quo_vadis 1.3.2 → 2.0.1

data/app/controllers/quo_vadis/totps_controller.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class TotpsController < ApplicationController
+    before_action :require_password_authentication
+
+
+    def new
+      @totp = authenticated_model.qv_account.build_totp
+    end
+
+
+    def create
+      @totp = authenticated_model.qv_account.build_totp(
+        key:               totp_params[:key],
+        provided_hmac_key: totp_params[:hmac_key]
+      )
+      if @totp.verify params[:totp][:otp]
+        qv.log authenticated_model.qv_account, Log::TOTP_SETUP
+        QuoVadis.notify :totp_setup_notification, email: authenticated_model.email
+        qv.session_authenticated_with_second_factor
+        flash[:recovery_codes] = generate_recovery_codes
+        redirect_to recovery_codes_path
+      else
+        redirect_to new_totp_path, alert: QuoVadis.translate('flash.totp.unverified')
+      end
+    end
+
+
+    def challenge
+      account = authenticated_model.qv_account
+
+      unless account.has_two_factors?
+        redirect_to new_totp_path, alert: QuoVadis.translate('flash.totp.setup') and return
+      end
+
+      @totp = account.totp
+    end
+
+
+    def authenticate
+      @totp = authenticated_model.qv_account.totp
+      if @totp.verify params[:totp]
+        qv.log authenticated_model.qv_account, Log::TOTP_SUCCESS
+        qv.replace_session
+        qv.session_authenticated_with_second_factor
+        redirect_to qv.path_after_authentication, notice: QuoVadis.translate('flash.login.success')
+      else
+        if @totp.reused? params[:totp]
+          qv.log authenticated_model.qv_account, Log::TOTP_REUSE
+          QuoVadis.notify :totp_reuse_notification, email: authenticated_model.email
+        else
+          qv.log authenticated_model.qv_account, Log::TOTP_FAILURE
+        end
+        flash.now[:alert] = QuoVadis.translate('flash.totp.unverified')
+        render :challenge
+      end
+    end
+
+
+    private
+
+    def totp_params
+      params.require(:totp).permit(:key, :hmac_key, :otp)
+    end
+
+    def generate_recovery_codes
+      authenticated_model.qv_account.generate_recovery_codes
+    end
+
+  end
+end

data/app/controllers/quo_vadis/twofas_controller.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class TwofasController < ApplicationController
+    before_action :require_password_authentication
+
+    def show
+      @recovery_codes_count = account.recovery_codes.count
+    end
+
+    def destroy
+      account.totp&.destroy
+      account.recovery_codes.delete_all
+      account.sessions.each &:reset_authenticated_with_second_factor  # OWASP ASV v4.0, 2.8.6
+      qv.log account, Log::TWOFA_DEACTIVATED
+      QuoVadis.notify :twofa_deactivated_notification, email: authenticated_model.email
+      redirect_to twofa_path, notice: QuoVadis.translate('flash.2fa.invalidated')
+    end
+
+    private
+
+    def account
+      authenticated_model.qv_account
+    end
+  end
+end

data/app/mailers/quo_vadis/mailer.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class Mailer < ::ActionMailer::Base
+
+    def reset_password
+      @url = params[:url]
+      _mail params[:email], QuoVadis.translate('mailer.password_reset.subject')
+    end
+
+    def account_confirmation
+      @url = params[:url]
+      _mail params[:email], QuoVadis.translate('mailer.confirmation.subject')
+    end
+
+    def email_change_notification
+      @timestamp = Time.now
+      @ip = QuoVadis::CurrentRequestDetails.ip
+      _mail params[:email], QuoVadis.translate('mailer.notification.email_change')
+    end
+
+    def identifier_change_notification
+      @timestamp = Time.now
+      @identifier = params[:identifier]
+      @ip = QuoVadis::CurrentRequestDetails.ip
+      _mail params[:email], QuoVadis.translate('mailer.notification.identifier_change',
+                                               identifier: params[:identifier])
+    end
+
+    def password_change_notification
+      @timestamp = Time.now
+      @ip = QuoVadis::CurrentRequestDetails.ip
+      _mail params[:email], QuoVadis.translate('mailer.notification.password_change')
+    end
+
+    def password_reset_notification
+      @timestamp = Time.now
+      @ip = QuoVadis::CurrentRequestDetails.ip
+      _mail params[:email], QuoVadis.translate('mailer.notification.password_reset')
+    end
+
+    def totp_setup_notification
+      @timestamp = Time.now
+      @ip = QuoVadis::CurrentRequestDetails.ip
+      _mail params[:email], QuoVadis.translate('mailer.notification.totp_setup')
+    end
+
+    def totp_reuse_notification
+      @timestamp = Time.now
+      @ip = QuoVadis::CurrentRequestDetails.ip
+      _mail params[:email], QuoVadis.translate('mailer.notification.totp_reuse')
+    end
+
+    def twofa_deactivated_notification
+      @timestamp = Time.now
+      @ip = QuoVadis::CurrentRequestDetails.ip
+      _mail params[:email], QuoVadis.translate('mailer.notification.twofa_deactivated')
+    end
+
+    def recovery_codes_generation_notification
+      @timestamp = Time.now
+      @ip = QuoVadis::CurrentRequestDetails.ip
+      _mail params[:email], QuoVadis.translate('mailer.notification.recovery_codes_generation')
+    end
+
+    private
+
+    def _mail(to, subject)
+      mail QuoVadis.mail_headers.merge(to: to, subject: subject)
+    end
+
+  end
+end

data/app/models/quo_vadis/account.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class Account < ActiveRecord::Base
+
+    MAX_NUMBER_OF_RECOVERY_CODES = 5
+
+    belongs_to :model, polymorphic: true
+
+    has_one :password, dependent: :destroy
+    has_many :sessions, dependent: :destroy
+    has_one :totp, dependent: :destroy
+    has_many :recovery_codes, dependent: :destroy
+    has_many :logs, dependent: :destroy
+
+    validates :identifier, presence: true, uniqueness: {case_sensitive: false}
+
+    after_update :log_identifier_change, if: :saved_change_to_identifier?
+    after_update :notify_identifier_change, if: :saved_change_to_identifier?
+
+    def confirmed?
+      confirmed_at.present?
+    end
+
+    def confirmed!
+      touch :confirmed_at
+    end
+
+    def has_two_factors?
+      password.present? && totp.present?
+    end
+
+    # Returns an array of the recovery codes' codes.
+    def generate_recovery_codes
+      Array.new(MAX_NUMBER_OF_RECOVERY_CODES) { recovery_codes.create }.map &:code
+    end
+
+    private
+
+    def log_identifier_change
+      from, to = saved_change_to_identifier
+      Log.create(
+        account:  self,
+        action:   Log::IDENTIFIER_CHANGE,
+        ip:       (CurrentRequestDetails.ip || ''),
+        metadata: {from: from, to: to}
+      )
+    end
+
+    def notify_identifier_change
+      # No need to notify if the identifier is :email because
+      # the email-is-changed notification in the model mixin handles it.
+      QuoVadis.notify(:identifier_change_notification,
+        email: model.email,
+        identifier: QuoVadis.humanise_identifier(model.class.name).downcase
+      ) unless QuoVadis.identifier(model.class.name) == :email
+    end
+  end
+end

data/app/models/quo_vadis/account_confirmation_token.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class AccountConfirmationToken < Token
+    class << self
+
+      def expires_at
+        QuoVadis.account_confirmation_token_lifetime.from_now.to_i
+      end
+
+      def data_for_hmac(data, account)
+        "#{data}-#{account.confirmed?}"
+      end
+
+    end
+  end
+end

data/app/models/quo_vadis/log.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class Log < ActiveRecord::Base
+    include IpMasking
+
+    LOGIN_SUCCESS          = 'login.success'
+    LOGIN_FAILURE          = 'login.failure'
+    LOGIN_UNKNOWN          = 'login.unknown'
+    TOTP_SETUP             = 'totp.setup'
+    TOTP_SUCCESS           = 'totp.success'
+    TOTP_FAILURE           = 'totp.failure'
+    TOTP_REUSE             = 'totp.reuse'
+    RECOVERY_CODE_SUCCESS  = 'recovery_code.success'
+    RECOVERY_CODE_FAILURE  = 'recovery_code.failure'
+    RECOVERY_CODE_GENERATE = 'recovery_code.generate'
+    TWOFA_DEACTIVATED      = '2fa.deactivated'
+    IDENTIFIER_CHANGE      = 'identifier.change'
+    EMAIL_CHANGE           = 'email.change'
+    PASSWORD_CHANGE        = 'password.change'
+    PASSWORD_RESET         = 'password.reset'
+    ACCOUNT_CONFIRMATION   = 'account.confirmation'
+    LOGOUT_OTHER           = 'logout.other'
+    LOGOUT                 = 'logout'
+
+    ACTIONS = [
+      LOGIN_SUCCESS,
+      LOGIN_FAILURE,
+      LOGIN_UNKNOWN,
+      TOTP_SETUP,
+      TOTP_SUCCESS,
+      TOTP_FAILURE,
+      TOTP_REUSE,
+      RECOVERY_CODE_SUCCESS,
+      RECOVERY_CODE_FAILURE,
+      RECOVERY_CODE_GENERATE,
+      TWOFA_DEACTIVATED,
+      IDENTIFIER_CHANGE,
+      EMAIL_CHANGE,
+      PASSWORD_CHANGE,
+      PASSWORD_RESET,
+      ACCOUNT_CONFIRMATION,
+      LOGOUT_OTHER,
+      LOGOUT
+    ]
+
+    belongs_to :account, optional: true  # optional only for LOGIN_UNKNOWN
+
+    validates :action, inclusion: {in: ACTIONS}
+
+    scope :new_to_old, -> { order created_at: :desc }
+
+    scope :page, ->(page, per_page) {
+      limit(per_page).offset((page - 1) * per_page)
+    }
+  end
+end

data/app/models/quo_vadis/password.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class Password < ActiveRecord::Base
+    belongs_to :account
+
+    has_secure_password
+
+    validates_length_of :password, minimum: QuoVadis.password_minimum_length, allow_blank: true
+
+    attr_accessor :new_password
+
+
+    def change(current_plaintext, new_plaintext, new_plaintext_confirmation)
+      unless authenticate current_plaintext
+        errors.add :password, :incorrect
+        return false
+      end
+
+      # has_secure_password ignores empty passwords ("") on update so reject them here.
+      if new_plaintext.empty?
+        errors.add :new_password, :blank
+        return false
+      end
+
+      self.password = new_plaintext
+      self.password_confirmation = new_plaintext_confirmation
+
+      if save
+        true
+      else
+        errors.delete(:password)&.each { |e| errors.add :new_password, e }
+        errors.delete(:password_confirmation)&.each { |e| errors.add :new_password_confirmation, e }
+        false
+      end
+    end
+
+
+    def reset(new_plaintext, new_plaintext_confirmation)
+      # has_secure_password ignores empty passwords ("") on update so reject them here.
+      if new_plaintext.empty?
+        errors.add :password, :blank
+        return false
+      end
+
+      self.password = new_plaintext
+      self.password_confirmation = new_plaintext_confirmation
+      save
+    end
+
+  end
+end

data/app/models/quo_vadis/password_reset_token.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class PasswordResetToken < Token
+    class << self
+
+      def expires_at
+        QuoVadis.password_reset_token_lifetime.from_now.to_i
+      end
+
+      def data_for_hmac(data, account)
+        "#{data}-#{account.password.password_digest}"
+      end
+
+    end
+  end
+end

data/app/models/quo_vadis/recovery_code.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class RecoveryCode < ActiveRecord::Base
+    belongs_to :account
+
+    has_secure_password :code
+    before_validation { send("code=", self.class.generate_code) unless code }
+
+    # Returns true and destroys this instance if the plaintext code is authentic, false otherwise.
+    def authenticate_code(plaintext_code)
+      !!(destroy if super)
+    end
+
+    private
+
+    CODE_LENGTH = 11  # odd number
+
+    # Returns a string of length CODE_LENGTH, with two hexadecimal groups
+    # separated by a hyphen.
+    def self.generate_code
+      group_length = (CODE_LENGTH - 1) / 2
+      SecureRandom.hex(group_length).insert(group_length, '-')
+    end
+  end
+end

data/app/models/quo_vadis/session.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module QuoVadis
+
+  # A session is started once a user logs in with a password,
+  # regardless of whether 2FA is also required.
+  class Session < ActiveRecord::Base
+    include IpMasking
+
+    belongs_to :account
+    validates :ip, presence: true
+
+    attribute :last_seen_at, :datetime, default: -> { Time.now.utc }
+
+    def logout_other_sessions
+      account.sessions.reject { |s| s == self }.each &:destroy
+    end
+
+    def authenticated_with_second_factor
+      touch :second_factor_at
+    end
+
+    def reset_authenticated_with_second_factor
+      update second_factor_at: nil
+    end
+
+    def second_factor_authenticated?
+      !second_factor_at.nil?
+    end
+
+    def expired?
+      exceeded_lifetime? || exceeded_idle_timeout?
+    end
+
+    def replace
+      destroy.dup.tap &:save
+    end
+
+    private
+
+    def exceeded_lifetime?
+      return false if browser_session?
+      lifetime_expires_at < Time.now.utc
+    end
+
+    def browser_session?
+      lifetime_expires_at.nil?
+    end
+
+    def exceeded_idle_timeout?
+      return false if QuoVadis.session_idle_timeout == :lifetime
+      QuoVadis.session_idle_timeout.since(last_seen_at) < Time.now.utc
+    end
+  end
+end