two_factor_authentication 1.1.5 → 2.0.0

data/app/controllers/devise/two_factor_authentication_controller.rb

@@ -1,6 +1,8 @@
+require 'devise/version'
+
 class Devise::TwoFactorAuthenticationController < DeviseController
-  prepend_before_filter :authenticate_scope!
-  before_filter :prepare_and_validate, :handle_two_factor_authentication
+  prepend_before_action :authenticate_scope!
+  before_action :prepare_and_validate, :handle_two_factor_authentication
 
   def show
   end
@@ -15,24 +17,39 @@ class Devise::TwoFactorAuthenticationController < DeviseController
     end
   end
 
+  def resend_code
+    resource.send_new_otp
+    redirect_to send("#{resource_name}_two_factor_authentication_path"), notice: I18n.t('devise.two_factor_authentication.code_has_been_sent')
+  end
+
   private
 
   def after_two_factor_success_for(resource)
+    set_remember_two_factor_cookie(resource)
+
+    warden.session(resource_name)[TwoFactorAuthentication::NEED_AUTHENTICATION] = false
+    # For compatability with devise versions below v4.2.0
+    # https://github.com/plataformatec/devise/commit/2044fffa25d781fcbaf090e7728b48b65c854ccb
+    if respond_to?(:bypass_sign_in)
+      bypass_sign_in(resource, scope: resource_name)
+    else
+      sign_in(resource_name, resource, bypass: true)
+    end
+    set_flash_message :notice, :success
+    resource.update_attribute(:second_factor_attempts_count, 0)
+
+    redirect_to after_two_factor_success_path_for(resource)
+  end
+
+  def set_remember_two_factor_cookie(resource)
     expires_seconds = resource.class.remember_otp_session_for_seconds
 
     if expires_seconds && expires_seconds > 0
       cookies.signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME] = {
-          value: "#{resource.class}-#{resource.id}",
+          value: "#{resource.class}-#{resource.public_send(Devise.second_factor_resource_id)}",
           expires: expires_seconds.from_now
       }
     end
-
-    warden.session(resource_name)[TwoFactorAuthentication::NEED_AUTHENTICATION] = false
-    sign_in resource_name, resource, :bypass => true
-    set_flash_message :notice, :success
-    resource.update_attribute(:second_factor_attempts_count, 0)
-
-    redirect_to after_two_factor_success_path_for(resource)
   end
 
   def after_two_factor_success_path_for(resource)
@@ -42,12 +59,11 @@ class Devise::TwoFactorAuthenticationController < DeviseController
   def after_two_factor_fail_for(resource)
     resource.second_factor_attempts_count += 1
     resource.save
-    flash.now[:error] = find_message(:attempt_failed)
+    set_flash_message :alert, :attempt_failed, now: true
 
     if resource.max_login_attempts?
       sign_out(resource)
       render :max_login_attempts_reached
-
     else
       render :show
     end

data/app/views/devise/two_factor_authentication/show.html.erb

@@ -1,4 +1,8 @@
-<h2>Enter your personal code</h2>
+<% if resource.direct_otp %>
+<h2>Enter the code that was sent to you</h2>
+<% else %>
+<h2>Enter the code from your authenticator app</h2>
+<% end %>
 
 <p><%= flash[:notice] %></p>
 
@@ -7,4 +11,9 @@
   <%= submit_tag "Submit" %>
 <% end %>
 
+<% if resource.direct_otp %>
+<%= link_to "Resend Code", resend_code_user_two_factor_authentication_path, action: :get %>
+<% else %>
+<%= link_to "Send me a code instead", resend_code_user_two_factor_authentication_path, action: :get %>
+<% end %>
 <%= link_to "Sign out", destroy_user_session_path, :method => :delete %>

data/config/locales/en.yml

@@ -5,3 +5,4 @@ en:
       attempt_failed: "Attempt failed."
       max_login_attempts_reached: "Access completely denied as you have reached your attempts limit"
       contact_administrator: "Please contact your system administrator."
+      code_has_been_sent: "Your authentication code has been sent."

data/config/locales/es.yml

@@ -0,0 +1,8 @@
+es:
+  devise:
+    two_factor_authentication:
+      success: "Autenticación multi-factor realizada exitosamente."
+      attempt_failed: "La autenticación ha fallado."
+      max_login_attempts_reached: "Has llegado al límite de intentos fallidos, acceso denegado."
+      contact_administrator: "Contacte a su administrador de sistema."
+      code_has_been_sent: "El código de autenticación ha sido enviado."

data/config/locales/fr.yml

@@ -5,3 +5,4 @@ fr:
       attempt_failed: "La connexion a échoué."
       max_login_attempts_reached: "Limite de tentatives atteinte, accès refusé."
       contact_administrator: "Merci de contacter votre administrateur système."
+      code_has_been_sent: "Votre code de validation envoyé."

data/config/locales/ru.yml

@@ -5,3 +5,4 @@ ru:
       attempt_failed: "Неверный код."
       max_login_attempts_reached: "Доступ заблокирован. Превышено число попыток авторизации"
       contact_administrator: "Пожалуйста, свяжитесь с системным администратором."
+      code_has_been_sent: "Ваш персональный код был отправлен."

data/lib/generators/active_record/templates/migration.rb

@@ -4,6 +4,9 @@ class TwoFactorAuthenticationAddTo<%= table_name.camelize %> < ActiveRecord::Mig
     add_column :<%= table_name %>, :encrypted_otp_secret_key, :string
     add_column :<%= table_name %>, :encrypted_otp_secret_key_iv, :string
     add_column :<%= table_name %>, :encrypted_otp_secret_key_salt, :string
+    add_column :<%= table_name %>, :direct_otp, :string
+    add_column :<%= table_name %>, :direct_otp_sent_at, :datetime
+    add_column :<%= table_name %>, :totp_timestamp, :timestamp
 
     add_index :<%= table_name %>, :encrypted_otp_secret_key, unique: true
   end

data/lib/two_factor_authentication.rb

@@ -16,11 +16,20 @@ module Devise
   mattr_accessor :otp_length
   @@otp_length = 6
 
+  mattr_accessor :direct_otp_length
+  @@direct_otp_length = 6
+
+  mattr_accessor :direct_otp_valid_for
+  @@direct_otp_valid_for = 5.minutes
+
   mattr_accessor :remember_otp_session_for_seconds
   @@remember_otp_session_for_seconds = 0
 
   mattr_accessor :otp_secret_encryption_key
   @@otp_secret_encryption_key = ''
+
+  mattr_accessor :second_factor_resource_id
+  @@second_factor_resource_id = 'id'
 end
 
 module TwoFactorAuthentication

data/lib/two_factor_authentication/controllers/helpers.rb

@@ -4,7 +4,7 @@ module TwoFactorAuthentication
       extend ActiveSupport::Concern
 
       included do
-        before_filter :handle_two_factor_authentication
+        before_action :handle_two_factor_authentication
       end
 
       private

data/lib/two_factor_authentication/hooks/two_factor_authenticatable.rb

@@ -1,32 +1,13 @@
 Warden::Manager.after_authentication do |user, auth, options|
-  reset_otp_state_for(user)
-
-  expected_cookie_value = "#{user.class}-#{user.id}"
-  actual_cookie_value = auth.env["action_dispatch.cookies"].signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME]
-  if actual_cookie_value.nil?
-    bypass_by_cookie = false
-  else
+  if auth.env["action_dispatch.cookies"]
+    expected_cookie_value = "#{user.class}-#{user.public_send(Devise.second_factor_resource_id)}"
+    actual_cookie_value = auth.env["action_dispatch.cookies"].signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME]
     bypass_by_cookie = actual_cookie_value == expected_cookie_value
   end
 
   if user.respond_to?(:need_two_factor_authentication?) && !bypass_by_cookie
     if auth.session(options[:scope])[TwoFactorAuthentication::NEED_AUTHENTICATION] = user.need_two_factor_authentication?(auth.request)
-      user.send_two_factor_authentication_code
+      user.send_new_otp unless user.totp_enabled?
     end
   end
 end
-
-Warden::Manager.before_logout do |user, _auth, _options|
-  reset_otp_state_for(user)
-end
-
-def reset_otp_state_for(user)
-  klass_string = "#{user.class}OtpSender"
-  return unless Object.const_defined?(klass_string)
-
-  klass = Object.const_get(klass_string)
-
-  otp_sender = klass.new(user)
-
-  otp_sender.reset_otp_state if otp_sender.respond_to?(:reset_otp_state)
-end

data/lib/two_factor_authentication/models/two_factor_authenticatable.rb

@@ -11,42 +11,57 @@ module Devise
         def has_one_time_password(options = {})
           include InstanceMethodsOnActivation
           include EncryptionInstanceMethods if options[:encrypted] == true
-
-          before_create { populate_otp_column }
         end
 
         ::Devise::Models.config(
           self, :max_login_attempts, :allowed_otp_drift_seconds, :otp_length,
-          :remember_otp_session_for_seconds, :otp_secret_encryption_key)
+          :remember_otp_session_for_seconds, :otp_secret_encryption_key,
+          :direct_otp_length, :direct_otp_valid_for, :totp_timestamp)
       end
 
       module InstanceMethodsOnActivation
         def authenticate_otp(code, options = {})
-          totp = ROTP::TOTP.new(
-            otp_secret_key, digits: options[:otp_length] || self.class.otp_length
-          )
-          drift = options[:drift] || self.class.allowed_otp_drift_seconds
+          return true if direct_otp && authenticate_direct_otp(code)
+          return true if totp_enabled? && authenticate_totp(code, options)
+          false
+        end
 
-          totp.verify_with_drift(code, drift)
+        def authenticate_direct_otp(code)
+          return false if direct_otp.nil? || direct_otp != code || direct_otp_expired?
+          clear_direct_otp
+          true
         end
 
-        def otp_code(time = Time.now, options = {})
-          ROTP::TOTP.new(
-            otp_secret_key,
-            digits: options[:otp_length] || self.class.otp_length
-          ).at(time, true)
+        def authenticate_totp(code, options = {})
+          totp_secret = options[:otp_secret_key] || otp_secret_key
+          digits = options[:otp_length] || self.class.otp_length
+          drift = options[:drift] || self.class.allowed_otp_drift_seconds
+          raise "authenticate_totp called with no otp_secret_key set" if totp_secret.nil?
+          totp = ROTP::TOTP.new(totp_secret, digits: digits)
+          new_timestamp = totp.verify_with_drift_and_prior(code, drift, totp_timestamp)
+          return false unless new_timestamp
+          self.totp_timestamp = new_timestamp
+          true
         end
 
         def provisioning_uri(account = nil, options = {})
-          account ||= self.email if self.respond_to?(:email)
-          ROTP::TOTP.new(otp_secret_key, options).provisioning_uri(account)
+          totp_secret = options[:otp_secret_key] || otp_secret_key
+          options[:digits] ||= options[:otp_length] || self.class.otp_length
+          raise "provisioning_uri called with no otp_secret_key set" if totp_secret.nil?
+          account ||= email if respond_to?(:email)
+          ROTP::TOTP.new(totp_secret, options).provisioning_uri(account)
         end
 
         def need_two_factor_authentication?(request)
           true
         end
 
-        def send_two_factor_authentication_code
+        def send_new_otp(options = {})
+          create_direct_otp options
+          send_two_factor_authentication_code(direct_otp)
+        end
+
+        def send_two_factor_authentication_code(code)
           raise NotImplementedError.new("No default implementation - please define in your class.")
         end
 
@@ -58,8 +73,41 @@ module Devise
           self.class.max_login_attempts
         end
 
-        def populate_otp_column
-          self.otp_secret_key = ROTP::Base32.random_base32
+        def totp_enabled?
+          respond_to?(:otp_secret_key) && !otp_secret_key.nil?
+        end
+
+        def confirm_totp_secret(secret, code, options = {})
+          return false unless authenticate_totp(code, {otp_secret_key: secret})
+          self.otp_secret_key = secret
+          true
+        end
+
+        def generate_totp_secret
+          ROTP::Base32.random_base32
+        end
+
+        def create_direct_otp(options = {})
+          # Create a new random OTP and store it in the database
+          digits = options[:length] || self.class.direct_otp_length || 6
+          update_attributes(
+            direct_otp: random_base10(digits),
+            direct_otp_sent_at: Time.now.utc
+          )
+        end
+
+        private
+
+        def random_base10(digits)
+          SecureRandom.random_number(10**digits).to_s.rjust(digits, '0')
+        end
+
+        def direct_otp_expired?
+          Time.now.utc > direct_otp_sent_at + self.class.direct_otp_valid_for
+        end
+
+        def clear_direct_otp
+          update_attributes(direct_otp: nil, direct_otp_sent_at: nil)
         end
       end
 
@@ -105,7 +153,8 @@ module Devise
             value: value,
             key: Devise.otp_secret_encryption_key,
             iv: iv_for_attribute,
-            salt: salt_for_attribute
+            salt: salt_for_attribute,
+            algorithm: 'aes-256-cbc'
           }
         end
 

data/lib/two_factor_authentication/routes.rb

@@ -3,7 +3,9 @@ module ActionDispatch::Routing
     protected
 
       def devise_two_factor_authentication(mapping, controllers)
-        resource :two_factor_authentication, :only => [:show, :update], :path => mapping.path_names[:two_factor_authentication], :controller => controllers[:two_factor_authentication]
+        resource :two_factor_authentication, :only => [:show, :update, :resend_code], :path => mapping.path_names[:two_factor_authentication], :controller => controllers[:two_factor_authentication] do
+          collection { get "resend_code" }
+        end
       end
   end
 end

data/lib/two_factor_authentication/schema.rb

@@ -15,5 +15,17 @@ module TwoFactorAuthentication
     def encrypted_otp_secret_key_salt
       apply_devise_schema :encrypted_otp_secret_key_salt, String
     end
+
+    def direct_otp
+      apply_devise_schema :direct_otp, String
+    end
+
+    def direct_otp_sent_at
+      apply_devise_schema :direct_otp_sent_at, DateTime
+    end
+
+    def totp_timestamp
+      apply_devise_schema :totp_timestamp, Timestamp
+    end
   end
 end

data/lib/two_factor_authentication/version.rb

@@ -1,3 +1,3 @@
 module TwoFactorAuthentication
-  VERSION = "1.1.5".freeze
+  VERSION = "2.0.0".freeze
 end

data/spec/controllers/two_factor_authentication_controller_spec.rb

@@ -8,8 +8,8 @@ describe Devise::TwoFactorAuthenticationController, type: :controller do
 
     context 'after user enters valid OTP code' do
       it 'returns true' do
-        post :update, code: controller.current_user.otp_code
-
+        controller.current_user.send_new_otp
+        post :update, code: controller.current_user.direct_otp
         expect(subject.is_fully_authenticated?).to eq true
       end
     end

data/spec/features/two_factor_authenticatable_spec.rb

@@ -5,6 +5,7 @@ feature "User of two factor authentication" do
   context 'sending two factor authentication code via SMS' do
     shared_examples 'sends and authenticates code' do |user, type|
       before do
+        user.reload
         if type == 'encrypted'
           allow(User).to receive(:has_one_time_password).with(encrypted: true)
         end
@@ -18,12 +19,12 @@ feature "User of two factor authentication" do
         visit new_user_session_path
         complete_sign_in_form_for(user)
 
-        expect(page).to have_content 'Enter your personal code'
+        expect(page).to have_content 'Enter the code that was sent to you'
 
         expect(SMSProvider.messages.size).to eq(1)
         message = SMSProvider.last_message
         expect(message.to).to eq(user.phone_number)
-        expect(message.body).to eq(user.otp_code)
+        expect(message.body).to eq(user.reload.direct_otp)
       end
 
       it 'authenticates a valid OTP code' do
@@ -32,7 +33,7 @@ feature "User of two factor authentication" do
 
         expect(page).to have_content('You are signed in as Marissa')
 
-        fill_in 'code', with: user.otp_code
+        fill_in 'code', with: SMSProvider.last_message.body
         click_button 'Submit'
 
         within('.flash.notice') do
@@ -66,7 +67,7 @@ feature "User of two factor authentication" do
 
       expect(page).to_not have_content("Your Personal Dashboard")
 
-      fill_in "code", with: user.otp_code
+      fill_in "code", with: SMSProvider.last_message.body
       click_button "Submit"
 
       expect(page).to have_content("Your Personal Dashboard")
@@ -84,7 +85,7 @@ feature "User of two factor authentication" do
         fill_in "code", with: "incorrect#{rand(100)}"
         click_button "Submit"
 
-        within(".flash.error") do
+        within(".flash.alert") do
           expect(page).to have_content("Attempt failed")
         end
       end
@@ -113,9 +114,7 @@ feature "User of two factor authentication" do
       end
 
       scenario "doesn't require TFA code again within 30 days" do
-        visit user_two_factor_authentication_path
-        fill_in "code", with: user.otp_code
-        click_button "Submit"
+        sms_sign_in
 
         logout
 
@@ -126,9 +125,7 @@ feature "User of two factor authentication" do
       end
 
       scenario "requires TFA code again after 30 days" do
-        visit user_two_factor_authentication_path
-        fill_in "code", with: user.otp_code
-        click_button "Submit"
+        sms_sign_in
 
         logout
 
@@ -136,13 +133,11 @@ feature "User of two factor authentication" do
         login_as user
         visit dashboard_path
         expect(page).to have_content("You are signed in as Marissa")
-        expect(page).to have_content("Enter your personal code")
+        expect(page).to have_content("Enter the code that was sent to you")
       end
 
       scenario 'TFA should be different for different users' do
-        visit user_two_factor_authentication_path
-        fill_in 'code', with: user.otp_code
-        click_button 'Submit'
+        sms_sign_in
 
         tfa_cookie1 = get_tfa_cookie()
 
@@ -151,19 +146,22 @@ feature "User of two factor authentication" do
 
         user2 = create_user()
         login_as(user2)
-        visit user_two_factor_authentication_path
-        fill_in 'code', with: user2.otp_code
-        click_button 'Submit'
+        sms_sign_in
 
         tfa_cookie2 = get_tfa_cookie()
 
         expect(tfa_cookie1).not_to eq tfa_cookie2
       end
 
-      scenario 'TFA should be unique for specific user' do
+      def sms_sign_in
+        SMSProvider.messages.clear()
         visit user_two_factor_authentication_path
-        fill_in 'code', with: user.otp_code
+        fill_in 'code', with: SMSProvider.last_message.body
         click_button 'Submit'
+      end
+
+      scenario 'TFA should be unique for specific user' do
+        sms_sign_in
 
         tfa_cookie1 = get_tfa_cookie()
 
@@ -174,7 +172,7 @@ feature "User of two factor authentication" do
         set_tfa_cookie(tfa_cookie1)
         login_as(user2)
         visit dashboard_path
-        expect(page).to have_content('Enter your personal code')
+        expect(page).to have_content("Enter the code that was sent to you")
       end
     end
 
@@ -187,76 +185,41 @@ feature "User of two factor authentication" do
 
   describe 'signing in' do
     let(:user) { create_user }
+    let(:admin) { create_admin }
 
-    scenario 'when UserOtpSender#reset_otp_state is defined' do
-      klass = stub_const 'UserOtpSender', Class.new
-
-      klass.class_eval do
-        def reset_otp_state; end
-      end
-
-      otp_sender = instance_double(UserOtpSender)
-      expect(UserOtpSender).to receive(:new).with(user).and_return(otp_sender)
-      expect(otp_sender).to receive(:reset_otp_state)
-
+    scenario 'user signs is' do
       visit new_user_session_path
       complete_sign_in_form_for(user)
-    end
-
-    scenario 'when UserOtpSender#reset_otp_state is not defined' do
-      klass = stub_const 'UserOtpSender', Class.new
 
-      klass.class_eval do
-        def reset_otp_state; end
-      end
-
-      otp_sender = instance_double(UserOtpSender)
-      allow(otp_sender).to receive(:respond_to?).with(:reset_otp_state).and_return(false)
+      expect(page).to have_content('Signed in successfully.')
+    end
 
-      expect(UserOtpSender).to receive(:new).with(user).and_return(otp_sender)
-      expect(otp_sender).to_not receive(:reset_otp_state)
+    scenario 'admin signs in' do
+      visit new_admin_session_path
+      complete_sign_in_form_for(admin)
 
-      visit new_user_session_path
-      complete_sign_in_form_for(user)
+      expect(page).to have_content('Signed in successfully.')
     end
   end
 
   describe 'signing out' do
     let(:user) { create_user }
+    let(:admin) { create_admin }
 
-    scenario 'when UserOtpSender#reset_otp_state is defined' do
+    scenario 'user signs out' do
       visit new_user_session_path
       complete_sign_in_form_for(user)
-
-      klass = stub_const 'UserOtpSender', Class.new
-      klass.class_eval do
-        def reset_otp_state; end
-      end
-
-      otp_sender = instance_double(UserOtpSender)
-
-      expect(UserOtpSender).to receive(:new).with(user).and_return(otp_sender)
-      expect(otp_sender).to receive(:reset_otp_state)
-
       visit destroy_user_session_path
-    end
-
-    scenario 'when UserOtpSender#reset_otp_state is not defined' do
-      visit new_user_session_path
-      complete_sign_in_form_for(user)
 
-      klass = stub_const 'UserOtpSender', Class.new
-      klass.class_eval do
-        def reset_otp_state; end
-      end
-
-      otp_sender = instance_double(UserOtpSender)
-      allow(otp_sender).to receive(:respond_to?).with(:reset_otp_state).and_return(false)
+      expect(page).to have_content('Signed out successfully.')
+    end
 
-      expect(UserOtpSender).to receive(:new).with(user).and_return(otp_sender)
-      expect(otp_sender).to_not receive(:reset_otp_state)
+    scenario 'admin signs out' do
+      visit new_admin_session_path
+      complete_sign_in_form_for(admin)
+      visit destroy_admin_session_path
 
-      visit destroy_user_session_path
+      expect(page).to have_content('Signed out successfully.')
     end
   end
 end