================================
+  
+  ##
+  # The authenticated <%= class_name %> if authentication is successful
+  #
+  # Returns ApplicationRecord
+  attr_accessor :<%= singular_name %>
+
+  ##
+  # The provided email address String
+  #
+  # Returns String
+  attribute :email, :string
+  
+  ##
+  # The provided password String
+  #
+  # Returns String
+  attribute :password, :string
+
+
+  # ======================================================================================
+  # = Validations                                                                        =
+  # ======================================================================================
+  
+  validates :email, presence: true, email_format: { allow_blank: true }
+  
+  validates :password, presence: true
+  
+  validate :record_authenticateable
+  
+  validate :password_matches
+  
+  
+  private
+  
+  
+  # If the record can be loaded from the scope, sets <%= singular_name %>, otherwise
+  # adds errors to :base
+  #
+  def record_authenticateable
+    <%= singular_name %> = <%= singular_name %>_scope.find_by(email: email)
+    if <%= singular_name %>.present?
+      self.<%= singular_name %> = <%= singular_name %>
+    else
+      errors.add(:base, INVALID_CREDENTIALS)
+    end
+  end
+  
+  # If the password isn't correct, add errors to :base
+  def password_matches
+    return unless <%= singular_name %>
+    unless <%= singular_name %>.authenticate(password)
+      errors.add(:password, INVALID_CREDENTIALS)
+    end
+  end
+  
+  # The scope to load <%= plural_class_name %> through. Modify this if there are 
+  # particular conditions that records should be filtered by.
+  #
+  # Returns ActiveRecord::Relation
+  def <%= singular_name %>_scope
+    <%= class_name %>.all
+  end
+  
+end

data/lib/generators/authentication/templates/models/tfa_session.rb

@@ -0,0 +1,77 @@
+# Form object for handling two-factor authentication sessions
+#
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+class TfaSession
+  include ActiveModel::Model
+  include ActiveModel::Attributes
+  
+  # =============
+  # = Constants =
+  # =============
+  
+  ##
+  # Regex for OTP format
+  OTP_FORMAT = /\A\d{3,5}\Z|/
+  
+  ##
+  # Regex for recovery code format
+  RECOVERY_CODE_FORMAT = /\A\w{5}\-\w{5}\Z/
+  
+  # ==============
+  # = Attributes =
+  # ==============
+  
+  attribute :otp, :string
+  
+  attribute :recovery_code, :string
+  
+  attribute :record
+  
+  
+  # ===============
+  # = Validations =
+  # ===============
+  
+  validates :otp, format: { with: OTP_FORMAT }, 
+                  numericality: { allow_blank: true },
+                  presence: { unless: :recovery_code? }
+  
+  validates :record, presence: true
+  
+  validate :otp_correct, if: :otp?, unless: :recovery_code?
+
+  validate :recovery_code_correct, if: :recovery_code?, unless: :otp?
+  
+  
+  # ===========================
+  # = Public instance methods =
+  # ===========================
+  
+  def otp?
+    otp.present?
+  end
+  
+  def recovery_code?
+    recovery_code.present?
+  end
+  
+  private
+  
+  # ============================
+  # = Private instance methods =
+  # ============================
+  
+  def otp_correct
+    unless record.valid_otp?(otp.to_s)
+      errors.add(:base, "OTP code was not correct")
+    end
+  end
+  
+  def recovery_code_correct
+    unless record.valid_recovery_code?(recovery_code.to_s)
+      errors.add(:base, "Recovery code was not correct")
+    end    
+  end
+  
+end

data/lib/generators/authentication/templates/spec/models/otp_credential_spec.rb

@@ -0,0 +1,215 @@
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+#
+# == Schema Information
+#
+# Table name: otp_credentials
+#
+#  id             :bigint           not null, primary key
+#  authable_type  :string           not null
+#  last_used_at   :datetime
+#  recovery_codes :json
+#  secret         :string(32)
+#  authable_id    :bigint           not null
+#
+# Indexes
+#
+#  index_otp_credentials_on_authable_type_and_authable_id  (authable_type,authable_id)
+#
+
+require 'rails_helper'
+
+RSpec.describe OtpCredential, type: :model do
+  
+  include ActiveSupport::Testing::TimeHelpers
+
+  describe "on create" do
+
+    subject do
+      record = build(:otp_credential, authable_type: "User", authable_id: 1)
+      record.save(validate: false) 
+      record
+    end
+    
+    it "generates a random secret" do
+      expect(subject.secret).to be_present
+    end
+
+    it "generates 10 recovery codes" do
+      expect(subject.recovery_codes.size).to eql(10)
+    end
+    
+    it "sets last_used_at to a past time" do
+      expect(subject.last_used_at).to be_past
+    end
+    
+  end
+  
+  describe "#url" do
+        
+    let(:otp_credential) do
+      record = build(:otp_credential, authable_type: "User", authable_id: 1)
+      record.save(validate: false) 
+      record
+    end
+    
+    subject { URI(otp_credential.url) }
+      
+    before do
+      test_user = instance_double("TestUser", email: "user-email@example.com")
+      allow(otp_credential).to receive(:authable).and_return(test_user)
+    end
+    
+    it "contains the otpauth scheme" do
+      expect(subject.scheme).to eql("otpauth")
+    end
+    
+    it "contains the autheticateable's email" do
+      expect(subject.to_s).to include("user-email@example.com")
+    end
+    
+    it "contains the application name" do
+      expect(subject.to_s).to include(Rails.application.class.module_parent.name) 
+    end
+    
+  end
+
+  describe "valid_otp?" do
+    
+    let!(:otp_credential) do
+      record = build(:otp_credential, authable_type: "User", authable_id: 1)
+      record.save(validate: false) 
+      record
+    end
+    
+    subject { otp_credential.valid_otp?(code) }
+    
+    
+    context "when code is correct" do
+      
+      let(:code) { otp_credential.send(:current_otp) }
+      
+      it { is_expected.to be_truthy }
+
+    end
+    
+    context "when code is correct but already used" do
+      
+      let(:code) { otp_credential.send(:current_otp) }
+      
+      before do
+        otp_credential.valid_otp?(code)
+      end
+      
+      it { is_expected.to be_falsey }
+      
+    end
+
+    context "when code is correct and expired less than DRIFT_ALLOWANCE" do
+      
+      let!(:code) { otp_credential.send(:current_otp) }
+      
+      it "is exepected to be truthy" do
+        
+        time_to_travel = seconds_until_next_otp + 14
+        travel(time_to_travel.seconds) {
+          expect(otp_credential).to be_valid_otp(code)
+        }
+      end
+      
+    end
+    
+    context "when code is correct but expired" do
+      
+      let!(:code) { otp_credential.send(:current_otp) }
+      
+      it "is exepected to be truthy" do
+        time_to_travel = seconds_until_next_otp + 15
+        travel(time_to_travel.seconds) {
+          expect(subject).to be_falsey
+        }
+      end
+      
+    end
+    
+    context "when otp is incorrect" do
+      
+      let(:code) { "99999" }
+      
+      it { is_expected.to be_falsey }
+      
+    end
+    
+  end
+
+  describe "valid_recovery_code?" do
+    
+    let!(:otp_credential) do
+      record = build(:otp_credential, authable_type: "User", authable_id: 1)
+      record.save(validate: false) 
+      record
+    end
+    
+    context "when recovery_code is in the list" do
+      
+      it "is expected to return true" do
+        recovery_code = otp_credential.recovery_codes.sample
+        expect(otp_credential.valid_recovery_code?(recovery_code)).to be_truthy
+      end
+      
+    end
+    
+    context "when recovery_code is not in the list" do
+      
+      it "is expected to return false" do
+        recovery_code = "not-in-list"
+        expect(otp_credential.valid_recovery_code?(recovery_code)).to be_falsey
+      end
+      
+    end
+    
+  end
+  
+  describe "consume_recovery_code!" do
+    
+    let(:otp_credential) do
+      record = build(:otp_credential, authable_type: "User", authable_id: 1)
+      record.save(validate: false) 
+      record
+    end
+
+    
+    
+    context "when recovery_code is in the list" do
+        
+      it "removes it from the list" do
+        recovery_code = otp_credential.recovery_codes.sample
+        expect(otp_credential.valid_recovery_code?(recovery_code)).to eql(true)
+        otp_credential.consume_recovery_code!(recovery_code)
+        expect(otp_credential.valid_recovery_code?(recovery_code)).to eql(false)
+      end
+      
+    end
+    
+    context "when recovery_code is not in the list" do
+      
+      it "fails silently" do
+        recovery_code = "not-in-list"
+        expect(otp_credential.valid_recovery_code?(recovery_code)).to eql(false)
+        otp_credential.consume_recovery_code!(recovery_code)
+        expect(otp_credential.valid_recovery_code?(recovery_code)).to eql(false)
+      end
+      
+    end
+    
+  end
+  
+  private
+  
+  def seconds_until_next_otp
+    change_window = 30 # seconds
+    diff_since_last_change = Time.now.sec % change_window
+    change_window - diff_since_last_change
+  end
+  
+end

data/lib/generators/authentication/templates/spec/models/password_reset_token_spec.rb

@@ -0,0 +1,146 @@
+# Automatically generated by the orthodox gem (https://github.com/katanacode/orthodox)
+# (c) Copyright 2019 Katana Code Ltd. All Rights Reserved. 
+#
+# == Schema Information
+#
+# Table name: password_reset_tokens
+#
+#  id             :bigint           not null, primary key
+#  expires_at     :datetime
+#  resetable_type :string           not null
+#  secret         :string
+#  created_at     :datetime         not null
+#  updated_at     :datetime         not null
+#  resetable_id   :bigint           not null
+#
+# Indexes
+#
+#  index_password_reset_tokens_on_expires_at                       (expires_at)
+#  index_password_reset_tokens_on_resetable_type_and_resetable_id  (resetable_type,resetable_id)
+#  index_password_reset_tokens_on_secret                           (secret) UNIQUE
+#
+
+require 'rails_helper'
+
+RSpec.describe PasswordResetToken, type: :model do
+  
+  include ActiveSupport::Testing::TimeHelpers
+  
+  describe "#secret" do
+      
+    let(:password_reset_token) do
+      token = PasswordResetToken.new(resetable_id: 1, resetable_type: "User")
+      token.save(validate: false)
+      token
+    end
+    
+    it "is set on creation" do
+      expect(password_reset_token.secret).to be_present
+    end
+    
+    it "is readonly" do
+      original_secret = password_reset_token.secret
+      password_reset_token.secret = "somenewvalue"
+      password_reset_token.save(validate: false)
+      password_reset_token.reload
+      expect(password_reset_token.secret).to eql(original_secret)
+    end
+    
+  end
+
+  describe "#expires_at" do
+      
+    let(:password_reset_token) do
+      token = PasswordResetToken.new(resetable_id: 1, resetable_type: "User")
+      token.save(validate: false)
+      token
+    end
+    
+    it "is set on creation" do
+      expect(password_reset_token.expires_at).to be_present
+    end
+    
+    it "is readonly" do
+      original_expires_at = password_reset_token.expires_at
+      password_reset_token.expires_at = 1.day.from_now
+      password_reset_token.save(validate: false)
+      password_reset_token.reload
+      expect(password_reset_token.expires_at).to eql(original_expires_at)
+    end
+    
+  end
+
+  describe "#resetable_id" do
+      
+    let(:password_reset_token) do
+      token = PasswordResetToken.new(resetable_id: 1, resetable_type: "User")
+      token.save(validate: false)
+      token
+    end
+    
+    it "is set on creation" do
+      expect(password_reset_token.resetable_id).to be_present
+    end
+    
+    it "is readonly" do
+      original_resetable_id = password_reset_token.resetable_id
+      password_reset_token.resetable_id = 1.day.from_now
+      password_reset_token.save(validate: false)
+      password_reset_token.reload
+      expect(password_reset_token.resetable_id).to eql(original_resetable_id)
+    end
+    
+  end
+    
+  describe "#resetable_type" do
+      
+    let(:password_reset_token) do
+      token = PasswordResetToken.new(resetable_id: 1, resetable_type: "User")
+      token.save(validate: false)
+      token
+    end
+    
+    it "is set on creation" do
+      expect(password_reset_token.resetable_type).to be_present
+    end
+    
+    it "is readonly" do
+      original_resetable_type = password_reset_token.resetable_type
+      password_reset_token.resetable_type = 1.day.from_now
+      password_reset_token.save(validate: false)
+      password_reset_token.reload
+      expect(password_reset_token.resetable_type).to eql(original_resetable_type)
+    end
+    
+  end
+  
+  describe "#expired?" do
+    
+    let(:password_reset_token) do
+      token = PasswordResetToken.new(resetable_id: 1, resetable_type: "User")
+      token.save(validate: false)
+      token
+    end
+    
+    context "when still within time threshhold" do
+      
+      it "is not expired" do
+        expect(password_reset_token).not_to be_expired
+      end
+      
+    end
+
+    context "when outwith time threshhold" do
+      
+      it "is expected to be false" do
+        password_reset_token
+        travel(16.minutes) do
+          expect(password_reset_token).to be_expired
+        end
+      end
+      
+    end
+    
+  end
+  
+end