quo_vadis 1.4.2 → 2.0.0

data/app/models/quo_vadis/token.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class Token
+    extend Hmacable
+
+    class << self
+
+      def generate(account)
+        public_data = "#{account.id}-#{expires_at}"
+        data = data_for_hmac public_data, account
+        "#{public_data}--#{compute_hmac(data)}"
+      end
+
+      def find_account(token)
+        provided_public_data, provided_hmac = token.split '--'
+        id, expires_at = provided_public_data.split '-'
+        account = Account.find id
+        data = data_for_hmac provided_public_data, account
+        actual_hmac = compute_hmac data
+        return nil unless timing_safe_eql? provided_hmac, actual_hmac
+        return nil if expires_at.to_i < Time.current.to_i
+        account
+      rescue
+        nil
+      end
+
+      private
+
+      attr_reader :account
+
+      def expires_at
+        raise NotImplementedError
+      end
+
+      def data_for_hmac(public_data, account)
+        raise NotImplementedError
+      end
+
+    end
+  end
+end

data/app/models/quo_vadis/totp.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'rotp'
+require 'rqrcode'
+
+module QuoVadis
+  class Totp < ActiveRecord::Base
+    extend Hmacable
+
+    attribute :key, :qv_encrypted, default: -> { ROTP::Base32.random }
+    attribute :hmac_key, :string
+    attribute :provided_hmac_key, :string
+
+    belongs_to :account
+
+    validate :key_not_tampered_with, if: -> { provided_hmac_key.present? }
+    validates :key, presence: true
+
+
+    def qr_code
+      RQRCode::QRCode.new(
+        ROTP::TOTP.new(key, issuer: QuoVadis.app_name).provisioning_uri(account.identifier)
+      )
+    end
+
+
+    def hmac_key
+      self.class.compute_hmac key
+    end
+
+
+    # Returns true and saves the record if `otp` is valid, false otherwise.
+    def verify(otp)
+      if (_last_used_at = ROTP::TOTP.new(key).verify otp, after: last_used_at)
+        self.last_used_at = _last_used_at
+        save
+      else
+        false
+      end
+    end
+
+
+    def reused?(otp)
+      totp = ROTP::TOTP.new key
+      !totp.verify(otp, after: last_used_at) && totp.verify(otp)
+    end
+
+
+    private
+
+    def key_not_tampered_with
+      errors.add :key, :invalid unless self.class.timing_safe_eql? provided_hmac_key, hmac_key
+    end
+
+  end
+end

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "quo_vadis"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/rails

@@ -0,0 +1,21 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails gems
+# installed from the root of your application.
+
+ENGINE_ROOT = File.expand_path('..', __dir__)
+ENGINE_PATH = File.expand_path('../lib/quo_vadis/engine', __dir__)
+APP_PATH = File.expand_path('../test/dummy/config/application', __dir__)
+
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
+require "bundler/setup" if File.exist?(ENV["BUNDLE_GEMFILE"])
+
+require "active_model/railtie"
+require "active_record/railtie"
+# require "action_controller/railtie"
+# require "action_view/railtie"
+# require "action_mailer/railtie"
+require "rails/test_unit/railtie"
+
+# require "rails/all"
+require "rails/engine/commands"

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/config/locales/quo_vadis.en.yml

@@ -1,28 +1,55 @@
 en:
   quo_vadis:
     flash:
-      sign_in:
-        before: 'Please sign in first.'
-        after: 'You have successfully signed in.'
-        failed: 'Sorry, we did not recognise you.'
-        blocked: 'Sorry, your account is blocked.'
+      login:
+        failed: Sorry, we did not recognise you.
+        success: Welcome back!
+      logout:
+        self: You have logged out.
+        other: You have logged out of the other session.
+      require_authentication: Please log in first.
+      password:
+        update: Your password has been changed.
+      password_reset:
+        create: A link to change your password has been emailed to you.
+        unknown: Either the link has expired or you have already reset your password.
+        reset: Your password has been changed and you are logged in.
+      confirmation:
+        create: A link to confirm your account has been emailed to you.
+        required: Please confirm your account first.
+        identifier: Sorry, your account could not be found.  Please try again.
+        unknown: Either the link has expired or your account has already been confirmed.
+        confirmed: Thanks for confirming your account.  You are now logged in.
+      totp:
+        unverified: Sorry, the code was incorrect. Please check your system clock is correct and try again.
+        setup: Please set up two factor authentication.
+      recovery_code:
+        unverified: Sorry, the code was incorrect. Please try again (you cannot reuse a code you have used before).
+        success:
+          zero: You have used up all your recovery codes now. Please generate a new set.
+          one: You have one recovery code left.
+          other: You have %{count} recovery codes left.
+      2fa:
+        invalidated: You have invalidated your 2FA credentials and recovery codes.
 
-      sign_out: 'You have successfully signed out.'
-
-      forgotten:
-        unknown: "Sorry, we did not recognise you."
-        no_email: "Sorry, we don't have an email address for you."
-        sent_email: "We've emailed you a link where you can change your password."
-        invalid_token: "Sorry, this link isn't valid anymore."
-        password_changed: "You have successfully changed your password and you're now signed in."
-
-      activation:
-        accepted: "Your account is active and you're now signed in."
-        invalid_token: "Sorry, this link isn't valid anymore."
-        invalid_credentials: "Sorry, we couldn't accept that username and/or password."
-
-    notifier:
-      change_password:
+    mailer:
+      password_reset:
         subject: Change your password
-      invite:
-        subject: Activate your account
+      confirmation:
+        subject: Please confirm your account
+      notification:
+        email_change: Your email address has been changed
+        identifier_change: Your %{identifier} has been changed
+        password_change: Your password has been changed
+        password_reset: Your password has been reset
+        totp_setup: Two-factor authentication was set up just now
+        totp_reuse: Your two-factor authentication code was reused just now
+        twofa_deactivated: Two-factor authentication was deactivated just now
+        recovery_codes_generation: Recovery codes have been generated for your account
+  activerecord:
+    errors:
+      models:
+        quo_vadis/password:
+          attributes:
+            password:
+              incorrect: is incorrect

data/config/routes.rb

@@ -1,15 +1,43 @@
-Rails.application.routes.draw do
-  scope :module => 'quo_vadis' do
-    get  'sign-in'                 => 'sessions#new',       :as => 'sign_in'
-    post 'sign-in'                 => 'sessions#create',    :as => 'sign_in'
-    get  'sign-out'                => 'sessions#destroy',   :as => 'sign_out'
-    get  'sign-in/forgotten'       => 'sessions#forgotten', :as => 'forgotten_sign_in'
-    post 'sign-in/forgotten'       => 'sessions#forgotten', :as => 'forgotten_sign_in'
-    constraints :token => /.+/ do
-      get  'sign-in/change-password/:token' => 'sessions#edit',   :as => 'change_password'
-      put  'sign-in/change-password/:token' => 'sessions#update', :as => 'change_password'
-      get  'sign-in/invite/:token'          => 'sessions#invite', :as => 'invitation'
-      post 'sign-in/accept/:token'          => 'sessions#accept', :as => 'activation'
+# frozen_string_literal: true
+
+QuoVadis::Engine.routes.draw do
+  get    'login',  to: 'sessions#new'
+  post   'login',  to: 'sessions#create'
+  delete 'logout', to: 'sessions#destroy'
+
+  resources :logs, only: :index
+
+  resources :sessions, only: [:index, :destroy]
+
+  resource  :password, only: [:edit, :update]
+
+  resources :password_resets, only: [:new, :create, :index]
+  get '/pwd-reset/:token', to: 'password_resets#edit',   as: 'edit_password_reset'
+  put '/pwd-reset/:token', to: 'password_resets#update', as: 'password_reset'
+
+  resources :confirmations, only: [:new, :create, :index]
+  get '/confirm/:token', to: 'confirmations#edit',   as: 'edit_confirmation'
+  put '/confirm/:token', to: 'confirmations#update', as: 'confirmation'
+
+  resources :totps, only: [:new, :create] do
+    collection do
+      get :challenge
+      post :authenticate
+    end
+  end
+
+  resources :recovery_codes, only: [:index] do
+    collection do
+      get :challenge
+      post :authenticate
+      post :generate
     end
   end
+
+  resource :twofa, path: '2fa'
+end
+
+
+Rails.application.routes.draw do
+  mount QuoVadis::Engine, at: QuoVadis.mount_point, as: :quo_vadis
 end

data/db/migrate/202102150904_setup.rb

@@ -0,0 +1,48 @@
+class Setup < ActiveRecord::Migration[6.0]
+  def change
+    create_table :qv_accounts do |t|
+      t.references :model, polymorphic: true, index: {unique: true}, null: false
+      t.string :identifier, index: {unique: true}, null: false
+      t.datetime :confirmed_at
+      t.timestamps
+    end
+
+    create_table :qv_passwords do |t|
+      t.references :account, foreign_key: {to_table: :qv_accounts}, null: false
+      t.string :password_digest, null: false
+      t.timestamps
+    end
+
+    create_table :qv_sessions do |t|
+      t.references :account, foreign_key: {to_table: :qv_accounts}, null: false
+      t.string :ip, null: false
+      t.string :user_agent, null: false
+      t.datetime :lifetime_expires_at
+      t.datetime :last_seen_at
+      t.datetime :second_factor_at
+      t.timestamps
+    end
+
+    create_table :qv_totps do |t|
+      t.references :account, foreign_key: {to_table: :qv_accounts}, null: false
+      t.string :key, null: false
+      t.integer :last_used_at, null: false
+      t.timestamps
+    end
+
+    create_table :qv_recovery_codes do |t|
+      t.references :account, foreign_key: {to_table: :qv_accounts}, null: false
+      t.string :code_digest, null: false
+      t.timestamps
+    end
+
+    create_table :qv_logs do |t|
+      t.references :account, foreign_key: {to_table: :qv_accounts}
+      t.string :action, null: false
+      t.string :ip, null: false
+      t.json :metadata, null: false, default: {}
+      t.timestamps
+    end
+  end
+end
+

data/lib/generators/quo_vadis/install_generator.rb

@@ -1,29 +1,10 @@
-require 'rails/generators'
-require 'rails/generators/migration'
-require 'rails/generators/active_record/migration'
-
 module QuoVadis
   class InstallGenerator < Rails::Generators::Base
-    include Rails::Generators::Migration
-    extend ActiveRecord::Generators::Migration
-
-    source_root File.expand_path('../templates', __FILE__)
-    argument :model_name, :type => :string, :default => 'User'
-
-    desc 'Copies an initializer, a locale file, and a migration to your application.'
+    source_root Pathname.new(__dir__) / '..' / '..' / '..' / 'test' / 'dummy' / 'app' / 'views' / 'quo_vadis'
 
-
-    def copy_locale_file
-      copy_file '../../../../config/locales/quo_vadis.en.yml', 'config/locales/quo_vadis.en.yml'
+    desc "Copy QuoVadis' views into your app."
+    def copy_views
+      directory '.', Pathname.new('app') / 'views' / 'quo_vadis'
     end
-
-    def copy_initializer_file
-      template 'quo_vadis.rb.erb', 'config/initializers/quo_vadis.rb'
-    end
-
-    def create_migration_file
-      migration_template 'migration.rb.erb', "db/migrate/add_authentication_to_#{model_name.tableize}.rb"
-    end
-
   end
 end

data/lib/quo_vadis.rb

@@ -1,119 +1,121 @@
-require 'quo_vadis/engine'
-require 'active_support/core_ext/numeric/time'
+# frozen_string_literal: true
 
 module QuoVadis
 
-  # The model we want to authenticate.
-  mattr_accessor :model # :nodoc:
-  @@model = 'User'
-
-  def self.model_class # :nodoc
-    @@model.constantize
-  end
-
-  def self.model_instance_name # :nodoc
-    @@model.tableize.singularize  # e.g. 'user'
-  end
-
-
-  #
-  # Sign in
-  #
-
-  # The URL to redirect the user to after s/he signs in.
-  mattr_accessor :signed_in_url
-  @@signed_in_url = :root
-
-  # Whether the `:signed_in_url` should override the URL the user was trying
-  # to reach when they were made to authenticate.
-  mattr_accessor :override_original_url
-  @@override_original_url = false
-
-  def self.signed_in_url(user, original_url, controller) # :nodoc:
-    if original_url && !@@override_original_url
-      original_url
-    else
-      @@signed_in_url.respond_to?(:call) ?  @@signed_in_url.call(user, controller) : @@signed_in_url
+  Error = Class.new StandardError
+  PasswordExistsError = Class.new QuoVadis::Error
+
+  def self.accessor(*names)
+    names.each do |name|
+      define_singleton_method name do |val = nil|
+        if !val.nil?
+          instance_variable_set :"@#{name}", val
+        else
+          instance_variable_get :"@#{name}"
+        end
+      end
     end
   end
 
-  # Code to run when the user has signed in.
-  mattr_accessor :signed_in_hook
-  @@signed_in_hook = nil
-
-  def self.signed_in_hook(user, controller) # :nodoc:
-    @@signed_in_hook.call(user, controller) if @@signed_in_hook
-  end
-
-  # Code to run when someone has tried but failed to sign in.
-  mattr_accessor :failed_sign_in_hook
-  @@failed_sign_in_hook = nil
-
-  def self.failed_sign_in_hook(controller) # :nodoc:
-    @@failed_sign_in_hook.call(controller) if @@failed_sign_in_hook
-  end
-
-  # How long to remember user across browser sessions.
-  mattr_accessor :remember_for
-  @@remember_for = 2.weeks
+  accessor \
+    :password_minimum_length,              # integer
+    :mask_ips,                             # true | false
+    :cookie_name,                          # string
+    :session_lifetime,                     # :session | ActiveSupport::Duration | [integer] seconds
+    :session_lifetime_extend_to_end_of_day,# true | false
+    :session_idle_timeout,                 # :lifetime | ActiveSupport::Duration | [integer] seconds
+    :password_reset_token_lifetime,        # ActiveSupport::Duration | [integer] seconds
+    :mail_headers,                         # hash
+    :accounts_require_confirmation,        # true | false
+    :account_confirmation_token_lifetime,  # ActiveSupport::Duration | [integer] seconds
+    :enqueue_transactional_emails,         # true | false
+    :app_name,                             # string
+    :two_factor_authentication_mandatory,  # true | false
+    :mount_point                           # string
+
+  class << self
+    def configure(&block)
+      module_eval &block
+    end
 
-  # The domain to use for remember-me cookies.
-  mattr_accessor :cookie_domain
-  @@cookie_domain = :all
+    # name - string class name, e.g. 'User'
+    # identifier - attribute symbol, e.g. :username
+    def register_model(name, identifier)
+      models[name] = identifier
+    end
 
+    def find_account_by_identifier_in_params(params)
+      identifier = detect_identifier params.keys
+      Account.find_by identifier: params[identifier]
+    end
 
-  # Whether the sign-in process is blocked to the user.
-  mattr_writer :blocked
-  @@blocked = false
+    # model - string class name, e.g. 'User'
+    # returns string humanised name for the model's identifier, e.g. "Username"
+    def humanise_identifier(model)
+      klass = model.constantize
+      klass.human_attribute_name identifier(model)
+    end
 
-  def self.blocked?(controller) # :nodoc:
-    @@blocked.respond_to?(:call) ? @@blocked.call(controller) : @@blocked
-  end
+    # Translates the key in the :quo_vadis scope, returning nil if it does not exist.
+    # This allows applications to suppress a QuoVadis translation.
+    # For example:
+    #
+    #     en:
+    #       quo_vadis:
+    #         require_authentication:
+    #
+    def translate(key, **options)
+      I18n.t key, **options.merge(scope: :quo_vadis, raise: true) rescue nil
+    end
 
+    def notify(action, params)
+      QuoVadis::Mailer.with(params).send(action).deliver_later
+    end
 
-  #
-  # Sign out
-  #
+    def deliver(action, params)
+      mail = QuoVadis::Mailer.with(params).send(action)
+      QuoVadis.enqueue_transactional_emails ?
+        mail.deliver_later :
+        mail.deliver_now
+    end
 
-  # The URL to redirect the user to after s/he signs out.
-  mattr_accessor :signed_out_url
-  @@signed_out_url = :root
+    # model - string class name, e.g. 'User'
+    # returns attribute symbol, e.g. :username
+    def identifier(model)
+      models[model]
+    end
 
-  def self.signed_out_url(controller) # :nodoc:
-    @@signed_out_url.respond_to?(:call) ? @@signed_out_url.call(controller) : @@signed_out_url
-  end
+    private
 
+    def models
+      @models ||= {}
+    end
 
-  # Code to run just before the user has signed out.
-  mattr_accessor :signed_out_hook
-  @@signed_out_hook = nil
+    def detect_identifier(candidates)
+      (identifiers.map(&:to_s) & candidates.map(&:to_s)).first
+    end
 
-  def self.signed_out_hook(user, controller) # :nodoc:
-    @@signed_out_hook.call(user, controller) if @@signed_out_hook
+    def identifiers
+      models.values.uniq
+    end
   end
+end
 
+require_relative 'quo_vadis/defaults'
+require_relative 'quo_vadis/engine'
+require_relative 'quo_vadis/crypt'
+require_relative 'quo_vadis/encrypted_type'
+require_relative 'quo_vadis/hmacable'
+require_relative 'quo_vadis/ip_masking'
+require_relative 'quo_vadis/model'
+require_relative 'quo_vadis/current_request_details'
+require_relative 'quo_vadis/controller'
+
+ActiveSupport.on_load(:action_controller) do
+  include QuoVadis::Controller
+end
 
-  #
-  # Forgotten-password and activation Mailer
-  #
-
-  # From whom the forgotten-password email should be sent.
-  mattr_accessor :from
-  @@from = 'noreply@example.com'
-
-
-  #
-  # Miscellaneous
-  #
-
-  # Layout for the sign-in view.
-  mattr_accessor :layout
-  @@layout = nil
-
-
-  # Configure from the initializer.
-  def self.configure
-    yield self
-  end
-
+ActiveSupport.on_load(:active_record) do
+  include QuoVadis::Model
 end
+