rails_base 0.75.6 → 0.81.0

data/app/views/rails_base/shared/totp/_remove_authenticator_modal.html.erb

@@ -0,0 +1,50 @@
+<div class="modal fade" id="totpDisableModal" tabindex="-1" role="dialog" aria-labelledby="exampleModalLabel" aria-hidden="true">
+  <div class="modal-dialog modal-lg" role="document">
+    <div class="modal-content">
+      <div class="modal-header">
+        <h3 class="modal-title" id="exampleModalLabel">Remove TOTP as Multi Factor Authenticator</h3>
+        <button type="button" class="close" data-dismiss="modal" aria-label="Close">
+          <span aria-hidden="true">&times;</span>
+        </button>
+      </div>
+      <div class="modal-body">
+        <div class="text-center">
+          Time based One time Password is one of the the most Secure MFA option that <%= RailsBase.app_name %> provides. If you would like to remove this MFA option, please enter your credentials below and confirm. Upon Successful request, TOTP is no longer active on your account
+        </div>
+        <hr>
+        <%= form_with(url: RailsBase.url_routes.totp_register_delete_path, method: :delete) do |form| %>
+          <div id="confirmTotpAuthenticationCode">
+            <div class="totpInput">
+              <div class="input-group input-group-lg">
+                <div class="input-group-prepend">
+                  <span class="input-group-text" id="totpInput-Prepend">Password</span>
+                </div>
+                <%= form.password_field :password, id: "totpRemoval-password", class:"form-control" %>
+              </div>
+            </div>
+            <br>
+            <div class="totpInput">
+              <div class="input-group input-group-lg">
+                <div class="input-group-prepend">
+                  <span class="input-group-text" id="totpInput-Prepend">TOTP</span>
+                </div>
+                <%= form.telephone_field :totp_code, id: "totpRemoval-code", class:"form-control", placeholder: "One Time Password Value" %>
+              </div>
+            </div>
+            <br>
+            <div class="totpSubmit">
+              <div class="row">
+                <div class="col-md-6 offset-md-3">
+                  <%= form.submit "Confirm TOTP Removal", class: " btn btn_danger btn-block" %>
+                </div>
+              </div>
+            </div>
+          </div>
+        <% end %>
+      </div>
+      <div class="modal-footer">
+        <button type="button" class="mr-auto btn btn_secondary" data-dismiss="modal">Close</button>
+      </div>
+    </div>
+  </div>
+</div>

data/app/views/rails_base/user_settings/index.html.erb

@@ -1,3 +1,6 @@
+<%
+  function_name = "advancedSecurityCollapse"
+%>
 <div class="row">
   <div class="col-md-10 offset-md-1">
     <div class="row">
@@ -16,13 +19,24 @@
           </tr>
           <tr>
             <th scope="col" class='text-right' style="width: 40%">
-             MFA enabled?
+             SMS MFA enabled?
             </th>
             <td style="width: 40%">
-              <%= current_user.mfa_enabled %>
+              <%= current_user.mfa_sms_enabled %>
             </td>
             <td style="width: 20%">
-              <button class="btn btn_primary btn-block show-create-modal" type="button">Modify</button>
+              <button onclick="advancedSecurityCollapse_collapse_open()" class="btn btn_primary btn-block" type="button">Modify</button>
+            </td>
+          </tr>
+          <tr>
+            <th scope="col" class='text-right' style="width: 40%">
+             TOTP MFA enabled?
+            </th>
+            <td style="width: 40%">
+              <%= current_user.mfa_otp_enabled %>
+            </td>
+            <td style="width: 20%">
+              <button onclick="advancedSecurityCollapse_collapse_open()" class="btn btn_primary btn-block" type="button">Modify</button>
             </td>
           </tr>
           <tr>
@@ -39,6 +53,86 @@
         </tbody>
       </table>
     </div>
+    <div class='row'>
+      <div class='col'>
+        <div id="advancedSecurity">
+          <div class="row">
+            <div class="col-12">
+              <button id="advancedSecurity-title" class="text-center btn btn-warning btn-block" type="button" id="dropdownMenuButton" aria-haspopup="true" aria-expanded="false">
+                MFA Options
+              </button>
+            </div>
+          </div>
+          <div class="row">
+            <div class="col-12">
+              <div id="advancedSecurity-body" class="collapseable-body">
+                <br>
+                <div class="row">
+                  <div class="col-10 offset-1">
+                    <% if RailsBase.config.mfa.enable? %>
+                      <% if current_user.mfa_sms_enabled %>
+                        <button type="button" class="btn btn-block btn_info close-me" data-toggle="modal" data-target="#modifyMfamodal">
+                            Modify 2fa Auth
+                        </button>
+                        <%= render partial: 'rails_base/shared/modify_mfa_auth_modal'%>
+                      <% else %>
+                        <button type="button" class="btn btn-block btn_info close-me" data-toggle="modal" data-target="#enableMfamodal">
+                          Enable 2fa Auth
+                        </button>
+                        <%= render partial: 'rails_base/shared/enable_mfa_auth_modal'%>
+                      <% end %>
+                    <% end %>
+                  </div>
+                </div>
+                <div class="row"><div class="col-6 offset-3">
+                  <hr>
+                </div></div>
+
+                <div class="row">
+                  <div class="col-10 offset-1">
+                    <% if RailsBase.config.totp.enable? %>
+                      <% if current_user.mfa_otp_enabled %>
+                        <div class="row">
+                          <div class="col-12">
+                            <button type="button" class="btn btn-block btn_info close-me" data-toggle="modal" data-target="#totpDisableModal">
+                                Disable One Time Password Auth
+                            </button>
+                          </div>
+                        </div>
+                        <%= render partial: 'rails_base/shared/totp/remove_authenticator_modal', locals: { type: @type, endpoint: @endpoint } %>
+                        <br>
+                        <div class="row">
+                          <div class="col-12">
+                            <button type="button" class="btn btn-block btn_info close-me" data-toggle="modal" data-target="#totpEnableModal" style="display: none;">
+                              <!--
+                              This is currently disabled.
+                              Steps to re-enabld
+                              - Enforce TOTP code is entered before showing totp secret
+                              -->
+                              Add One Time Password Auth
+                            </button>
+                          </div>
+                        </div>
+                      <% else %>
+                        <button type="button" class="btn btn-block btn_info close-me" data-toggle="modal" data-target="#totpEnableModal">
+                            Enable One Time Password Auth
+                        </button>
+                        <%= render partial: 'rails_base/shared/totp/add_authenticator_modal', locals: { type: @type, endpoint: @endpoint } %>
+                      <% end %>
+                    <% end %>
+                  </div>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <%= render partial: 'rails_base/shared/standardized_collapse', locals: { options: { id: "advancedSecurity", title_id: "advancedSecurity-title", body_id: "advancedSecurity-body", default_closed: true, function_name: function_name } } %>
+
+      </div>
+    </div>
+    </br>
+    <hr>
     <div class="row" style="margin-top: 50px">
       <button type="button" class="btn btn_danger btn-block" data-toggle="modal" data-target="#destroyUserModal">
         Destroy account
@@ -52,3 +146,8 @@
 <%= render 'modify_password' %>
 <%= render 'destroy_user' %>
 
+<script type="text/javascript">
+  $(document).ready(function(){
+    _railsBase_goToStandardizedCollapse("openmfa", `#advancedSecurity-body`, `<%= function_name %>`)
+  })
+</script>

data/config/initializers/admin_action_helper.rb

@@ -59,21 +59,57 @@ params = {
 }
 RailsBase::Admin::ActionHelper.new(**params).add!
 
+proc = Proc.new do |req, params, admin_user, user, title, struct|
+  actions_mapping = {
+    sms_registration: 'MFA Attempt to Register new SMS number',
+    sms_confirmation: 'MFA Confirm new SMS number',
+    sms_removal: 'MFA SMS removed',
+  }
 
+  if actions_mapping.keys.include?(params[:action].to_sym)
+    {
+      admin_user: admin_user,
+      user: user,
+      action: actions_mapping[params[:action].to_sym] ,
+      original_attribute: struct&.original_attribute,
+      new_attribute: struct&.new_attribute
+    }
+  else
+    nil
+  end
+end
+# All SMS register actions
 params = {
-  proc: nil,
-  title: 'Removed Phone from account',
-  controller: RailsBase::SecondaryAuthenticationController,
-  action: 'remove_phone_mfa',
+  proc: proc,
+  controller: RailsBase::Mfa::Register::SmsController,
   default: true
 }
 RailsBase::Admin::ActionHelper.new(**params).add!
 
+
+proc = Proc.new do |req, params, admin_user, user, title, struct|
+  actions_mapping = {
+    totp_remove: 'MFA TOTP remove',
+    totp_secret: 'MFA TOTP Attempt to add new Authenticator',
+    totp_validate: 'MFA TOTP Authenticator added',
+  }
+
+  if actions_mapping.keys.include?(params[:action].to_sym)
+    {
+      admin_user: admin_user,
+      user: user,
+      action: actions_mapping[params[:action].to_sym] ,
+      original_attribute: struct&.original_attribute,
+      new_attribute: struct&.new_attribute
+    }
+  else
+    nil
+  end
+end
+# All TOTP register actions
 params = {
-  proc: nil,
-  title: 'Setting Phone on account',
-  controller: RailsBase::SecondaryAuthenticationController,
-  action: 'phone_registration',
+  proc: proc,
+  controller: RailsBase::Mfa::Register::TotpController,
   default: true
 }
 RailsBase::Admin::ActionHelper.new(**params).add!

data/config/routes.rb

@@ -64,18 +64,53 @@ Rails.application.routes.draw do
   get 'auth/login', to: 'rails_base/secondary_authentication#after_email_login_session_new', as: :login_after_email
   post 'auth/login', to: 'rails_base/secondary_authentication#after_email_login_session_create', as: :login_after_email_session_create
   post 'auth/resend_email', to: 'rails_base/secondary_authentication#resend_email', as: :resend_email_verification
-  delete 'auth/phone/mfa', to: 'rails_base/secondary_authentication#remove_phone_mfa', as: :remove_phone_registration_mfa
   get 'auth/password/forgot/:data', to: 'rails_base/secondary_authentication#forgot_password', as: :forgot_password_auth
-  post 'auth/password/forgot/:data', to: 'rails_base/secondary_authentication#forgot_password_with_mfa', as: :forgot_password_with_mfa_auth
+  get 'auth/password/reset/:data', to: 'rails_base/secondary_authentication#reset_password_input', as: :reset_password_input
   post 'auth/password/reset/:data', to: 'rails_base/secondary_authentication#reset_password', as: :reset_password_auth
 
   constraints(->(_req) { RailsBase.config.mfa.enable? }) do
-    get 'mfa_verify', to: 'rails_base/mfa_auth#mfa_code', as: :mfa_code
-    post 'mfa_verify', to: 'rails_base/mfa_auth#mfa_code_verify', as: :mfa_code_verify
-    post 'resend_mfa', to: 'rails_base/mfa_auth#resend_mfa', as: :resend_mfa
+    scope "mfa/register" do
+      mfa_base_register = "rails_base/mfa/register"
+      constraints(->(_req) { RailsBase.config.totp.enable? }) do
+        scope :totp do
+          delete "/", to: "#{mfa_base_register}/totp#totp_remove", as: :totp_register_delete
+          post "/", to: "#{mfa_base_register}/totp#totp_secret", as: :totp_register_secret
+          post "validate", to: "#{mfa_base_register}/totp#totp_validate", as: :totp_register_validate
+        end
+      end
+
+      constraints(->(_req) { RailsBase.config.twilio.enable? }) do
+        scope :sms do
+          delete "/", to: "#{mfa_base_register}/sms#sms_removal", as: :remove_phone_registration_mfa
+          post "/", to: "#{mfa_base_register}/sms#sms_registration", as: :phone_registration
+          post "validate", to: "#{mfa_base_register}/sms#sms_confirmation", as: :phone_registration_mfa_code
+        end
+      end
+    end
+
+    scope "mfa/validate" do
+      mfa_base_validate = "rails_base/mfa/validate"
+      constraints(->(_req) { RailsBase.config.totp.enable? }) do
+        scope :totp do
+          get ":mfa_event", to: "#{mfa_base_validate}/totp#totp_event_input", as: :totp_validate_event_input
+          post ":mfa_event", to: "#{mfa_base_validate}/totp#totp_event", as: :totp_validate_event
+        end
+      end
+
+      constraints(->(_req) { RailsBase.config.twilio.enable? }) do
+        scope :sms do
+          post ":mfa_event/send", to: "#{mfa_base_validate}/sms#sms_event_send", as: :sms_validate_send_event
+          post ":mfa_event", to: "#{mfa_base_validate}/sms#sms_event", as: :sms_validate_event
+          get ":mfa_event", to: "#{mfa_base_validate}/sms#sms_event_input", as: :sms_validate_event_input
+        end
+      end
+    end
+  end
 
-    post 'auth/phone', to: 'rails_base/secondary_authentication#phone_registration', as: :phone_registration
-    post 'auth/phone/mfa', to: 'rails_base/secondary_authentication#confirm_phone_registration', as: :phone_registration_mfa_code
+  # These routes need to be outside of the scope so that they can be called independently
+  # The code itself will evaluate if it should run or not
+  scope "mfa/evaluation" do
+    get ':mfa_event', to: 'rails_base/mfa/evaluation#mfa_with_event', as: :mfa_with_event
   end
 
   ################################

data/db/migrate/20240808013706_add_totp_to_users.rb

@@ -0,0 +1,9 @@
+class AddTotpToUsers < ActiveRecord::Migration[6.1]
+  def change
+    add_column :users, :otp_secret, :string
+    add_column :users, :temp_otp_secret, :string
+    add_column :users, :consumed_timestep, :integer
+    add_column :users, :mfa_otp_enabled, :boolean, default: false
+    add_column :users, :otp_backup_codes, :text
+  end
+end

data/db/migrate/20240825012724_reconfigure_mfa_variable_names.rb

@@ -0,0 +1,10 @@
+class ReconfigureMfaVariableNames < ActiveRecord::Migration[6.1]
+  def change
+    ## Rename original MFA columns to SMS specific columns
+    rename_column :users, :mfa_enabled, :mfa_sms_enabled
+    rename_column :users, :last_mfa_login, :last_mfa_sms_login
+
+    # Add new Column for Last time logged in via OTP generated code
+    add_column :users, :last_mfa_otp_login, :datetime
+  end
+end

data/lib/rails_base/admin/action_helper.rb

@@ -85,7 +85,6 @@ module RailsBase::Admin
     end
 
     def call(req:, params:, admin_user:, user:, struct: nil)
-      # byebug
       if proc
         action_params = proc.call(req, params, admin_user, user, title, struct)
         return if action_params.nil?

data/lib/rails_base/admin/default_index_tile.rb

@@ -86,11 +86,11 @@ RailsBase::Admin::IndexTile.add(instance)
 # Mfa Enabled Validated Tile
 params = {
   type: :toggle,
-  value: ->(user) { user.mfa_enabled },
+  value: ->(user) { user.mfa_sms_enabled },
   on: 'Enabled',
   off: 'Disabled',
-  name: 'mfa_enabled', # name to be amended to html id
-  col_name: 'MFA Enabled?', # Expected to be the column header name
+  name: 'mfa_sms_enabled', # name to be amended to html id
+  col_name: 'MFA SMS Enabled?', # Expected to be the column header name
   disabled: -> (user, admin_user) { !RailsBase.config.admin.mfa_tile_users.call(admin_user) },
   disabled_msg: -> (user, admin_user) { 'Your admin user does not have permissions' },
   min_width: 220,

data/lib/rails_base/config.rb

@@ -1,36 +1,40 @@
-require 'singleton'
-require 'rails_base/configuration/active_job'
-require 'rails_base/configuration/admin'
-require 'rails_base/configuration/app'
-require 'rails_base/configuration/appearance'
-require 'rails_base/configuration/authentication'
-require 'rails_base/configuration/exceptions_app'
-require 'rails_base/configuration/login_behavior'
-require 'rails_base/configuration/mailer'
-require 'rails_base/configuration/mfa'
-require 'rails_base/configuration/owner'
-require 'rails_base/configuration/redis'
-require 'rails_base/configuration/templates'
-require 'rails_base/configuration/user'
+require "singleton"
+require "rails_base/configuration/active_job"
+require "rails_base/configuration/admin"
+require "rails_base/configuration/app"
+require "rails_base/configuration/appearance"
+require "rails_base/configuration/authentication"
+require "rails_base/configuration/exceptions_app"
+require "rails_base/configuration/login_behavior"
+require "rails_base/configuration/mailer"
+require "rails_base/configuration/mfa"
+require "rails_base/configuration/owner"
+require "rails_base/configuration/redis"
+require "rails_base/configuration/templates"
+require "rails_base/configuration/totp"
+require "rails_base/configuration/twilio"
+require "rails_base/configuration/user"
 
 module RailsBase
   class Config
     include Singleton
 
     VARIABLES = {
+      active_job: nil,
       admin: nil,
-      mfa: nil,
-      auth: :authentication,
-      redis: nil,
-      owner: nil,
-      mailer: nil,
-      exceptions_app: nil,
       app: nil,
       appearance: nil,
-      user: nil,
-      active_job: nil,
+      auth: :authentication,
+      exceptions_app: nil,
       login_behavior: nil,
+      mailer: nil,
+      mfa: nil,
+      owner: nil,
+      redis: nil,
       templates: nil,
+      totp: nil,
+      twilio: nil,
+      user: nil,
     }
     attr_reader *VARIABLES.keys
 

data/lib/rails_base/configuration/admin.rb

@@ -44,13 +44,13 @@ module RailsBase
         proc: ->(user, admin_user) { user.email_validated? }
       }
 
-      DEFAULT_MFA_ENABLED = {
-        filter: 'MFA Enabled',
-        id: 'mfa_enabled',
-        proc: ->(user, admin_user) { user.mfa_enabled? }
+      DEFAULT_MFA_SMS_ENABLED = {
+        filter: 'MFA SMS Enabled',
+        id: 'mfa_sms_enabled',
+        proc: ->(user, admin_user) { user.mfa_sms_enabled? }
       }
 
-      DEFAULT_PAGE_FILTER = [DEFAULT_ADMIN_TYPE, DEFAULT_ADMIN_SELF, DEFAULT_ADMIN_ACTIVE, DEFAULT_EMAIL_VALIDATED, DEFAULT_MFA_ENABLED].flatten
+      DEFAULT_PAGE_FILTER = [DEFAULT_ADMIN_TYPE, DEFAULT_ADMIN_SELF, DEFAULT_ADMIN_ACTIVE, DEFAULT_EMAIL_VALIDATED, DEFAULT_MFA_SMS_ENABLED].flatten
       DEFAULT_VALUES = {
         enable: {
           type: :boolean,

data/lib/rails_base/configuration/base.rb

@@ -22,6 +22,7 @@ module RailsBase
         duration: -> (val) { [ActiveSupport::Duration].include?(val.class) },
         hash: -> (val) { [Hash].include?(val.class) },
         integer: -> (val) { [Integer].include?(val.class) },
+        integer_nil: -> (val) { [Integer, NilClass].include?(val.class) },
         klass: -> (_val) { true },
         path: -> (val) { [Pathname].include?(val.class) },
         proc: -> (val) { [Proc].include?(val.class) },

data/lib/rails_base/configuration/mfa.rb

@@ -3,82 +3,49 @@ require 'rails_base/configuration/base'
 module RailsBase
   module Configuration
     class Mfa < Base
-      MFA_MIN_LENGTH = 4
-      MFA_MAX_LENGTH = 8
+      MFA_TYPE_OPTIONS = [ DEFAULT_TYPE = :totp, :twilio ]
       DEFAULT_VALUES = {
         enable: {
           type: :boolean,
           default: ENV.fetch('MFA_ENABLE', 'true')=='true',
-          description: 'Enable MFA and SMS verification. When not enabled, there are some interesting consequences',
+          description: 'Enable MFA with SMS or TOTP verification. When not enabled, there are some interesting consequences',
         },
-        mfa_length: {
-          type: :integer,
-          default: 5,
-          custom: ->(val) { val > MFA_MIN_LENGTH && val < MFA_MAX_LENGTH },
-          msg: "Must be an integer greater than #{MFA_MIN_LENGTH} and less than #{MFA_MAX_LENGTH}",
-          description: 'Length of MFA verification',
-        },
-        twilio_sid: {
-          type: :string,
-          default: ENV.fetch('TWILIO_ACCOUNT_SID',''),
-          secret: true,
-          description: 'Twilio SID',
+        enable_twilio: {
+          type: :boolean,
+          default: true,
+          description: 'Add Twilio as an MFA option.',
         },
-        twilio_auth_token: {
-          type: :string,
-          default: ENV.fetch('TWILIO_AUTH_TOKEN', ''),
-          secret: true,
-          description: 'Twilio Auth Token',
+        enable_totp: {
+          type: :boolean,
+          default: true,
+          description: 'Add TOTP as an MFA option.',
         },
-        twilio_from_number: {
-          type: :string,
-          default: ENV.fetch('TWILIO_FROM_NUMBER', ''),
-          description: 'Number that we send MFA\'s From',
+        max_attempts_before_password_expire: {
+          type: :integer,
+          default: 5,
+          description: 'Max MFA attempts before password expires and password must get re-entered',
         },
-        twilio_velocity_max: {
+        max_password_expires_before_account_locked: {
           type: :integer,
-          default: ENV.fetch('TWILIO_VELOCITY_MAX', 5).to_i,
-          description: 'Max number of SMS we send to a user in a sliding window',
-
+          default: 5,
+          description: 'Max number of password expires before account is locked',
         },
-        twilio_velocity_max_in_frame: {
-          type: :duration,
-          default: ENV.fetch('TWILIO_VELOCITY_MAX_IN_FRAME', 1).to_i.hours,
-          description: 'Sliding window for twilio_velocity_max',
+        reauth_strategy: {
+          type: :klass,
+          default: -> (_val) { RailsBase::Mfa::Strategy::EveryRequest },
+          custom: ->(val) { (Proc === val ? val.call(nil) : val).ancestors.include?(RailsBase::Mfa::Strategy::Base) },
+          msg: "Invalid ReAuth Strategy. Provided class must be descendent of RailsBase::Mfa::Strategy::Base",
+          description: "Value is expected to be a descendent of RailsBase::Mfa::Strategy::Base. It can be lazily loaded via a proc",
+          on_assignment: ->(val, instance) { instance.reauth_strategy = (Proc === val ? val.call(nil) : val) },
         },
-        twilio_velocity_frame: {
+        reauth_duration: {
           type: :duration,
-          default: ENV.fetch('TWILIO_VELOCITY_FRAME', 5).to_i.hours,
-          description: 'Debug purposes. How long to keep admin_velocity_max attempts',
-        },
-        active_job_queue: {
-          type: :string,
-          default: 'twilio_sms',
-          description: 'The active job queue to send twilio messages from. Ensure that adapter is bound to the queue',
+          default: 2.days,
+          description: "When `reauth_strategy` is `time_based`, this value is the max time before MFA is required",
         }
       }
 
       attr_accessor *DEFAULT_VALUES.keys
-
-      private
-
-      def custom_validations
-        enforce_twilio!
-      end
-
-      def enforce_twilio!
-        return unless enable == true
-
-        return if twilio_sid.present? &&
-          twilio_auth_token.present? &&
-          twilio_from_number.present?
-
-        raise InvalidConfiguration, "twilio_sid twilio_auth_token twilio_from_number need to be present when `mfa.enabled`"
-      end
-
-      def default_values
-        DEFAULT_VALUES
-      end
     end
   end
 end

data/lib/rails_base/configuration/totp.rb

@@ -0,0 +1,82 @@
+require 'rails_base/configuration/base'
+
+module RailsBase
+  module Configuration
+    class Totp < Base
+
+      DEFAULT_VALUES = {
+        enable: {
+          type: :boolean,
+          default: true,
+          description: "TOTP must be explicitly enabled per application"
+        },
+        secret_code_length: {
+          type: :integer,
+          default: 32,
+          description: "The length of the secret to generate an OTP"
+        },
+        backup_code_length: {
+          type: :integer,
+          default: 64,
+          description: "The length of each backup code provided"
+        },
+        backup_code_count: {
+          type: :integer,
+          default: 10,
+          description: "The number of Backup codes generated if TOTP is cannot be solved.",
+        },
+        allowed_drift: {
+          type: :integer,
+          default: 30,
+          description: "The allowed drift around the current timestamp.",
+        },
+        allowed_drift_behind:{
+          type: :integer_nil,
+          default: nil,
+          description: "Allowed drift behind current timestamp. Takes precendence over allowed_drift",
+        },
+        allowed_drift_ahead:{
+          type: :integer_nil,
+          default: nil,
+          description: "Allowed drift ahead current timestamp. Takes precendence over allowed_drift",
+        },
+        velocity_max: {
+          type: :integer,
+          default: 3,
+          description: 'Max number of TOTP we allow a user to attempt in a sliding window',
+        },
+        velocity_max_in_frame: {
+          type: :duration,
+          default: 60.seconds,
+          description: 'Sliding window for velocity_max',
+        },
+        velocity_frame: {
+          type: :duration,
+          default: 300.seconds,
+          description: 'Debug purposes. How long to keep velocity_max attempts',
+        },
+      }
+      attr_accessor *DEFAULT_VALUES.keys
+
+      private
+
+      def custom_validations
+        if velocity_max_in_frame < max_behind || velocity_max_in_frame < max_ahead
+          raise ArgumentError, "totp.velocity_max_in_frame must be greater than the allowed_drift"
+        end
+
+        if velocity_frame < velocity_max_in_frame
+          raise ArgumentError, "totp.velocity_frame must be greater than totp.velocity_max_in_frame"
+        end
+      end
+
+      def max_behind
+        allowed_drift_ahead || allowed_drift
+      end
+
+      def max_ahead
+        allowed_drift_behind || allowed_drift
+      end
+    end
+  end
+end