rails_base 0.75.6 → 0.80.0

data/app/services/rails_base/authentication/decision_twofa_type.rb

@@ -8,30 +8,54 @@ module RailsBase::Authentication
 			# default return values
 			context.set_mfa_randomized_token = false
 			context.sign_in_user = false
+			unless user.email_validated
+				email_context = validate_email_context!
+				check_success!(result: email_context)
+				log(level: :info, msg: "User #{user.id}: redirect_url: #{context.redirect_url}, sign_in_user: #{context.sign_in_user}, flash: #{context.flash}")
+				log_exit
+				return
+			end
 
-			mfa_decision =
-				if user.email_validated
-					if RailsBase.config.mfa.enable? && user.mfa_enabled
-						mfa_enabled_context!
-					else
-						# user has signed up and validated email
-						# user does not have mfa enabled
-						sign_in_user_context!
-						context.flash = { notice: "Welcome. You have succesfully signed in. We suggest enabling 2fa authentication to secure your account" }
-						nil
-					end
-				else
-					validate_email_context!
-				end
+			unless RailsBase.config.mfa.enable?
+				log(level: :info, msg: "MFA on app is not enabled. Bypassing")
+				sign_in_user_context!
+				context.flash = { notice: "Welcome. You have succesfully signed in." }
+				log_exit
+				return
+			end
 
-			if mfa_decision && mfa_decision.failure?
-				log(level: :error, msg: "Service error bubbled up. Failing with: #{mfa_decision.message}")
-				context.fail!(message: mfa_decision.message)
+			mfa_decision = RailsBase::Mfa::Decision.(user: user)
+			check_success!(result: mfa_decision)
+			mfa_type_result = nil
+			case mfa_decision.mfa_type
+			when RailsBase::Mfa::SMS
+				mfa_type_result = sms_enabled_context!(decision: mfa_decision)
+			when RailsBase::Mfa::OTP
+				totp_enabled_context!(decision: mfa_decision)
+			when RailsBase::Mfa::NONE
+				# no MFA type enabled on account
+				sign_in_user_context!
+				context.flash = { notice: "Welcome. You have succesfully signed in." }
+				context.session = { add_mfa_button: true }
+			else
+				raise "Unknown MFA type provided"
 			end
+			check_success!(result: mfa_type_result)
+			log_exit
+		end
 
+		def log_exit
 			log(level: :info, msg: "User #{user.id}: redirect_url: #{context.redirect_url}, sign_in_user: #{context.sign_in_user}, flash: #{context.flash}")
 		end
 
+		def check_success!(result:)
+			return if result.nil?
+			return if result.success?
+
+			log(level: :error, msg: "Service error bubbled up. Failing with: #{result.message}")
+			context.fail!(message: result.message)
+		end
+
 		def validate_email_context!
 			# user has signed up but have not validated their email
 			context.redirect_url = Constants::URL_HELPER.auth_static_path
@@ -48,23 +72,30 @@ module RailsBase::Authentication
 			context.sign_in_user = true
 		end
 
-		def mfa_enabled_context!
-			if user.past_mfa_time_duration?
-				# user has signed up and validated email
-				# user has mfa enabled
-				log(level: :warn, msg: "User needs to go through mfa flow. #{user.last_mfa_login} < #{User.time_bound}")
-				context.redirect_url = Constants::URL_HELPER.mfa_code_path
-				context.set_mfa_randomized_token = true
-				context.mfa_purpose = nil # use default
-				context.flash = { notice: "Please check your mobile device. We sent an SMS for 2fa verification" }
-				result = SendLoginMfaToUser.call(user: user)
+		def totp_enabled_context!(decision:)
+			if decision.mfa_require
+				log(level: :warn, msg: "TOTP MFA required for user")
+				context.redirect_url = RailsBase.url_routes.mfa_with_event_path(mfa_event: :login)
+				context.flash = { notice: "Additional Verification requested" }
+				context.token_ttl = 2.minutes.from_now
+			else
+				sign_in_user_context!
+				context.flash = { notice: "Welcome. You have succesfully signed in via #{decision.mfa_type.to_s.upcase} MFA." }
+				nil
+			end
+		end
+
+		def sms_enabled_context!(decision:)
+			if decision.mfa_require
+				log(level: :warn, msg: "SMS MFA required for user")
+				context.redirect_url = RailsBase.url_routes.mfa_with_event_path(mfa_event: :login)
+				context.flash = { notice: "Please check your mobile device. We sent an SMS for MFA verification" }
+				result = RailsBase::Mfa::Sms::Send.call(user: user)
 				context.token_ttl = result.short_lived_data.death_time if result.success?
 				result
 			else
 				sign_in_user_context!
-				mfa_free_words = distance_of_time_in_words(user.last_mfa_login, User.time_bound)
-				context.flash = { notice: "Welcome. You have succesfully signed in. You will be mfa free for another #{mfa_free_words}" }
-				log(level: :info, msg: "User is mfa free for another #{mfa_free_words}")
+				context.flash = { notice: "Welcome. You have succesfully signed in via #{decision.mfa_type.to_s.upcase} MFA." }
 				nil
 			end
 		end

data/app/services/rails_base/authentication/send_forgot_password.rb

@@ -4,7 +4,6 @@ module RailsBase::Authentication
 
 		def call
 			user = User.find_for_authentication(email: email)
-
 			if user.nil?
 				log(level: :warn, msg: "Failed to find email assocaited to #{email}. Not sending email")
 				context.fail!(message: "Failed to send forget password to #{email}", redirect_url: '')

data/app/services/rails_base/authentication/single_sign_on_send.rb

@@ -32,7 +32,7 @@ module RailsBase::Authentication
         token_type: token_type,
         url_redirect: url_redirect
       }
-      datum = SingleSignOnCreate.call(**params)
+      datum = SingleSignOnCreate.(**params)
       context.fail!(message: 'Failed to create SSO token. Try again') if datum.failure?
 
       url = sso_url(data: datum.data.data)

data/app/services/rails_base/authentication/sso_verify_email.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module RailsBase::Authentication
 	class SsoVerifyEmail < RailsBase::ServiceBase
 		delegate :verification, to: :context
@@ -15,7 +17,7 @@ module RailsBase::Authentication
 				user: user,
 				purpose: Constants::SSOVE_PURPOSE
 			}
-			context.encrypted_val = MfaSetEncryptToken.call(params).encrypted_val
+			context.encrypted_val = RailsBase::Mfa::EncryptToken.(params).encrypted_val
 		end
 
 		def validate_datum?(datum)

data/app/services/rails_base/authentication/update_phone_send_verification.rb

@@ -14,7 +14,7 @@ module RailsBase::Authentication
 			# requires a bit of a restructure that I dont have time for
 			update_user_number!
 
-			twilio_sms = SendLoginMfaToUser.call(user: user.reload)
+			twilio_sms = RailsBase::Mfa::Sms::Send.call(user: user.reload)
 
 			if twilio_sms.failure?
 				log(level: :error, msg: "Failed with #{twilio_sms.message}")
@@ -22,7 +22,7 @@ module RailsBase::Authentication
 			end
 			context.expires_at = twilio_sms.short_lived_data.death_time
 			context.mfa_randomized_token =
-			  MfaSetEncryptToken.call(user: user, expires_at: context.expires_at, purpose: Constants::MSET_PURPOSE).encrypted_val
+			  RailsBase::Mfa::EncryptToken.(user: user, expires_at: context.expires_at, purpose: Constants::MSET_PURPOSE).encrypted_val
 		end
 
 		def update_user_number!

data/app/services/rails_base/authentication/verify_forgot_password.rb

@@ -3,22 +3,19 @@ module RailsBase::Authentication
 		delegate :data, to: :context
 
 		def call
-			mfa_flow = false
 			data_point = short_lived_data
 			validate_datum?(data_point)
 
 			log(level: :info, msg: "Validated user 2fa email #{data_point[:user].full_name}")
+
 			context.user = data_point[:user]
-			context.encrypted_val =
-				MfaSetEncryptToken.call(user: data_point[:user], expires_at: Time.zone.now + 10.minutes, purpose: Constants::VFP_PURPOSE).encrypted_val
-			return unless data_point[:user].mfa_enabled
-
-			result = SendLoginMfaToUser.call(user: data_point[:user], expires_at: Time.zone.now + 10.minutes)
-			if result.failure?
-				log(level: :warn, msg: "Attempted to send MFA to user from #{self.class.name}: Exiting with #{result.message}")
-				context.fail!(message: result.message, redirect_url: Constants::URL_HELPER.new_user_password_path, level: :warn)
+			mfa_decision = RailsBase::Mfa::Decision.(force_mfa: true, user: data_point[:user])
+
+			if context.mfa_flow = mfa_decision.mfa_require
+				log(level: :info, msg: "User has #{mfa_decision.mfa_options} mfa options enabled. MFA is required to reset password")
+			else
+				log(level: :info, msg: "User has no MFA options enabled. MFA is NOT required to reset password")
 			end
-			context.mfa_flow = true
 		end
 
 		def validate_datum?(datum)
@@ -32,7 +29,7 @@ module RailsBase::Authentication
 
 			log(level: :warn, msg: "Could not find MFA code. Incorrect MFA code. User is doing something fishy.")
 
-			context.fail!(message: Constants::MV_FISHY, redirect_url: Constants::URL_HELPER.authenticated_root_path, level: :warn)
+			context.fail!(message: Constants::MV_FISHY, redirect_url: Constants::URL_HELPER.unauthenticated_root_path, level: :warn)
 		end
 
 		def short_lived_data

data/app/services/rails_base/mfa/decision.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa
+  class Decision < RailsBase::ServiceBase
+    delegate :user, to: :context
+
+    def call
+      unless RailsBase.config.mfa.enable?
+        execute_nil("Application")
+        return
+      end
+
+      if user.mfa_otp_enabled
+        execute_otp
+      elsif user.mfa_sms_enabled
+        execute_sms
+      else
+        execute_nil("User")
+      end
+
+      available_mfa_options!
+    end
+
+    def available_mfa_options!
+      mfa_options = []
+      mfa_options << OTP if user.mfa_otp_enabled
+      mfa_options << SMS if user.mfa_sms_enabled
+
+      context.mfa_options = mfa_options
+    end
+
+    def execute_otp
+      log(level: :info, msg: "MFA type OTP is enabled on user. Executing OTP workflow")
+      result = reauth_strategy_class.(user: user, force: force_mfa, mfa_type: OTP, mfa_last_used: user.last_mfa_otp_login)
+      require_mfa = result.request_mfa
+
+      context_clues(type: OTP, require_mfa: require_mfa)
+    end
+
+    def execute_sms
+      log(level: :info, msg: "MFA type SMS is enabled on user. Executing OTP workflow")
+      result = reauth_strategy_class.(user: user, force: force_mfa, mfa_type: SMS, mfa_last_used: user.last_mfa_sms_login)
+      require_mfa = result.request_mfa
+
+      context_clues(type: SMS, require_mfa: require_mfa)
+    end
+
+    def execute_nil(classify)
+      log(level: :info, msg: "#{classify} does not have any MFA type enabled. Skipping")
+      context_clues(type: NONE, require_mfa: false)
+    end
+
+    def context_clues(type:, require_mfa:)
+      context.mfa_type = type
+      context.mfa_require = require_mfa
+    end
+
+    def force_mfa
+      context.force_mfa.nil? ? false : context.force_mfa
+    end
+
+    def reauth_strategy_class
+      RailsBase.config.mfa.reauth_strategy
+    end
+
+    def validate!
+      raise "Expected user to be a User. Received #{user.class}" unless user.is_a? User
+    end
+  end
+end

data/app/services/rails_base/mfa/encrypt_token.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa
+  class EncryptToken < RailsBase::ServiceBase
+    delegate :user, to: :context
+    delegate :expires_at, to: :context
+    delegate :purpose, to: :context
+
+    def call
+      params = {
+        value: value,
+        purpose: purpose || RailsBase::Authentication::Constants::MSET_PURPOSE,
+        expires_at: expires_at
+      }
+
+      context.encrypted_val = RailsBase::Encryption.encode(**params)
+    end
+
+    def value
+      # user_id with the same expires_at will return the same Encryption token
+      # to overcome this, do 2 things
+      # 1: Rotate the secret on every boot (ensures tplem changes on semi regular basis)
+      # 2: Add rand strings to the hash -- Ensures the token is different every time
+      { user_id: user.id, rand: rand.to_s, expires_at: expires_at }.to_json
+    end
+
+    def validate!
+      raise "Expected user to be a User. Received #{user.class}" unless user.is_a? User
+
+      time_class = ActiveSupport::TimeWithZone
+      raise "Expected expires_at to be a Received #{time_class}. Received #{expires_at.class}" unless expires_at.is_a? time_class
+    end
+  end
+end

data/app/services/rails_base/mfa/sms/remove.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Sms
+  class Remove < RailsBase::ServiceBase
+    delegate :password, to: :context
+    delegate :session_mfa_user_id, to: :context
+    delegate :current_user, to: :context
+    delegate :sms_code, to: :context
+    delegate :mfa_event, to: :context
+
+    def call
+      password_result = RailsBase::Authentication::AuthenticateUser.(email: current_user.email, current_user: current_user, password: password)
+      if password_result.failure?
+        log(level: :debug, msg: "Password validation failed. Unable to continue")
+        context.fail!(message: password_result.message)
+      end
+
+      validate_code = Validate.(mfa_event:,sms_code:, session_mfa_user_id:, current_user:)
+
+      if validate_code.failure?
+        log(level: :warn, msg: "Unable to confirm SMS OTP code. Will not remove")
+        context.fail!(message: "Incorrect One Time Password Code")
+      end
+
+      current_user.update!(mfa_sms_enabled: false, last_mfa_sms_login: nil)
+    end
+
+    def validate!
+      raise 'Expected the current_user passed' if current_user.nil?
+      raise 'Expected the sms_code passed' if sms_code.nil?
+      raise 'session_mfa_user_id is not present' if session_mfa_user_id.nil?
+      raise 'password is not present' if password.nil?
+    end
+  end
+end

data/app/services/rails_base/{authentication/send_login_mfa_to_user.rb → mfa/sms/send.rb}

@@ -1,8 +1,10 @@
-require 'twilio_helper'
+# frozen_string_literal: true
+
 require 'velocity_limiter'
+require 'twilio_helper'
 
-module RailsBase::Authentication
-  class SendLoginMfaToUser < RailsBase::ServiceBase
+module RailsBase::Mfa::Sms
+  class Send < RailsBase::ServiceBase
     include ActionView::Helpers::DateHelper
     include VelocityLimiter
 
@@ -24,14 +26,18 @@ module RailsBase::Authentication
     end
 
     def send_twilio!(code)
-      TwilioJob.perform_later(message: message(code), to: user.phone_number)
-      log(level: :info, msg: "Sent twilio message to #{user.phone_number}")
+      TwilioJob.perform_later(message: message(code), to: phone_number)
+      log(level: :info, msg: "Sent twilio message to #{phone_number}")
     rescue StandardError => e
       log(level: :error, msg: "Error caught #{e.class.name}")
-      log(level: :error, msg: "Failed to send sms to #{user.phone_number}")
+      log(level: :error, msg: "Failed to send sms to #{phone_number}")
       context.fail!(message: "Failed to send sms. Please retry logging in.")
     end
 
+    def phone_number
+      context.phone_number || user.phone_number
+    end
+
     def message(code)
       "Hello #{user.full_name}. Here is your verification code #{code}."
     end
@@ -40,25 +46,25 @@ module RailsBase::Authentication
       params = {
         user: user,
         max_use: MAX_USE_COUNT,
-        reason: Constants::MFA_REASON,
+        reason: RailsBase::Authentication::Constants::MFA_REASON,
         data_use: DATA_USE,
-        ttl: Constants::SLMTU_TTL,
+        ttl: RailsBase::Authentication::Constants::SLMTU_TTL,
         expires_at: expires_at,
-        length: Constants::MFA_LENGTH,
+        length: RailsBase::Authentication::Constants::MFA_LENGTH,
       }
       ShortLivedData.create_data_key(**params)
     end
 
     def velocity_max_in_frame
-      RailsBase.config.mfa.twilio_velocity_max_in_frame
+      RailsBase.config.twilio.twilio_velocity_max_in_frame
     end
 
     def velocity_max
-      RailsBase.config.mfa.twilio_velocity_max
+      RailsBase.config.twilio.twilio_velocity_max
     end
 
     def velocity_frame
-      RailsBase.config.mfa.twilio_velocity_frame
+      RailsBase.config.twilio.twilio_velocity_frame
     end
 
     def cache_key
@@ -71,7 +77,7 @@ module RailsBase::Authentication
         raise "Expected expires_at to be a ActiveSupport::TimeWithZone. Given #{expires_at.class}"
       end
 
-      raise NoPhoneNumber, "No phone for user [#{user.id}] [#{user.phone_number}]" if user.phone_number.nil?
+      raise NoPhoneNumber, "No phone for user [#{user.id}] [#{phone_number}]" if phone_number.nil?
     end
   end
 end

data/app/services/rails_base/mfa/sms/validate.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Sms
+  class Validate < RailsBase::ServiceBase
+    delegate :params, to: :context
+    delegate :session_mfa_user_id, to: :context
+    delegate :current_user, to: :context
+    delegate :input_reason, to: :context
+    delegate :sms_code, to: :context
+    delegate :mfa_event, to: :context
+
+    def call
+      if sms_code.present?
+        log(level: :info, msg: "Raw sms code was passed in")
+        mfa_code = sms_code
+      else
+        log(level: :info, msg: "Code Array was passed in. Manipulating Data first")
+        array = convert_to_array
+        if array.length != RailsBase::Authentication::Constants::MFA_LENGTH
+          log(level: :warn, msg: "Not enough params for MFA code. Given #{array}. Expected of length #{RailsBase::Authentication::Constants::MFA_LENGTH}")
+          context.fail!(message: RailsBase::Authentication::Constants::MV_FISHY, redirect_url: RailsBase.url_routes.new_user_session_path, level: :alert)
+        end
+
+        mfa_code = array.join
+      end
+
+
+      log(level: :info, msg: "mfa code received: #{mfa_code}")
+      datum = get_short_lived_datum(mfa_code)
+      log(level: :info, msg: "Datum returned with: #{datum}")
+
+      validate_datum?(datum)
+      validate_user_consistency?(datum)
+      validate_current_user?(datum) if current_user
+
+      context.user = datum[:user]
+    end
+
+    def validate_current_user?(datum)
+      return true if current_user.id == datum[:user].id
+
+      # User MFA for a different user matched the session token
+      # However, those did not match the current user signed in
+      # Something is very 🐟
+      log(level: :error, msg: "Someone is a teapot. Current logged in user does not equal mfa code.")
+      context.fail!(message: 'You are a teapot', redirect_url: RailsBase.url_routes.signout_path, level: :warn)
+    end
+
+    def validate_datum?(datum)
+      return true if datum[:valid]
+
+      if datum[:found]
+        # MFA is either expired or the incorrect reason. Either way it does not match
+        msg = "Errors with MFA: #{datum[:invalid_reason].join(", ")}. Please login again"
+        log(level: :warn, msg: msg)
+        context.fail!(message: msg, redirect_url: RailsBase.url_routes.new_user_session_path, level: :warn)
+      end
+
+      # MFA does not exist for any reason type
+      log(level: :warn, msg: "Could not find MFA code. Incorrect MFA code")
+
+      context.fail!(message: "Incorrect SMS code.", redirect_url: RailsBase.url_routes.mfa_with_event_path(mfa_event: mfa_event.event, type: RailsBase::Mfa::SMS), level: :warn)
+    end
+
+    def validate_user_consistency?(datum)
+      return true if datum[:user].id == session_mfa_user_id.to_i
+      log(level: :warn, msg: "Datum user does not match session user. [#{datum[:user].id}, #{session_mfa_user_id.to_i}]")
+
+      # MFA session token user does not match the datum user
+      # Something is very 🐟
+      context.fail!(message: RailsBase::Authentication::Constants::MV_FISHY, redirect_url: RailsBase.url_routes.new_user_session_path, level: :alert)
+    end
+
+    def get_short_lived_datum(mfa_code)
+      log(level: :debug, msg: "Looking for #{mfa_code} with reason #{reason}")
+      ShortLivedData.find_datum(data: mfa_code, reason: reason)
+    end
+
+    def convert_to_array
+      array = []
+      return array unless params.dig(:mfa).respond_to? :keys
+
+      RailsBase::Authentication::Constants::MFA_LENGTH.times do |index|
+        var_name = "#{RailsBase::Authentication::Constants::MV_BASE_NAME}#{index}".to_sym
+        array << params[:mfa][var_name]
+      end
+
+      array.compact
+    end
+
+    def reason
+      input_reason || RailsBase::Authentication::Constants::MFA_REASON
+    end
+
+    def validate!
+      if sms_code.nil?
+        raise 'params is not present' if params.nil?
+      end
+
+      raise 'mfa_event is expected to be a RailsBase::MfaEvent' unless RailsBase::MfaEvent === mfa_event
+
+      raise 'session_mfa_user_id is not present' if session_mfa_user_id.nil?
+    end
+  end
+end

data/app/services/rails_base/mfa/strategy/base.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Strategy
+  class Base < RailsBase::ServiceBase
+    delegate :user, to: :context
+    delegate :force, to: :context
+    delegate :mfa_type, to: :context
+    delegate :mfa_last_used, to: :context
+
+    def call
+      log(level: :info, msg: "#{user_prepend} : MFA strategy against #{mfa_type}")
+
+      if require_mfa?(user: user, mfa_type: mfa_type, mfa_last_used: mfa_last_used)
+        mfa_required
+      else
+        if force
+          log(level: :info, msg: "#{user_prepend} : MFA strategy was not required at this time. However -- Force option was passed in")
+          mfa_required
+        else
+          mfa_not_required
+        end
+      end
+    end
+
+    def mfa_required
+      log(level: :info, msg: "#{user_prepend} : MFA strategy is required at this time based on the strategy")
+      context.request_mfa = true
+    end
+
+    def mfa_not_required
+      log(level: :info, msg: "#{user_prepend} : MFA strategy is NOT required at this time")
+      context.request_mfa = false
+    end
+
+    def user_prepend
+      "[#{user.full_name} (#{user.id})]"
+    end
+
+    def validate!
+      raise "Expected user to be a User. Received #{user.class}" unless User === user
+      raise "Expected mfa_type to be a present" if mfa_type.nil?
+    end
+  end
+end

data/app/services/rails_base/mfa/strategy/every_request.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Strategy
+  class EveryRequest < Base
+    def self.description
+      "MFA is always requried"
+    end
+
+    def require_mfa?(...)
+      log(level: :info, msg: "#{user_prepend} : Strategy dictates user must re-auth via MFA")
+      true
+    end
+  end
+end

data/app/services/rails_base/mfa/strategy/skip_every_request.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Strategy
+  class SkipEveryRequest < Base
+    def self.description
+      "MFA is never requried"
+    end
+
+    def require_mfa?(...)
+      log(level: :info, msg: "#{user_prepend} : Strategy dictates user will never re-auth via MFA")
+      false
+    end
+  end
+end

data/app/services/rails_base/mfa/strategy/time_based.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Strategy
+  class TimeBased < Base
+    def self.description
+      "MFA is required every #{RailsBase.config.mfa.reauth_duration}"
+    end
+
+    def require_mfa?(mfa_last_used:, **)
+      if mfa_last_used.nil?
+        log(level: :info, msg: "#{user_prepend} : User has not succesfully logged into mfa")
+        return true
+      end
+
+      log(level: :info, msg: "#{user_prepend} : User last used mfa #{mfa_last_used.utc} (vs #{Time.now.utc})")
+      required_line = mfa_last_used.utc + RailsBase.config.mfa.reauth_duration
+      log(level: :info, msg: "#{user_prepend} : User required to reauth after #{required_line}")
+      status = required_line < Time.now.utc
+      log(level: :info, msg: "#{user_prepend} : User required to reauth? #{status}")
+
+      status
+    end
+  end
+end

data/app/services/rails_base/mfa/totp/helper.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Totp
+  module Helper
+    def secret
+      context.otp_secret || user.reload.otp_secret
+    end
+
+    def otp
+      @otp ||= ROTP::TOTP.new(secret)
+    end
+
+    def current_code
+      otp.at(Time.now)
+    end
+
+    def lgp
+      @lgp ||= "[#{user.full_name}:(#{user.id})] :"
+    end
+  end
+end

data/app/services/rails_base/mfa/totp/otp_metadata.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module RailsBase::Mfa::Totp
+  class OtpMetadata < RailsBase::ServiceBase
+    delegate :user, to: :context
+
+    def call
+      context.metadata = user.otp_metadata(safe: true)
+    rescue => e
+      log(level: :error, msg: "Failed to retreive OTP data: #{e.message}")
+      log(level: :error, msg: e.backtrace)
+      context.fail!(message: "Failed to retrieve Metadata for Code")
+    end
+
+    def validate!
+      raise "Expected user to be a User. " unless User === user
+    end
+  end
+end