two_factor_authentication 1.1.3 → 2.2.0

data/spec/lib/two_factor_authentication/models/two_factor_authenticatable_spec.rb

@@ -1,168 +1,326 @@
 require 'spec_helper'
 include AuthenticatedModelHelper
 
-describe Devise::Models::TwoFactorAuthenticatable, '#otp_code' do
-  let(:instance) { build_guest_user }
-  subject { instance.otp_code(time) }
-  let(:time) { 1392852456 }
-
-  it "should return an error if no secret is set" do
-    expect {
-      subject
-    }.to raise_error
-  end
+describe Devise::Models::TwoFactorAuthenticatable do
+  describe '#create_direct_otp' do
+    let(:instance) { build_guest_user }
+
+    it 'set direct_otp field' do
+      expect(instance.direct_otp).to be_nil
+      instance.create_direct_otp
+      expect(instance.direct_otp).not_to be_nil
+    end
 
-  context "secret is set" do
-    before :each do
-      instance.otp_secret_key = "2z6hxkdwi3uvrnpn"
+    it 'set direct_otp_send_at field to current time' do
+      Timecop.freeze() do
+        instance.create_direct_otp
+        expect(instance.direct_otp_sent_at).to eq(Time.now)
+      end
     end
 
-    it "should not return an error" do
-      subject
+    it 'honors .direct_otp_length' do
+      expect(instance.class).to receive(:direct_otp_length).and_return(10)
+      instance.create_direct_otp
+      expect(instance.direct_otp.length).to equal(10)
+
+      expect(instance.class).to receive(:direct_otp_length).and_return(6)
+      instance.create_direct_otp
+      expect(instance.direct_otp.length).to equal(6)
     end
 
-    it "should be configured length" do
-      expect(subject.length).to eq(Devise.otp_length)
+    it "honors 'direct_otp_length' in options paramater" do
+      instance.create_direct_otp(length: 8)
+      expect(instance.direct_otp.length).to equal(8)
+      instance.create_direct_otp(length: 10)
+      expect(instance.direct_otp.length).to equal(10)
     end
+  end
 
-    context "with a known time" do
-      let(:time) { 1392852756 }
+  describe '#authenticate_direct_otp' do
+    let(:instance) { build_guest_user }
+    it 'fails if no direct_otp has been set' do
+      expect(instance.authenticate_direct_otp('12345')).to eq(false)
+    end
 
-      it "should return a known result" do
-        expect(subject).to eq("0000000524562202".split(//).last(Devise.otp_length).join)
+    context 'after generating an OTP' do
+      before :each do
+        instance.create_direct_otp
       end
-    end
 
-    context "with a known time yielding a result with less than 6 digits" do
-      let(:time) { 1393065856 }
+      it 'accepts correct OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for - 1.second)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(true)
+      end
 
-      it "should return a known result padded with zeroes" do
-        expect(subject).to eq("0000001608007672".split(//).last(Devise.otp_length).join)
+      it 'rejects invalid OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for - 1.second)
+        expect(instance.authenticate_direct_otp('12340')).to eq(false)
+      end
+
+      it 'rejects expired OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for + 1.second)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(false)
+      end
+
+      it 'prevents code re-use' do
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(true)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(false)
       end
     end
   end
-end
 
-describe Devise::Models::TwoFactorAuthenticatable, '#authenticate_otp' do
-  let(:instance) { build_guest_user }
+  describe '#authenticate_totp' do
+    shared_examples 'authenticate_totp' do |instance|
+      before :each do
+        instance.otp_secret_key = '2z6hxkdwi3uvrnpn'
+        instance.totp_timestamp = nil
+        @totp_helper = TotpHelper.new(instance.otp_secret_key, instance.class.otp_length)
+      end
 
-  before :each do
-    instance.otp_secret_key = "2z6hxkdwi3uvrnpn"
-  end
+      def do_invoke(code, user)
+        user.authenticate_totp(code)
+      end
 
-  def do_invoke code, options = {}
-    instance.authenticate_otp(code, options)
-  end
+      it 'authenticates a recently created code' do
+        code = @totp_helper.totp_code
+        expect(do_invoke(code, instance)).to eq(true)
+      end
 
-  it "should be able to authenticate a recently created code" do
-    code = instance.otp_code
-    expect(do_invoke(code)).to eq(true)
-  end
+      it 'authenticates a code entered with a space' do
+        code = @totp_helper.totp_code.insert(3, ' ')
+        expect(do_invoke(code, instance)).to eq(true)
+      end
 
-  it "should not authenticate an old code" do
-    code = instance.otp_code(1.minutes.ago.to_i)
-    expect(do_invoke(code)).to eq(false)
-  end
-end
+      it 'does not authenticate an old code' do
+        code = @totp_helper.totp_code(1.minutes.ago.to_i)
+        expect(do_invoke(code, instance)).to eq(false)
+      end
 
-describe Devise::Models::TwoFactorAuthenticatable, '#send_two_factor_authentication_code' do
-  let(:instance) { build_guest_user }
+      it 'prevents code reuse' do
+        code = @totp_helper.totp_code
+        expect(do_invoke(code, instance)).to eq(true)
+        expect(do_invoke(code, instance)).to eq(false)
+      end
+    end
 
-  it "should raise an error by default" do
-    expect {
-      instance.send_two_factor_authentication_code
-    }.to raise_error(NotImplementedError)
+    it_behaves_like 'authenticate_totp', GuestUser.new
+    it_behaves_like 'authenticate_totp', EncryptedUser.new
   end
 
-  it "should be overrideable" do
-    def instance.send_two_factor_authentication_code
-      "Code sent"
+  describe '#send_two_factor_authentication_code' do
+    let(:instance) { build_guest_user }
+
+    it 'raises an error by default' do
+      expect { instance.send_two_factor_authentication_code(123) }.
+        to raise_error(NotImplementedError)
+    end
+
+    it 'is overrideable' do
+      def instance.send_two_factor_authentication_code(code)
+        'Code sent'
+      end
+      expect(instance.send_two_factor_authentication_code(123)).to eq('Code sent')
     end
-    expect(instance.send_two_factor_authentication_code).to eq("Code sent")
   end
-end
 
-describe Devise::Models::TwoFactorAuthenticatable, '#provisioning_uri' do
-  let(:instance) { build_guest_user }
+  describe '#provisioning_uri' do
 
-  before do
-    instance.email = "houdini@example.com"
-    instance.run_callbacks :create
-  end
+    shared_examples 'provisioning_uri' do |instance|
+      it 'fails until generate_totp_secret is called' do
+        expect { instance.provisioning_uri }.to raise_error(Exception)
+      end
 
-  it "should return uri with user's email" do
-    expect(instance.provisioning_uri).to match(%r{otpauth://totp/houdini@example.com\?secret=\w{16}})
-  end
+      describe 'with secret set' do
+        before do
+          instance.email = 'houdini@example.com'
+          instance.otp_secret_key = instance.generate_totp_secret
+        end
+
+        it "returns uri with user's email" do
+          expect(instance.provisioning_uri).
+            to match(%r{otpauth://totp/houdini@example.com\?secret=\w{32}})
+        end
+
+        it 'returns uri with issuer option' do
+          expect(instance.provisioning_uri('houdini')).
+            to match(%r{otpauth://totp/houdini\?secret=\w{32}$})
+        end
+
+        it 'returns uri with issuer option' do
+          require 'cgi'
+          uri = URI.parse(instance.provisioning_uri('houdini', issuer: 'Magic'))
+          params = CGI.parse(uri.query)
+
+          expect(uri.scheme).to eq('otpauth')
+          expect(uri.host).to eq('totp')
+          expect(uri.path).to eq('/Magic:houdini')
+          expect(params['issuer'].shift).to eq('Magic')
+          expect(params['secret'].shift).to match(/\w{32}/)
+        end
+      end
+    end
 
-  it "should return uri with issuer option" do
-    expect(instance.provisioning_uri("houdini")).to match(%r{otpauth://totp/houdini\?secret=\w{16}$})
+    it_behaves_like 'provisioning_uri', GuestUser.new
+    it_behaves_like 'provisioning_uri', EncryptedUser.new
   end
 
-  it "should return uri with issuer option" do
-    require 'cgi'
+  describe '#generate_totp_secret' do
+    shared_examples 'generate_totp_secret' do |klass|
+      let(:instance) { klass.new }
+
+      it 'returns a 32 character string' do
+        secret = instance.generate_totp_secret
 
-    uri = URI.parse(instance.provisioning_uri("houdini", issuer: 'Magic'))
-    params = CGI::parse(uri.query)
+        expect(secret).to match(/\w{32}/)
+      end
+    end
 
-    expect(uri.scheme).to eq("otpauth")
-    expect(uri.host).to eq("totp")
-    expect(uri.path).to eq("/houdini")
-    expect(params['issuer'].shift).to eq('Magic')
-    expect(params['secret'].shift).to match(%r{\w{16}})
+    it_behaves_like 'generate_totp_secret', GuestUser
+    it_behaves_like 'generate_totp_secret', EncryptedUser
   end
-end
 
-describe Devise::Models::TwoFactorAuthenticatable, '#populate_otp_column' do
-  let(:instance) { build_guest_user }
+  describe '#confirm_totp_secret' do
+    shared_examples 'confirm_totp_secret' do |klass|
+      let(:instance) { klass.new }
+      let(:secret) { instance.generate_totp_secret }
+      let(:totp_helper) { TotpHelper.new(secret, instance.class.otp_length) }
 
-  it "populates otp_column on create" do
-    expect(instance.otp_secret_key).to be_nil
+      it 'populates otp_secret_key column when given correct code' do
+        instance.confirm_totp_secret(secret, totp_helper.totp_code)
 
-    instance.run_callbacks :create # populate_otp_column called via before_create
+        expect(instance.otp_secret_key).to match(secret)
+      end
 
-    expect(instance.otp_secret_key).to match(%r{\w{16}})
-  end
+      it 'does not populate otp_secret_key when when given incorrect code' do
+        instance.confirm_totp_secret(secret, '123')
+        expect(instance.otp_secret_key).to be_nil
+      end
 
-  it "repopulates otp_column" do
-    instance.run_callbacks :create
-    original_key = instance.otp_secret_key
+      it 'returns true when given correct code' do
+        expect(instance.confirm_totp_secret(secret, totp_helper.totp_code)).to be true
+      end
 
-    instance.populate_otp_column
+      it 'returns false when given incorrect code' do
+        expect(instance.confirm_totp_secret(secret, '123')).to be false
+      end
+
+    end
 
-    expect(instance.otp_secret_key).to match(%r{\w{16}})
-    expect(instance.otp_secret_key).to_not eq(original_key)
+    it_behaves_like 'confirm_totp_secret', GuestUser
+    it_behaves_like 'confirm_totp_secret', EncryptedUser
   end
-end
 
-describe Devise::Models::TwoFactorAuthenticatable, '#max_login_attempts' do
-  let(:instance) { build_guest_user }
+  describe '#max_login_attempts' do
+    let(:instance) { build_guest_user }
 
-  before do
-    @original_max_login_attempts = GuestUser.max_login_attempts
-    GuestUser.max_login_attempts = 3
-  end
+    before do
+      @original_max_login_attempts = GuestUser.max_login_attempts
+      GuestUser.max_login_attempts = 3
+    end
 
-  after { GuestUser.max_login_attempts = @original_max_login_attempts }
+    after { GuestUser.max_login_attempts = @original_max_login_attempts }
 
-  it "returns class setting" do
-    expect(instance.max_login_attempts).to eq(3)
-  end
+    it 'returns class setting' do
+      expect(instance.max_login_attempts).to eq(3)
+    end
 
-  it "returns false as boolean" do
-    instance.second_factor_attempts_count = nil
-    expect(instance.max_login_attempts?).to be_falsey
-    instance.second_factor_attempts_count = 0
-    expect(instance.max_login_attempts?).to be_falsey
-    instance.second_factor_attempts_count = 1
-    expect(instance.max_login_attempts?).to be_falsey
-    instance.second_factor_attempts_count = 2
-    expect(instance.max_login_attempts?).to be_falsey
+    it 'returns false as boolean' do
+      instance.second_factor_attempts_count = nil
+      expect(instance.max_login_attempts?).to be_falsey
+      instance.second_factor_attempts_count = 0
+      expect(instance.max_login_attempts?).to be_falsey
+      instance.second_factor_attempts_count = 1
+      expect(instance.max_login_attempts?).to be_falsey
+      instance.second_factor_attempts_count = 2
+      expect(instance.max_login_attempts?).to be_falsey
+    end
+
+    it 'returns true as boolean after too many attempts' do
+      instance.second_factor_attempts_count = 3
+      expect(instance.max_login_attempts?).to be_truthy
+      instance.second_factor_attempts_count = 4
+      expect(instance.max_login_attempts?).to be_truthy
+    end
   end
 
-  it "returns true as boolean after too many attempts" do
-    instance.second_factor_attempts_count = 3
-    expect(instance.max_login_attempts?).to be_truthy
-    instance.second_factor_attempts_count = 4
-    expect(instance.max_login_attempts?).to be_truthy
+  describe '.has_one_time_password' do
+    context 'when encrypted: true option is passed' do
+      let(:instance) { EncryptedUser.new }
+
+      it 'encrypts otp_secret_key with iv, salt, and encoding' do
+        instance.otp_secret_key = '2z6hxkdwi3uvrnpn'
+
+        expect(instance.encrypted_otp_secret_key).to match(/.{44}/)
+
+        expect(instance.encrypted_otp_secret_key_iv).to match(/.{24}/)
+
+        expect(instance.encrypted_otp_secret_key_salt).to match(/.{25}/)
+      end
+
+      it 'does not encrypt a nil otp_secret_key' do
+        instance.otp_secret_key = nil
+
+        expect(instance.encrypted_otp_secret_key).to be_nil
+
+        expect(instance.encrypted_otp_secret_key_iv).to be_nil
+
+        expect(instance.encrypted_otp_secret_key_salt).to be_nil
+      end
+
+      it 'does not encrypt an empty otp_secret_key' do
+        instance.otp_secret_key = ''
+
+        expect(instance.encrypted_otp_secret_key).to eq ''
+
+        expect(instance.encrypted_otp_secret_key_iv).to be_nil
+
+        expect(instance.encrypted_otp_secret_key_salt).to be_nil
+      end
+
+      it 'raises an error when Devise.otp_secret_encryption_key is not set' do
+        allow(Devise).to receive(:otp_secret_encryption_key).and_return nil
+
+        # This error is raised by the encryptor gem
+        expect { instance.otp_secret_key = '2z6hxkdwi3uvrnpn' }.
+          to raise_error ArgumentError
+      end
+
+      it 'passes in the correct options to Encryptor.
+          We test here output of
+          Devise::Models::TwoFactorAuthenticatable::EncryptionInstanceMethods.encryption_options_for' do
+        instance.otp_secret_key = 'testing'
+        iv = instance.encrypted_otp_secret_key_iv
+        salt = instance.encrypted_otp_secret_key_salt
+
+        # it's important here to put the same crypto algorithm from that method
+        encrypted = Encryptor.encrypt(
+          value: 'testing',
+          key: Devise.otp_secret_encryption_key,
+          iv: iv.unpack('m').first,
+          salt: salt.unpack('m').first,
+          algorithm: 'aes-256-cbc'
+        )
+
+        expect(instance.encrypted_otp_secret_key).to eq [encrypted].pack('m')
+      end
+
+      it 'varies the iv per instance' do
+        instance.otp_secret_key = 'testing'
+        user2 = EncryptedUser.new
+        user2.otp_secret_key = 'testing'
+
+        expect(user2.encrypted_otp_secret_key_iv).
+          to_not eq instance.encrypted_otp_secret_key_iv
+      end
+
+      it 'varies the salt per instance' do
+        instance.otp_secret_key = 'testing'
+        user2 = EncryptedUser.new
+        user2.otp_secret_key = 'testing'
+
+        expect(user2.encrypted_otp_secret_key_salt).
+          to_not eq instance.encrypted_otp_secret_key_salt
+      end
+    end
   end
 end

data/spec/rails_app/app/controllers/home_controller.rb

@@ -1,5 +1,5 @@
 class HomeController < ApplicationController
-  before_filter :authenticate_user!, only: :dashboard
+  before_action :authenticate_user!, only: :dashboard
 
   def index
   end

data/spec/rails_app/app/models/admin.rb

@@ -0,0 +1,6 @@
+class Admin < ActiveRecord::Base
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :trackable, :validatable
+end

data/spec/rails_app/app/models/encrypted_user.rb

@@ -0,0 +1,15 @@
+class EncryptedUser
+  extend ActiveModel::Callbacks
+  include ActiveModel::Validations
+  include Devise::Models::TwoFactorAuthenticatable
+
+  define_model_callbacks :create
+  attr_accessor :encrypted_otp_secret_key,
+                :encrypted_otp_secret_key_iv,
+                :encrypted_otp_secret_key_salt,
+                :email,
+                :second_factor_attempts_count,
+                :totp_timestamp
+
+  has_one_time_password(encrypted: true)
+end

data/spec/rails_app/app/models/guest_user.rb

@@ -4,7 +4,14 @@ class GuestUser
   include Devise::Models::TwoFactorAuthenticatable
 
   define_model_callbacks :create
-  attr_accessor :otp_secret_key, :email, :second_factor_attempts_count
+  attr_accessor :direct_otp, :direct_otp_sent_at, :otp_secret_key, :email,
+    :second_factor_attempts_count, :totp_timestamp
+
+  def update_attributes(attrs)
+    attrs.each do |key, value|
+      send(key.to_s + '=', value)
+    end
+  end
 
   has_one_time_password
 end

data/spec/rails_app/app/models/user.rb

@@ -1,12 +1,11 @@
 class User < ActiveRecord::Base
   devise :two_factor_authenticatable, :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable,
-         :two_factor_authenticatable
+         :recoverable, :rememberable, :trackable, :validatable
 
   has_one_time_password
 
-  def send_two_factor_authentication_code
-    SMSProvider.send_message(to: phone_number, body: otp_code)
+  def send_two_factor_authentication_code(code)
+    SMSProvider.send_message(to: phone_number, body: code)
   end
 
   def phone_number

data/spec/rails_app/config/environments/test.rb

@@ -9,7 +9,13 @@ Dummy::Application.configure do
   config.eager_load = false
 
   # Configure static asset server for tests with Cache-Control for performance
-  config.serve_static_assets = true
+  if Rails::VERSION::MAJOR == 4 && Rails::VERSION::MINOR >= 2 ||
+    Rails::VERSION::MAJOR >= 5
+    config.serve_static_files = true
+  else
+    config.serve_static_assets = true
+  end
+
   config.static_cache_control = "public, max-age=3600"
 
   # Show full error reports and disable caching
@@ -29,4 +35,7 @@ Dummy::Application.configure do
 
   # Print deprecation notices to the stderr
   config.active_support.deprecation = :stderr
+
+  # For testing session variables in Capybara specs
+  config.middleware.use RackSessionAccess::Middleware
 end

data/spec/rails_app/config/initializers/devise.rb

@@ -206,11 +206,11 @@ Devise.setup do |config|
 
   # Configure the default scope given to Warden. By default it's the first
   # devise role declared in your routes (usually :user).
-  # config.default_scope = :user
+  config.default_scope = :user
 
   # Set this configuration to false if you want /users/sign_out to sign out
   # only the current scope. By default, Devise signs out all scopes.
-  # config.sign_out_all_scopes = true
+  config.sign_out_all_scopes = false
 
   # ==> Navigation configuration
   # Lists the formats that should be treated as navigational. Formats like
@@ -224,7 +224,7 @@ Devise.setup do |config|
   # config.navigational_formats = ['*/*', :html]
 
   # The default HTTP method used to sign out a resource. Default is :delete.
-  config.sign_out_via = :delete
+  config.sign_out_via = Rails.env.test? ? :get : :delete
 
   # ==> OmniAuth
   # Add a new OmniAuth provider. Check the wiki for more information on setting
@@ -253,4 +253,6 @@ Devise.setup do |config|
   # When using omniauth, Devise cannot automatically set Omniauth path,
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = '/my_engine/users/auth'
+
+  config.otp_secret_encryption_key = '0a8283fba984da1de24e4df1e93046cb53c5787944ef037b2dbf3e61d20fe11f25e25a855cec605fdf65b162329890d7230afdf64f681b4c32020281054e73ec'
 end

data/spec/rails_app/config/routes.rb

@@ -1,4 +1,5 @@
 Dummy::Application.routes.draw do
+  devise_for :admins
   root to: "home#index"
 
   match "/dashboard", to: "home#dashboard", as: :dashboard, via: [:get]

data/spec/rails_app/db/migrate/20140403184646_devise_create_users.rb

@@ -1,4 +1,4 @@
-class DeviseCreateUsers < ActiveRecord::Migration
+class DeviseCreateUsers < ActiveRecord::Migration[4.2]
   def change
     create_table(:users) do |t|
       ## Database authenticatable
@@ -31,7 +31,7 @@ class DeviseCreateUsers < ActiveRecord::Migration
       # t.datetime :locked_at
 
 
-      t.timestamps
+      t.timestamps null: false
     end
 
     add_index :users, :email,                unique: true

data/spec/rails_app/db/migrate/20140407172619_two_factor_authentication_add_to_users.rb

@@ -1,4 +1,4 @@
-class TwoFactorAuthenticationAddToUsers < ActiveRecord::Migration
+class TwoFactorAuthenticationAddToUsers < ActiveRecord::Migration[4.2]
   def up
     change_table :users do |t|
       t.string   :otp_secret_key

data/spec/rails_app/db/migrate/20140407215513_add_nickanme_to_users.rb

@@ -1,4 +1,4 @@
-class AddNickanmeToUsers < ActiveRecord::Migration
+class AddNickanmeToUsers < ActiveRecord::Migration[4.2]
   def change
     change_table :users do |t|
       t.column :nickname, :string, limit: 64

data/spec/rails_app/db/migrate/20151224171231_add_encrypted_columns_to_user.rb

@@ -0,0 +1,9 @@
+class AddEncryptedColumnsToUser < ActiveRecord::Migration[4.2]
+  def change
+    add_column :users, :encrypted_otp_secret_key, :string
+    add_column :users, :encrypted_otp_secret_key_iv, :string
+    add_column :users, :encrypted_otp_secret_key_salt, :string
+
+    add_index :users, :encrypted_otp_secret_key, unique: true
+  end
+end

data/spec/rails_app/db/migrate/20151224180310_populate_otp_column.rb

@@ -0,0 +1,19 @@
+class PopulateOtpColumn < ActiveRecord::Migration[4.2]
+  def up
+    User.reset_column_information
+
+    User.find_each do |user|
+      user.otp_secret_key = user.read_attribute('otp_secret_key')
+      user.save!
+    end
+  end
+
+  def down
+    User.reset_column_information
+
+    User.find_each do |user|
+      user.otp_secret_key = ROTP::Base32.random_base32
+      user.save!
+    end
+  end
+end

data/spec/rails_app/db/migrate/20151228230340_remove_otp_secret_key_from_user.rb

@@ -0,0 +1,5 @@
+class RemoveOtpSecretKeyFromUser < ActiveRecord::Migration[4.2]
+  def change
+    remove_column :users, :otp_secret_key, :string
+  end
+end