two_factor_authentication 1.1.4 → 1.1.5

data/app/controllers/devise/two_factor_authentication_controller.rb

@@ -22,7 +22,7 @@ class Devise::TwoFactorAuthenticationController < DeviseController
 
     if expires_seconds && expires_seconds > 0
       cookies.signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME] = {
-          value: true,
+          value: "#{resource.class}-#{resource.id}",
           expires: expires_seconds.from_now
       }
     end

data/config/locales/fr.yml

@@ -0,0 +1,7 @@
+fr:
+  devise:
+    two_factor_authentication:
+      success: "Validation en deux étapes effectuée avec succès."
+      attempt_failed: "La connexion a échoué."
+      max_login_attempts_reached: "Limite de tentatives atteinte, accès refusé."
+      contact_administrator: "Merci de contacter votre administrateur système."

data/lib/generators/active_record/templates/migration.rb

@@ -1,15 +1,10 @@
 class TwoFactorAuthenticationAddTo<%= table_name.camelize %> < ActiveRecord::Migration
-  def up
-    change_table :<%= table_name %> do |t|
-      t.string   :otp_secret_key
-      t.integer  :second_factor_attempts_count, :default => 0
-    end
+  def change
+    add_column :<%= table_name %>, :second_factor_attempts_count, :integer, default: 0
+    add_column :<%= table_name %>, :encrypted_otp_secret_key, :string
+    add_column :<%= table_name %>, :encrypted_otp_secret_key_iv, :string
+    add_column :<%= table_name %>, :encrypted_otp_secret_key_salt, :string
 
-    add_index :<%= table_name %>, :otp_secret_key, :unique => true
-  end
-
-  def down
-    remove_column :<%= table_name %>, :otp_secret_key
-    remove_column :<%= table_name %>, :second_factor_attempts_count
+    add_index :<%= table_name %>, :encrypted_otp_secret_key, unique: true
   end
 end

data/lib/two_factor_authentication.rb

@@ -18,6 +18,9 @@ module Devise
 
   mattr_accessor :remember_otp_session_for_seconds
   @@remember_otp_session_for_seconds = 0
+
+  mattr_accessor :otp_secret_encryption_key
+  @@otp_secret_encryption_key = ''
 end
 
 module TwoFactorAuthentication

data/lib/two_factor_authentication/hooks/two_factor_authenticatable.rb

@@ -1,8 +1,32 @@
 Warden::Manager.after_authentication do |user, auth, options|
-  if user.respond_to?(:need_two_factor_authentication?) &&
-      !auth.env["action_dispatch.cookies"].signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME]
+  reset_otp_state_for(user)
+
+  expected_cookie_value = "#{user.class}-#{user.id}"
+  actual_cookie_value = auth.env["action_dispatch.cookies"].signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME]
+  if actual_cookie_value.nil?
+    bypass_by_cookie = false
+  else
+    bypass_by_cookie = actual_cookie_value == expected_cookie_value
+  end
+
+  if user.respond_to?(:need_two_factor_authentication?) && !bypass_by_cookie
     if auth.session(options[:scope])[TwoFactorAuthentication::NEED_AUTHENTICATION] = user.need_two_factor_authentication?(auth.request)
       user.send_two_factor_authentication_code
     end
   end
 end
+
+Warden::Manager.before_logout do |user, _auth, _options|
+  reset_otp_state_for(user)
+end
+
+def reset_otp_state_for(user)
+  klass_string = "#{user.class}OtpSender"
+  return unless Object.const_defined?(klass_string)
+
+  klass = Object.const_get(klass_string)
+
+  otp_sender = klass.new(user)
+
+  otp_sender.reset_otp_state if otp_sender.respond_to?(:reset_otp_state)
+end

data/lib/two_factor_authentication/models/two_factor_authenticatable.rb

@@ -1,5 +1,6 @@
 require 'two_factor_authentication/hooks/two_factor_authenticatable'
 require 'rotp'
+require 'encryptor'
 
 module Devise
   module Models
@@ -8,46 +9,37 @@ module Devise
 
       module ClassMethods
         def has_one_time_password(options = {})
-
-          cattr_accessor :otp_column_name
-          self.otp_column_name = "otp_secret_key"
-
           include InstanceMethodsOnActivation
+          include EncryptionInstanceMethods if options[:encrypted] == true
 
           before_create { populate_otp_column }
-
-          if respond_to?(:attributes_protected_by_default)
-            def self.attributes_protected_by_default #:nodoc:
-              super + [self.otp_column_name]
-            end
-          end
         end
-        ::Devise::Models.config(self, :max_login_attempts, :allowed_otp_drift_seconds, :otp_length, :remember_otp_session_for_seconds)
+
+        ::Devise::Models.config(
+          self, :max_login_attempts, :allowed_otp_drift_seconds, :otp_length,
+          :remember_otp_session_for_seconds, :otp_secret_encryption_key)
       end
 
       module InstanceMethodsOnActivation
         def authenticate_otp(code, options = {})
-          totp = ROTP::TOTP.new(self.otp_column, { digits: options[:otp_length] || self.class.otp_length })
+          totp = ROTP::TOTP.new(
+            otp_secret_key, digits: options[:otp_length] || self.class.otp_length
+          )
           drift = options[:drift] || self.class.allowed_otp_drift_seconds
 
           totp.verify_with_drift(code, drift)
         end
 
         def otp_code(time = Time.now, options = {})
-          ROTP::TOTP.new(self.otp_column, { digits: options[:otp_length] || self.class.otp_length }).at(time, true)
+          ROTP::TOTP.new(
+            otp_secret_key,
+            digits: options[:otp_length] || self.class.otp_length
+          ).at(time, true)
         end
 
         def provisioning_uri(account = nil, options = {})
           account ||= self.email if self.respond_to?(:email)
-          ROTP::TOTP.new(self.otp_column, options).provisioning_uri(account)
-        end
-
-        def otp_column
-          self.send(self.class.otp_column_name)
-        end
-
-        def otp_column=(attr)
-          self.send("#{self.class.otp_column_name}=", attr)
+          ROTP::TOTP.new(otp_secret_key, options).provisioning_uri(account)
         end
 
         def need_two_factor_authentication?(request)
@@ -67,9 +59,83 @@ module Devise
         end
 
         def populate_otp_column
-          self.otp_column = ROTP::Base32.random_base32
+          self.otp_secret_key = ROTP::Base32.random_base32
+        end
+      end
+
+      module EncryptionInstanceMethods
+        def otp_secret_key
+          decrypt(encrypted_otp_secret_key)
+        end
+
+        def otp_secret_key=(value)
+          self.encrypted_otp_secret_key = encrypt(value)
+        end
+
+        private
+
+        def decrypt(encrypted_value)
+          return encrypted_value if encrypted_value.blank?
+
+          encrypted_value = encrypted_value.unpack('m').first
+
+          value = ::Encryptor.decrypt(encryption_options_for(encrypted_value))
+
+          if defined?(Encoding)
+            encoding = Encoding.default_internal || Encoding.default_external
+            value = value.force_encoding(encoding.name)
+          end
+
+          value
+        end
+
+        def encrypt(value)
+          return value if value.blank?
+
+          value = value.to_s
+          encrypted_value = ::Encryptor.encrypt(encryption_options_for(value))
+
+          encrypted_value = [encrypted_value].pack('m')
+
+          encrypted_value
+        end
+
+        def encryption_options_for(value)
+          {
+            value: value,
+            key: Devise.otp_secret_encryption_key,
+            iv: iv_for_attribute,
+            salt: salt_for_attribute
+          }
+        end
+
+        def iv_for_attribute(algorithm = 'aes-256-cbc')
+          iv = encrypted_otp_secret_key_iv
+
+          if iv.nil?
+            algo = OpenSSL::Cipher::Cipher.new(algorithm)
+            iv = [algo.random_iv].pack('m')
+            self.encrypted_otp_secret_key_iv = iv
+          end
+
+          iv.unpack('m').first if iv.present?
+        end
+
+        def salt_for_attribute
+          salt = encrypted_otp_secret_key_salt ||
+                 self.encrypted_otp_secret_key_salt = generate_random_base64_encoded_salt
+
+          decode_salt_if_encoded(salt)
         end
 
+        def generate_random_base64_encoded_salt
+          prefix = '_'
+          prefix + [SecureRandom.random_bytes].pack('m')
+        end
+
+        def decode_salt_if_encoded(salt)
+          salt.slice(0).eql?('_') ? salt.slice(1..-1).unpack('m').first : salt
+        end
       end
     end
   end

data/lib/two_factor_authentication/schema.rb

@@ -1,11 +1,19 @@
 module TwoFactorAuthentication
   module Schema
-    def otp_secret_key
-      apply_devise_schema :otp_secret_key, String
-    end
-
     def second_factor_attempts_count
       apply_devise_schema :second_factor_attempts_count, Integer, :default => 0
     end
+
+    def encrypted_otp_secret_key
+      apply_devise_schema :encrypted_otp_secret_key, String
+    end
+
+    def encrypted_otp_secret_key_iv
+      apply_devise_schema :encrypted_otp_secret_key_iv, String
+    end
+
+    def encrypted_otp_secret_key_salt
+      apply_devise_schema :encrypted_otp_secret_key_salt, String
+    end
   end
 end

data/lib/two_factor_authentication/version.rb

@@ -1,3 +1,3 @@
 module TwoFactorAuthentication
-  VERSION = "1.1.4".freeze
+  VERSION = "1.1.5".freeze
 end

data/spec/controllers/two_factor_authentication_controller_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+describe Devise::TwoFactorAuthenticationController, type: :controller do
+  describe 'is_fully_authenticated? helper' do
+    before do
+      sign_in
+    end
+
+    context 'after user enters valid OTP code' do
+      it 'returns true' do
+        post :update, code: controller.current_user.otp_code
+
+        expect(subject.is_fully_authenticated?).to eq true
+      end
+    end
+
+    context 'when user has not entered any OTP yet' do
+      it 'returns false' do
+        get :show
+
+        expect(subject.is_fully_authenticated?).to eq false
+      end
+    end
+
+    context 'when user enters an invalid OTP' do
+      it 'returns false' do
+        post :update, code: '12345'
+
+        expect(subject.is_fully_authenticated?).to eq false
+      end
+    end
+  end
+end

data/spec/features/two_factor_authenticatable_spec.rb

@@ -1,47 +1,64 @@
 require 'spec_helper'
+include AuthenticatedModelHelper
 
 feature "User of two factor authentication" do
-  let(:user) { create_user }
+  context 'sending two factor authentication code via SMS' do
+    shared_examples 'sends and authenticates code' do |user, type|
+      before do
+        if type == 'encrypted'
+          allow(User).to receive(:has_one_time_password).with(encrypted: true)
+        end
+      end
 
-  scenario "must be logged in" do
-    visit user_two_factor_authentication_path
+      it 'does not send an SMS before the user has signed in' do
+        expect(SMSProvider.messages).to be_empty
+      end
 
-    expect(page).to have_content("Welcome Home")
-    expect(page).to have_content("You are signed out")
-  end
+      it 'sends code via SMS after sign in' do
+        visit new_user_session_path
+        complete_sign_in_form_for(user)
 
-  scenario "sends two factor authentication code after sign in" do
-    expect(SMSProvider.messages).to be_empty
+        expect(page).to have_content 'Enter your personal code'
 
-    visit new_user_session_path
-    complete_sign_in_form_for(user)
+        expect(SMSProvider.messages.size).to eq(1)
+        message = SMSProvider.last_message
+        expect(message.to).to eq(user.phone_number)
+        expect(message.body).to eq(user.otp_code)
+      end
 
-    expect(page).to have_content "Enter your personal code"
+      it 'authenticates a valid OTP code' do
+        visit new_user_session_path
+        complete_sign_in_form_for(user)
 
-    expect(SMSProvider.messages.size).to eq(1)
-    message = SMSProvider.last_message
-    expect(message.to).to eq(user.phone_number)
-    expect(message.body).to eq(user.otp_code)
-  end
+        expect(page).to have_content('You are signed in as Marissa')
 
-  context "when logged in" do
+        fill_in 'code', with: user.otp_code
+        click_button 'Submit'
 
-    background do
-      login_as user
+        within('.flash.notice') do
+          expect(page).to have_content('Two factor authentication successful.')
+        end
+
+        expect(current_path).to eq root_path
+      end
     end
 
-    scenario "can fill in TFA code" do
-      visit user_two_factor_authentication_path
+    it_behaves_like 'sends and authenticates code', create_user('not_encrypted')
+    it_behaves_like 'sends and authenticates code', create_user, 'encrypted'
+  end
 
-      expect(page).to have_content("You are signed in as Marissa")
-      expect(page).to have_content("Enter your personal code")
+  scenario "must be logged in" do
+    visit user_two_factor_authentication_path
 
-      fill_in "code", with: user.otp_code
-      click_button "Submit"
+    expect(page).to have_content("Welcome Home")
+    expect(page).to have_content("You are signed out")
+  end
 
-      within(".flash.notice") do
-        expect(page).to have_content("Two factor authentication successful.")
-      end
+  context "when logged in" do
+    let(:user) { create_user }
+
+    background do
+      login_as user
     end
 
     scenario "is redirected to TFA when path requires authentication" do
@@ -121,6 +138,125 @@ feature "User of two factor authentication" do
         expect(page).to have_content("You are signed in as Marissa")
         expect(page).to have_content("Enter your personal code")
       end
+
+      scenario 'TFA should be different for different users' do
+        visit user_two_factor_authentication_path
+        fill_in 'code', with: user.otp_code
+        click_button 'Submit'
+
+        tfa_cookie1 = get_tfa_cookie()
+
+        logout
+        reset_session!
+
+        user2 = create_user()
+        login_as(user2)
+        visit user_two_factor_authentication_path
+        fill_in 'code', with: user2.otp_code
+        click_button 'Submit'
+
+        tfa_cookie2 = get_tfa_cookie()
+
+        expect(tfa_cookie1).not_to eq tfa_cookie2
+      end
+
+      scenario 'TFA should be unique for specific user' do
+        visit user_two_factor_authentication_path
+        fill_in 'code', with: user.otp_code
+        click_button 'Submit'
+
+        tfa_cookie1 = get_tfa_cookie()
+
+        logout
+        reset_session!
+
+        user2 = create_user()
+        set_tfa_cookie(tfa_cookie1)
+        login_as(user2)
+        visit dashboard_path
+        expect(page).to have_content('Enter your personal code')
+      end
+    end
+
+    it 'sets the warden session need_two_factor_authentication key to true' do
+      session_hash = { 'need_two_factor_authentication' => true }
+
+      expect(page.get_rack_session_key('warden.user.user.session')).to eq session_hash
+    end
+  end
+
+  describe 'signing in' do
+    let(:user) { create_user }
+
+    scenario 'when UserOtpSender#reset_otp_state is defined' do
+      klass = stub_const 'UserOtpSender', Class.new
+
+      klass.class_eval do
+        def reset_otp_state; end
+      end
+
+      otp_sender = instance_double(UserOtpSender)
+      expect(UserOtpSender).to receive(:new).with(user).and_return(otp_sender)
+      expect(otp_sender).to receive(:reset_otp_state)
+
+      visit new_user_session_path
+      complete_sign_in_form_for(user)
+    end
+
+    scenario 'when UserOtpSender#reset_otp_state is not defined' do
+      klass = stub_const 'UserOtpSender', Class.new
+
+      klass.class_eval do
+        def reset_otp_state; end
+      end
+
+      otp_sender = instance_double(UserOtpSender)
+      allow(otp_sender).to receive(:respond_to?).with(:reset_otp_state).and_return(false)
+
+      expect(UserOtpSender).to receive(:new).with(user).and_return(otp_sender)
+      expect(otp_sender).to_not receive(:reset_otp_state)
+
+      visit new_user_session_path
+      complete_sign_in_form_for(user)
+    end
+  end
+
+  describe 'signing out' do
+    let(:user) { create_user }
+
+    scenario 'when UserOtpSender#reset_otp_state is defined' do
+      visit new_user_session_path
+      complete_sign_in_form_for(user)
+
+      klass = stub_const 'UserOtpSender', Class.new
+      klass.class_eval do
+        def reset_otp_state; end
+      end
+
+      otp_sender = instance_double(UserOtpSender)
+
+      expect(UserOtpSender).to receive(:new).with(user).and_return(otp_sender)
+      expect(otp_sender).to receive(:reset_otp_state)
+
+      visit destroy_user_session_path
+    end
+
+    scenario 'when UserOtpSender#reset_otp_state is not defined' do
+      visit new_user_session_path
+      complete_sign_in_form_for(user)
+
+      klass = stub_const 'UserOtpSender', Class.new
+      klass.class_eval do
+        def reset_otp_state; end
+      end
+
+      otp_sender = instance_double(UserOtpSender)
+      allow(otp_sender).to receive(:respond_to?).with(:reset_otp_state).and_return(false)
+
+      expect(UserOtpSender).to receive(:new).with(user).and_return(otp_sender)
+      expect(otp_sender).to_not receive(:reset_otp_state)
+
+      visit destroy_user_session_path
     end
   end
 end