two_factor_authentication 0.2 → 1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 39274f1841e29f847f6c2900a9228493e6103243
+  data.tar.gz: c0c3e1aebe06d8981301dfa2ccd85ab6f347b6e0
+SHA512:
+  metadata.gz: 3e4bf30aa6f90afd6ee31400b4acd5e75dfc6fa49162b9ceb18042e406c55b956a0841466b9881c289b842870cb56ca985005e639578861259862c9c04209e3c
+  data.tar.gz: 91f57824cfc4ea2588cd7658c50eb8ee0b221b6dff7c45362d2d2542c51911c61f3f88483e9d79951d14c1c61fb3a4c80a11065bf77a513a0cc5f15d41bd713f

data/.gitignore

@@ -18,3 +18,4 @@ patches-*
 capybara-*.html
 dump.rdb
 *.ids
+.rbenv-version

data/README.md

@@ -32,6 +32,20 @@ Finally, run the migration with:
 
     bundle exec rake db:migrate
 
+Add the following line to your model to fully enable two-factor auth:
+
+    has_one_time_password
+
+Set config values if desired for maximum second factor attempts count and allowed time drift for one-time passwords:
+
+    config.max_login_attempts = 3
+    config.allowed_otp_drift_seconds = 30
+
+Override the method to send one-time passwords in your model, this is automatically called when a user logs in:
+
+    def send_two_factor_authentication_code
+      # use Model#otp_code and send via SMS, etc.
+    end
 
 ### Manual installation
 
@@ -42,23 +56,22 @@ To manually enable two factor authentication for the User model, you should add
          :recoverable, :rememberable, :trackable, :validatable, :two_factor_authenticatable
 ```
 
-Two default parameters
+Add the following line to your model to fully enable two-factor auth:
 
-```ruby
-  config.login_code_random_pattern = /\w+/
-  config.max_login_attempts = 3
-```
+    has_one_time_password
 
-Possible random patterns
+Set config values if desired for maximum second factor attempts count and allowed time drift for one-time passwords:
 
-```ruby
-/\d{5}/
-/\w{4,8}/
-```
+    config.max_login_attempts = 3
+    config.allowed_otp_drift_seconds = 30
+
+Override the method to send one-time passwords in your model, this is automatically called when a user logs in:
 
-see more https://github.com/benburkert/randexp
+    def send_two_factor_authentication_code
+      # use Model#otp_code and send via SMS, etc.
+    end
 
-### Customisation
+### Customisation and Usage
 
 By default second factor authentication enabled for each user, you can change it with this method in your User model:
 
@@ -70,12 +83,12 @@ By default second factor authentication enabled for each user, you can change it
 
 this will disable two factor authentication for local users
 
-Your send sms logic should be in this method in your User model:
+This gem is compatible with Google Authenticator (https://support.google.com/accounts/answer/1066447?hl=en).  You can generate provisioning uris by invoking the following method on your model:
 
-```ruby
-  def send_two_factor_authentication_code(code)
-    puts code
-  end
-```
+    user.provisioning_uri #This assumes a user model with an email attributes
+
+This provisioning uri can then be turned in to a QR code if desired so that users may add the app to Google Authenticator easily.  Once this is done they may retrieve a one-time password directly from the Google Authenticator app as well as through whatever method you define in `send_two_factor_authentication_code`
+
+### Example
 
-This example just puts the code in the logs.
+[TwoFactorAuthenticationExample](https://github.com/Houdini/TwoFactorAuthenticationExample)

data/app/controllers/devise/two_factor_authentication_controller.rb

@@ -7,8 +7,8 @@ class Devise::TwoFactorAuthenticationController < DeviseController
 
   def update
     render :show and return if params[:code].nil?
-    md5 = Digest::MD5.hexdigest(params[:code])
-    if md5.eql?(resource.second_factor_pass_code)
+
+    if resource.authenticate_otp(params[:code])
       warden.session(resource_name)[:need_two_factor_authentication] = false
       sign_in resource_name, resource, :bypass => true
       redirect_to stored_location_for(resource_name) || :root
@@ -16,7 +16,7 @@ class Devise::TwoFactorAuthenticationController < DeviseController
     else
       resource.second_factor_attempts_count += 1
       resource.save
-      set_flash_message :notice, :attempt_failed
+      set_flash_message :error, :attempt_failed
       if resource.max_login_attempts?
         sign_out(resource)
         render :template => 'devise/two_factor_authentication/max_login_attempts_reached' and return

data/app/views/devise/two_factor_authentication/max_login_attempts_reached.html.erb

@@ -1,3 +1,3 @@
-<h2>Access completly denied as you have reached your attempts limit = <%= @limit %></h2>
-<p>Please contact your system administrator</p>
+<h2>Access completely denied as you have reached your attempts limit = <%= @limit %>.</h2>
+<p>Please contact your system administrator.</p>
 

data/config/locales/en.yml

@@ -1,4 +1,4 @@
 en:
   devise:
     two_factor_authentication:
-      attempt_failed: "Attemp failed"
+      attempt_failed: "Attempt failed."

data/lib/generators/active_record/templates/migration.rb

@@ -1,8 +1,15 @@
 class TwoFactorAuthenticationAddTo<%= table_name.camelize %> < ActiveRecord::Migration
-  def change
+  def up
     change_table :<%= table_name %> do |t|
-      t.string   :second_factor_pass_code     , :limit => 32
+      t.string   :otp_secret_key
       t.integer  :second_factor_attempts_count, :default => 0
     end
+
+    add_index :<%= table_name %>, :otp_secret_key, :unique => true
+  end
+
+  def down
+    remove_column :<%= table_name %>, :otp_secret_key
+    remove_column :<%= table_name %>, :second_factor_attempts_count
   end
 end

data/lib/two_factor_authentication.rb

@@ -1,15 +1,18 @@
 require 'two_factor_authentication/version'
-require 'randexp'
 require 'devise'
-require 'digest'
 require 'active_support/concern'
+require "active_model"
+require "active_record"
+require "active_support/core_ext/class/attribute_accessors"
+require "cgi"
+require "rotp"
 
 module Devise
-  mattr_accessor :login_code_random_pattern
-  @@login_code_random_pattern = /\w+/
-
   mattr_accessor :max_login_attempts
   @@max_login_attempts = 3
+
+  mattr_accessor :allowed_otp_drift_seconds
+  @@allowed_otp_drift_seconds = 30
 end
 
 module TwoFactorAuthentication

data/lib/two_factor_authentication/controllers/helpers.rb

@@ -10,17 +10,24 @@ module TwoFactorAuthentication
       private
 
       def handle_two_factor_authentication
-        if not request.format.nil? and request.format.html? and not devise_controller?
+        unless devise_controller?
           Devise.mappings.keys.flatten.any? do |scope|
             if signed_in?(scope) and warden.session(scope)[:need_two_factor_authentication]
-              session["#{scope}_return_tor"] = request.path if request.get?
-              redirect_to two_factor_authentication_path_for(scope)
-              return
+              handle_failed_second_factor(scope)
             end
           end
         end
       end
 
+      def handle_failed_second_factor(scope)
+        if request.format.present? and request.format.html?
+          session["#{scope}_return_tor"] = request.path if request.get?
+          redirect_to two_factor_authentication_path_for(scope)
+        else
+          render nothing: true, status: :unauthorized
+        end
+      end
+
       def two_factor_authentication_path_for(resource_or_scope = nil)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         change_path = "#{scope}_two_factor_authentication_path"

data/lib/two_factor_authentication/hooks/two_factor_authenticatable.rb

@@ -1,10 +1,7 @@
 Warden::Manager.after_authentication do |user, auth, options|
   if user.respond_to?(:need_two_factor_authentication?)
     if auth.session(options[:scope])[:need_two_factor_authentication] = user.need_two_factor_authentication?(auth.request)
-      code = user.generate_two_factor_code
-      user.second_factor_pass_code = Digest::MD5.hexdigest(code)
-      user.save
-      user.send_two_factor_authentication_code(code)
+      user.send_two_factor_authentication_code
     end
   end
 end

data/lib/two_factor_authentication/models/two_factor_authenticatable.rb

@@ -5,23 +5,61 @@ module Devise
       extend ActiveSupport::Concern
 
       module ClassMethods
-        ::Devise::Models.config(self, :login_code_random_pattern, :max_login_attempts)
-      end
+        def has_one_time_password(options = {})
 
-      def need_two_factor_authentication?(request)
-        true
-      end
+          cattr_accessor :otp_column_name
+          self.otp_column_name = "otp_secret_key"
 
-      def generate_two_factor_code
-        self.class.login_code_random_pattern.gen
-      end
+          include InstanceMethodsOnActivation
+
+          before_create { self.otp_column = ROTP::Base32.random_base32 }
 
-      def send_two_factor_authentication_code(code)
-        p "Code is #{code}"
+          if respond_to?(:attributes_protected_by_default)
+            def self.attributes_protected_by_default #:nodoc:
+              super + [self.otp_column_name]
+            end
+          end
+        end
+        ::Devise::Models.config(self, :max_login_attempts, :allowed_otp_drift_seconds)
       end
 
-      def max_login_attempts?
-        second_factor_attempts_count >= self.class.max_login_attempts
+      module InstanceMethodsOnActivation
+        def authenticate_otp(code, options = {})
+          totp = ROTP::TOTP.new(self.otp_column)
+          drift = options[:drift] || self.class.allowed_otp_drift_seconds
+
+          totp.verify_with_drift(code, drift)
+        end
+
+        def otp_code(time = Time.now)
+          ROTP::TOTP.new(self.otp_column).at(time)
+        end
+
+        def provisioning_uri(account = nil)
+          account ||= self.email if self.respond_to?(:email)
+          ROTP::TOTP.new(self.otp_column).provisioning_uri(account)
+        end
+
+        def otp_column
+          self.send(self.class.otp_column_name)
+        end
+
+        def otp_column=(attr)
+          self.send("#{self.class.otp_column_name}=", attr)
+        end
+
+        def need_two_factor_authentication?(request)
+          true
+        end
+
+        def send_two_factor_authentication_code
+          raise NotImplementedError.new("No default implementation - please define in your class.")
+        end
+
+        def max_login_attempts?
+          second_factor_attempts_count >= self.class.max_login_attempts
+        end
+
       end
     end
   end

data/lib/two_factor_authentication/schema.rb

@@ -1,7 +1,7 @@
 module TwoFactorAuthentication
   module Schema
-    def second_factor_pass_code
-      apply_devise_schema :second_factor_pass_code, String, :limit => 32
+    def otp_secret_key
+      apply_devise_schema :otp_secret_key, String
     end
 
     def second_factor_attempts_count

data/lib/two_factor_authentication/version.rb

@@ -1,3 +1,3 @@
 module TwoFactorAuthentication
-  VERSION = "0.2".freeze
+  VERSION = "1.0".freeze
 end

data/spec/lib/two_factor_authentication/models/two_factor_authenticatable_spec.rb

@@ -0,0 +1,70 @@
+require 'spec_helper'
+include AuthenticatedModelHelper
+
+
+describe Devise::Models::TwoFactorAuthenticatable, '#otp_code' do
+  let(:instance) { AuthenticatedModelHelper.create_new_user }
+  subject { instance.otp_code(time) }
+  let(:time) { 1392852456 }
+
+  it "should return an error if no secret is set" do
+    expect {
+      subject
+    }.to raise_error
+  end
+
+  context "secret is set" do
+    before :each do
+      instance.otp_secret_key = "2z6hxkdwi3uvrnpn"
+    end
+
+    it "should not return an error" do
+      subject
+    end
+
+    context "with a known time" do
+      let(:time) { 1392852756 }
+
+      it "should return a known result" do
+        expect(subject).to eq(562202)
+      end
+    end
+  end
+end
+
+describe Devise::Models::TwoFactorAuthenticatable, '#authenticate_otp' do
+  let(:instance) { AuthenticatedModelHelper.create_new_user }
+
+  before :each do
+    instance.otp_secret_key = "2z6hxkdwi3uvrnpn"
+  end
+
+  def do_invoke code, options = {}
+    instance.authenticate_otp(code, options)
+  end
+
+  it "should be able to authenticate a recently created code" do
+    code = instance.otp_code
+    expect(do_invoke(code)).to eq(true)
+  end
+
+  it "should not authenticate an old code" do
+    code = instance.otp_code(1.minutes.ago.to_i)
+    expect(do_invoke(code)).to eq(false)
+  end
+end
+
+describe Devise::Models::TwoFactorAuthenticatable, '#send_two_factor_authentication_code' do
+
+  it "should raise an error by default" do
+    instance = AuthenticatedModelHelper.create_new_user
+    expect {
+      instance.send_two_factor_authentication_code
+    }.to raise_error(NotImplementedError)
+  end
+
+  it "should be overrideable" do
+    instance = AuthenticatedModelHelper.create_new_user_with_overrides
+    expect(instance.send_two_factor_authentication_code).to eq("Code sent")
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,21 @@
+require "rubygems"
+require "bundler/setup"
+
+require 'two_factor_authentication'
+
+
+Dir["#{Dir.pwd}/spec/support/**/*.rb"].each {|f| require f}
+
+
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = 'random'
+end

data/spec/support/authenticated_model_helper.rb

@@ -0,0 +1,29 @@
+module AuthenticatedModelHelper
+
+  class User
+    extend ActiveModel::Callbacks
+    include ActiveModel::Validations
+    include Devise::Models::TwoFactorAuthenticatable
+
+    define_model_callbacks :create
+    attr_accessor :otp_secret_key, :email
+
+    has_one_time_password
+  end
+
+  class UserWithOverrides < User
+
+    def send_two_factor_authentication_code
+      "Code sent"
+    end
+  end
+
+  def create_new_user
+    User.new
+  end
+
+  def create_new_user_with_overrides
+    UserWithOverrides.new
+  end
+
+end

data/two_factor_authentication.gemspec

@@ -24,9 +24,11 @@ Gem::Specification.new do |s|
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
 
+  s.add_development_dependency "rspec"
   s.add_runtime_dependency 'rails', '>= 3.1.1'
   s.add_runtime_dependency 'devise'
   s.add_runtime_dependency 'randexp'
+  s.add_runtime_dependency 'rotp'
 
   s.add_development_dependency 'bundler'
 end

metadata

@@ -1,83 +1,105 @@
 --- !ruby/object:Gem::Specification
 name: two_factor_authentication
 version: !ruby/object:Gem::Version
-  version: '0.2'
-  prerelease: 
+  version: '1.0'
 platform: ruby
 authors:
 - Dmitrii Golub
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-07-13 00:00:00.000000000 Z
+date: 2014-03-28 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 3.1.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: 3.1.1
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: randexp
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rotp
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
-    none: false
     requirements:
-    - - ! '>='
+    - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-description: ! "    ### Features ###\n    * control sms code pattern\n    * configure
-  max login attempts\n    * per user level control if he really need two factor authentication\n
-  \   * your own sms logic\n"
+description: |2
+      ### Features ###
+      * control sms code pattern
+      * configure max login attempts
+      * per user level control if he really need two factor authentication
+      * your own sms logic
 email:
 - dmitrii.golub@gmail.com
 executables: []
@@ -105,30 +127,35 @@ files:
 - lib/two_factor_authentication/routes.rb
 - lib/two_factor_authentication/schema.rb
 - lib/two_factor_authentication/version.rb
+- spec/lib/two_factor_authentication/models/two_factor_authenticatable_spec.rb
+- spec/spec_helper.rb
+- spec/support/authenticated_model_helper.rb
 - two_factor_authentication.gemspec
 homepage: https://github.com/Houdini/two_factor_authentication
 licenses: []
+metadata: {}
 post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
-  none: false
   requirements:
-  - - ! '>='
+  - - '>='
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: two_factor_authentication
-rubygems_version: 1.8.24
+rubygems_version: 2.1.11
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Two factor authentication plugin for devise
-test_files: []
+test_files:
+- spec/lib/two_factor_authentication/models/two_factor_authenticatable_spec.rb
+- spec/spec_helper.rb
+- spec/support/authenticated_model_helper.rb
 has_rdoc: