two_factor_authentication 1.1.5 → 2.0.0

data/spec/lib/two_factor_authentication/models/two_factor_authenticatable_spec.rb

@@ -2,121 +2,156 @@ require 'spec_helper'
 include AuthenticatedModelHelper
 
 describe Devise::Models::TwoFactorAuthenticatable do
-  describe '#otp_code' do
-    shared_examples 'otp_code' do |instance|
-      subject { instance.otp_code(time) }
-      let(:time) { 1_392_852_456 }
+  describe '#create_direct_otp' do
+    let(:instance) { build_guest_user }
+
+    it 'set direct_otp field' do
+      expect(instance.direct_otp).to be_nil
+      instance.create_direct_otp
+      expect(instance.direct_otp).not_to be_nil
+    end
 
-      it 'returns an error if no secret is set' do
-        expect { subject }.to raise_error Exception
+    it 'set direct_otp_send_at field to current time' do
+      Timecop.freeze() do
+        instance.create_direct_otp
+        expect(instance.direct_otp_sent_at).to eq(Time.now)
       end
+    end
 
-      context 'secret is set' do
-        before :each do
-          instance.otp_secret_key = '2z6hxkdwi3uvrnpn'
-        end
+    it 'honors .direct_otp_length' do
+      expect(instance.class).to receive(:direct_otp_length).and_return(10)
+      instance.create_direct_otp
+      expect(instance.direct_otp.length).to equal(10)
 
-        it 'does not return an error' do
-          subject
-        end
+      expect(instance.class).to receive(:direct_otp_length).and_return(6)
+      instance.create_direct_otp
+      expect(instance.direct_otp.length).to equal(6)
+    end
 
-        it 'matches Devise configured length' do
-          expect(subject.length).to eq(Devise.otp_length)
-        end
+    it "honors 'direct_otp_length' in options paramater" do
+      instance.create_direct_otp(length: 8)
+      expect(instance.direct_otp.length).to equal(8)
+      instance.create_direct_otp(length: 10)
+      expect(instance.direct_otp.length).to equal(10)
+    end
+  end
 
-        context 'with a known time' do
-          let(:time) { 1_392_852_756 }
+  describe '#authenticate_direct_otp' do
+    let(:instance) { build_guest_user }
+    it 'fails if no direct_otp has been set' do
+      expect(instance.authenticate_direct_otp('12345')).to eq(false)
+    end
 
-          it 'returns a known result' do
-            expect(subject).
-              to eq('0000000524562202'.split(//).last(Devise.otp_length).join)
-          end
-        end
+    context 'after generating an OTP' do
+      before :each do
+        instance.create_direct_otp
+      end
 
-        context 'with a known time yielding a result with less than 6 digits' do
-          let(:time) { 1_393_065_856 }
+      it 'accepts correct OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for - 1.second)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(true)
+      end
 
-          it 'returns a known result padded with zeroes' do
-            expect(subject).
-              to eq('0000001608007672'.split(//).last(Devise.otp_length).join)
-          end
-        end
+      it 'rejects invalid OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for - 1.second)
+        expect(instance.authenticate_direct_otp('12340')).to eq(false)
       end
-    end
 
-    it_behaves_like 'otp_code', GuestUser.new
-    it_behaves_like 'otp_code', EncryptedUser.new
+      it 'rejects expired OTP' do
+        Timecop.freeze(Time.now + instance.class.direct_otp_valid_for + 1.second)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(false)
+      end
+
+      it 'prevents code re-use' do
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(true)
+        expect(instance.authenticate_direct_otp(instance.direct_otp)).to eq(false)
+      end
+    end
   end
 
-  describe '#authenticate_otp' do
-    shared_examples 'authenticate_otp' do |instance|
+  describe '#authenticate_totp' do
+    shared_examples 'authenticate_totp' do |instance|
       before :each do
         instance.otp_secret_key = '2z6hxkdwi3uvrnpn'
+        instance.totp_timestamp = nil
+        @totp_helper = TotpHelper.new(instance.otp_secret_key, instance.class.otp_length)
       end
 
       def do_invoke(code, user)
-        user.authenticate_otp(code)
+        user.authenticate_totp(code)
       end
 
       it 'authenticates a recently created code' do
-        code = instance.otp_code
+        code = @totp_helper.totp_code
         expect(do_invoke(code, instance)).to eq(true)
       end
 
       it 'does not authenticate an old code' do
-        code = instance.otp_code(1.minutes.ago.to_i)
+        code = @totp_helper.totp_code(1.minutes.ago.to_i)
+        expect(do_invoke(code, instance)).to eq(false)
+      end
+
+      it 'prevents code reuse' do
+        code = @totp_helper.totp_code
+        expect(do_invoke(code, instance)).to eq(true)
         expect(do_invoke(code, instance)).to eq(false)
       end
     end
 
-    it_behaves_like 'authenticate_otp', GuestUser.new
-    it_behaves_like 'authenticate_otp', EncryptedUser.new
+    it_behaves_like 'authenticate_totp', GuestUser.new
+    it_behaves_like 'authenticate_totp', EncryptedUser.new
   end
 
   describe '#send_two_factor_authentication_code' do
     let(:instance) { build_guest_user }
 
     it 'raises an error by default' do
-      expect { instance.send_two_factor_authentication_code }.
+      expect { instance.send_two_factor_authentication_code(123) }.
         to raise_error(NotImplementedError)
     end
 
     it 'is overrideable' do
-      def instance.send_two_factor_authentication_code
+      def instance.send_two_factor_authentication_code(code)
         'Code sent'
       end
-      expect(instance.send_two_factor_authentication_code).to eq('Code sent')
+      expect(instance.send_two_factor_authentication_code(123)).to eq('Code sent')
     end
   end
 
   describe '#provisioning_uri' do
+
     shared_examples 'provisioning_uri' do |instance|
-      before do
-        instance.email = 'houdini@example.com'
-        instance.run_callbacks :create
+      it 'fails until generate_totp_secret is called' do
+        expect { instance.provisioning_uri }.to raise_error(Exception)
       end
 
-      it "returns uri with user's email" do
-        expect(instance.provisioning_uri).
-          to match(%r{otpauth://totp/houdini@example.com\?secret=\w{16}})
-      end
+      describe 'with secret set' do
+        before do
+          instance.email = 'houdini@example.com'
+          instance.otp_secret_key = instance.generate_totp_secret
+        end
 
-      it 'returns uri with issuer option' do
-        expect(instance.provisioning_uri('houdini')).
-          to match(%r{otpauth://totp/houdini\?secret=\w{16}$})
-      end
+        it "returns uri with user's email" do
+          expect(instance.provisioning_uri).
+            to match(%r{otpauth://totp/houdini@example.com\?secret=\w{16}})
+        end
 
-      it 'returns uri with issuer option' do
-        require 'cgi'
+        it 'returns uri with issuer option' do
+          expect(instance.provisioning_uri('houdini')).
+            to match(%r{otpauth://totp/houdini\?secret=\w{16}$})
+        end
 
-        uri = URI.parse(instance.provisioning_uri('houdini', issuer: 'Magic'))
-        params = CGI.parse(uri.query)
+        it 'returns uri with issuer option' do
+          require 'cgi'
+          uri = URI.parse(instance.provisioning_uri('houdini', issuer: 'Magic'))
+          params = CGI.parse(uri.query)
 
-        expect(uri.scheme).to eq('otpauth')
-        expect(uri.host).to eq('totp')
-        expect(uri.path).to eq('/houdini')
-        expect(params['issuer'].shift).to eq('Magic')
-        expect(params['secret'].shift).to match(/\w{16}/)
+          expect(uri.scheme).to eq('otpauth')
+          expect(uri.host).to eq('totp')
+          expect(uri.path).to eq('/Magic:houdini')
+          expect(params['issuer'].shift).to eq('Magic')
+          expect(params['secret'].shift).to match(/\w{16}/)
+        end
       end
     end
 
@@ -124,32 +159,50 @@ describe Devise::Models::TwoFactorAuthenticatable do
     it_behaves_like 'provisioning_uri', EncryptedUser.new
   end
 
-  describe '#populate_otp_column' do
-    shared_examples 'populate_otp_column' do |klass|
+  describe '#generate_totp_secret' do
+    shared_examples 'generate_totp_secret' do |klass|
       let(:instance) { klass.new }
 
-      it 'populates otp_column on create' do
-        expect(instance.otp_secret_key).to be_nil
+      it 'returns a 16 character string' do
+        secret = instance.generate_totp_secret
 
-        # populate_otp_column called via before_create
-        instance.run_callbacks :create
+        expect(secret).to match(/\w{16}/)
+      end
+    end
+
+    it_behaves_like 'generate_totp_secret', GuestUser
+    it_behaves_like 'generate_totp_secret', EncryptedUser
+  end
+
+  describe '#confirm_totp_secret' do
+    shared_examples 'confirm_totp_secret' do |klass|
+      let(:instance) { klass.new }
+      let(:secret) { instance.generate_totp_secret }
+      let(:totp_helper) { TotpHelper.new(secret, instance.class.otp_length) }
 
-        expect(instance.otp_secret_key).to match(/\w{16}/)
+      it 'populates otp_secret_key column when given correct code' do
+        instance.confirm_totp_secret(secret, totp_helper.totp_code)
+
+        expect(instance.otp_secret_key).to match(secret)
       end
 
-      it 'repopulates otp_column' do
-        instance.run_callbacks :create
-        original_key = instance.otp_secret_key
+      it 'does not populate otp_secret_key when when given incorrect code' do
+        instance.confirm_totp_secret(secret, '123')
+        expect(instance.otp_secret_key).to be_nil
+      end
 
-        instance.populate_otp_column
+      it 'returns true when given correct code' do
+        expect(instance.confirm_totp_secret(secret, totp_helper.totp_code)).to be true
+      end
 
-        expect(instance.otp_secret_key).to match(/\w{16}/)
-        expect(instance.otp_secret_key).to_not eq(original_key)
+      it 'returns false when given incorrect code' do
+        expect(instance.confirm_totp_secret(secret, '123')).to be false
       end
+
     end
 
-    it_behaves_like 'populate_otp_column', GuestUser
-    it_behaves_like 'populate_otp_column', EncryptedUser
+    it_behaves_like 'confirm_totp_secret', GuestUser
+    it_behaves_like 'confirm_totp_secret', EncryptedUser
   end
 
   describe '#max_login_attempts' do
@@ -227,16 +280,20 @@ describe Devise::Models::TwoFactorAuthenticatable do
           to raise_error ArgumentError
       end
 
-      it 'passes in the correct options to Encryptor' do
+      it 'passes in the correct options to Encryptor.
+          We test here output of
+          Devise::Models::TwoFactorAuthenticatable::EncryptionInstanceMethods.encryption_options_for' do
         instance.otp_secret_key = 'testing'
         iv = instance.encrypted_otp_secret_key_iv
         salt = instance.encrypted_otp_secret_key_salt
 
+        # it's important here to put the same crypto algorithm from that method
         encrypted = Encryptor.encrypt(
           value: 'testing',
           key: Devise.otp_secret_encryption_key,
           iv: iv.unpack('m').first,
-          salt: salt.unpack('m').first
+          salt: salt.unpack('m').first,
+          algorithm: 'aes-256-cbc'
         )
 
         expect(instance.encrypted_otp_secret_key).to eq [encrypted].pack('m')

data/spec/rails_app/app/controllers/home_controller.rb

@@ -1,5 +1,5 @@
 class HomeController < ApplicationController
-  before_filter :authenticate_user!, only: :dashboard
+  before_action :authenticate_user!, only: :dashboard
 
   def index
   end

data/spec/rails_app/app/models/admin.rb

@@ -0,0 +1,6 @@
+class Admin < ActiveRecord::Base
+  # Include default devise modules. Others available are:
+  # :confirmable, :lockable, :timeoutable and :omniauthable
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :trackable, :validatable
+end

data/spec/rails_app/app/models/encrypted_user.rb

@@ -8,7 +8,8 @@ class EncryptedUser
                 :encrypted_otp_secret_key_iv,
                 :encrypted_otp_secret_key_salt,
                 :email,
-                :second_factor_attempts_count
+                :second_factor_attempts_count,
+                :totp_timestamp
 
   has_one_time_password(encrypted: true)
 end

data/spec/rails_app/app/models/guest_user.rb

@@ -4,7 +4,14 @@ class GuestUser
   include Devise::Models::TwoFactorAuthenticatable
 
   define_model_callbacks :create
-  attr_accessor :otp_secret_key, :email, :second_factor_attempts_count
+  attr_accessor :direct_otp, :direct_otp_sent_at, :otp_secret_key, :email,
+    :second_factor_attempts_count, :totp_timestamp
+
+  def update_attributes(attrs)
+    attrs.each do |key, value|
+      send(key.to_s + '=', value)
+    end
+  end
 
   has_one_time_password
 end

data/spec/rails_app/app/models/user.rb

@@ -4,8 +4,8 @@ class User < ActiveRecord::Base
 
   has_one_time_password
 
-  def send_two_factor_authentication_code
-    SMSProvider.send_message(to: phone_number, body: otp_code)
+  def send_two_factor_authentication_code(code)
+    SMSProvider.send_message(to: phone_number, body: code)
   end
 
   def phone_number

data/spec/rails_app/config/initializers/devise.rb

@@ -206,11 +206,11 @@ Devise.setup do |config|
 
   # Configure the default scope given to Warden. By default it's the first
   # devise role declared in your routes (usually :user).
-  # config.default_scope = :user
+  config.default_scope = :user
 
   # Set this configuration to false if you want /users/sign_out to sign out
   # only the current scope. By default, Devise signs out all scopes.
-  # config.sign_out_all_scopes = true
+  config.sign_out_all_scopes = false
 
   # ==> Navigation configuration
   # Lists the formats that should be treated as navigational. Formats like

data/spec/rails_app/config/routes.rb

@@ -1,4 +1,5 @@
 Dummy::Application.routes.draw do
+  devise_for :admins
   root to: "home#index"
 
   match "/dashboard", to: "home#dashboard", as: :dashboard, via: [:get]

data/spec/rails_app/db/migrate/20140403184646_devise_create_users.rb

@@ -31,7 +31,7 @@ class DeviseCreateUsers < ActiveRecord::Migration
       # t.datetime :locked_at
 
 
-      t.timestamps
+      t.timestamps null: false
     end
 
     add_index :users, :email,                unique: true

data/spec/rails_app/db/migrate/20160209032439_devise_create_admins.rb

@@ -0,0 +1,42 @@
+class DeviseCreateAdmins < ActiveRecord::Migration
+  def change
+    create_table(:admins) do |t|
+      ## Database authenticatable
+      t.string :email,              null: false, default: ""
+      t.string :encrypted_password, null: false, default: ""
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer  :sign_in_count, default: 0, null: false
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
+
+      ## Confirmable
+      # t.string   :confirmation_token
+      # t.datetime :confirmed_at
+      # t.datetime :confirmation_sent_at
+      # t.string   :unconfirmed_email # Only if using reconfirmable
+
+      ## Lockable
+      # t.integer  :failed_attempts, default: 0, null: false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+
+      t.timestamps null: false
+    end
+
+    add_index :admins, :email,                unique: true
+    add_index :admins, :reset_password_token, unique: true
+    # add_index :admins, :confirmation_token,   unique: true
+    # add_index :admins, :unlock_token,         unique: true
+  end
+end

data/spec/rails_app/db/schema.rb

@@ -11,7 +11,25 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20151228230340) do
+ActiveRecord::Schema.define(version: 20160209032439) do
+
+  create_table "admins", force: :cascade do |t|
+    t.string   "email",                  default: "", null: false
+    t.string   "encrypted_password",     default: "", null: false
+    t.string   "reset_password_token"
+    t.datetime "reset_password_sent_at"
+    t.datetime "remember_created_at"
+    t.integer  "sign_in_count",          default: 0,  null: false
+    t.datetime "current_sign_in_at"
+    t.datetime "last_sign_in_at"
+    t.string   "current_sign_in_ip"
+    t.string   "last_sign_in_ip"
+    t.datetime "created_at",                          null: false
+    t.datetime "updated_at",                          null: false
+  end
+
+  add_index "admins", ["email"], name: "index_admins_on_email", unique: true
+  add_index "admins", ["reset_password_token"], name: "index_admins_on_reset_password_token", unique: true
 
   create_table "users", force: :cascade do |t|
     t.string   "email",                                    default: "", null: false