quo_vadis 1.4.2 → 2.1.1

data/app/models/quo_vadis/token.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module QuoVadis
+  class Token
+    extend Hmacable
+
+    class << self
+
+      def generate(account)
+        public_data = "#{account.id}-#{expires_at}"
+        data = data_for_hmac public_data, account
+        "#{public_data}--#{compute_hmac(data)}"
+      end
+
+      def find_account(token)
+        provided_public_data, provided_hmac = token.split '--'
+        id, expires_at = provided_public_data.split '-'
+        account = Account.find id
+        data = data_for_hmac provided_public_data, account
+        actual_hmac = compute_hmac data
+        return nil unless timing_safe_eql? provided_hmac, actual_hmac
+        return nil if expires_at.to_i < Time.current.to_i
+        account
+      rescue
+        nil
+      end
+
+      private
+
+      attr_reader :account
+
+      def expires_at
+        raise NotImplementedError
+      end
+
+      def data_for_hmac(public_data, account)
+        raise NotImplementedError
+      end
+
+    end
+  end
+end

data/app/models/quo_vadis/totp.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'rotp'
+require 'rqrcode'
+
+module QuoVadis
+  class Totp < ActiveRecord::Base
+    extend Hmacable
+
+    attribute :key, :qv_encrypted, default: -> { ROTP::Base32.random }
+    attribute :hmac_key, :string
+    attribute :provided_hmac_key, :string
+
+    belongs_to :account
+
+    validate :key_not_tampered_with, if: -> { provided_hmac_key.present? }
+    validates :key, presence: true
+
+
+    def qr_code
+      RQRCode::QRCode.new(
+        ROTP::TOTP.new(key, issuer: QuoVadis.app_name).provisioning_uri(account.identifier)
+      )
+    end
+
+
+    def hmac_key
+      self.class.compute_hmac key
+    end
+
+
+    # Returns true and saves the record if `otp` is valid, false otherwise.
+    def verify(otp)
+      if (_last_used_at = ROTP::TOTP.new(key).verify otp, after: last_used_at)
+        self.last_used_at = _last_used_at
+        save
+      else
+        false
+      end
+    end
+
+
+    def reused?(otp)
+      totp = ROTP::TOTP.new key
+      !totp.verify(otp, after: last_used_at) && totp.verify(otp)
+    end
+
+
+    private
+
+    def key_not_tampered_with
+      errors.add :key, :invalid unless self.class.timing_safe_eql? provided_hmac_key, hmac_key
+    end
+
+  end
+end

data/app/views/quo_vadis/confirmations/edit.html.erb

@@ -0,0 +1,10 @@
+<h1>Confirm account</h1>
+
+<%= form_with url: confirmation_path(params[:token]), method: :put do |f| %>
+
+  <p>
+    <label>Please click the button to confirm your account:</label>
+    <%= f.submit %>
+  </p>
+
+<% end %>

data/app/views/quo_vadis/confirmations/edit_email.html.erb

@@ -0,0 +1,14 @@
+<h1>Account confirmation: change email</h1>
+
+<p>Please update your email address.</p>
+
+<%= form_with url: update_email_confirmations_path, method: :put do |f| %>
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email, value: @email, inputmode: 'email', autocomplete: 'email' %>
+  </p>
+
+  <p>
+    <%= f.submit 'Update my email address and send me a new confirmation email' %>
+  </p>
+<% end %>

data/app/views/quo_vadis/confirmations/index.html.erb

@@ -0,0 +1,14 @@
+<h1>Account confirmation</h1>
+
+<% if @account %>
+  <p>We have sent an email to <%= @account.model.email %>.</p>
+
+  <p>Wrong address?  <%= link_to 'Change it', edit_email_confirmations_path %>.</p>
+
+  <p>Didn't receive it?  <%= button_to 'Get another one', resend_confirmations_path %></p>
+
+<% else %>
+  <p>We have sent an email to you.</p>
+
+  <p><%= link_to 'Request a new email', new_confirmation_path %></p>
+<% end %>

data/app/views/quo_vadis/confirmations/new.html.erb

@@ -0,0 +1,16 @@
+<h1>Resend confirmation instructions</h1>
+
+<%# Note that in this example the User identifier is :email. %>
+
+<p>If you didn't receive the confirmation email, please enter your email address and we'll send you another one.</p>
+
+<%= form_with url: confirmations_path, method: :post do |f| %>
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>

data/app/views/quo_vadis/logs/index.html.erb

@@ -0,0 +1,30 @@
+<h1>Logs</h1>
+
+<table>
+  <thead>
+    <tr>
+      <th>Timestamp</th>
+      <th>Action</th>
+      <th>IP</th>
+      <th>Metadata</th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @logs.each do |log| %>
+      <tr>
+        <td><%= log.created_at %></td>
+        <td><%= QuoVadis.translate "log.action.#{log.action}" %></td>
+        <td><%= log.ip %></td>
+        <td><%= log.metadata.empty? ? '' : log.metadata.map {|k,v| "#{k}: #{v}"}.join(', ') %></td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>
+
+<% if @prev_page %>
+  <%= link_to 'Newer', logs_path(page: @prev_page) %>
+<% end %>
+
+<% if @next_page %>
+  <%= link_to 'Older', logs_path(page: @next_page) %>
+<% end %>

data/app/views/quo_vadis/mailer/account_confirmation.text.erb

@@ -0,0 +1,4 @@
+You can confirm your account here:
+
+<%= @url %>
+

data/app/views/quo_vadis/mailer/email_change_notification.text.erb

@@ -0,0 +1,8 @@
+Your email address was changed just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/app/views/quo_vadis/mailer/identifier_change_notification.text.erb

@@ -0,0 +1,8 @@
+Your <%= @identifier %> was changed just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/app/views/quo_vadis/mailer/password_change_notification.text.erb

@@ -0,0 +1,8 @@
+Your password was changed just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/app/views/quo_vadis/mailer/password_reset_notification.text.erb

@@ -0,0 +1,8 @@
+Your password was reset just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/app/views/quo_vadis/mailer/recovery_codes_generation_notification.text.erb

@@ -0,0 +1,8 @@
+Recovery codes for two-factor authentication were generated for your account just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/app/views/quo_vadis/mailer/reset_password.text.erb

@@ -0,0 +1,4 @@
+You can reset your password here:
+
+<%= @url %>
+

data/app/views/quo_vadis/mailer/totp_reuse_notification.text.erb

@@ -0,0 +1,6 @@
+Your two-factor authentication code was reused just now.
+
+It was rejected and whoever reused it was not able to log in.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>

data/app/views/quo_vadis/mailer/totp_setup_notification.text.erb

@@ -0,0 +1,8 @@
+Two-factor authentication was set up on your account just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/app/views/quo_vadis/mailer/twofa_deactivated_notification.text.erb

@@ -0,0 +1,8 @@
+Two-factor authentication was deactivated on your account just now.
+
+Location: <%= @ip %>
+Time: <%= @timestamp.strftime '%e %B at %H:%M (%Z)' %>
+
+If this was you, you don't need to do anything.
+
+If this wasn't you, please let us know.

data/app/views/quo_vadis/password_resets/edit.html.erb

@@ -0,0 +1,17 @@
+<h1>Reset password</h1>
+
+<%= form_with model: @password, url: password_reset_path(params[:token]), method: :put do |f| %>
+  <p>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: 'new-password' %>
+  </p>
+
+  <p>
+    <%= f.label :password_confirmation %>
+    <%= f.password_field :password_confirmation, autocomplete: 'new-password' %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>

data/app/views/quo_vadis/password_resets/index.html.erb

@@ -0,0 +1,5 @@
+<h1>Password reset</h1>
+
+<p>Please check your email.</p>
+
+<p><%= link_to 'Request a new email', new_password_reset_path %></p>

data/app/views/quo_vadis/password_resets/new.html.erb

@@ -0,0 +1,12 @@
+<h1>Reset password</h1>
+
+<%= form_with url: password_resets_path, method: :post do |f| %>
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>

data/app/views/quo_vadis/passwords/edit.html.erb

@@ -0,0 +1,22 @@
+<h1>Change password</h1>
+
+<%= form_with model: @password, url: password_path, method: :put do |f| %>
+  <p>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: 'current-password' %>
+  </p>
+
+  <p>
+    <%= f.label :new_password %>
+    <%= f.password_field :new_password, autocomplete: 'new-password' %>
+  </p>
+
+  <p>
+    <%= f.label :new_password_confirmation %>
+    <%= f.password_field :new_password_confirmation, autocomplete: 'new-password' %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>

data/app/views/quo_vadis/recovery_codes/challenge.html.erb

@@ -0,0 +1,11 @@
+<h1>2FA: Recovery code</h1>
+
+<p>Enter one of your recovery codes:</p>
+
+<%= form_with url: authenticate_recovery_codes_path, method: :post do |f| %>
+  <%= f.text_field :code, inputmode: 'decimal', autofocus: true, maxlength: '11' %>
+
+  <%= f.submit 'Verify' %>
+<% end %>
+
+<p><%= link_to 'Never mind, I want to use my TOTP verification code!', quo_vadis.challenge_totps_path %></p>

data/app/views/quo_vadis/recovery_codes/index.html.erb

@@ -0,0 +1,25 @@
+<h1>2FA: Recovery codes</h1>
+
+<p>If you lose your authenticator app, you can use recovery codes instead while you set up a new authenticator app.</p>
+
+<p>Each code can only be used once.</p>
+
+<% if @codes.present? %>
+
+  <p>This is the only time these codes can be shown to you!  We recommend you print them out and store them somewhere safely – but not next to your 2FA details in your authenticator app.</p>
+
+  <ul>
+    <% @codes.each do |code| %>
+      <li><tt><%= code %></tt></li>
+    <% end %>
+  </ul>
+
+<% else %>
+
+  <p>You have <%= pluralize @recovery_code_count, 'recovery code' %> left.</p>
+
+<% end %>
+
+<p>You can generate a fresh set of recovery codes whenever you like.</p>
+
+<p><%= button_to 'Generate a fresh set of recovery codes', generate_recovery_codes_path %></p>

data/app/views/quo_vadis/sessions/index.html.erb

@@ -0,0 +1,26 @@
+<h1>Sessions</h1>
+
+<table>
+  <thead>
+    <tr>
+      <th>IP</th>
+      <th>User agent</th>
+      <th></th>
+    </tr>
+  </thead>
+  <tbody>
+    <% @qv_sessions.each do |sess| %>
+      <tr>
+        <td><%= sess.ip %></td>
+        <td><%= sess.user_agent %></td>
+        <td>
+          <% if sess.id == @qv_session.id %>
+            This session
+          <% else %>
+            <%= button_to 'Log out', quo_vadis.session_path(sess), method: :delete %>
+          <% end %>
+        </td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>

data/app/views/quo_vadis/sessions/new.html.erb

@@ -0,0 +1,24 @@
+<h1>Login</h1>
+
+<%= form_with url: login_path, method: :post do |f| %>
+  <p>
+    <%= f.label :email %>
+    <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>
+  </p>
+
+  <p>
+    <%= f.label :password %>
+    <%= f.password_field :password, autocomplete: 'current-password' %>
+  </p>
+
+  <p>
+    <%= f.label :remember %>
+    <%= f.check_box :remember %>
+  </p>
+
+  <p>
+    <%= f.submit %>
+  </p>
+<% end %>
+
+<%= link_to 'I forgot my password', new_password_reset_path %>