rotp 2.1.1 → 6.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 2725d64c9f5c1dd2c64165cced04357972e269c2
-  data.tar.gz: 4396a34a9e33102c800cfcc7815db87fcf1c612a
+SHA256:
+  metadata.gz: 4ce425976dcf66314bf7217e6c5901c8e4cfd54d78919c058052ec2fc1d8c336
+  data.tar.gz: 6d0c496074dbe1d6d625e26b0408e33585c9783661077f322e7aa4c3585442c8
 SHA512:
-  metadata.gz: fb6e0c9f09dc0bb9a48d53dd883ad53be3ea63b1fe0abddf8370537ccd859d5826c6a95570dc4a647c4f8592ae9520e3bf5bd2f073beb3f82cc07274cc93de27
-  data.tar.gz: 7af5f0b49b5b1de78dad69d89b4b52a4369f79304b8d48f47a9f760f46839705c6359d1af5475476d0d31b85614488f34a63ad0213134ba74f95998a8cb1f441
+  metadata.gz: f4d739d3cc3fed5ec4cdcd04b6c73b8fa30cfdc513d92f4e8c1130f45682b2aa37cd2029f66522c0648a8a8d3a905556e1ac1b42715f6ef6f2e95716dd010422
+  data.tar.gz: ada9184523ddc259caabedb7429704d7a952b19faf067dbdc6a65d29dbdb57f3ad4a0e4a9e9b07268518f6f239190882b0f9cfc60b39264f7b79b381566c436c

data/.devcontainer/Dockerfile

@@ -0,0 +1,19 @@
+# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.238.1/containers/ruby/.devcontainer/base.Dockerfile
+
+# [Choice] Ruby version (use -bullseye variants on local arm64/Apple Silicon): 3, 3.1, 3.0, 2, 2.7, 3-bullseye, 3.1-bullseye, 3.0-bullseye, 2-bullseye, 2.7-bullseye, 3-buster, 3.1-buster, 3.0-buster, 2-buster, 2.7-buster
+ARG VARIANT="3.1-bullseye"
+FROM mcr.microsoft.com/vscode/devcontainers/ruby:0-${VARIANT}
+
+# [Choice] Node.js version: none, lts/*, 16, 14, 12, 10
+ARG NODE_VERSION="none"
+RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi
+
+# [Optional] Uncomment this section to install additional OS packages.
+# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
+#     && apt-get -y install --no-install-recommends <your-package-list-here>
+
+# [Optional] Uncomment this line to install additional gems.
+# RUN gem install <your-gem-names-here>
+
+# [Optional] Uncomment this line to install global node packages.
+# RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g <your-package-here>" 2>&1

data/.devcontainer/devcontainer.json

@@ -0,0 +1,37 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
+// https://github.com/microsoft/vscode-dev-containers/tree/v0.238.1/containers/ruby
+{
+	"name": "Ruby",
+	"build": {
+		"dockerfile": "Dockerfile",
+		"args": { 
+			// Update 'VARIANT' to pick a Ruby version: 3, 3.1, 3.0, 2, 2.7
+			// Append -bullseye or -buster to pin to an OS version.
+			// Use -bullseye variants on local on arm64/Apple Silicon.
+			"VARIANT": "3-bullseye",
+			// Options
+			"NODE_VERSION": "16"
+		}
+	},
+
+	// Configure tool-specific properties.
+	"customizations": {
+		// Configure properties specific to VS Code.
+		"vscode": {
+			// Add the IDs of extensions you want installed when the container is created.
+			"extensions": [
+				"rebornix.Ruby"
+			]
+		}
+	},
+	
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "ruby --version",
+
+	// Comment out to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
+	"remoteUser": "vscode"
+
+}

data/.dockerignore

@@ -0,0 +1 @@
+Dockerfile*

data/.github/workflows/test.yaml

@@ -0,0 +1,27 @@
+name: Tests
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        ruby-version: ['3.1', '3.0', '2.7', '2.3']
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Ruby ${{ matrix.ruby-version }}
+        uses: ruby/setup-ruby@359bebbc29cbe6c87da6bc9ea3bc930432750108
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+      - name: Install dependencies
+        run: bundle install
+      - name: Run tests
+        run: bundle exec rspec

data/.gitignore

@@ -2,3 +2,5 @@
 .bundle
 .yardoc
 pkg/*
+coverage
+Gemfile.lock

data/CHANGELOG.md

@@ -1,5 +1,100 @@
 ### Changelog
 
+### 6.2.2
+
+- Removed `rjust` from `generate_otp` in favor of more time constant version
+
+### 6.2.1
+
+- Removed old rdoc folder that was triggering a security warning due to an
+  old version of JQuery being included in the HTML docs. This has no impact
+  on the Ruby library.
+
+### 6.2.0
+
+- Update to expand compatibility with Ruby 3. This was only a change to the
+  gemspec, no code changes were necessary.
+
+### 6.1.0
+
+- Fixing URI encoding issues again, breaking out into it's own module
+  due to the complexity - closes #100 (@atcruice)
+- Add docker-compose.yml to help with easier testing
+
+### 6.0.0
+
+- Dropping support for Ruby <2.3 (Major version bump)
+- Fix issue when using --enable-frozen-string-literal Ruby option #95 (jeremyevans)
+- URI Encoding fix #94 (ksuh90)
+- Update gems (rake, addressable)
+- Update Travis tests to include Ruby 2.7
+
+### 5.1.0
+
+- Create `random_base32` to perform `random` to avoid breaking changes
+  - Still needed to bump to 5.x due to Base32 cleanup
+
+### 5.0.0
+
+- Clean up base32 implementation to match Google Autheticator
+- BREAKING `Base32.random_base32` renamed to random
+  - The argument is now byte length vs output string length for more precise bit strengths
+
+### 4.1.0
+
+- Add a digest option to the CLI #83
+- Fix provisioning URI is README #82
+- Improvements to docs
+
+### 4.0.2
+
+- Fix gemspec requirment for Addressable
+
+### 4.0.1
+
+- Rubocop for style fixes
+- Replace deprecated URI.encode with Addressable's version
+
+#### 4.0.0
+
+- Simplify API
+- Remove support for Ruby < 2.0
+- BREAKING CHANGE: Removed optional second argument (`padding`) from:
+  - `HOTP#at`
+  - `OTP#generate_otp`
+  - `TOTP#at`
+  - `TOTP#now` (first argument)
+
+#### 3.3.1
+
+- Add OpenSSL as a requirement for Ruby 2.5. Fixes #70 & #64
+- Allow Base32 with padding. #71
+- Prevent verify with drift being negative #69
+
+#### 3.3.0
+
+- Add digest algorithm parameter for non SHA1 digests - #62 from @btalbot
+
+#### 3.2.0
+
+- Add 'verify_with_drift_and_prior' to prevent prior token use - #58 from @jlfaber
+
+#### 3.1.0
+
+- Add Add digits paramater to provisioning URI. #54 from @sbc100
+
+#### 3.0.1
+
+- Use SecureRandom. See mdp/rotp/pull/52
+
+#### 3.0.0
+
+- Provisioning URL includes issuer label per RFC 5234 See mdp/rotp/pull/51
+
+#### 2.1.2
+
+- Remove string literals to prepare immutable strings in Ruby 3.0
+
 #### 2.1.1
 
 - Reorder the params for Windows Phone Authenticator - #43

data/Dockerfile-2.3

@@ -0,0 +1,10 @@
+FROM ruby:2.3
+
+RUN mkdir -p /usr/src/app
+WORKDIR /usr/src/app
+
+COPY Gemfile /usr/src/app/
+COPY . /usr/src/app
+RUN bundle install
+
+CMD ["bundle", "exec", "rspec"]

data/Dockerfile-2.7

@@ -0,0 +1,11 @@
+FROM ruby:2.7
+
+RUN mkdir -p /usr/src/app
+WORKDIR /usr/src/app
+
+COPY Gemfile /usr/src/app/
+COPY . /usr/src/app
+RUN bundle install
+
+CMD ["bundle", "exec", "rspec"]
+

data/Dockerfile-3.0-rc

@@ -0,0 +1,12 @@
+FROM ruby:3.0-rc
+
+RUN mkdir -p /usr/src/app
+WORKDIR /usr/src/app
+
+COPY Gemfile /usr/src/app/
+COPY . /usr/src/app
+RUN gem install bundler
+RUN bundle install
+
+CMD ["bundle", "exec", "rspec"]
+

data/Guardfile

@@ -1,5 +1,5 @@
 guard :rspec, cmd: 'bundle exec rspec --format progress' do
-  require "guard/rspec/dsl"
+  require 'guard/rspec/dsl'
   dsl = Guard::RSpec::Dsl.new(self)
 
   # RSpec files

data/README.md

@@ -1,19 +1,54 @@
+## Webauthn and the future of 2FA
+
+Although this library will continue to be maintained, if you're implementing a 2FA solution today, you should take a look at [Webauthn](https://webauthn.guide/). It doesn't involve shared secrets and it's supported by most modern browsers and operating systems.
+
+### Ruby resources for Webauthn
+
+- [Multi-Factor Authentication for Rails With WebAuthn and Devise](https://www.honeybadger.io/blog/multi-factor-2fa-authentication-rails-webauthn-devise/)
+- [Webauthn Ruby Gem](https://github.com/cedarcode/webauthn-ruby)
+- [Rails demo app with Webauthn](https://github.com/cedarcode/webauthn-rails-demo-app)
+
+----
+
 # The Ruby One Time Password Library
 
-[![Build Status](https://secure.travis-ci.org/mdp/rotp.png)](https://travis-ci.org/mdp/rotp)
+[![Build Status](https://github.com/mdp/rotp/actions/workflows/test.yaml/badge.svg)](https://github.com/mdp/rotp/actions/workflows/test.yaml)
 [![Gem Version](https://badge.fury.io/rb/rotp.svg)](https://rubygems.org/gems/rotp)
+[![Documentation](http://img.shields.io/badge/docs-rdoc.info-blue.svg)](https://www.rubydoc.info/github/mdp/rotp/master)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/mdp/rotp/blob/master/LICENSE)
 
-A ruby library for generating one time passwords (HOTP & TOTP) according to [RFC 4226](http://tools.ietf.org/html/rfc4226) and [RFC 6238](http://tools.ietf.org/html/rfc6238).
 
-ROTP is compatible with the [Google Authenticator](https://github.com/google/google-authenticator) available for [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) and [iPhone](https://itunes.apple.com/en/app/google-authenticator/id388497605).
+A ruby library for generating and validating one time passwords (HOTP & TOTP) according to [RFC 4226](https://datatracker.ietf.org/doc/html/rfc4226) and [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238).
+
+ROTP is compatible with [Google Authenticator](https://github.com/google/google-authenticator) available for [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) and [iPhone](https://itunes.apple.com/en/app/google-authenticator/id388497605) and any other TOTP based implementations.
 
-Many websites use this for [multi-factor authentication](https://www.youtube.com/watch?v=17rykTIX_HY), such as GMail, Facebook, Amazon EC2, WordPress, and Salesforce. You can find the whole [list here](https://en.wikipedia.org/wiki/Google_Authenticator#Usage).
+Many websites use this for [multi-factor authentication](https://www.youtube.com/watch?v=17rykTIX_HY), such as GMail, Facebook, Amazon EC2, WordPress, and Salesforce. You can find a more complete [list here](https://en.wikipedia.org/wiki/Google_Authenticator#Usage).
 
 ## Dependencies
 
 * OpenSSL
-* Ruby 1.9.3 or higher
+* Ruby 2.3 or higher
+
+## Breaking changes
+
+### Breaking changes in >= 6.0
+
+- Dropping support for Ruby <2.3
+
+### Breaking changes in >= 5.0
+
+- `ROTP::Base32.random_base32` is now `ROTP::Base32.random` and the argument
+  has changed from secret string length to byte length to allow for more
+  precision. There is an alias to allow for `random_base32` for the time being.
+- Cleaned up the Base32 implementation to match Google Authenticator's version.
+
+### Breaking changes in >= 4.0
+
+- Simplified API
+  - `verify` now takes options for `drift` and `after`,`padding` is no longer an option
+  - `verify` returns a timestamp if true, nil if false
+- Dropping support for Ruby < 2.0
+- Docs for 3.x can be found [here](https://github.com/mdp/rotp/tree/v3.x)
 
 ## Installation
 
@@ -26,60 +61,104 @@ gem install rotp
 ### Time based OTP's
 
 ```ruby
-totp = ROTP::TOTP.new("base32secret3232")
+totp = ROTP::TOTP.new("base32secret3232", issuer: "My Service")
 totp.now # => "492039"
 
-# OTP verified for current time
-totp.verify("492039") # => true
-sleep 30
-totp.verify("492039") # => false
-```
+# OTP verified for current time - returns timestamp of the current interval
+# period.
+totp.verify("492039") # => 1474590700
 
-Optionally, you can provide an issuer which will be used as a title in Google Authenticator.
+sleep 30
 
-```ruby
-totp = ROTP::TOTP.new("base32secret3232", issuer: "My Service")
+# OTP fails to verify - returns nil
+totp.verify("492039") # => nil
 ```
 
 ### Counter based OTP's
 
 ```ruby
 hotp = ROTP::HOTP.new("base32secretkey3232")
-hotp.at(0) # => "260182"
-hotp.at(1) # => "055283"
-hotp.at(1401) # => "316439"
+hotp.at(0) # => "786922"
+hotp.at(1) # => "595254"
+hotp.at(1401) # => "259769"
 
 # OTP verified with a counter
-hotp.verify("316439", 1401) # => true
-hotp.verify("316439", 1402) # => false
+hotp.verify("259769", 1401) # => 1401
+hotp.verify("259769", 1402) # => nil
+```
+
+### Preventing reuse of Time based OTP's
+
+By keeping track of the last time a user's OTP was verified, we can prevent token reuse during
+the interval window (default 30 seconds)
+
+The following is an example of this in action:
+
+```ruby
+user = User.find(someUserID)
+totp = ROTP::TOTP.new(user.otp_secret)
+totp.now # => "492039"
+
+# Let's take a look at the last time the user authenticated with an OTP
+user.last_otp_at # => 1432703530
+
+# Verify the OTP
+last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> 1472145760
+# ROTP returns the timestamp(int) of the current period
+
+# Store this on the user's account
+user.update(last_otp_at: last_otp_at)
+
+# Someone attempts to reuse the OTP inside the 30s window
+last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> nil
+# It fails to verify because we are still in the same 30s interval window
+```
+
+### Verifying a Time based OTP with drift
+
+Some users may enter a code just after it has expired. By adding 'drift' you can allow
+for a recently expired token to remain valid.
+
+```ruby
+totp = ROTP::TOTP.new("base32secret3232")
+now = Time.at(1474590600) #2016-09-23 00:30:00 UTC
+totp.at(now) # => "250939"
+
+# OTP verified for current time along with 15 seconds earlier
+# ie. User enters a code just after it expired
+totp.verify("250939", drift_behind: 15, at: now + 35) # => 1474590600
+# User waits too long. Fails to validate previous OTP
+totp.verify("250939", drift_behind: 15, at: now + 45) # => nil
 ```
 
 ### Generating a Base32 Secret key
 
 ```ruby
-ROTP::Base32.random_base32  # returns a 16 character base32 secret. Compatible with Google Authenticator
+ROTP::Base32.random  # returns a 160 bit (32 character) base32 secret. Compatible with Google Authenticator
 ```
 
 Note: The Base32 format conforms to [RFC 4648 Base32](http://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet)
 
-### Google Authenticator Compatible URI's
+### Generating QR Codes for provisioning mobile apps
 
-Provisioning URI's generated by ROTP are compatible with the Google Authenticator App
-to be scanned with the in-built QR Code scanner.
+Provisioning URI's generated by ROTP are compatible with most One Time Password applications, including
+Google Authenticator.
 
 ```ruby
-totp.provisioning_uri("alice@google.com") # => 'otpauth://totp/alice@google.com?secret=JBSWY3DPEHPK3PXP'
-hotp.provisioning_uri("alice@google.com", 0) # => 'otpauth://hotp/alice@google.com?secret=JBSWY3DPEHPK3PXP&counter=0'
+totp = ROTP::TOTP.new("base32secret3232", issuer: "My Service")
+totp.provisioning_uri("alice@google.com") # => 'otpauth://totp/My%20Service:alice%40google.com?secret=base32secret3232&issuer=My%20Service'
+
+hotp = ROTP::HOTP.new("base32secret3232", issuer: "My Service")
+hotp.provisioning_uri("alice@google.com", 0) # => 'otpauth://hotp/alice%40google.com?secret=base32secret3232&counter=0'
 ```
 
-This can then be rendered as a QR Code which can then be scanned and added to the users
-list of OTP credentials.
+This can then be rendered as a QR Code which the user can scan using their mobile phone and the appropriate application.
 
 #### Working example
 
 Scan the following barcode with your phone, using Google Authenticator
 
-![QR Code for OTP](http://chart.apis.google.com/chart?cht=qr&chs=250x250&chl=otpauth%3A%2F%2Ftotp%2Falice%40google.com%3Fsecret%3DJBSWY3DPEHPK3PXP)
+![QR Code for OTP](https://cloud.githubusercontent.com/assets/2868/18771262/54f109dc-80f2-11e6-863f-d2be62ee587a.png)
 
 Now run the following and compare the output
 
@@ -97,10 +176,25 @@ bundle install
 bundle exec rspec
 ```
 
+### Testing with Docker
+
+In order to make it easier to test against different ruby version, ROTP comes
+with a set of Dockerfiles for each version that we test against in Travis
+
+```bash
+docker build -f Dockerfile-2.6 -t rotp_2.6 .
+docker run --rm -v $(pwd):/usr/src/app rotp_2.6
+```
+
+Alternately, you may use docker-compose to run all the tests:
+
+```
+docker-compose up
+```
+
 ## Executable Usage
 
-Once the rotp rubygem is installed on your system, you should be able to run the `rotp` executable
-(if not, you might find trouble-shooting help [at this stackoverflow question](http://stackoverflow.com/a/909980)).
+The rotp rubygem includes CLI version to help with testing and debugging
 
 ```bash
 # Try this to get an overview of the commands
@@ -117,7 +211,7 @@ Have a look at the [contributors graph](https://github.com/mdp/rotp/graphs/contr
 
 ## License
 
-MIT Copyright (C) 2011 by Mark Percival, see [LICENSE](https://github.com/mdp/rotp/blob/master/LICENSE) for details.
+MIT Copyright (C) 2019 by Mark Percival, see [LICENSE](https://github.com/mdp/rotp/blob/master/LICENSE) for details.
 
 ## Other implementations
 

data/bin/rotp

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 
-$: << File.expand_path('../../lib', __FILE__)
+$LOAD_PATH << File.expand_path('../lib', __dir__)
 require 'rotp'
 require 'rotp/cli'
 

data/docker-compose.yml

@@ -0,0 +1,37 @@
+version: "3.8"
+services:
+  ruby_2_3:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.3
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_2_5:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.5
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_2_6:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.6
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_2_7:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.7
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_3_0_rc:
+    build:
+      context: .
+      dockerfile: Dockerfile-3.0-rc
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"

data/lib/rotp/arguments.rb

@@ -3,7 +3,6 @@ require 'ostruct'
 
 module ROTP
   class Arguments
-
     def initialize(filename, arguments)
       @filename = filename
       @arguments = Array(arguments)
@@ -32,11 +31,11 @@ module ROTP
 
     def parse
       return options!.mode = :help if arguments.empty?
-      parser.parse arguments
 
+      parser.parse arguments
     rescue OptionParser::InvalidOption => exception
       options!.mode = :help
-      options!.warnings = red(exception.message +  '. Try --help for help.')
+      options!.warnings = red(exception.message + '. Try --help for help.')
     end
 
     def parser
@@ -69,6 +68,10 @@ module ROTP
         parser.on_tail('-h', '--help', 'Show this message') do
           options!.mode = :help
         end
+
+        parser.on('-d', '--digest [ALGORITHM]', 'Use algorithm for the digest (default sha1)') do |digest|
+          options!.digest = digest
+        end
       end
     end
 
@@ -83,7 +86,5 @@ module ROTP
     def red(string)
       "\033[31m#{string}\033[0m"
     end
-
   end
 end
-