trusty-cms 7.0.28 → 7.0.29

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16753e005b09f59c333c5e9fd2af4bca3bd0e20f8d2da054500b3d262d1eecfa
-  data.tar.gz: c4159171a6a9f932b685cd3855bd0f931392053d4d797025e73aae1a5aa443fc
+  metadata.gz: 520f342b36983dbca58c14ba3b104f212ed80c271797d63081212d8945ca7ade
+  data.tar.gz: 8f0204809ddbd49f9d2db4dde486f92a05bd1da1f410b73764a6d79edab26b73
 SHA512:
-  metadata.gz: 3f91892e8c3e8b0aa0e3899b7796833a4e2a0e5074eacf92f5e47b7e216559b5c4d32f487f03fb725775d960d20f0cd15cea678a0a14ef42aa65c9d07cb531c2
-  data.tar.gz: f5735dc96aa6cf0c3c80686f36d48cd7d49f5b8865ffd4c2d02ab708170764b5bff91a7fb525acbff932e67c76b9adcd104f35e145ee71ce61c4c897e42c597f
+  metadata.gz: 31fd3cb0dcbf88a788b127ac94404e9b813f6af5e09a2533eceab1b7974c821f9eae10884704df8ba59ad3c4a3ee7b5885a8b65024dcda1cfe0f1d6374b8db8e
+  data.tar.gz: 5ba2f9d8b2bcbd0875d058a35e7035058beed413c835ae5ac3e66a579ecc9b14aad4a86714f8c12eaf16e877e4c5c88291260b4f243523193e8d7bfa0a9089e4

data/Gemfile

@@ -15,6 +15,7 @@ group :development, :test do
   gem 'activestorage-validator'
   gem 'acts_as_list'
   gem 'database_cleaner'
+  gem 'devise-two-factor'
   gem 'factory_bot_rails', '6.4.4'
   gem 'file_validators'
   gem 'launchy', '~> 3.0.1'

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    trusty-cms (7.0.28)
+    trusty-cms (7.0.29)
       RedCloth (= 4.3.3)
       activestorage-validator
       acts_as_list (>= 0.9.5, < 1.3.0)
@@ -11,6 +11,7 @@ PATH
       ckeditor (>= 4.2.2, < 4.4.0)
       delocalize (>= 0.2, < 2.0)
       devise
+      devise-two-factor
       drb
       execjs (~> 2.7)
       haml (>= 5.0, < 6.0)
@@ -32,6 +33,7 @@ PATH
       ransack (~> 4.2.1)
       rdoc (>= 5.1, < 7.0)
       roadie-rails
+      rqrcode
       sass-rails
       stringex (>= 2.7.1, < 2.9.0)
       tzinfo (>= 1.2.3, < 2.1.0)
@@ -133,6 +135,7 @@ GEM
       xpath (~> 3.2)
     childprocess (5.1.0)
       logger (~> 1.5)
+    chunky_png (1.4.0)
     ckeditor (4.3.0)
       orm_adapter (~> 0.5.0)
       terrapin
@@ -159,6 +162,11 @@ GEM
       railties (>= 4.1.0)
       responders
       warden (~> 1.2.3)
+    devise-two-factor (6.1.0)
+      activesupport (>= 7.0, < 8.1)
+      devise (~> 4.0)
+      railties (>= 7.0, < 8.1)
+      rotp (~> 6.0)
     diff-lcs (1.5.1)
     docile (1.4.1)
     drb (2.2.1)
@@ -346,6 +354,11 @@ GEM
     roadie-rails (3.3.0)
       railties (>= 5.1, < 8.1)
       roadie (~> 5.0)
+    rotp (6.3.0)
+    rqrcode (3.1.0)
+      chunky_png (~> 1.0)
+      rqrcode_core (~> 2.0)
+    rqrcode_core (2.0.0)
     rspec-core (3.13.2)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.3)
@@ -430,6 +443,7 @@ DEPENDENCIES
   activestorage-validator
   acts_as_list
   database_cleaner
+  devise-two-factor
   factory_bot_rails (= 6.4.4)
   file_validators
   launchy (~> 3.0.1)

data/INSTALL.md

@@ -6,8 +6,9 @@ From within the directory containing your TrustyCMS instance:
 
 2. Add the following gems to your Gemfile:
 
-- gem 'trusty-cms'
-- gem 'rails-observers'
+    - gem 'trusty-cms'
+    - gem 'rails-observers'
+    - gem 'devise-two-factor'
 
 3. Run `bundle install`
 
@@ -20,5 +21,22 @@ From within the directory containing your TrustyCMS instance:
 
 7. Add utf8 encoding to your db.yml
 
-8. Run `bundle exec rake db:setup`, `bundle exec rake trusty_cms:install:migrations`, then
+8. Set up encryption keys required for Rails’ native encryption (used by features like two-factor authentication):
+
+    - Run the encryption initializer command:
+
+    ```bash
+    ./bin/rails db:encryption:init
+    ```
+
+    - This will output three secrets. Copy the values and set them as environment variables in your preferred environment file (e.g., `.env`, `.env.development`, or via system environment settings):
+
+    ```env
+    ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+    ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+    ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
+    ```
+    - **Important**: Use different keys for each environment (development, test, production) unless two environments (e.g., development and staging) share a database — in that case, they **must** use the same keys.
+
+9. Run `bundle exec rake db:setup`, `bundle exec rake trusty_cms:install:migrations`, then
    `bundle exec rake db:bootstrap`.

data/app/assets/stylesheets/admin/modules/_buttons.scss

@@ -18,7 +18,6 @@
   text-decoration: none;
 }
 
-
 .cancel-button {
   @include button;
   background-color: $light-red;
@@ -30,3 +29,7 @@
     color: $white;
   }
 }
+
+.button-margin-top {
+  margin-top: 0.5em;
+}

data/app/assets/stylesheets/admin/partials/_forms.scss

@@ -111,3 +111,7 @@ textarea {
 #search-input {
   max-width: 25em;
 }
+
+.form-margin-top {
+  margin-top: 0.5em;
+}

data/app/controllers/admin/security_controller.rb

@@ -0,0 +1,74 @@
+require 'rqrcode'
+
+class Admin::SecurityController < ApplicationController
+  before_action :authenticate_user!
+  before_action :initialize_variables
+  before_action :initialize_two_factor_variables, only: %i[show edit update]
+
+  def show
+    set_standard_body_style
+    ensure_user_has_otp_secret
+    render :edit
+  end
+
+  def edit
+    render
+  end
+
+  def update
+    if @user.update(security_params)
+      sign_out(@user)
+      redirect_to new_user_session_path, notice: t('security_controller.password_updated')
+    else
+      flash[:error] = t('security_controller.error_updating_password')
+      render :edit
+    end
+  end
+
+  def verify_two_factor
+    if current_user.validate_and_consume_otp!(params[:otp_attempt])
+      current_user.update!(otp_required_for_login: true)
+      redirect_to admin_security_path, notice: t('security_controller.two_factor_enabled')
+    else
+      flash[:error] = t('security_controller.two_factor_invalid_code')
+      redirect_to admin_security_path
+    end
+  end
+
+  def disable_two_factor
+    if current_user.update!(otp_required_for_login: false)
+      redirect_to admin_security_path, notice: t('security_controller.two_factor_disabled')
+    else
+      flash[:error] = t('security_controller.two_factor_disabled_error')
+      redirect_to admin_security_path
+    end
+  end
+
+  private
+
+  def initialize_variables
+    @user            = current_user
+    @controller_name = 'user'
+    @template_name   = 'security'
+  end
+
+  def ensure_user_has_otp_secret
+    return if current_user.otp_secret.present?
+
+    current_user.update!(otp_secret: User.generate_otp_secret)
+  end
+
+  def initialize_two_factor_variables
+    @two_factor_enabled = current_user.otp_required_for_login
+
+    unless @two_factor_enabled
+      otp_uri = current_user.otp_provisioning_uri(current_user.email, issuer: 'TrustyCMS')
+      qr = RQRCode::QRCode.new(otp_uri)
+      @qr_png_data = qr.as_png(size: 200).to_data_url
+    end
+  end
+
+  def security_params
+    params.require(:user).permit(:password, :password_confirmation)
+  end
+end

data/app/controllers/admin/sessions_controller.rb

@@ -0,0 +1,43 @@
+class Admin::SessionsController < Devise::SessionsController
+  def create
+    user = find_user
+
+    if authenticated?(user)
+      handle_successful_authentication(user)
+    else
+      handle_failed_authentication
+    end
+  end
+
+  private
+
+  def find_user
+    User.find_by(email: params[:user][:email])
+  end
+
+  def authenticated?(user)
+    user&.valid_password?(params[:user][:password])
+  end
+
+  def handle_successful_authentication(user)
+    if user.otp_required_for_login
+      start_two_factor_session(user)
+      redirect_to admin_two_factor_path
+    else
+      sign_in(:user, user)
+      redirect_to after_sign_in_path_for(user)
+    end
+  end
+
+  def handle_failed_authentication
+    self.resource = resource_class.new(sign_in_params)
+    clean_up_passwords(resource)
+    flash.now[:alert] = t('invalid_email_or_password')
+    render :new
+  end
+
+  def start_two_factor_session(user)
+    session[:pre_2fa_user_id] = user.id
+    session[:pre_2fa_started_at] = Time.current.to_i
+  end
+end

data/app/controllers/admin/two_factor_controller.rb

@@ -0,0 +1,42 @@
+class Admin::TwoFactorController < ApplicationController
+  skip_before_action :authenticate_user!
+  before_action :load_pre_2fa_user
+
+  MAX_2FA_SESSION_DURATION = 5.minutes.freeze
+
+  def show; end
+
+  def create
+    if @user.validate_and_consume_otp!(params[:otp_attempt])
+      session.delete(:pre_2fa_user_id)
+      session.delete(:pre_2fa_started_at)
+      sign_in(:user, @user)
+      redirect_to after_sign_in_path_for(@user)
+    else
+      reset_session
+      redirect_to new_user_session_path, alert: t('two_factor_controller.invalid_code')
+    end
+  end
+
+  private
+
+  def load_pre_2fa_user
+    if current_user
+      redirect_to after_sign_in_path_for(current_user) and return
+    end
+
+    @user = User.find_by(id: session[:pre_2fa_user_id])
+
+    if !@user&.otp_required_for_login || session_expired?
+      reset_session
+      redirect_to new_user_session_path, alert: t('two_factor_controller.session_expired')
+    end
+  end
+
+  def session_expired?
+    started_at = session[:pre_2fa_started_at]
+    return true unless started_at
+
+    Time.current.to_i - started_at > MAX_2FA_SESSION_DURATION
+  end
+end

data/app/controllers/application_controller.rb

@@ -6,6 +6,7 @@ class ApplicationController < ActionController::Base
 
   protect_from_forgery with: :exception
   before_action :authenticate_user!
+  before_action :configure_permitted_parameters, if: :devise_controller?
   before_action :set_timezone
   before_action :set_user_locale
   before_action :set_javascripts_and_stylesheets
@@ -44,6 +45,12 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  protected
+
+  def configure_permitted_parameters
+    devise_parameter_sanitizer.permit(:sign_in, keys: [:otp_attempt])
+  end
+
   private
 
   def set_mailer

data/app/models/trusty_cms/config.rb

@@ -145,10 +145,6 @@ module TrustyCms
         @default_settings ||= %w{defaults.locale defaults.page.filter defaults.page.parts defaults.page.fields defaults.page.status}
       end
 
-      def user_settings
-        @user_settings ||= ['user.allow_password_reset?']
-      end
-
       # A convenient drying method for specifying a prefix and options common to several settings.
       #
       #   TrustyCms.config do |config|

data/app/models/user.rb

@@ -3,7 +3,7 @@ class User < ActiveRecord::Base
   self.table_name = 'admins'
 
   # :confirmable, :lockable, :timeoutable and :omniauthable
-  devise :database_authenticatable, :registerable,
+  devise :two_factor_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable
 
   alias_attribute :created_by_id, :id

data/app/views/admin/configuration/edit.html.haml

@@ -23,13 +23,6 @@
               %p
                 = edit_config default_setting
 
-        - form.edit_users do
-          %fieldset
-            %h4 Passwords
-            - TrustyCms.config.user_settings.each do |user_setting|
-              %p
-                = edit_config user_setting
-
       - render_region :form_bottom do |form_bottom|
         - form_bottom.edit_buttons do
           .buttons

data/app/views/admin/configuration/show.html.haml

@@ -1,4 +1,4 @@
-#preferences.box
+%fieldset
   - render_region :user do |user|
     - user.preferences do
       %h3
@@ -13,10 +13,6 @@
           = t('email_address')
         %span.uri
           = current_user.email
-      %p.ruled
-        %label
-          = t('password')
-        %big •••••
       %p.ruled
         %label
           = t('language')
@@ -25,7 +21,25 @@
       .actions
         = button_to t("edit_preferences"), edit_admin_user_path(current_user), :method => :get
 
-#config.box
+%fieldset
+  - render_region :user do |user|
+    - user.preferences do
+      %h3
+        = t('security')
+      %p.ruled
+        %label
+          = t('password')
+        %span.value
+          ••••••••••••••••••
+      %p.ruled
+        %label
+          = t('two_factor_authentication')
+        %span
+          = current_user.otp_required_for_login ? t('enabled') : t('disabled')
+      .actions
+        = button_to t('edit_security_settings'), admin_security_path, :method => :get
+
+%fieldset
   - render_region :trusty_config do |config|
     - config.site do
       %h3
@@ -40,11 +54,6 @@
         %p.ruled
           = show_config default_setting
 
-    - config.users do
-      %h4 Passwords
-      - TrustyCms.config.user_settings.each do |user_setting|
-        %p.ruled
-          = show_config user_setting
   - if current_user.admin?
     .actions
-      = button_to t("edit_configuration"), edit_admin_configuration_path, :method => :get
+      = button_to t("edit_configuration"), edit_admin_configuration_path, :method => :get

data/app/views/admin/preferences/edit.html.haml

@@ -27,12 +27,9 @@
               = f.label :email,  t("email_address"), :class => 'optional'
               = f.text_field 'email', :class => 'textbox', :maxlength => 255
 
-          - form.edit_password do
-            = render 'admin/users/password_fields', :f => f
-
         - render_region :form_bottom, :locals => {:f => f} do |form_bottom|
           - form_bottom.edit_buttons do
             .buttons
               = save_model_button @user
               = t('or')
-              = link_to t('cancel'), admin_pages_url, class: 'alt'
+              = link_to t('cancel'), admin_configuration_path, class: 'alt'

data/app/views/admin/security/edit.html.haml

@@ -0,0 +1,57 @@
+- @page_title = @user.name + ' - Security'
+- body_classes << 'edit_security'
+
+- render_region :main do |main|
+  - main.edit_header do
+    %h1
+      = t('security')
+
+  - main.edit_form do
+    %fieldset
+      %h3
+        = t('change_password')
+      = form_for @user, :url => admin_security_path, :html => { :method => :put, 'data-onsubmit_status' => "#{t('saving_changes')}&#8230;" } do |f|
+        - render_region :form, :locals => {:f => f} do |form|
+          - form.edit_password do
+            %fieldset#change-password
+              %p
+                = f.label :password, t('new_password')
+                = f.password_field 'password', :value => '', :maxlength => 40, :autocomplete => 'new-password'
+              %p
+                = f.label :password_confirmation, t('password_confirmation')
+                = f.password_field 'password_confirmation', :value => '', :maxlength => 40, :autocomplete => 'new-password'
+
+        - render_region :form_bottom, :locals => {:f => f} do |form_bottom|
+          - form_bottom.edit_buttons do
+            .buttons
+              = save_model_button @user
+
+  - main.two_factor do
+    %fieldset
+      %h3
+        = t('two_factor_authentication')
+
+      - if @two_factor_enabled
+        %fieldset
+          %p
+            = t('security_controller.two_factor_is_enabled')
+          = button_to t('disable'),
+            disable_two_factor_admin_security_path,
+            method: :post,
+            data: { confirm: t('security_controller.two_factor_disable_confirm') },
+            class: "button button-margin-top"
+      - else
+        %fieldset
+          %p
+            = t('security_controller.scan_qr_instructions')
+          = image_tag @qr_png_data, alt: t('security_controller.qr_alt')
+          %p
+            = t('security_controller.manual_key_instructions')
+          %strong= current_user.otp_secret
+
+          .form-margin-top
+            = form_with url: verify_two_factor_admin_security_path, method: :post do |form|
+              %div
+                = form.label :otp_attempt, t('security_controller.enter_qr_code')
+                = form.text_field :otp_attempt, autofocus: true, size: 6, maxlength: 6
+              = form.submit t('security_controller.verify_and_enable')

data/app/views/{devise → admin}/sessions/new.html.haml

@@ -1,10 +1,10 @@
 - body_classes << 'login_form'
 .login-form-content
   .visual
-    = image_tag('/assets/admin/default_safe_login.svg', alt: 'web browser with padlock on top')
+    = image_tag('/assets/admin/default_safe_login.svg', alt: 'Web browser with padlock on top')
   .login
-    %h1 Log in
-    = form_for(resource, as: resource_name, url: authenticate_path) do |f|
+    %h1 Log In
+    = form_for(resource, as: resource_name, url: user_session_path) do |f|
       .field
         = f.label :email
         = f.email_field :email, autofocus: true, autocomplete: 'email'
@@ -18,8 +18,8 @@
             Remember Me
       %br
       .actions
-        = f.submit 'Log in'
+        = f.submit 'Log In'
         - if devise_mapping.recoverable? && controller_name != 'passwords' && controller_name != 'registrations'
           = link_to 'Forgot your password?', new_password_path(resource_name)
       - if flash.alert
-        .error= flash.alert
+        .error= flash.alert

data/app/views/admin/two_factor/show.html.haml

@@ -0,0 +1,14 @@
+- body_classes << 'login_form'
+.login-form-content
+  .visual
+    = image_tag('/assets/admin/default_safe_login.svg', alt: 'Web browser with padlock on top')
+  .login
+    %h1
+      = t('two_factor_authentication')
+    = form_with url: admin_two_factor_path, method: :post, local: true do |form|
+      .field
+        = form.label :otp_attempt, t('security_controller.enter_qr_code')
+        = form.text_field :otp_attempt, autofocus: true, maxlength: 6, size: 6
+      %br
+      .actions
+        = form.submit t('security_controller.verify_code')

data/app/views/admin/users/_form.html.haml

@@ -15,9 +15,6 @@
       = f.label :email, t('email_address') , :class => 'optional'
       = f.text_field 'email', :class => 'textbox', :maxlength => 255
 
-    - form.edit_password do
-      = render 'password_fields', :f => f
-
     - form.edit_roles do
       - if current_user.admin?
         %fieldset.multi_option

data/app/views/devise/passwords/edit.html.haml

@@ -8,16 +8,14 @@
       = f.hidden_field :reset_password_token
       .field
         = f.label :password, 'New password'
-        %br/
         - if @minimum_password_length
           %em
             (#{@minimum_password_length} characters minimum)
-          %br/
+
         = f.password_field :password, autofocus: true, autocomplete: 'new-password'
+      %br/
       .field
         = f.label :password_confirmation, 'Confirm new password'
-        %br/
         = f.password_field :password_confirmation, autocomplete: 'new-password'
       .actions
         = f.submit 'Change my password'
-    = render 'devise/shared/links'

data/config/initializers/active_record_encryption.rb

@@ -0,0 +1,5 @@
+ActiveRecord::Encryption.configure(
+  primary_key: ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"],
+  deterministic_key: ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"],
+  key_derivation_salt: ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"]
+)

data/config/initializers/devise.rb

@@ -11,6 +11,10 @@ require 'devise'
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
+  config.warden do |manager|
+    manager.default_strategies(:scope => :user).unshift :two_factor_authenticatable
+  end
+
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.

data/config/initializers/trusty_cms_config.rb

@@ -12,7 +12,6 @@ Rails.application.reloader.to_prepare do
     config.define 'admin.pagination.per_page', type: :integer, default: 50
     config.define 'site.title', default: 'Your site title', allow_blank: false
     config.define 'site.host', default: 'www.example.com', allow_blank: false
-    config.define 'user.allow_password_reset?', default: true
     config.define 'session_timeout', default: 2.weeks
     require 'multi_site/scoped_validation'
   end

data/config/locales/en.yml

@@ -55,6 +55,7 @@ en:
     save_changes: 'Save Changes'
   cancel: 'Cancel'
   change: 'Change'
+  change_password: 'Change Password'
   clipped_extension:
     actions: Actions
     all: 'All'
@@ -155,8 +156,6 @@ en:
     site:
       title: "site title"
       host: "site domain"
-    user:
-      allow_password_reset?: "allow password reset"
   content: 'Content'
   content_type: 'Content‑Type'
   content_editor: 'Content Editor'
@@ -182,6 +181,8 @@ en:
   description: 'Description'
   design: 'Design'
   designer: 'Designer'
+  disable: 'Disable'
+  disabled: 'Disabled'
   draft: 'Draft'
   edit: 'Edit'
   editor: 'Editor'
@@ -189,14 +190,17 @@ en:
   edit_layout: 'Edit Layout'
   edit_page: 'Edit Page'
   edit_preferences: 'Edit Preferences'
+  edit_security_settings: 'Edit Security Settings'
   edit_settings: 'Edit Settings'
   edit_user: 'Edit User'
   email_address: 'E-mail Address'
+  enabled: 'Enabled'
   extension: 'Extension'
   extensions: 'Extensions'
   filter: 'Filter'
   hidden: 'Hidden'
   hide: 'Hide'
+  invalid_email_or_password: 'Invalid e-mail address or password.'
   keywords: 'Keywords'
   language: 'Language'
   layout: 'Layout'
@@ -267,11 +271,27 @@ en:
     validation_errors: "Validation errors occurred while processing this form. Please take a moment to  review the form and correct any input errors before continuing."
   reviewed: 'Reviewed'
   roles: 'Roles'
-  saving_changes: Saving Changes
-  saving_preferences: Saving preferences
-  scheduled: "Scheduled"
+  saving_changes: 'Saving Changes'
+  saving_preferences: 'Saving Preferences'
+  scheduled: 'Scheduled'
   search: 'Search'
   search_tags: 'Search Tags:'
+  security: 'Security'
+  security_controller:
+    enter_qr_code: 'Enter 6-Digit Verification Code'
+    error_updating_password: 'There was an error updating your password.'
+    manual_key_instructions: 'Or manually enter this secret key:'
+    password_updated: 'Password updated. Please log in again.'
+    scan_qr_instructions: 'Scan this QR code in your Authenticator app:'
+    two_factor_enabled: 'Two-Factor Authentication Enabled'
+    two_factor_is_enabled: 'Two-Factor Authentication is currently enabled.'
+    two_factor_disable_confirm: 'Are you sure you want to disable Two-Factor Authentication?'
+    two_factor_disabled: 'Two-Factor Authentication Disabled'
+    two_factor_disabled_error: 'Error Disabling Two-Factor Authentication'
+    two_factor_invalid_code: 'Invalid 2FA Code'
+    qr_alt: 'Scan this with Google Authenticator or Authy'
+    verify_code: 'Verify Code'
+    verify_and_enable: 'Verify and Enable 2FA'
   select:
     default: '<default>'
     inherit: '<inherit>'
@@ -312,6 +332,10 @@ en:
     at: 'at'
     by: 'by'
     last_updated: 'Last Updated'
+  two_factor_authentication: 'Two-Factor Authentication'
+  two_factor_controller:
+    invalid_code: 'Invalid two-factor authentication code.'
+    session_expired: 'Your session has expired. Please log in again.'
   type: 'Type'
   units:
     KB: "KB"

data/config/routes.rb

@@ -1,9 +1,8 @@
 TrustyCms::Application.routes.draw do
   root to: 'site#show_page'
-  devise_for :users, module: :devise, skip: :registration
-  as :user do
-    post 'authenticate', to: 'devise/sessions#create', as: :authenticate
-  end
+  devise_for :users,
+    controllers: { sessions: 'admin/sessions' },
+    skip: :registration
   post '/page-status/refresh' => 'page_status#refresh'
   get '/rad_social/mail' => 'social_mailer#social_mail_form', as: :rad_social_mail_form
   post '/rad_social/mail' => 'social_mailer#create_social_mail', as: :rad_create_social_mail
@@ -46,6 +45,11 @@ TrustyCms::Application.routes.draw do
 
   namespace :admin do
     resource :preferences
+    resource :two_factor, only: [:show, :create], controller: 'two_factor', path: 'two-factor'
+    resource :security, controller: 'security' do
+      post :verify_two_factor, on: :collection
+      post :disable_two_factor, on: :collection
+    end
     resource :configuration, controller: 'configuration'
     resources :extensions, only: :index
     resources :page_parts

data/db/migrate/20250502162215_add_devise_two_factor_to_admins.rb

@@ -0,0 +1,7 @@
+class AddDeviseTwoFactorToAdmins < ActiveRecord::Migration[7.0]
+  def change
+    add_column :admins, :otp_secret, :string
+    add_column :admins, :consumed_timestep, :integer
+    add_column :admins, :otp_required_for_login, :boolean
+  end
+end

data/lib/trusty_cms/admin_ui.rb

@@ -150,6 +150,7 @@ module TrustyCms
       settings = nav_tab('Settings')
       settings << nav_item('General', '/admin/configuration')
       settings << nav_item('Personal', '/admin/preferences')
+      settings << nav_item('Security', '/admin/security')
       settings << nav_item('Users', '/admin/users')
       settings << nav_item('Extensions', '/admin/extensions')
       nav << settings
@@ -190,13 +191,17 @@ module TrustyCms
       OpenStruct.new.tap do |user|
         user.preferences = RegionSet.new do |preferences|
           preferences.main.concat %w{edit_header edit_form}
-          preferences.form.concat %w{edit_first_name edit_last_name edit_email edit_password}
+          preferences.form.concat %w{edit_first_name edit_last_name edit_email}
           preferences.form_bottom.concat %w{edit_buttons}
         end
+        user.security = RegionSet.new do |security|
+          security.main.concat %w{edit_header edit_form two_factor}
+          security.form.concat %w{edit_password}
+          security.form_bottom.concat %w{edit_buttons}
+        end
         user.edit = RegionSet.new do |edit|
           edit.main.concat %w{edit_header edit_form}
-          edit.form.concat %w{edit_first_name edit_last_name edit_email edit_password
-                              edit_roles edit_notes}
+          edit.form.concat %w{edit_first_name edit_last_name edit_email edit_roles edit_notes}
           edit.form_bottom.concat %w{edit_buttons edit_timestamp}
         end
         user.index = RegionSet.new do |index|
@@ -231,11 +236,11 @@ module TrustyCms
       OpenStruct.new.tap do |configuration|
         configuration.show = RegionSet.new do |show|
           show.user.concat %w{preferences}
-          show.trusty_config.concat %w{site defaults users}
+          show.trusty_config.concat %w{site defaults}
         end
         configuration.edit = RegionSet.new do |edit|
           edit.main.concat %w{edit_header edit_form}
-          edit.form.concat %w{edit_site edit_defaults edit_users}
+          edit.form.concat %w{edit_site edit_defaults}
           edit.form_bottom.concat %w{edit_buttons}
         end
       end

data/lib/trusty_cms/version.rb

@@ -1,3 +1,3 @@
 module TrustyCms
-  VERSION = '7.0.28'.freeze
+  VERSION = '7.0.29'.freeze
 end

data/package.json

@@ -13,7 +13,7 @@
     "jquery-treetable": "^3.2.0-1",
     "jquery-ui": "^1.13.2",
     "jquery-ujs": "^1.2.2",
-    "jquery-validation": "^1.19.5",
+    "jquery-validation": "^1.20.0",
     "js-cookie": "^3.0.1",
     "tablesaw": "^3.1.2"
   },

data/spec/dummy/config/initializers/trusty_cms_config.rb

@@ -13,7 +13,6 @@ Rails.application.reloader.to_prepare do
     config.define 'admin.pagination.per_page', :type => :integer, :default => 50
     config.define 'site.title', :default => "Your site title", :allow_blank => false
     config.define 'site.host', :default => "www.example.com", :allow_blank => false
-    config.define 'user.allow_password_reset?', :default => true
   end
 
   TrustyCms::Application.config do |config|

data/trusty_cms.gemspec

@@ -33,6 +33,7 @@ a general purpose content management system--not merely a blogging engine.'
   s.add_dependency 'ckeditor', '>= 4.2.2', '< 4.4.0'
   s.add_dependency 'delocalize', '>= 0.2', '< 2.0'
   s.add_dependency 'devise'
+  s.add_dependency 'devise-two-factor'
   s.add_dependency 'drb'
   s.add_dependency 'execjs', '~> 2.7'
   s.add_dependency 'haml', '>= 5.0', '< 6.0'
@@ -55,6 +56,7 @@ a general purpose content management system--not merely a blogging engine.'
   s.add_dependency 'rdoc', '>= 5.1', '< 7.0'
   s.add_dependency 'RedCloth', '4.3.3'
   s.add_dependency 'roadie-rails'
+  s.add_dependency 'rqrcode'
   s.add_dependency 'sass-rails'
   s.add_dependency 'stringex', '>= 2.7.1', '< 2.9.0'
   s.add_dependency 'tzinfo', '>= 1.2.3', '< 2.1.0'

data/yarn.lock

@@ -1029,10 +1029,10 @@ jquery-ujs@^1.2.2:
   dependencies:
     jquery ">=1.8.0"
 
-jquery-validation@^1.19.5:
-  version "1.19.5"
-  resolved "https://registry.yarnpkg.com/jquery-validation/-/jquery-validation-1.19.5.tgz#557495b7cad79716897057c4447ad3cd76fda811"
-  integrity sha512-X2SmnPq1mRiDecVYL8edWx+yTBZDyC8ohWXFhXdtqFHgU9Wd4KHkvcbCoIZ0JaSaumzS8s2gXSkP8F7ivg/8ZQ==
+jquery-validation@^1.20.0:
+  version "1.20.0"
+  resolved "https://registry.yarnpkg.com/jquery-validation/-/jquery-validation-1.20.0.tgz#dbff6d8fe61b07d4b6f844bf2f5405146556b991"
+  integrity sha512-c8tg4ltIIP6L7l0bZ79sRzOJYquyjS48kQZ6iv8MJ2r0OYztxtkWYKTReZyU2/zVFYiINB29i0Z/IRNNuJQN1g==
 
 jquery@>=1.6:
   version "3.6.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: trusty-cms
 version: !ruby/object:Gem::Version
-  version: 7.0.28
+  version: 7.0.29
 platform: ruby
 authors:
 - TrustyCms CMS dev team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-11 00:00:00.000000000 Z
+date: 2025-05-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activestorage-validator
@@ -140,6 +140,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: devise-two-factor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: drb
   requirement: !ruby/object:Gem::Requirement
@@ -472,6 +486,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rqrcode
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: sass-rails
   requirement: !ruby/object:Gem::Requirement
@@ -762,8 +790,11 @@ files:
 - app/controllers/admin/preferences_controller.rb
 - app/controllers/admin/references_controller.rb
 - app/controllers/admin/resource_controller.rb
+- app/controllers/admin/security_controller.rb
+- app/controllers/admin/sessions_controller.rb
 - app/controllers/admin/sites_controller.rb
 - app/controllers/admin/snippets_controller.rb
+- app/controllers/admin/two_factor_controller.rb
 - app/controllers/admin/users_controller.rb
 - app/controllers/application_controller.rb
 - app/controllers/page_status_controller.rb
@@ -871,6 +902,8 @@ files:
 - app/views/admin/removed/_show_bucket_link.html.haml
 - app/views/admin/removed/_upload_to_page.html.haml
 - app/views/admin/removed/bucket/_iframe.html.haml
+- app/views/admin/security/edit.html.haml
+- app/views/admin/sessions/new.html.haml
 - app/views/admin/sites/_form.haml
 - app/views/admin/sites/edit.haml
 - app/views/admin/sites/index.haml
@@ -882,9 +915,9 @@ files:
 - app/views/admin/snippets/index.html.haml
 - app/views/admin/snippets/new.html.haml
 - app/views/admin/snippets/remove.html.haml
+- app/views/admin/two_factor/show.html.haml
 - app/views/admin/users/_choose_site.html.haml
 - app/views/admin/users/_form.html.haml
-- app/views/admin/users/_password_fields.html.haml
 - app/views/admin/users/edit.html.haml
 - app/views/admin/users/index.html.haml
 - app/views/admin/users/new.html.haml
@@ -892,7 +925,6 @@ files:
 - app/views/admin/welcome/login.html.haml
 - app/views/devise/passwords/edit.html.haml
 - app/views/devise/passwords/new.html.haml
-- app/views/devise/sessions/new.html.haml
 - app/views/devise/shared/_links.html.haml
 - app/views/devise_mailer/reset_password_instructions.html.haml
 - app/views/layouts/application.html.haml
@@ -915,6 +947,7 @@ files:
 - config/environments/development.rb
 - config/environments/production.rb
 - config/environments/test.rb
+- config/initializers/active_record_encryption.rb
 - config/initializers/active_record_extensions.rb
 - config/initializers/assets.rb
 - config/initializers/devise.rb
@@ -981,6 +1014,7 @@ files:
 - db/migrate/20250102212417_create_versions.rb
 - db/migrate/20250103191133_create_version_associations.rb
 - db/migrate/20250103191134_add_transaction_id_column_to_versions.rb
+- db/migrate/20250502162215_add_devise_two_factor_to_admins.rb
 - db/schema.rb
 - lib/active_record_extensions/active_record_extensions.rb
 - lib/annotatable.rb

data/app/views/admin/users/_password_fields.html.haml

@@ -1,18 +0,0 @@
-%fieldset#display_password{:style=> (@user.new_record? or !@user.valid?) ? 'display: none' : nil}
-  %label= t('password')
-  %span.value
-    •••••
-  %a.button{:href=>'#', :onclick=>"$('#display_password').hide(); $('#change_password').show()"}= t('change')
-%fieldset#change_password{:style=> (!@user.new_record? && @user.valid?) ? 'display: none' : nil}
-  %p
-    = f.label :password, t('new_password')
-    = f.password_field 'password', :value => '', :maxlength => 40, :autocomplete => 'new-password'
-  %p
-    = f.label :password_confirmation, t('password_confirmation')
-    = f.password_field 'password_confirmation', :value => '', :maxlength => 40, :autocomplete => 'new-password'
-    - unless @user.new_record?
-      %span
-        = t('or')
-        %a{:href=>'#', :class=>'cancel-button', :onclick=>" $('#display_password').show(); $('#change_password').hide()"}= t('cancel', class: 'alt')
-
-