two_factor_authentication 1.1.3 → 2.2.0

data/lib/two_factor_authentication/hooks/two_factor_authenticatable.rb

@@ -1,7 +1,17 @@
 Warden::Manager.after_authentication do |user, auth, options|
-  if user.respond_to?(:need_two_factor_authentication?)
+  if auth.env["action_dispatch.cookies"]
+    expected_cookie_value = "#{user.class}-#{user.public_send(Devise.second_factor_resource_id)}"
+    actual_cookie_value = auth.env["action_dispatch.cookies"].signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME]
+    bypass_by_cookie = actual_cookie_value == expected_cookie_value
+  end
+
+  if user.respond_to?(:need_two_factor_authentication?) && !bypass_by_cookie
     if auth.session(options[:scope])[TwoFactorAuthentication::NEED_AUTHENTICATION] = user.need_two_factor_authentication?(auth.request)
-      user.send_two_factor_authentication_code
+      user.send_new_otp if user.send_new_otp_after_login?
     end
   end
 end
+
+Warden::Manager.before_logout do |user, auth, _options|
+  auth.cookies.delete TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME if Devise.delete_cookie_on_logout
+end

data/lib/two_factor_authentication/models/two_factor_authenticatable.rb

@@ -1,4 +1,7 @@
 require 'two_factor_authentication/hooks/two_factor_authenticatable'
+require 'rotp'
+require 'encryptor'
+
 module Devise
   module Models
     module TwoFactorAuthenticatable
@@ -6,53 +9,67 @@ module Devise
 
       module ClassMethods
         def has_one_time_password(options = {})
-
-          cattr_accessor :otp_column_name
-          self.otp_column_name = "otp_secret_key"
-
           include InstanceMethodsOnActivation
-
-          before_create { populate_otp_column }
-
-          if respond_to?(:attributes_protected_by_default)
-            def self.attributes_protected_by_default #:nodoc:
-              super + [self.otp_column_name]
-            end
-          end
+          include EncryptionInstanceMethods if options[:encrypted] == true
         end
-        ::Devise::Models.config(self, :max_login_attempts, :allowed_otp_drift_seconds, :otp_length)
+
+        ::Devise::Models.config(
+          self, :max_login_attempts, :allowed_otp_drift_seconds, :otp_length,
+          :remember_otp_session_for_seconds, :otp_secret_encryption_key,
+          :direct_otp_length, :direct_otp_valid_for, :totp_timestamp, :delete_cookie_on_logout
+        )
       end
 
       module InstanceMethodsOnActivation
         def authenticate_otp(code, options = {})
-          totp = ROTP::TOTP.new(self.otp_column, { digits: options[:otp_length] || self.class.otp_length })
-          drift = options[:drift] || self.class.allowed_otp_drift_seconds
+          return true if direct_otp && authenticate_direct_otp(code)
+          return true if totp_enabled? && authenticate_totp(code, options)
+          false
+        end
 
-          totp.verify_with_drift(code, drift)
+        def authenticate_direct_otp(code)
+          return false if direct_otp.nil? || direct_otp != code || direct_otp_expired?
+          clear_direct_otp
+          true
         end
 
-        def otp_code(time = Time.now, options = {})
-          ROTP::TOTP.new(self.otp_column, { digits: options[:otp_length] || self.class.otp_length }).at(time, true)
+        def authenticate_totp(code, options = {})
+          totp_secret = options[:otp_secret_key] || otp_secret_key
+          digits = options[:otp_length] || self.class.otp_length
+          drift = options[:drift] || self.class.allowed_otp_drift_seconds
+          raise "authenticate_totp called with no otp_secret_key set" if totp_secret.nil?
+          totp = ROTP::TOTP.new(totp_secret, digits: digits)
+          new_timestamp = totp.verify(
+            without_spaces(code), 
+            drift_ahead: drift, drift_behind: drift, after: totp_timestamp
+          )
+          return false unless new_timestamp
+          self.totp_timestamp = new_timestamp
+          true
         end
 
         def provisioning_uri(account = nil, options = {})
-          account ||= self.email if self.respond_to?(:email)
-          ROTP::TOTP.new(self.otp_column, options).provisioning_uri(account)
+          totp_secret = options[:otp_secret_key] || otp_secret_key
+          options[:digits] ||= options[:otp_length] || self.class.otp_length
+          raise "provisioning_uri called with no otp_secret_key set" if totp_secret.nil?
+          account ||= email if respond_to?(:email)
+          ROTP::TOTP.new(totp_secret, options).provisioning_uri(account)
         end
 
-        def otp_column
-          self.send(self.class.otp_column_name)
+        def need_two_factor_authentication?(request)
+          true
         end
 
-        def otp_column=(attr)
-          self.send("#{self.class.otp_column_name}=", attr)
+        def send_new_otp(options = {})
+          create_direct_otp options
+          send_two_factor_authentication_code(direct_otp)
         end
 
-        def need_two_factor_authentication?(request)
-          true
+        def send_new_otp_after_login?
+          !totp_enabled?
         end
 
-        def send_two_factor_authentication_code
+        def send_two_factor_authentication_code(code)
           raise NotImplementedError.new("No default implementation - please define in your class.")
         end
 
@@ -64,10 +81,122 @@ module Devise
           self.class.max_login_attempts
         end
 
-        def populate_otp_column
-          self.otp_column = ROTP::Base32.random_base32
+        def totp_enabled?
+          respond_to?(:otp_secret_key) && !otp_secret_key.nil?
         end
 
+        def confirm_totp_secret(secret, code, options = {})
+          return false unless authenticate_totp(code, {otp_secret_key: secret})
+          self.otp_secret_key = secret
+          true
+        end
+
+        def generate_totp_secret
+          ROTP::Base32.random_base32
+        end
+
+        def create_direct_otp(options = {})
+          # Create a new random OTP and store it in the database
+          digits = options[:length] || self.class.direct_otp_length || 6
+          update_attributes(
+            direct_otp: random_base10(digits),
+            direct_otp_sent_at: Time.now.utc
+          )
+        end
+
+        private
+
+        def without_spaces(code)
+          code.gsub(/\s/, '')
+        end
+
+        def random_base10(digits)
+          SecureRandom.random_number(10**digits).to_s.rjust(digits, '0')
+        end
+
+        def direct_otp_expired?
+          Time.now.utc > direct_otp_sent_at + self.class.direct_otp_valid_for
+        end
+
+        def clear_direct_otp
+          update_attributes(direct_otp: nil, direct_otp_sent_at: nil)
+        end
+      end
+
+      module EncryptionInstanceMethods
+        def otp_secret_key
+          otp_decrypt(encrypted_otp_secret_key)
+        end
+
+        def otp_secret_key=(value)
+          self.encrypted_otp_secret_key = otp_encrypt(value)
+        end
+
+        private
+
+        def otp_decrypt(encrypted_value)
+          return encrypted_value if encrypted_value.blank?
+
+          encrypted_value = encrypted_value.unpack('m').first
+
+          value = ::Encryptor.decrypt(encryption_options_for(encrypted_value))
+
+          if defined?(Encoding)
+            encoding = Encoding.default_internal || Encoding.default_external
+            value = value.force_encoding(encoding.name)
+          end
+
+          value
+        end
+
+        def otp_encrypt(value)
+          return value if value.blank?
+
+          value = value.to_s
+          encrypted_value = ::Encryptor.encrypt(encryption_options_for(value))
+
+          encrypted_value = [encrypted_value].pack('m')
+
+          encrypted_value
+        end
+
+        def encryption_options_for(value)
+          {
+            value: value,
+            key: Devise.otp_secret_encryption_key,
+            iv: iv_for_attribute,
+            salt: salt_for_attribute,
+            algorithm: 'aes-256-cbc'
+          }
+        end
+
+        def iv_for_attribute(algorithm = 'aes-256-cbc')
+          iv = encrypted_otp_secret_key_iv
+
+          if iv.nil?
+            algo = OpenSSL::Cipher.new(algorithm)
+            iv = [algo.random_iv].pack('m')
+            self.encrypted_otp_secret_key_iv = iv
+          end
+
+          iv.unpack('m').first if iv.present?
+        end
+
+        def salt_for_attribute
+          salt = encrypted_otp_secret_key_salt ||
+                 self.encrypted_otp_secret_key_salt = generate_random_base64_encoded_salt
+
+          decode_salt_if_encoded(salt)
+        end
+
+        def generate_random_base64_encoded_salt
+          prefix = '_'
+          prefix + [SecureRandom.random_bytes].pack('m')
+        end
+
+        def decode_salt_if_encoded(salt)
+          salt.slice(0).eql?('_') ? salt.slice(1..-1).unpack('m').first : salt
+        end
       end
     end
   end

data/lib/two_factor_authentication/orm/active_record.rb

@@ -1,3 +1,5 @@
+require "active_record"
+
 module TwoFactorAuthentication
   module Orm
     module ActiveRecord

data/lib/two_factor_authentication/routes.rb

@@ -3,7 +3,9 @@ module ActionDispatch::Routing
     protected
 
       def devise_two_factor_authentication(mapping, controllers)
-        resource :two_factor_authentication, :only => [:show, :update], :path => mapping.path_names[:two_factor_authentication], :controller => controllers[:two_factor_authentication]
+        resource :two_factor_authentication, :only => [:show, :update, :resend_code], :path => mapping.path_names[:two_factor_authentication], :controller => controllers[:two_factor_authentication] do
+          collection { get "resend_code" }
+        end
       end
   end
 end

data/lib/two_factor_authentication/schema.rb

@@ -1,11 +1,31 @@
 module TwoFactorAuthentication
   module Schema
-    def otp_secret_key
-      apply_devise_schema :otp_secret_key, String
-    end
-
     def second_factor_attempts_count
       apply_devise_schema :second_factor_attempts_count, Integer, :default => 0
     end
+
+    def encrypted_otp_secret_key
+      apply_devise_schema :encrypted_otp_secret_key, String
+    end
+
+    def encrypted_otp_secret_key_iv
+      apply_devise_schema :encrypted_otp_secret_key_iv, String
+    end
+
+    def encrypted_otp_secret_key_salt
+      apply_devise_schema :encrypted_otp_secret_key_salt, String
+    end
+
+    def direct_otp
+      apply_devise_schema :direct_otp, String
+    end
+
+    def direct_otp_sent_at
+      apply_devise_schema :direct_otp_sent_at, DateTime
+    end
+
+    def totp_timestamp
+      apply_devise_schema :totp_timestamp, Timestamp
+    end
   end
 end

data/lib/two_factor_authentication/version.rb

@@ -1,3 +1,3 @@
 module TwoFactorAuthentication
-  VERSION = "1.1.3".freeze
+  VERSION = "2.2.0".freeze
 end

data/lib/two_factor_authentication.rb

@@ -2,10 +2,8 @@ require 'two_factor_authentication/version'
 require 'devise'
 require 'active_support/concern'
 require "active_model"
-require "active_record"
 require "active_support/core_ext/class/attribute_accessors"
 require "cgi"
-require "rotp"
 
 module Devise
   mattr_accessor :max_login_attempts
@@ -16,10 +14,29 @@ module Devise
 
   mattr_accessor :otp_length
   @@otp_length = 6
+
+  mattr_accessor :direct_otp_length
+  @@direct_otp_length = 6
+
+  mattr_accessor :direct_otp_valid_for
+  @@direct_otp_valid_for = 5.minutes
+
+  mattr_accessor :remember_otp_session_for_seconds
+  @@remember_otp_session_for_seconds = 0
+
+  mattr_accessor :otp_secret_encryption_key
+  @@otp_secret_encryption_key = ''
+
+  mattr_accessor :second_factor_resource_id
+  @@second_factor_resource_id = 'id'
+
+  mattr_accessor :delete_cookie_on_logout
+  @@delete_cookie_on_logout = false
 end
 
 module TwoFactorAuthentication
   NEED_AUTHENTICATION = 'need_two_factor_authentication'
+  REMEMBER_TFA_COOKIE_NAME = "remember_tfa"
 
   autoload :Schema, 'two_factor_authentication/schema'
   module Controllers
@@ -29,7 +46,7 @@ end
 
 Devise.add_module :two_factor_authenticatable, :model => 'two_factor_authentication/models/two_factor_authenticatable', :controller => :two_factor_authentication, :route => :two_factor_authentication
 
-require 'two_factor_authentication/orm/active_record'
+require 'two_factor_authentication/orm/active_record' if defined?(ActiveRecord::Base)
 require 'two_factor_authentication/routes'
 require 'two_factor_authentication/models/two_factor_authenticatable'
 require 'two_factor_authentication/rails'

data/spec/controllers/two_factor_authentication_controller_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe Devise::TwoFactorAuthenticationController, type: :controller do
+  describe 'is_fully_authenticated? helper' do
+    def post_code(code)
+      if Rails::VERSION::MAJOR >= 5
+        post :update, params: { code: code }
+      else
+        post :update, code: code
+      end
+    end
+
+    before do
+      sign_in
+    end
+
+    context 'after user enters valid OTP code' do
+      it 'returns true' do
+        controller.current_user.send_new_otp
+        post_code controller.current_user.direct_otp
+        expect(subject.is_fully_authenticated?).to eq true
+      end
+    end
+
+    context 'when user has not entered any OTP yet' do
+      it 'returns false' do
+        get :show
+
+        expect(subject.is_fully_authenticated?).to eq false
+      end
+    end
+
+    context 'when user enters an invalid OTP' do
+      it 'returns false' do
+        post_code '12345'
+
+        expect(subject.is_fully_authenticated?).to eq false
+      end
+    end
+  end
+end

data/spec/features/two_factor_authenticatable_spec.rb

@@ -1,47 +1,65 @@
 require 'spec_helper'
+include AuthenticatedModelHelper
 
 feature "User of two factor authentication" do
-  let(:user) { create_user }
+  context 'sending two factor authentication code via SMS' do
+    shared_examples 'sends and authenticates code' do |user, type|
+      before do
+        user.reload
+        if type == 'encrypted'
+          allow(User).to receive(:has_one_time_password).with(encrypted: true)
+        end
+      end
 
-  scenario "must be logged in" do
-    visit user_two_factor_authentication_path
+      it 'does not send an SMS before the user has signed in' do
+        expect(SMSProvider.messages).to be_empty
+      end
 
-    expect(page).to have_content("Welcome Home")
-    expect(page).to have_content("You are signed out")
-  end
+      it 'sends code via SMS after sign in' do
+        visit new_user_session_path
+        complete_sign_in_form_for(user)
 
-  scenario "sends two factor authentication code after sign in" do
-    expect(SMSProvider.messages).to be_empty
+        expect(page).to have_content 'Enter the code that was sent to you'
 
-    visit new_user_session_path
-    complete_sign_in_form_for(user)
+        expect(SMSProvider.messages.size).to eq(1)
+        message = SMSProvider.last_message
+        expect(message.to).to eq(user.phone_number)
+        expect(message.body).to eq(user.reload.direct_otp)
+      end
 
-    expect(page).to have_content "Enter your personal code"
+      it 'authenticates a valid OTP code' do
+        visit new_user_session_path
+        complete_sign_in_form_for(user)
 
-    expect(SMSProvider.messages.size).to eq(1)
-    message = SMSProvider.last_message
-    expect(message.to).to eq(user.phone_number)
-    expect(message.body).to eq(user.otp_code)
-  end
+        expect(page).to have_content('You are signed in as Marissa')
 
-  context "when logged in" do
+        fill_in 'code', with: SMSProvider.last_message.body
+        click_button 'Submit'
 
-    background do
-      login_as user
+        within('.flash.notice') do
+          expect(page).to have_content('Two factor authentication successful.')
+        end
+
+        expect(current_path).to eq root_path
+      end
     end
 
-    scenario "can fill in TFA code" do
-      visit user_two_factor_authentication_path
+    it_behaves_like 'sends and authenticates code', create_user('not_encrypted')
+    it_behaves_like 'sends and authenticates code', create_user, 'encrypted'
+  end
 
-      expect(page).to have_content("You are signed in as Marissa")
-      expect(page).to have_content("Enter your personal code")
+  scenario "must be logged in" do
+    visit user_two_factor_authentication_path
 
-      fill_in "code", with: user.otp_code
-      click_button "Submit"
+    expect(page).to have_content("Welcome Home")
+    expect(page).to have_content("You are signed out")
+  end
 
-      within(".flash.notice") do
-        expect(page).to have_content("Two factor authentication successful.")
-      end
+  context "when logged in" do
+    let(:user) { create_user }
+
+    background do
+      login_as user
     end
 
     scenario "is redirected to TFA when path requires authentication" do
@@ -49,7 +67,7 @@ feature "User of two factor authentication" do
 
       expect(page).to_not have_content("Your Personal Dashboard")
 
-      fill_in "code", with: user.otp_code
+      fill_in "code", with: SMSProvider.last_message.body
       click_button "Submit"
 
       expect(page).to have_content("Your Personal Dashboard")
@@ -67,7 +85,7 @@ feature "User of two factor authentication" do
         fill_in "code", with: "incorrect#{rand(100)}"
         click_button "Submit"
 
-        within(".flash.error") do
+        within(".flash.alert") do
           expect(page).to have_content("Attempt failed")
         end
       end
@@ -84,5 +102,136 @@ feature "User of two factor authentication" do
       expect(page).to have_content("Access completely denied")
       expect(page).to have_content("You are signed out")
     end
+
+    describe "rememberable TFA" do
+      before do
+        @original_remember_otp_session_for_seconds = User.remember_otp_session_for_seconds
+        User.remember_otp_session_for_seconds = 30.days
+      end
+
+      after do
+        User.remember_otp_session_for_seconds = @original_remember_otp_session_for_seconds
+      end
+
+      scenario "doesn't require TFA code again within 30 days" do
+        sms_sign_in
+
+        logout
+
+        login_as user
+        visit dashboard_path
+        expect(page).to have_content("Your Personal Dashboard")
+        expect(page).to have_content("You are signed in as Marissa")
+      end
+
+      scenario "requires TFA code again after 30 days" do
+        sms_sign_in
+
+        logout
+
+        Timecop.travel(30.days.from_now)
+        login_as user
+        visit dashboard_path
+        expect(page).to have_content("You are signed in as Marissa")
+        expect(page).to have_content("Enter the code that was sent to you")
+      end
+
+      scenario 'TFA should be different for different users' do
+        sms_sign_in
+
+        tfa_cookie1 = get_tfa_cookie()
+
+        logout
+        reset_session!
+
+        user2 = create_user()
+        login_as(user2)
+        sms_sign_in
+
+        tfa_cookie2 = get_tfa_cookie()
+
+        expect(tfa_cookie1).not_to eq tfa_cookie2
+      end
+
+      def sms_sign_in
+        SMSProvider.messages.clear()
+        visit user_two_factor_authentication_path
+        fill_in 'code', with: SMSProvider.last_message.body
+        click_button 'Submit'
+      end
+
+      scenario 'TFA should be unique for specific user' do
+        sms_sign_in
+
+        tfa_cookie1 = get_tfa_cookie()
+
+        logout
+        reset_session!
+
+        user2 = create_user()
+        set_tfa_cookie(tfa_cookie1)
+        login_as(user2)
+        visit dashboard_path
+        expect(page).to have_content("Enter the code that was sent to you")
+      end
+
+      scenario 'Delete cookie when user logs out if enabled' do
+        user.class.delete_cookie_on_logout = true
+
+        login_as user
+        logout
+
+        login_as user
+
+        visit dashboard_path
+        expect(page).to have_content("Enter the code that was sent to you")
+      end
+    end
+
+    it 'sets the warden session need_two_factor_authentication key to true' do
+      session_hash = { 'need_two_factor_authentication' => true }
+
+      expect(page.get_rack_session_key('warden.user.user.session')).to eq session_hash
+    end
+  end
+
+  describe 'signing in' do
+    let(:user) { create_user }
+    let(:admin) { create_admin }
+
+    scenario 'user signs is' do
+      visit new_user_session_path
+      complete_sign_in_form_for(user)
+
+      expect(page).to have_content('Signed in successfully.')
+    end
+
+    scenario 'admin signs in' do
+      visit new_admin_session_path
+      complete_sign_in_form_for(admin)
+
+      expect(page).to have_content('Signed in successfully.')
+    end
+  end
+
+  describe 'signing out' do
+    let(:user) { create_user }
+    let(:admin) { create_admin }
+
+    scenario 'user signs out' do
+      visit new_user_session_path
+      complete_sign_in_form_for(user)
+      visit destroy_user_session_path
+
+      expect(page).to have_content('Signed out successfully.')
+    end
+
+    scenario 'admin signs out' do
+      visit new_admin_session_path
+      complete_sign_in_form_for(admin)
+      visit destroy_admin_session_path
+
+      expect(page).to have_content('Signed out successfully.')
+    end
   end
 end

data/spec/generators/active_record/two_factor_authentication_generator_spec.rb

@@ -0,0 +1,36 @@
+require 'spec_helper'
+
+require 'generators/active_record/two_factor_authentication_generator'
+
+describe ActiveRecord::Generators::TwoFactorAuthenticationGenerator, type: :generator do
+  destination File.expand_path('../../../../../tmp', __FILE__)
+
+  before do
+    prepare_destination
+  end
+
+  it 'runs all methods in the generator' do
+    gen = generator %w(users)
+    expect(gen).to receive(:copy_two_factor_authentication_migration)
+    gen.invoke_all
+  end
+
+  describe 'the generated files' do
+    before do
+      run_generator %w(users)
+    end
+
+    describe 'the migration' do
+      subject { migration_file('db/migrate/two_factor_authentication_add_to_users.rb') }
+
+      it { is_expected.to exist }
+      it { is_expected.to be_a_migration }
+      it { is_expected.to contain /def change/ }
+      it { is_expected.to contain /add_column :users, :second_factor_attempts_count, :integer, default: 0/ }
+      it { is_expected.to contain /add_column :users, :encrypted_otp_secret_key, :string/ }
+      it { is_expected.to contain /add_column :users, :encrypted_otp_secret_key_iv, :string/ }
+      it { is_expected.to contain /add_column :users, :encrypted_otp_secret_key_salt, :string/ }
+      it { is_expected.to contain /add_index :users, :encrypted_otp_secret_key, unique: true/ }
+    end
+  end
+end