quo_vadis 2.1.11 → 2.2.0

data/app/models/quo_vadis/account.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'rotp'
+
 module QuoVadis
   class Account < ActiveRecord::Base
 
@@ -18,6 +20,26 @@ module QuoVadis
     after_update :log_identifier_change, if: :saved_change_to_identifier?
     after_update :notify_identifier_change, if: :saved_change_to_identifier?
 
+    scope :unconfirmed, -> { where confirmed_at: nil }
+
+    def otp_for_confirmation(counter)
+      hotp_for_confirmation.at(counter)
+    end
+
+    # If the `otp` is valid for the `counter`, confirms the account and returns truthy.
+    # Otherwise returns falsey.
+    def confirm(otp, counter)
+      hotp_for_confirmation.verify(otp, counter) && confirmed!
+    end
+
+    def otp_for_password_reset(counter)
+      hotp_for_password_reset.at(counter)
+    end
+
+    def verify_password_reset(otp, counter)
+      hotp_for_password_reset.verify(otp, counter)
+    end
+
     def confirmed?
       confirmed_at.present?
     end
@@ -51,6 +73,16 @@ module QuoVadis
 
     private
 
+    def hotp_for_confirmation
+      key = ROTP::Base32.encode("#{id}-#{Rails.application.secret_key_base}")
+      ROTP::HOTP.new(key)
+    end
+
+    def hotp_for_password_reset
+      key = ROTP::Base32.encode("#{id}-#{password.password_digest}")
+      ROTP::HOTP.new(key)
+    end
+
     def log_identifier_change
       from, to = saved_change_to_identifier
       Log.create(

data/app/models/quo_vadis/password.rb

@@ -46,7 +46,12 @@ module QuoVadis
 
       self.password = new_plaintext
       self.password_confirmation = new_plaintext_confirmation
-      save
+      if save
+        # Logout account's sessions because password has changed.
+        # Assumes model is not logged in.
+        account.sessions.destroy_all
+        true
+      end
     end
 
     private

data/app/views/quo_vadis/confirmations/new.html.erb

@@ -1,16 +1,28 @@
-<h1>Resend confirmation instructions</h1>
+<h1>Account confirmation</h1>
 
-<%# Note that in this example the User identifier is :email. %>
+<p>We have sent a confirmation code to <%= @account.model.email %>.</p>
 
-<p>If you didn't receive the confirmation email, please enter your email address and we'll send you another one.</p>
+<!-- flash could go here -->
 
-<%= form_with url: confirmations_path, method: :post do |f| %>
+<%= form_with url: confirm_path, method: :post do %>
   <p>
-    <%= f.label :email %>
-    <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>
+    <label for="otp">Your confirmation code:</label>
+    <input
+        name="otp"
+        id="otp"
+        type="text"
+        inputmode="numeric"
+        pattern="\d*"
+        autofocus="true"
+        autocomplete="one-time-password"
+        maxlength="6">
   </p>
 
   <p>
-    <%= f.submit %>
+    <button type="submit">Confirm me!</button>
   </p>
 <% end %>
+
+<p>
+  <%= button_to "Send me a new confirmation code", send_confirmation_path %>
+</p>

data/app/views/quo_vadis/mailer/account_confirmation.text.erb

@@ -1,4 +1,3 @@
-You can confirm your account here:
-
-<%= @url %>
+This is your confirmation code:
 
+<%= @otp %>

data/app/views/quo_vadis/mailer/reset_password.text.erb

@@ -1,4 +1,4 @@
-You can reset your password here:
+Here is your code so you can reset your password:
 
-<%= @url %>
+<%= @otp %>
 

data/app/views/quo_vadis/password_resets/edit.html.erb

@@ -1,6 +1,18 @@
 <h1>Reset password</h1>
 
-<%= form_with model: @password, url: password_reset_path(params[:token]), method: :put do |f| %>
+<%= form_with model: @password, url: password_reset_path, method: :put do |f| %>
+  <p>
+    <%= f.label :otp, 'Your password reset code' %>
+    <%= f.text_field :otp,
+      value: params.dig(:password, :otp),
+      inputmode: 'numeric',
+      pattern: '\d*',
+      autofocus: true,
+      autocomplete: 'one-time-password',
+      maxlength: 6 %>
+  </p>
+
+
   <p>
     <%= f.label :password %>
     <%= f.password_field :password, autocomplete: 'new-password' %>

data/app/views/quo_vadis/password_resets/new.html.erb

@@ -1,6 +1,6 @@
 <h1>Reset password</h1>
 
-<%= form_with url: password_resets_path, method: :post do |f| %>
+<%= form_with url: password_reset_path, method: :post do |f| %>
   <p>
     <%= f.label :email %>
     <%= f.text_field :email, inputmode: 'email', autocomplete: 'email' %>

data/config/locales/quo_vadis.en.yml

@@ -11,15 +11,17 @@ en:
       password:
         update: Your password has been changed.
       password_reset:
-        create: A link to change your password has been emailed to you.
-        unknown: Either the link has expired or you have already reset your password.
+        create: Please check your email for your reset code.
+        unknown: Please check your email for your reset code.
+        expired: Your reset code has expired.  Please request another one.
+        invalid: Sorry, the code was incorrect.  Please try again.
         reset: Your password has been changed and you are logged in.
       confirmation:
-        create: A link to confirm your account has been emailed to you.
-        required: Please confirm your account first.
-        identifier: Sorry, your account could not be found.  Please try again.
-        unknown: Either the link has expired or your account has already been confirmed.
-        confirmed: Thanks for confirming your account.  You are now logged in.
+        unknown: You have already confirmed your account.
+        sent: Please check your email for your confirmation code.
+        expired: Your confirmation code has expired.  Please request another one.
+        invalid: Sorry, the code was incorrect.  Please try again.
+        confirmed: Thanks for confirming your account.
       totp:
         unverified: Sorry, the code was incorrect. Please check your system clock is correct and try again.
         setup: Please set up two factor authentication.

data/config/routes.rb

@@ -11,19 +11,11 @@ QuoVadis::Engine.routes.draw do
 
   resource  :password, only: [:edit, :update]
 
-  resources :password_resets, only: [:new, :create, :index]
-  get '/pwd-reset/:token', to: 'password_resets#edit', as: 'password_reset'
-  put '/pwd-reset/:token', to: 'password_resets#update'
+  resource :password_reset, only: [:new, :create, :edit, :update]
 
-  resources :confirmations, only: [:new, :create, :index] do
-    collection do
-      get :edit_email
-      put :update_email
-      post :resend
-    end
-  end
-  get '/confirm/:token', to: 'confirmations#edit', as: 'confirmation'
-  put '/confirm/:token', to: 'confirmations#update'
+  get  '/confirm', to: 'confirmations#new'
+  post '/confirm', to: 'confirmations#create'
+  post '/confirm/send', to: 'confirmations#resend', as: 'send_confirmation'
 
   resources :totps, only: [:new, :create] do
     collection do

data/lib/quo_vadis/controller.rb

@@ -16,7 +16,13 @@ module QuoVadis
 
 
     def require_password_authentication
-      return if logged_in?
+      if logged_in?
+        if QuoVadis.accounts_require_confirmation && !authenticated_model.qv_account.confirmed?
+          qv.request_confirmation authenticated_model
+          redirect_to quo_vadis.confirm_path
+        end
+        return
+      end
       session[:qv_bookmark] = request.original_fullpath
       redirect_to quo_vadis.login_path, notice: QuoVadis.translate('flash.require_authentication')
     end
@@ -85,15 +91,6 @@ module QuoVadis
     end
 
 
-    def request_confirmation(model)
-      token = QuoVadis::AccountConfirmationToken.generate model.qv_account
-      QuoVadis.deliver :account_confirmation, {email: model.email, url: quo_vadis.confirmation_url(token)}
-      session[:account_pending_confirmation] = model.qv_account.id
-
-      flash[:notice] = QuoVadis.translate 'flash.confirmation.create'
-    end
-
-
     def qv
       @qv_wrapper ||= QuoVadisWrapper.new self
     end
@@ -143,6 +140,19 @@ module QuoVadis
         old_session.each { |k,v| rails_session[k] = v }
       end
 
+      def request_confirmation(model)
+        rails_session[:account_pending_confirmation] = model.qv_account.id
+
+        expiration = QuoVadis.account_confirmation_otp_lifetime.from_now.to_i
+        rails_session[:account_confirmation_expires_at] = expiration
+
+        otp = model.qv_account.otp_for_confirmation(expiration)
+
+        QuoVadis.deliver :account_confirmation, {email: model.email, otp: otp}
+
+        controller.flash[:notice] = QuoVadis.translate 'flash.confirmation.sent'
+      end
+
       # Assumes user is logged in.
       def second_factor_required?
         QuoVadis.two_factor_authentication_mandatory || authenticated_model.qv_account.has_two_factors?

data/lib/quo_vadis/defaults.rb

@@ -7,9 +7,9 @@ QuoVadis.configure do
   session_lifetime                      :session
   session_lifetime_extend_to_end_of_day false
   session_idle_timeout                  :lifetime
-  password_reset_token_lifetime         10.minutes
+  password_reset_otp_lifetime           10.minutes
   accounts_require_confirmation         false
-  account_confirmation_token_lifetime   10.minutes
+  account_confirmation_otp_lifetime     10.minutes
   mailer_superclass                     'ApplicationMailer'
   mail_headers                          ({ from: 'Example App <support@example.com>' })
   enqueue_transactional_emails          true

data/lib/quo_vadis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module QuoVadis
-  VERSION = '2.1.11'
+  VERSION = '2.2.0'
 end

data/lib/quo_vadis.rb

@@ -24,11 +24,11 @@ module QuoVadis
     :session_lifetime,                     # :session | ActiveSupport::Duration | [integer] seconds
     :session_lifetime_extend_to_end_of_day,# true | false
     :session_idle_timeout,                 # :lifetime | ActiveSupport::Duration | [integer] seconds
-    :password_reset_token_lifetime,        # ActiveSupport::Duration | [integer] seconds
+    :password_reset_otp_lifetime,          # ActiveSupport::Duration | [integer] seconds
     :mailer_superclass,                    # string
     :mail_headers,                         # hash
     :accounts_require_confirmation,        # true | false
-    :account_confirmation_token_lifetime,  # ActiveSupport::Duration | [integer] seconds
+    :account_confirmation_otp_lifetime,    # ActiveSupport::Duration | [integer] seconds
     :enqueue_transactional_emails,         # true | false
     :app_name,                             # string
     :two_factor_authentication_mandatory,  # true | false

data/test/dummy/app/controllers/sign_ups_controller.rb

@@ -1,8 +1,6 @@
 # To test sign-ups with confirmation (activation / verification)
 class SignUpsController < ApplicationController
 
-  around_action :toggle_confirmation
-
   def new
     @user = User.new
   end
@@ -11,9 +9,9 @@ class SignUpsController < ApplicationController
   def create
     @user = User.new user_params
     if @user.save
+      login @user
       if QuoVadis.accounts_require_confirmation
-        request_confirmation @user
-        redirect_to quo_vadis.confirmations_path
+        redirect_to secret_articles_path
       else
         redirect_to articles_path
       end
@@ -37,11 +35,4 @@ class SignUpsController < ApplicationController
     params.require(:user).permit(:name, :email, :password, :password_confirmation)
   end
 
-  def toggle_confirmation
-    QuoVadis.accounts_require_confirmation true
-    yield
-  ensure
-    QuoVadis.accounts_require_confirmation false
-  end
-
 end

data/test/fixtures/quo_vadis/mailer/account_confirmation.text

@@ -1,4 +1,3 @@
-You can confirm your account here:
-
-http://example.com/confirm/123abc
+This is your confirmation code:
 
+271828

data/test/fixtures/quo_vadis/mailer/reset_password.text

@@ -1,4 +1,4 @@
-You can reset your password here:
+Here is your code so you can reset your password:
 
-http://example.com/pwd-reset/123abc
+314159
 

data/test/integration/account_confirmation_test.rb

@@ -14,136 +14,92 @@ class AccountConfirmationTest < IntegrationTest
   test 'new signup requiring confirmation' do
     assert_emails 1 do
       post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+      refute QuoVadis::Account.last.confirmed?
+      assert controller.logged_in?
+
+      # verify response
+      assert_redirected_to '/articles/secret'
+      follow_redirect!
+      assert_redirected_to '/confirm'
+      follow_redirect!
+      assert_equal 'Please check your email for your confirmation code.', flash[:notice]
     end
-    refute QuoVadis::Account.last.confirmed?
-
-    # verify response
-    assert_response :redirect
-    follow_redirect!
-    assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
 
-    # click link in email
-    url = extract_url_from_email
-    get url
-    assert_response :success
-    action_path = extract_path_from_email
-    assert_select "form[action='#{action_path}']"
-
-    # click button on confirmation page
-    put action_path
+    # type in confirmation code from email
+    code = extract_code_from_email
+    post quo_vadis.confirm_path(otp: code)
 
     # verify logged in
     assert_redirected_to '/sign_ups/confirmed'
     follow_redirect!
     assert_redirected_to '/articles/secret'
-    assert_equal 'Thanks for confirming your account.  You are now logged in.', flash[:notice]
-    assert controller.logged_in?
+    assert_equal 'Thanks for confirming your account.', flash[:notice]
     assert QuoVadis::Account.last.confirmed?
   end
 
 
-  test 'new signup updates email' do
-    assert_emails 1 do
-      post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
-    end
-
-    get quo_vadis.edit_email_confirmations_path
-    assert_response :success
-
-    # First email: changed-email notifier sent to original address
-    # Second email: confirmation email sent to new address
-    assert_emails 2 do
-      put quo_vadis.update_email_confirmations_path(email: 'bobby@example.com')
-    end
-    assert_equal ['bobby@example.com'], ActionMailer::Base.deliveries.last.to
-    assert_redirected_to quo_vadis.confirmations_path
-  end
-
-
-  test 'resend confirmation email in same session' do
+  test 'resend confirmation email' do
     assert_emails 1 do
       post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+      assert_redirected_to '/articles/secret'
+      follow_redirect!
     end
 
     assert_emails 1 do
-      post quo_vadis.resend_confirmations_path
+      post quo_vadis.send_confirmation_path
     end
   end
 
 
-  test 'resend confirmation email: valid identifier' do
-    User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
-
-    get quo_vadis.new_confirmation_path
-    assert_response :success
-
-    assert_emails 1 do
-      post quo_vadis.confirmations_path(email: 'bob@example.com')
-    end
-
-    assert_redirected_to  '/confirmations'
-    assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
-  end
-
-
-  test 'resend confirmation email: unknown identifier' do
-    assert_no_emails do
-      post quo_vadis.confirmations_path(email: 'bob@example.com')
-    end
-
-    assert_redirected_to quo_vadis.new_confirmation_path
-    assert_equal 'Sorry, your account could not be found.  Please try again.', flash[:alert]
-  end
-
-
-  test 'reusing a token' do
+  test 'cannot reuse a confirmation code' do
     assert_emails 1 do
       post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+      follow_redirect!
     end
 
-    put extract_path_from_email
+    code = extract_code_from_email
+    post quo_vadis.confirm_path(otp: code)
+    assert QuoVadis::Account.last.confirmed?
+    assert_equal 'Thanks for confirming your account.', flash[:notice]
 
+    post quo_vadis.confirm_path(otp: code)
+    assert_equal 'You have already confirmed your account.', flash[:alert]
     assert_redirected_to '/sign_ups/confirmed'
-    follow_redirect!
-    assert_redirected_to '/articles/secret'
-    assert_equal 'Thanks for confirming your account.  You are now logged in.', flash[:notice]
-
-    put extract_path_from_email
-    assert_redirected_to quo_vadis.new_confirmation_path
-    assert_equal 'Either the link has expired or your account has already been confirmed.', flash[:alert]
   end
 
 
-  test 'token expired' do
+  test 'confirmation code expired' do
     assert_emails 1 do
       post sign_ups_path(user: {name: 'Bob', email: 'bob@example.com', password: '123456789abc'})
+      follow_redirect!
     end
 
-    travel QuoVadis.account_confirmation_token_lifetime + 1.minute
-    get extract_url_from_email
+    travel QuoVadis.account_confirmation_otp_lifetime + 1.minute
 
-    assert_redirected_to quo_vadis.new_confirmation_path
-    assert_equal 'Either the link has expired or your account has already been confirmed.', flash[:alert]
+    code = extract_code_from_email
+    post quo_vadis.confirm_path(otp: code)
+    refute QuoVadis::Account.last.confirmed?
+    assert_equal 'Your confirmation code has expired.  Please request another one.', flash[:alert]
+    assert_redirected_to quo_vadis.confirm_path
   end
 
 
-  test 'accounts requiring confirmation cannot log in' do
+  test 'accounts requiring confirmation can log in but have to confirm' do
     User.create! name: 'bob', email: 'bob@example.com', password: '123456789abc'
     post quo_vadis.login_path(email: 'bob@example.com', password: '123456789abc')
-    assert_redirected_to quo_vadis.new_confirmation_path
-    assert_equal 'Please confirm your account first.', flash[:notice]
-    refute controller.logged_in?
+    assert_redirected_to '/articles/secret'
+    follow_redirect!
+    assert_redirected_to quo_vadis.confirm_path
+    follow_redirect!
+    assert controller.logged_in?
+    assert_equal 'Please check your email for your confirmation code.', flash[:notice]
   end
 
 
   private
 
-  def extract_url_from_email
-    ActionMailer::Base.deliveries.last.decoded[%r{^http://.*$}, 0]
-  end
-
-  def extract_path_from_email
-    extract_url_from_email.sub 'http://www.example.com', ''
+  def extract_code_from_email
+    ActionMailer::Base.deliveries.last.decoded[%r{\d{6}}, 0]
   end
 
 end

data/test/integration/controller_test.rb

@@ -206,14 +206,14 @@ class ControllerTest < IntegrationTest
   end
 
 
-  test 'request_confirmation' do
-    get articles_path
-
-    assert_emails 1 do
-      controller.request_confirmation User.last
-    end
-    assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
-  end
+  # test 'request_confirmation' do
+  #   get articles_path
+
+  #   assert_emails 1 do
+  #     controller.request_confirmation User.last
+  #   end
+  #   assert_equal 'A link to confirm your account has been emailed to you.', flash[:notice]
+  # end
 
 
   test 'session lifetime exceeded' do

data/test/integration/logging_test.rb

@@ -163,22 +163,42 @@ class LoggingTest < IntegrationTest
 
 
   test 'password.reset' do
+    assert_emails 1 do
+      post quo_vadis.password_reset_path(email: 'bob@example.com')
+      follow_redirect!
+    end
+
     assert_difference 'QuoVadis::Log.count', 2 do
-      token = QuoVadis::PasswordResetToken.generate @account
-      put quo_vadis.password_reset_path(token, password: {password: 'xxxxxxxxxxxx', password_confirmation: 'xxxxxxxxxxxx'})
+      put quo_vadis.password_reset_path(password: {
+        otp: extract_code_from_email,
+        password: 'secretsecret',
+        password_confirmation: 'secretsecret',
+      })
     end
+
     assert_equal QuoVadis::Log::PASSWORD_RESET, QuoVadis::Log.first.action
     assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
   end
 
 
   test 'account.confirmation' do
-    assert_difference 'QuoVadis::Log.count', 2 do
-      token = QuoVadis::AccountConfirmationToken.generate @account
-      put quo_vadis.confirmation_path(token)
+    QuoVadis.accounts_require_confirmation true
+
+    assert_emails 1 do
+      login
+      assert_redirected_to '/articles/secret'
+      follow_redirect!
+      assert_redirected_to '/confirm'
+      follow_redirect!
     end
-    assert_equal QuoVadis::Log::ACCOUNT_CONFIRMATION, QuoVadis::Log.first.action
-    assert_equal QuoVadis::Log::LOGIN_SUCCESS, log.action
+
+    assert_difference 'QuoVadis::Log.count' do
+      post quo_vadis.confirm_path(otp: extract_code_from_email)
+    end
+
+    assert_equal QuoVadis::Log::ACCOUNT_CONFIRMATION, log.action
+  ensure
+    QuoVadis.accounts_require_confirmation false
   end
 
 
@@ -241,4 +261,8 @@ class LoggingTest < IntegrationTest
     end
   end
 
+  def extract_code_from_email
+    ActionMailer::Base.deliveries.last.decoded[%r{\d{6}}, 0]
+  end
+
 end

data/test/integration/password_login_test.rb

@@ -105,7 +105,7 @@ class PasswordLoginTest < IntegrationTest
     travel 5.days
 
     get articles_path
-    assert controller.logged_in?  # flakey
+    assert controller.logged_in?
 
     travel 3.days