two_factor_auth 0.1.1

data/app/views/two_factor_auth/authentications/new.html.erb

@@ -0,0 +1,30 @@
+Touch your two factor authentication device to complete authentication.
+
+<script src="chrome-extension://pfboblefjcgdjicmnffhdgionmgcdmne/u2f-api.js"></script>
+<script>
+  //console.log("starting", <%= raw authentication_request.serialized %>);
+  u2f.sign([<%= raw authentication_request.serialized %>], function (result) {
+    //console.log(result);
+    // if keyHandle is wrong, it fails with:
+    // {errorCode: 1, errorMessage: "device status code: 2"}
+    if (result.errorCode) {
+      var errors = document.getElementsByClassName('twofactorauth-status')[0];
+      if (result.errorCode == 4) {
+        errors.innerHTML = "Unable to authenticate. You registered with a different device. Error code: " + result.errorCode;
+      } else {
+        errors.innerHTML = "Unable to authenticate. Error code: " + result.errorCode;
+      }
+      return;
+    }
+    var form = document.getElementById('two-factor-auth-authentication');
+    form.elements.keyHandle.value = result.keyHandle;
+    form.elements.signatureData.value = result.signatureData;
+    form.elements.clientData.value = result.clientData;
+    form.submit();
+  });
+</script>
+<%= form_tag(two_factor_auth_authentication_path, method: :post, id: 'two-factor-auth-authentication') do %>
+  <%= hidden_field_tag :keyHandle %>
+  <%= hidden_field_tag :signatureData %>
+  <%= hidden_field_tag :clientData %>
+<% end %>

data/app/views/two_factor_auth/registrations/new.html.erb

@@ -0,0 +1,26 @@
+<p>
+  Touch your two factor authentication device to complete registration.
+</p>
+
+<script src="chrome-extension://pfboblefjcgdjicmnffhdgionmgcdmne/u2f-api.js"></script>
+<script>
+  console.log("starting", <%= raw registration_request.serialized %>);
+  u2f.register([<%= raw registration_request.serialized %>], [], function (result) {
+    //console.log("callback", result);
+    if (result.errorCode) {
+      document.getElementsByClassName('twofactorauth-status')[0]
+              .innerHTML = "Failed. Error code: " + result.errorCode;
+      return;
+    }
+    var form = document.getElementById('two-factor-auth-registration');
+    form.elements.clientData.value = result.clientData;
+    form.elements.registrationData.value = result.registrationData;
+    form.elements.challenge.value = result.challenge;
+    form.submit();
+  });
+</script>
+<%= form_tag(two_factor_auth_registrations_path, method: :post, id: 'two-factor-auth-registration') do %>
+  <%= hidden_field_tag :clientData %>
+  <%= hidden_field_tag :registrationData %>
+  <%= hidden_field_tag :challenge %>
+<% end %>

data/config/routes.rb

@@ -0,0 +1,3 @@
+TwoFactorAuth::Engine.routes.draw do
+  two_factor_auth_for :users
+end

data/lib/generators/templates/README

@@ -0,0 +1,6 @@
+==============================================================================
+TwoFactorAuth gem installed. To integrate with your site, follow the steps in
+the README on GitHub or by running:
+
+rake two_factor_auth:readme
+==============================================================================

data/lib/generators/templates/initializer.rb

@@ -0,0 +1,38 @@
+# Set facet_domain to the domain name your users see in the URL bar
+if Rails.env.production?
+  TwoFactorAuth.facet_domain = "https://www.example.com"
+
+  # Optional: If you have in-depth knowledge of the U2F spec and wnat to
+  # generate your own Trusted Facet List, delete the production facet_domain
+  # setting above and customize this: (you can still use facet_domain in dev)
+  # TwoFactorAuth.trusted_facet_list_url = 'https://www.example.com/ExampleAppId'
+elsif Rails.env.staging?
+  TwoFactorAuth.facet_domain = "https://staging.example.com"
+else
+  # The standard prohibits "localhost" or "local.dev", add an alias to /etc/hosts and use that
+  TwoFactorAuth.facet_domain = "http://local2fa.example.com:3000"
+end
+
+# Optional: if you want your users to be able to authenticate against multiple
+# domains names or apps, they will *all* have to be served via https and
+# listed here. Yes, 'www.example.com' and 'example.com' count as different.
+TwoFactorAuth.facets = [
+  # 'https://example.com',
+  # 'https://www.example.com',
+  # 'https://www.example.net',
+  # 'https://blog.example.com',
+  # 'https://admin.example.com',
+  # 'https://staging.example.com',
+  # 'https://account.example.com',
+
+  # Use this format for iOS apps:
+  # 'ios:bundle-id:example-ios-bundle-id',
+
+  # Use this format for Android apps, inserting the sha1 (see below):
+  # 'android:apk-key-hash:example-sha1-hash-of-apk-signing-cert',
+  # To get the sha1, edit this command to include your keystore path and run
+  # it in Linux, BSD, or OS X to export the signing certificate in DER format,
+  # hash, base64 encode and trim trailing '=':
+  # keytool -exportcert -alias androiddebugkey -keystore <your-path-to-apk-signing-keystore> &>2 /dev/null | openssl sha1 -binary | openssl base64 | sed 's/=//g'
+]
+

data/lib/generators/templates/migration.rb

@@ -0,0 +1,15 @@
+class CreateTwoFactorAuthRegistrations < ActiveRecord::Migration
+  def change
+    create_table :two_factor_auth_registrations do |t|
+      t.references :login, polymorphic: true, null: false, index: true
+      t.binary :key_handle,  null: false, limit: 65 # Defined in FIDO spec
+      t.binary :public_key,  null: false, limit: 10.kilobytes
+      t.binary :certificate, null: false, limit: 1.megabyte, default: ""
+      t.integer :counter,    null: false, limit: 5, default: 0 # limit in bytes; no easy way to get a 32b *unsigned*
+      t.timestamp :last_authenticated_at, null: false
+      t.timestamps
+    end
+    add_index :two_factor_auth_registrations, :key_handle
+    add_index :two_factor_auth_registrations, :last_authenticated_at
+  end
+end

data/lib/generators/two_factor_auth/install_generator.rb

@@ -0,0 +1,32 @@
+require 'rails/generators/base'
+require 'securerandom'
+
+module TwoFactorAuth
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path("../../templates", __FILE__)
+
+      desc "Creates a TwoFactorAuth migration"
+
+      # Rails implies Migration is mixed into Base (false), and there's no
+      # explanation for why I must define this method. Clearly I'm missing
+      # something stupid because there are no docs for this in Rails 4.
+      include Rails::Generators::Migration
+      def self.next_migration_number(path)
+        Time.now.utc.strftime("%Y%m%d%H%M%S")
+      end
+
+      def copy_migration
+        migration_template "migration.rb", "db/migrate/create_two_factor_auth_registrations.rb"
+      end
+
+      def copy_initializer
+        copy_file "initializer.rb", "config/initializers/two_factor_auth.rb"
+      end
+
+      def show_readme
+        readme "README" if behavior == :invoke
+      end
+    end
+  end
+end

data/lib/tasks/two_factor_auth_tasks.rake

@@ -0,0 +1,13 @@
+namespace :two_factor_auth do
+  desc "View the TwoFactorAuth readme"
+  task :readme do
+    begin
+      pager = ENV['PAGER']
+      pager = 'less' if pager.blank?
+      readme = File.expand_path("../../../README.md", __FILE__)
+      exec "#{pager} #{readme}"
+    rescue Errno::ENOENT
+      puts "Sorry, couldn't automatically print it... here's the readme:", readme
+    end
+  end
+end

data/lib/two_factor_auth/authentication_hook.rb

@@ -0,0 +1,18 @@
+module TwoFactorAuth
+  module AuthenticationHook
+    include TwoFactorAuth::ApplicationHelper
+
+    before_action :two_factor_auth_authentication
+
+    private
+
+    def two_factor_auth_authentication
+      if user_signed_in? and !user_two_factor_auth_authenticated?
+        redirect_to new_two_factor_auth_authentication_path
+        return false
+      end
+      true
+    end
+  end
+end
+

data/lib/two_factor_auth/engine.rb

@@ -0,0 +1,5 @@
+module TwoFactorAuth
+  class Engine < ::Rails::Engine
+    isolate_namespace TwoFactorAuth
+  end
+end

data/lib/two_factor_auth/registration_hook.rb

@@ -0,0 +1,17 @@
+module TwoFactorAuth
+  module RegistrationHook
+    include TwoFactorAuth::ApplicationHelper
+
+    before_action :two_factor_auth_registration
+
+    private
+
+    def two_factor_auth_registration
+      if user_signed_in? and !user_two_factor_auth_registered?
+        redirect_to new_two_factor_auth_registrations_path
+        return false
+      end
+      true
+    end
+  end
+end

data/lib/two_factor_auth/version.rb

@@ -0,0 +1,3 @@
+module TwoFactorAuth
+  VERSION = "0.1.1"
+end

data/lib/two_factor_auth.rb

@@ -0,0 +1,155 @@
+require "two_factor_auth/engine"
+
+require 'base64'
+require 'json'
+require 'openssl'
+require 'active_model'
+require 'active_model/validator'
+
+module TwoFactorAuth
+  U2F_VERSION = 'U2F_V2'
+
+  class TwoFactorAuthError < RuntimeError ; end
+    class CantGenerateRandomNumbers < TwoFactorAuthError ; end
+    class InvalidPublicKey < TwoFactorAuthError ; end
+    class InvalidFacetDomain < TwoFactorAuthError ; end
+
+
+  def self.facet_domain= facet_domain
+    if facet_domain =~ /localhost(:\d+)?\/?$/
+      raise InvalidFacetDomain, "Facet domain can't be localhost, edit /etc/hosts to make a custom hostname"
+    end
+    if facet_domain =~ /\.dev(:\d+)?\/?$/
+      raise InvalidFacetDomain, "Facet domain needs a real TLD, not .dev. Edit /etc/hosts to make a custom hostname"
+    end
+    if facet_domain == "https://www.example.com"
+      raise InvalidFacetDomain, "You need to cusomize the facet_domain in config/initializers/two_factor_auth.rb"
+    end
+
+    @facet_domain = facet_domain.sub(/\/$/, '')
+  end
+
+  def self.facet_domain
+    @facet_domain
+  end
+
+  def self.trusted_facet_list_url= url
+    @trusted_facet_list_url = url
+  end
+
+  def self.trusted_facet_list_url
+    @trusted_facet_list_url or "#{facet_domain}/two_factor_auth/trusted_facets"
+  end
+
+  def self.facets= facets
+    @facets = facets
+  end
+
+  def self.facets
+    if @facets.nil? or @facets.empty?
+      [facet_domain]
+    else
+      @facets
+    end
+  end
+
+  def self.websafe_base64_encode str
+    # PHP code removes trailing =s, don't know why
+    Base64.urlsafe_encode64(str).sub(/=+$/,'')
+  end
+
+  def self.websafe_base64_decode encoded
+    # pad back out to decode
+    padded = encoded.ljust((encoded.length/4.0).ceil * 4, '=')
+    Base64.urlsafe_decode64(padded)
+  end
+
+  def self.random_encoded_challenge
+    random = OpenSSL::Random.pseudo_bytes(32)
+    TwoFactorAuth::websafe_base64_encode(random)
+  rescue OpenSSL::Random::RandomError
+    raise CantGenerateRandomNumbers, "Not enough entropy to generate secure challenges"
+  end
+
+  def self.decode_pubkey raw
+    bn = OpenSSL::BN.new(raw, 2)
+    group = OpenSSL::PKey::EC::Group.new('prime256v1')
+    point = OpenSSL::PKey::EC::Point.new(group, bn)
+  rescue OpenSSL::PKey::EC::Point::Error => e
+    raise InvalidPublicKey, "Invalid public key: #{e.message}"
+  end
+
+  def self.pubkey_valid? raw
+    pk = decode_pubkey raw
+    pk.on_curve?
+  rescue InvalidPublicKey
+    false
+  end
+end
+
+module ActiveModel
+  module Validations
+    class AssociatedValidator < ActiveModel::EachValidator #:nodoc:
+      def validate_each(record, attribute, value)
+        if Array.wrap(value).reject {|r| r.valid?}.any?
+          record.errors.add(attribute, value.errors.full_messages.join("; "), options.merge(:value => value))
+        end
+      end
+    end
+
+    module ClassMethods
+      # Validates whether the associated object or objects are all valid.
+      # Works with any kind of association.
+      #
+      #   class Book < ActiveRecord::Base
+      #     has_many :pages
+      #     belongs_to :library
+      #
+      #     validates_associated :pages, :library
+      #   end
+      #
+      # WARNING: This validation must not be used on both ends of an association.
+      # Doing so will lead to a circular dependency and cause infinite recursion.
+      #
+      # NOTE: This validation will not fail if the association hasn't been
+      # assigned. If you want to ensure that the association is both present and
+      # guaranteed to be valid, you also need to use +validates_presence_of+.
+      #
+      # Configuration options:
+      #
+      # * <tt>:message</tt> - A custom error message (default is: "is invalid").
+      # * <tt>:on</tt> - Specifies when this validation is active. Runs in all
+      #   validation contexts by default (+nil+), other options are <tt>:create</tt>
+      #   and <tt>:update</tt>.
+      # * <tt>:if</tt> - Specifies a method, proc or string to call to determine
+      #   if the validation should occur (e.g. <tt>if: :allow_validation</tt>,
+      #   or <tt>if: Proc.new { |user| user.signup_step > 2 }</tt>). The method,
+      #   proc or string should return or evaluate to a +true+ or +false+ value.
+      # * <tt>:unless</tt> - Specifies a method, proc or string to call to
+      #   determine if the validation should not occur (e.g. <tt>unless: :skip_validation</tt>,
+      #   or <tt>unless: Proc.new { |user| user.signup_step <= 2 }</tt>). The
+      #   method, proc or string should return or evaluate to a +true+ or +false+
+      #   value.
+      def validates_associated(*attr_names)
+        validates_with AssociatedValidator, _merge_attributes(attr_names)
+      end
+    end
+  end
+end
+
+module ActionDispatch::Routing
+  class Mapper
+    def two_factor_auth_for resource
+      begin
+        klass = resource.to_s.classify.constantize
+      rescue NameError
+        warn "You included two_factor_auth_for #{resource.inspect} in your routes but there is no model defined in your system"
+      end
+      namespace :two_factor_auth do
+        resources(:registrations,   only: [:new, :create])
+        resource(:authentication,   only: [:new, :create])
+        resources(:trusted_facets,  only: [:index])
+      end
+    end
+  end
+end

data/test/controllers/two_factor_auth/authentications_controller_test.rb

@@ -0,0 +1,70 @@
+require "test_helper"
+
+module TwoFactorAuth
+  describe AuthenticationsController do
+    let(:current_user) { User.create!(email: 'user@example.com', password: 'password') }
+    let(:registration) { Registration.create!({
+      login: current_user,
+      key_handle:  TwoFactorAuth.websafe_base64_decode("fNKqlc0cHr7CcAScmiwJF3qL5WP5YY9vSZR5i474rPWmg8qjTHIckZA_v2Xioj6RB6BNJqzxUVUwG6wfksKXtA"),
+      public_key:  TwoFactorAuth.websafe_base64_decode("BDnGR0Pm03VuO2HSBBubLHZr69y1MQgUFgeSjaGpMtdaF7NE331Q2pxn6_03aClOxPLxEBuKx4iaTRdW6r5YFKs"),
+      certificate: TwoFactorAuth.websafe_base64_decode("MIICHDCCAQagAwIBAgIEJNurQDALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCsxKTAnBgNVBAMMIFl1YmljbyBVMkYgRUUgU2VyaWFsIDEzNTAzMjc3ODg4MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEArCUvjR9R3lBxHeOvsXKTe0qR5-qHm_sOa_r3gwgcMtb1L1pyWp447-HUf61eRuN-srClAF1HLFXuXwJ5DkaNqMSMBAwDgYKKwYBBAGCxAoBAQQAMAsGCSqGSIb3DQEBCwOCAQEAo2OuDpg68wu68SyLLfNaWb8cu0obD8toxIRVhJD2hzRYZbjbAmnDRuVTiEwsVgevDqJ7kKyM8e9DH3KsGJ2yHIJJFL8XiKVRGjPQe0yONGR86fYeFRapqbNukApAIGH2mqRuEsUyuZP5Qj76qkz5o7ZUtN3e8pJKVI_VmZVRDdT39Nmk1SGThzxxybh-hoU-ni2nXo8MbSgwU3TU791eFJb4wzkGEHvWi9Y1DarSw3gR7KPKQ7yTC3NAl972nWiNlFUMTPsYqeJLhqLl2I9JmJmgm85bgQxTbK85Dci93pYN8zDKyrwFIaGDI5V__rylnKkLILENCbUjHFjCfrpngw"),
+      counter: 3,
+      last_authenticated_at: Time.now,
+    }) }
+    let(:challenge) { "430x3zbNg7tdHBds3_aXoSjp81xWe_2eZoEgR856tv8" }
+    let(:clientData) { "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiwiY2hhbGxlbmdlIjoiNDMweDN6Yk5nN3RkSEJkczNfYVhvU2pwODF4V2VfMmVab0VnUjg1NnR2OCIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbC5maWRvbG9naW4uY29tOjMwMDAiLCJjaWRfcHVia2V5IjoiIn0" }
+    let(:signatureData) { "AQAAABAwRgIhAPueB6u8s63myrtQBT7KNOR3c4CVoNPVAiEkSOB8WGzqAiEA5zYbDQopgsVUl3d3pC947pKFSSIJs00ouC3xn3m7Pxo" }
+
+    before do
+      TwoFactorAuth.trusted_facet_list_url = "http://local.fidologin.com:3000"
+      register_as current_user, registration
+    end
+
+    describe "#new" do
+      it "has a form linking to create" do
+        get :new
+        assert_response :success
+        assert_select "form[action='/two_factor_auth/authentication']"
+      end
+
+      it "does not prompt for re-authentication if you already have" do
+        authenticate_as current_user, registration
+        get :new
+        assert_response :redirect
+      end
+    end
+
+    describe "#create" do
+      it "clears the pending challenge" do
+        controller.stub(:user_session, { 'pending_authentication_request_challenge' => challenge }) do
+          post :create, keyHandle: TwoFactorAuth.websafe_base64_encode(registration.key_handle), clientData: clientData, signatureData: signatureData
+          controller.user_session.wont_include 'pending_authentication_request_challenge'
+        end
+      end
+
+      describe "success" do
+
+        it "creates a Registration when the challenge is verified" do
+          controller.stub(:user_session, { 'pending_authentication_request_challenge' => challenge }) do
+            post :create, keyHandle: TwoFactorAuth.websafe_base64_encode(registration.key_handle), clientData: clientData, signatureData: signatureData
+            assert_response :redirect
+            assert_redirected_to '/'
+            controller.send(:user_two_factor_auth_authenticated?).must_equal true
+          end
+        end
+
+      end
+
+      describe "failure" do
+        it "renders an error when challenge is not verified" do
+          controller.stub(:user_session, { 'pending_authentication_request_challenge' => 'not matched' }) do
+            post :create, keyHandle: TwoFactorAuth.websafe_base64_encode(registration.key_handle), clientData: clientData, signatureData: signatureData
+            controller.send(:user_two_factor_auth_authenticated?).must_equal false
+            response.status.must_equal 406
+            response.body.must_include 'Unable to authenticate'
+          end
+        end
+      end
+    end
+  end
+end

data/test/controllers/two_factor_auth/registrations_controller_test.rb

@@ -0,0 +1,57 @@
+require "test_helper"
+
+module TwoFactorAuth
+  describe RegistrationsController do
+    let(:current_user) { User.create!(email: 'user@example.com', password: 'password') }
+    let(:clientData) { "eyJ0eXAiOiJuYXZpZ2F0b3IuaWQuZmluaXNoRW5yb2xsbWVudCIsImNoYWxsZW5nZSI6IjVmeGF6cWFuUkh0ZDdBdEVIQkd4eERwU2o2bWRCRjI2WEY0eGRBOW03SnciLCJvcmlnaW4iOiJodHRwOi8vbG9jYWwuZmlkb2xvZ2luLmNvbTozMDAwIiwiY2lkX3B1YmtleSI6IiJ9" }
+    let(:registrationData) { "BQQqdFC3zhANYW9DmErAjFQYZjBExK22PLx-ViMOch04-wZ990aqOcF2gxS5gzSUDKzpPGXpliMk3UoXgYlC2QNuQGbQ4E5v_UrLCzT58SXg902p9JXmLboTF42QkuZXIbdea_97h96lVovJ7xrA-iWTrZiOSRVZoBZsTrCW64XMrUcwggIcMIIBBqADAgECAgQk26tAMAsGCSqGSIb3DQEBCzAuMSwwKgYDVQQDEyNZdWJpY28gVTJGIFJvb3QgQ0EgU2VyaWFsIDQ1NzIwMDYzMTAgFw0xNDA4MDEwMDAwMDBaGA8yMDUwMDkwNDAwMDAwMFowKzEpMCcGA1UEAwwgWXViaWNvIFUyRiBFRSBTZXJpYWwgMTM1MDMyNzc4ODgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQCsJS-NH1HeUHEd46-xcpN7SpHn6oeb-w5r-veDCBwy1vUvWnJanjjv4dR_rV5G436ysKUAXUcsVe5fAnkORo2oxIwEDAOBgorBgEEAYLECgEBBAAwCwYJKoZIhvcNAQELA4IBAQCjY64OmDrzC7rxLIst81pZvxy7ShsPy2jEhFWEkPaHNFhluNsCacNG5VOITCxWB68OonuQrIzx70MfcqwYnbIcgkkUvxeIpVEaM9B7TI40ZHzp9h4VFqmps26QCkAgYfaapG4SxTK5k_lCPvqqTPmjtlS03d7ykkpUj9WZlVEN1Pf02aTVIZOHPHHJuH6GhT6eLadejwxtKDBTdNTv3V4UlvjDOQYQe9aL1jUNqtLDeBHso8pDvJMLc0CX3vadaI2UVQxM-xip4kuGouXYj0mYmaCbzluBDFNsrzkNyL3elg3zMMrKvAUhoYMjlX_-vKWcqQsgsQ0JtSMcWMJ-umeDMEUCIQCPkI4L_gHM88JrqJj_ZNRghQyC0gJyCC9RBrnfI2mDTwIgPOuEiD1AOfRaGO_EaHi-z4XyIGDhkG8-BYH-syVY5_o" }
+
+    before do
+      TwoFactorAuth.trusted_facet_list_url = "http://local.fidologin.com:3000"
+      sign_in current_user
+    end
+
+    describe "#new" do
+      it "has a form linking to create" do
+        get :new
+        assert_response :success
+        assert_select "form[action='/two_factor_auth/registrations']"
+      end
+    end
+
+    describe "#create" do
+      it "clears the pending challenge" do
+        controller.stub(:user_session, { 'pending_registration_request_challenge' => '5fxazqanRHtd7AtEHBGxxDpSj6mdBF26XF4xdA9m7Jw' }) do
+          post :create, clientData: clientData, registrationData: registrationData
+          controller.user_session.wont_include 'pending_registration_request_challenge'
+        end
+      end
+
+      describe "success" do
+
+        it "creates a Registration when the challenge is verified" do
+          controller.stub(:user_session, { 'pending_registration_request_challenge' => '5fxazqanRHtd7AtEHBGxxDpSj6mdBF26XF4xdA9m7Jw' }) do
+            Registration.count.must_equal 0
+            post :create, clientData: clientData, registrationData: registrationData
+            assert_response :redirect
+            assert_redirected_to '/'
+            current_user.registrations.count.must_equal 1
+          end
+        end
+
+      end
+
+      describe "failure" do
+        it "renders an error when challenge is not verified" do
+          controller.stub(:user_session, { 'pending_registration_request_challenge' => 'not matched' }) do
+            Registration.count.must_equal 0
+            post :create, clientData: clientData, registrationData: registrationData
+            response.status.must_equal 406
+            Registration.count.must_equal 0
+            response.body.must_include 'Unable to register'
+          end
+        end
+      end
+    end
+  end
+end

data/test/controllers/two_factor_auth/trusted_facets_controller_test.rb

@@ -0,0 +1,17 @@
+require "test_helper"
+
+module TwoFactorAuth
+  describe TrustedFacetsController do
+    it "returns the list of facets as json" do
+      TwoFactorAuth.facets = [ 'https://example.com', 'https://admin.example.com' ]
+      get :index
+      facets = JSON::parse(response.body)
+      facets.must_equal TwoFactorAuth.facets
+    end
+
+    it "has the U2F mimetype" do
+      get :index
+      response.content_type.must_equal "application/fido.trusted-apps+json"
+    end
+  end
+end

data/test/dummy/README.rdoc

@@ -0,0 +1,28 @@
+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.

data/test/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks

data/test/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/test/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/test/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,5 @@
+class ApplicationController < ActionController::Base
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  protect_from_forgery with: :exception
+end

data/test/dummy/app/controllers/secrets_controller.rb

@@ -0,0 +1,3 @@
+class SecretsController < ApplicationController
+  before_action :authenticate_user!
+end

data/test/dummy/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end

data/test/dummy/app/models/user.rb

@@ -0,0 +1,8 @@
+class User < ActiveRecord::Base
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :trackable, :validatable
+
+  has_many :registrations, inverse_of: :login, as: :login, dependent: :destroy, class_name: "TwoFactorAuth::Registration"
+end

data/test/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Dummy</title>
+  <%= stylesheet_link_tag    'application', media: 'all', 'data-turbolinks-track' => true %>
+  <%= javascript_include_tag 'application', 'data-turbolinks-track' => true %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<div class="alert twofactorauth-status"><%= alert %></div>
+
+<%= yield %>
+
+</body>
+</html>

data/test/dummy/app/views/secrets/index.html.erb

@@ -0,0 +1,10 @@
+<h1>Secrets</h1>
+
+<ul>
+  <li><a href="#">Startup ideas (NDA required)</a></li>
+  <li><a href="#">Stock tips</a></li>
+  <li><a href="#">18 and 1/2 minutes of audio tape</a></li>
+  <li><a href="#">Great American novel (first draft)</a></li>
+  <li><a href="#">Crushes on boys</a></li>
+  <li><a href="#">IRS email backup</a></li>
+</ul>

data/test/dummy/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+load Gem.bin_path('bundler', 'bundle')

data/test/dummy/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require_relative '../config/boot'
+require 'rails/commands'