rotp 4.0.0 → 6.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 681041e122df89a1947016e02fd7c11e3102ffc3eed78c1dcdcb5056af116afd
-  data.tar.gz: 0333b10d91241c31b7fb2b3b5b7bd0d99f0e02b471ce0d10dc5961ae98cb89d7
+  metadata.gz: 4d6cedb1952a6df3b069bb85d94e169d4aeb7878e6e4dde0dcb3fe4a2915a747
+  data.tar.gz: 2ad3bb2a4ef2575af9b976da0c59eb22b7e4d8b9e0a44e477329222feb567e09
 SHA512:
-  metadata.gz: a7454a2072e7f6b4cabd84338b2c9b1d06363102230d2c93bd244f0a486004b6363e9cd50aece371c951ae68798a6cc109798948c11034f679030bfd7106e464
-  data.tar.gz: 18e79a2ca2a61d9b6a2dd902744e344fe1be9b7f4ac2c3d4674d6c83929f69b2395d794c9d9081115678fbfc81599f50a07cf8b287ce1c7f8ed05dcee4322e13
+  metadata.gz: 90ea9ec5403ad5e0953582e4a8c17369a0722c3f79d6b5a9d25e1f756a2cc024d01824a7e469a10dd98a7289aef6b34496dc6987565885fa01b3e8d0d6fb8e8c
+  data.tar.gz: aa7a667ef8de152cca8cd67df56d0f55a03ac7429f114d619bec1ac05178c015ba6c932f6fd651f27031c860927b81a3dc98bcd53ff7ef4080120a58404cd8f8

data/.devcontainer/Dockerfile

@@ -0,0 +1,19 @@
+# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.238.1/containers/ruby/.devcontainer/base.Dockerfile
+
+# [Choice] Ruby version (use -bullseye variants on local arm64/Apple Silicon): 3, 3.1, 3.0, 2, 2.7, 3-bullseye, 3.1-bullseye, 3.0-bullseye, 2-bullseye, 2.7-bullseye, 3-buster, 3.1-buster, 3.0-buster, 2-buster, 2.7-buster
+ARG VARIANT="3.1-bullseye"
+FROM mcr.microsoft.com/vscode/devcontainers/ruby:0-${VARIANT}
+
+# [Choice] Node.js version: none, lts/*, 16, 14, 12, 10
+ARG NODE_VERSION="none"
+RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi
+
+# [Optional] Uncomment this section to install additional OS packages.
+# RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
+#     && apt-get -y install --no-install-recommends <your-package-list-here>
+
+# [Optional] Uncomment this line to install additional gems.
+# RUN gem install <your-gem-names-here>
+
+# [Optional] Uncomment this line to install global node packages.
+# RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g <your-package-here>" 2>&1

data/.devcontainer/devcontainer.json

@@ -0,0 +1,41 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
+// https://github.com/microsoft/vscode-dev-containers/tree/v0.238.1/containers/ruby
+{
+	"name": "Ruby",
+	"build": {
+		"dockerfile": "Dockerfile",
+		"args": { 
+			// Update 'VARIANT' to pick a Ruby version: 3, 3.1, 3.0, 2, 2.7
+			// Append -bullseye or -buster to pin to an OS version.
+			// Use -bullseye variants on local on arm64/Apple Silicon.
+			"VARIANT": "3-bullseye",
+			// Options
+			"NODE_VERSION": "16"
+		}
+	},
+
+	// Configure tool-specific properties.
+	"customizations": {
+		// Configure properties specific to VS Code.
+		"vscode": {
+			// Add the IDs of extensions you want installed when the container is created.
+			"extensions": [
+				"rebornix.Ruby"
+			]
+		}
+	},
+	
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "ruby --version",
+
+	// Comment out to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
+	"remoteUser": "vscode",
+	"features": {
+		"ghcr.io/devcontainers-contrib/features/act:1": {},
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {}
+	}
+
+}

data/.github/workflows/release.yaml

@@ -0,0 +1,36 @@
+name: Release
+
+on:
+  push:
+    branches:    
+      - 'main'
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: google-github-actions/release-please-action@v3
+        id: release
+        with:
+          release-type: ruby
+          package-name: rotp
+          version-file: "lib/rotp/version.rb"
+      # Checkout code if release was created
+      - uses: actions/checkout@v2
+        if: ${{ steps.release.outputs.release_created }}
+      # Setup ruby if a release was created
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.2
+          bundler-cache: true
+        if: ${{ steps.release.outputs.release_created }}
+      - name: Run tests
+        run: bundle exec rspec
+        if: ${{ steps.release.outputs.release_created }}
+      # build gem and add to release
+      - name: Upload Release Artifact
+        if: ${{ steps.release.outputs.release_created }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run:
+          gem build *.gemspec
+          gh release upload ${{ steps.release.outputs.tag_name }} *.gem

data/.github/workflows/test.yaml

@@ -0,0 +1,26 @@
+name: Tests
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        ruby-version: ['3.2', '3.0', '2.7', '2.3', truffleruby-head]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Ruby ${{ matrix.ruby-version }}
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+          bundler-cache: true
+      - name: Run tests
+        run: bundle exec rspec

data/.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "6.3.0"
+}

data/CHANGELOG.md

@@ -1,100 +1,167 @@
-### Changelog
+# Changelog
 
-#### 4.0.0
+## [6.3.0](https://github.com/mdp/rotp/compare/v6.2.2...v6.3.0) (2023-08-30)
+
+
+### Features
+
+* Allow for non-standard provisioning URI params, eg. image/icon ([#91](https://github.com/mdp/rotp/issues/91)) ([45d8aac](https://github.com/mdp/rotp/commit/45d8aac8356424897faf3a0dbda59f88b22df775))
+
+## 6.2.2
+
+- Removed `rjust` from `generate_otp` in favor of more time constant version
+
+## 6.2.1
+
+- Removed old rdoc folder that was triggering a security warning due to an
+  old version of JQuery being included in the HTML docs. This has no impact
+  on the Ruby library.
+
+## 6.2.0
+
+- Update to expand compatibility with Ruby 3. This was only a change to the
+  gemspec, no code changes were necessary.
+
+## 6.1.0
+
+- Fixing URI encoding issues again, breaking out into it's own module
+  due to the complexity - closes #100 (@atcruice)
+- Add docker-compose.yml to help with easier testing
+
+## 6.0.0
+
+- Dropping support for Ruby <2.3 (Major version bump)
+- Fix issue when using --enable-frozen-string-literal Ruby option #95 (jeremyevans)
+- URI Encoding fix #94 (ksuh90)
+- Update gems (rake, addressable)
+- Update Travis tests to include Ruby 2.7
+
+## 5.1.0
+
+- Create `random_base32` to perform `random` to avoid breaking changes
+  - Still needed to bump to 5.x due to Base32 cleanup
+
+## 5.0.0
+
+- Clean up base32 implementation to match Google Autheticator
+- BREAKING `Base32.random_base32` renamed to random
+  - The argument is now byte length vs output string length for more precise bit strengths
+
+## 4.1.0
+
+- Add a digest option to the CLI #83
+- Fix provisioning URI is README #82
+- Improvements to docs
+
+## 4.0.2
+
+- Fix gemspec requirment for Addressable
+
+## 4.0.1
+
+- Rubocop for style fixes
+- Replace deprecated URI.encode with Addressable's version
+
+## 4.0.0
 
 - Simplify API
 - Remove support for Ruby < 2.0
+- BREAKING CHANGE: Removed optional second argument (`padding`) from:
+  - `HOTP#at`
+  - `OTP#generate_otp`
+  - `TOTP#at`
+  - `TOTP#now` (first argument)
 
-#### 3.3.1
+## 3.3.1
 
 - Add OpenSSL as a requirement for Ruby 2.5. Fixes #70 & #64
 - Allow Base32 with padding. #71
 - Prevent verify with drift being negative #69
 
-#### 3.3.0
+## 3.3.0
 
 - Add digest algorithm parameter for non SHA1 digests - #62 from @btalbot
 
-#### 3.2.0
+## 3.2.0
 
 - Add 'verify_with_drift_and_prior' to prevent prior token use - #58 from @jlfaber
 
-#### 3.1.0
+## 3.1.0
 
 - Add Add digits paramater to provisioning URI. #54 from @sbc100
 
-#### 3.0.1
+## 3.0.1
 
 - Use SecureRandom. See mdp/rotp/pull/52
 
-#### 3.0.0
+## 3.0.0
 
 - Provisioning URL includes issuer label per RFC 5234 See mdp/rotp/pull/51
 
-#### 2.1.2
+## 2.1.2
 
 - Remove string literals to prepare immutable strings in Ruby 3.0
 
-#### 2.1.1
+## 2.1.1
 
 - Reorder the params for Windows Phone Authenticator - #43
 
-#### 2.1.0
+## 2.1.0
 
 - Add a CLI for generating OTP's mdp/rotp/pull/35
 
-#### 2.0.0
+## 2.0.0
 
 - Move to only comparing string OTP's.
 
-#### 1.7.0
+## 1.7.0
 
 - Move to only comparing string OTP's. See mdp/rotp/issues/32 - Moved to 2.0.0 - yanked from RubyGems
 
-#### 1.6.1
+## 1.6.1
 
 - Remove deprecation warning in Ruby 2.1.0 (@ylansegal)
 - Add Ruby 2.0 and 2.1 to Travis
 
-#### 1.6.0
+## 1.6.0
 
 - Add verify_with_retries to HOTP
 - Fix 'cgi' require and global DEFAULT_INTERVAL
 
-#### 1.5.0
+## 1.5.0
 
 - Add support for "issuer" parameter on provisioning url
 - Add support for "period/interval" parameter on provisioning url
 
-#### 1.4.6
+## 1.4.6
 
 - Revert to previous Base32
 
-#### 1.4.5
+## 1.4.5
 
 - Fix and test correct implementation of Base32
 
-#### 1.4.4
+## 1.4.4
 
 - Fix issue with base32 decoding of strings in a length that's not a multiple of 8
 
-#### 1.4.3
+## 1.4.3
 
 - Bugfix on padding
 
-#### 1.4.2
+## 1.4.2
 
 - Better padding options (Pad the output with leading 0's)
 
-#### 1.4.1
+## 1.4.1
 
 - Clean up drift logic
 
-#### 1.4.0
+## 1.4.0
 
 - Added clock drift support via 'verify_with_drift' for TOTP
 
-####1.3.0
+## 1.3.0
 
 - Added support for Ruby 1.9.x
 - Removed dependency on Base32

data/Dockerfile-2.3

@@ -1,16 +1,10 @@
 FROM ruby:2.3
 
-# throw errors if Gemfile has been modified since Gemfile.lock
-RUN bundle config --global frozen 1
-
 RUN mkdir -p /usr/src/app
 WORKDIR /usr/src/app
 
 COPY Gemfile /usr/src/app/
-COPY Gemfile.lock /usr/src/app/
 COPY . /usr/src/app
 RUN bundle install
 
-
-CMD ["bundler", "exec", "rspec"]
-
+CMD ["bundle", "exec", "rspec"]

data/Dockerfile-2.7

@@ -0,0 +1,11 @@
+FROM ruby:2.7
+
+RUN mkdir -p /usr/src/app
+WORKDIR /usr/src/app
+
+COPY Gemfile /usr/src/app/
+COPY . /usr/src/app
+RUN bundle install
+
+CMD ["bundle", "exec", "rspec"]
+

data/Dockerfile-3.0

@@ -0,0 +1,12 @@
+FROM ruby:3.0
+
+RUN mkdir -p /usr/src/app
+WORKDIR /usr/src/app
+
+COPY Gemfile /usr/src/app/
+COPY . /usr/src/app
+RUN gem install bundler
+RUN bundle install
+
+CMD ["bundle", "exec", "rspec"]
+

data/Guardfile

@@ -1,5 +1,5 @@
 guard :rspec, cmd: 'bundle exec rspec --format progress' do
-  require "guard/rspec/dsl"
+  require 'guard/rspec/dsl'
   dsl = Guard::RSpec::Dsl.new(self)
 
   # RSpec files

data/README.md

@@ -1,10 +1,24 @@
+## Webauthn and the future of 2FA
+
+Although this library will continue to be maintained, if you're implementing a 2FA solution today, you should take a look at [Webauthn](https://webauthn.guide/). It doesn't involve shared secrets and it's supported by most modern browsers and operating systems.
+
+### Ruby resources for Webauthn
+
+- [Multi-Factor Authentication for Rails With WebAuthn and Devise](https://www.honeybadger.io/blog/multi-factor-2fa-authentication-rails-webauthn-devise/)
+- [Webauthn Ruby Gem](https://github.com/cedarcode/webauthn-ruby)
+- [Rails demo app with Webauthn](https://github.com/cedarcode/webauthn-rails-demo-app)
+
+----
+
 # The Ruby One Time Password Library
 
-[![Build Status](https://travis-ci.org/mdp/rotp.svg?branch=master)](https://travis-ci.org/mdp/rotp)
+[![Build Status](https://github.com/mdp/rotp/actions/workflows/test.yaml/badge.svg)](https://github.com/mdp/rotp/actions/workflows/test.yaml)
 [![Gem Version](https://badge.fury.io/rb/rotp.svg)](https://rubygems.org/gems/rotp)
+[![Documentation](http://img.shields.io/badge/docs-rdoc.info-blue.svg)](https://www.rubydoc.info/github/mdp/rotp/master)
 [![License](https://img.shields.io/badge/license-MIT-blue.svg?style=flat)](https://github.com/mdp/rotp/blob/master/LICENSE)
 
-A ruby library for generating and validating one time passwords (HOTP & TOTP) according to [RFC 4226](http://tools.ietf.org/html/rfc4226) and [RFC 6238](http://tools.ietf.org/html/rfc6238).
+
+A ruby library for generating and validating one time passwords (HOTP & TOTP) according to [RFC 4226](https://datatracker.ietf.org/doc/html/rfc4226) and [RFC 6238](https://datatracker.ietf.org/doc/html/rfc6238).
 
 ROTP is compatible with [Google Authenticator](https://github.com/google/google-authenticator) available for [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) and [iPhone](https://itunes.apple.com/en/app/google-authenticator/id388497605) and any other TOTP based implementations.
 
@@ -13,15 +27,28 @@ Many websites use this for [multi-factor authentication](https://www.youtube.com
 ## Dependencies
 
 * OpenSSL
-* Ruby 2.0 or higher
+* Ruby 2.3 or higher
 
-## Breaking changes in >= 4.0
+## Breaking changes
+
+### Breaking changes in >= 6.0
+
+- Dropping support for Ruby <2.3
+
+### Breaking changes in >= 5.0
+
+- `ROTP::Base32.random_base32` is now `ROTP::Base32.random` and the argument
+  has changed from secret string length to byte length to allow for more
+  precision. There is an alias to allow for `random_base32` for the time being.
+- Cleaned up the Base32 implementation to match Google Authenticator's version.
+
+### Breaking changes in >= 4.0
 
 - Simplified API
-  - `verify` now takes options for `drift` and `after`
+  - `verify` now takes options for `drift` and `after`,`padding` is no longer an option
   - `verify` returns a timestamp if true, nil if false
 - Dropping support for Ruby < 2.0
-- Docs for 3.x can be found [here](https://github.com/mdp/rotp/tree/v3.3.0)
+- Docs for 3.x can be found [here](https://github.com/mdp/rotp/tree/v3.x)
 
 ## Installation
 
@@ -56,8 +83,8 @@ hotp.at(1) # => "595254"
 hotp.at(1401) # => "259769"
 
 # OTP verified with a counter
-hotp.verify("316439", 1401) # => 1401
-hotp.verify("316439", 1402) # => nil
+hotp.verify("259769", 1401) # => 1401
+hotp.verify("259769", 1402) # => nil
 ```
 
 ### Preventing reuse of Time based OTP's
@@ -68,18 +95,21 @@ the interval window (default 30 seconds)
 The following is an example of this in action:
 
 ```ruby
-User.find(someUserID)
+user = User.find(someUserID)
 totp = ROTP::TOTP.new(user.otp_secret)
 totp.now # => "492039"
 
+# Let's take a look at the last time the user authenticated with an OTP
 user.last_otp_at # => 1432703530
 
 # Verify the OTP
 last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> 1472145760
 # ROTP returns the timestamp(int) of the current period
+
 # Store this on the user's account
 user.update(last_otp_at: last_otp_at)
-# Someone attempts to reused the OTP inside the 30s window
+
+# Someone attempts to reuse the OTP inside the 30s window
 last_otp_at = totp.verify("492039", after: user.last_otp_at) #=> nil
 # It fails to verify because we are still in the same 30s interval window
 ```
@@ -104,7 +134,7 @@ totp.verify("250939", drift_behind: 15, at: now + 45) # => nil
 ### Generating a Base32 Secret key
 
 ```ruby
-ROTP::Base32.random_base32  # returns a 32 character base32 secret. Compatible with Google Authenticator
+ROTP::Base32.random  # returns a 160 bit (32 character) base32 secret. Compatible with Google Authenticator
 ```
 
 Note: The Base32 format conforms to [RFC 4648 Base32](http://en.wikipedia.org/wiki/Base32#RFC_4648_Base32_alphabet)
@@ -115,8 +145,11 @@ Provisioning URI's generated by ROTP are compatible with most One Time Password
 Google Authenticator.
 
 ```ruby
-totp.provisioning_uri("alice@google.com") # => 'otpauth://totp/issuer:alice@google.com?secret=JBSWY3DPEHPK3PXP'
-hotp.provisioning_uri("alice@google.com", 0) # => 'otpauth://hotp/issuer:alice@google.com?secret=JBSWY3DPEHPK3PXP&counter=0'
+totp = ROTP::TOTP.new("base32secret3232", issuer: "My Service")
+totp.provisioning_uri("alice@google.com") # => 'otpauth://totp/My%20Service:alice%40google.com?secret=base32secret3232&issuer=My%20Service'
+
+hotp = ROTP::HOTP.new("base32secret3232", issuer: "My Service")
+hotp.provisioning_uri("alice@google.com", 0) # => 'otpauth://hotp/My%20Service:alice%40google.com?secret=base32secret3232&issuer=My%20Service&counter=0'
 ```
 
 This can then be rendered as a QR Code which the user can scan using their mobile phone and the appropriate application.
@@ -143,9 +176,25 @@ bundle install
 bundle exec rspec
 ```
 
+### Testing with Docker
+
+In order to make it easier to test against different ruby version, ROTP comes
+with a set of Dockerfiles for each version that we test against in Travis
+
+```bash
+docker build -f Dockerfile-2.6 -t rotp_2.6 .
+docker run --rm -v $(pwd):/usr/src/app rotp_2.6
+```
+
+Alternately, you may use docker-compose to run all the tests:
+
+```
+docker-compose up
+```
+
 ## Executable Usage
 
-The rotp rubygem includes an executable for helping with testing and debugging
+The rotp rubygem includes CLI version to help with testing and debugging
 
 ```bash
 # Try this to get an overview of the commands
@@ -162,7 +211,7 @@ Have a look at the [contributors graph](https://github.com/mdp/rotp/graphs/contr
 
 ## License
 
-MIT Copyright (C) 2016 by Mark Percival, see [LICENSE](https://github.com/mdp/rotp/blob/master/LICENSE) for details.
+MIT Copyright (C) 2019 by Mark Percival, see [LICENSE](https://github.com/mdp/rotp/blob/master/LICENSE) for details.
 
 ## Other implementations
 

data/bin/rotp

@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby
 
-$: << File.expand_path('../../lib', __FILE__)
+$LOAD_PATH << File.expand_path('../lib', __dir__)
 require 'rotp'
 require 'rotp/cli'
 

data/docker-compose.yml

@@ -0,0 +1,37 @@
+version: "3.8"
+services:
+  ruby_2_3:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.3
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_2_5:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.5
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_2_6:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.6
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_2_7:
+    build:
+      context: .
+      dockerfile: Dockerfile-2.7
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"
+  ruby_3_0:
+    build:
+      context: .
+      dockerfile: Dockerfile-3.0
+    volumes:
+      - "./lib:/usr/src/app/lib"
+      - "./spec:/usr/src/app/spec"

data/lib/rotp/arguments.rb

@@ -3,7 +3,6 @@ require 'ostruct'
 
 module ROTP
   class Arguments
-
     def initialize(filename, arguments)
       @filename = filename
       @arguments = Array(arguments)
@@ -32,11 +31,11 @@ module ROTP
 
     def parse
       return options!.mode = :help if arguments.empty?
-      parser.parse arguments
 
+      parser.parse arguments
     rescue OptionParser::InvalidOption => exception
       options!.mode = :help
-      options!.warnings = red(exception.message +  '. Try --help for help.')
+      options!.warnings = red(exception.message + '. Try --help for help.')
     end
 
     def parser
@@ -69,6 +68,10 @@ module ROTP
         parser.on_tail('-h', '--help', 'Show this message') do
           options!.mode = :help
         end
+
+        parser.on('-d', '--digest [ALGORITHM]', 'Use algorithm for the digest (default sha1)') do |digest|
+          options!.digest = digest
+        end
       end
     end
 
@@ -83,7 +86,5 @@ module ROTP
     def red(string)
       "\033[31m#{string}\033[0m"
     end
-
   end
 end
-