two_factor_authentication 1.0 → 1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 39274f1841e29f847f6c2900a9228493e6103243
-  data.tar.gz: c0c3e1aebe06d8981301dfa2ccd85ab6f347b6e0
+  metadata.gz: 86b64f6f26de2115a9fb9c35afd02072d4d668ab
+  data.tar.gz: b6448de97e61ce3d00910f3a6b5b165ad683e642
 SHA512:
-  metadata.gz: 3e4bf30aa6f90afd6ee31400b4acd5e75dfc6fa49162b9ceb18042e406c55b956a0841466b9881c289b842870cb56ca985005e639578861259862c9c04209e3c
-  data.tar.gz: 91f57824cfc4ea2588cd7658c50eb8ee0b221b6dff7c45362d2d2542c51911c61f3f88483e9d79951d14c1c61fb3a4c80a11065bf77a513a0cc5f15d41bd713f
+  metadata.gz: 17445687f19fe7f427b15c788423e1d7e26b90298e9e1c174a56168f3a7e6bb16172e4edb2fa6b3b7d27f17d54bc46119267524ce0fb6cf4a5946d0e8639eda9
+  data.tar.gz: 3538d6195e8529e753eaaf5bf85a85f9c65eac7af9cf51c227fea2bfe2b42a01eb91be4909196bfe749a8e78e23c8e87ba12791255327e592ae54fd415a94ce7

data/.travis.yml

@@ -0,0 +1,20 @@
+language: ruby
+
+env:
+  - "RAILS_VERSION=3.2.0"
+  - "RAILS_VERSION=4.0.0"
+  - "RAILS_VERSION=master"
+
+rvm:
+  - 1.9.3
+  - 2.0
+  - 2.1
+
+matrix:
+  allow_failures:
+    - env: "RAILS_VERSION=master"
+
+before_script:
+  - bundle exec rake app:db:migrate
+
+script: bundle exec rake spec

data/Gemfile

@@ -2,3 +2,20 @@ source "http://rubygems.org"
 
 # Specify your gem's dependencies in devise_ip_filter.gemspec
 gemspec
+
+rails_version = ENV["RAILS_VERSION"] || "default"
+
+rails = case rails_version
+        when "master"
+          {github: "rails/rails"}
+        when "default"
+          "~> 3.2"
+        else
+          "~> #{rails_version}"
+        end
+
+gem "rails", rails
+
+group :test do
+  gem "sqlite3"
+end

data/README.md

@@ -1,4 +1,6 @@
-## Two factor authentication for Devise
+# Two factor authentication for Devise
+
+[![Build Status](https://travis-ci.org/Houdini/two_factor_authentication.svg?branch=master)](https://travis-ci.org/Houdini/two_factor_authentication)
 
 ## Features
 
@@ -19,7 +21,6 @@ Once that's done, run:
 
     bundle install
 
-
 ### Automatic installation
 
 In order to add two factor authorisation to a model, run the command:
@@ -27,7 +28,7 @@ In order to add two factor authorisation to a model, run the command:
     bundle exec rails g two_factor_authentication MODEL
 
 Where MODEL is your model name (e.g. User or Admin). This generator will add `:two_factor_authenticatable` to your model
-and create a migration in `db/migrate/`, which will add `::second_factor_pass_code` and `:second_factor_attempts_count` to your table.
+and create a migration in `db/migrate/`, which will add `:otp_secret_key` and `:second_factor_attempts_count` to your table.
 Finally, run the migration with:
 
     bundle exec rake db:migrate
@@ -38,22 +39,26 @@ Add the following line to your model to fully enable two-factor auth:
 
 Set config values if desired for maximum second factor attempts count and allowed time drift for one-time passwords:
 
-    config.max_login_attempts = 3
-    config.allowed_otp_drift_seconds = 30
+```ruby
+config.max_login_attempts = 3
+config.allowed_otp_drift_seconds = 30
+```
 
 Override the method to send one-time passwords in your model, this is automatically called when a user logs in:
 
-    def send_two_factor_authentication_code
-      # use Model#otp_code and send via SMS, etc.
-    end
+```ruby
+def send_two_factor_authentication_code
+  # use Model#otp_code and send via SMS, etc.
+end
+```
 
 ### Manual installation
 
 To manually enable two factor authentication for the User model, you should add two_factor_authentication to your devise line, like:
 
 ```ruby
-  devise :database_authenticatable, :registerable,
-         :recoverable, :rememberable, :trackable, :validatable, :two_factor_authenticatable
+devise :database_authenticatable, :registerable,
+       :recoverable, :rememberable, :trackable, :validatable, :two_factor_authenticatable
 ```
 
 Add the following line to your model to fully enable two-factor auth:
@@ -62,23 +67,27 @@ Add the following line to your model to fully enable two-factor auth:
 
 Set config values if desired for maximum second factor attempts count and allowed time drift for one-time passwords:
 
-    config.max_login_attempts = 3
-    config.allowed_otp_drift_seconds = 30
+```ruby
+config.max_login_attempts = 3
+config.allowed_otp_drift_seconds = 30
+```
 
 Override the method to send one-time passwords in your model, this is automatically called when a user logs in:
 
-    def send_two_factor_authentication_code
-      # use Model#otp_code and send via SMS, etc.
-    end
+```ruby
+def send_two_factor_authentication_code
+  # use Model#otp_code and send via SMS, etc.
+end
+```
 
 ### Customisation and Usage
 
 By default second factor authentication enabled for each user, you can change it with this method in your User model:
 
 ```ruby
-  def need_two_factor_authentication?(request)
-    request.ip != '127.0.0.1'
-  end
+def need_two_factor_authentication?(request)
+  request.ip != '127.0.0.1'
+end
 ```
 
 this will disable two factor authentication for local users

data/Rakefile

@@ -1 +1,14 @@
 require "bundler/gem_tasks"
+
+APP_RAKEFILE = File.expand_path("../spec/rails_app/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+require 'rspec/core/rake_task'
+
+desc "Run all specs in spec directory (excluding plugin specs)"
+RSpec::Core::RakeTask.new(:spec => 'app:db:test:prepare')
+
+task :default => :spec
+
+# To test against a specific version of Rails
+# export RAILS_VERSION=3.2.0; bundle update; rake

data/app/controllers/devise/two_factor_authentication_controller.rb

@@ -11,15 +11,16 @@ class Devise::TwoFactorAuthenticationController < DeviseController
     if resource.authenticate_otp(params[:code])
       warden.session(resource_name)[:need_two_factor_authentication] = false
       sign_in resource_name, resource, :bypass => true
+      set_flash_message :notice, :success
       redirect_to stored_location_for(resource_name) || :root
       resource.update_attribute(:second_factor_attempts_count, 0)
     else
       resource.second_factor_attempts_count += 1
       resource.save
-      set_flash_message :error, :attempt_failed
+      flash.now[:error] = find_message(:attempt_failed)
       if resource.max_login_attempts?
         sign_out(resource)
-        render :template => 'devise/two_factor_authentication/max_login_attempts_reached' and return
+        render :max_login_attempts_reached
       else
         render :show
       end
@@ -34,10 +35,10 @@ class Devise::TwoFactorAuthenticationController < DeviseController
 
     def prepare_and_validate
       redirect_to :root and return if resource.nil?
-      @limit = resource.class.max_login_attempts
+      @limit = resource.max_login_attempts
       if resource.max_login_attempts?
         sign_out(resource)
-        render :template => 'devise/two_factor_authentication/max_login_attempts_reached' and return
+        render :max_login_attempts_reached and return
       end
     end
 end

data/app/views/devise/two_factor_authentication/max_login_attempts_reached.html.erb

@@ -1,3 +1,3 @@
-<h2>Access completely denied as you have reached your attempts limit = <%= @limit %>.</h2>
-<p>Please contact your system administrator.</p>
+<h2><%= I18n.t("devise.two_factor_authentication.max_login_attempts_reached") %> = <%= @limit %>.</h2>
+<p><%= I18n.t("devise.two_factor_authentication.contact_administrator") %></p>
 

data/config/locales/en.yml

@@ -1,4 +1,7 @@
 en:
   devise:
     two_factor_authentication:
+      success: "Two factor authentication successful."
       attempt_failed: "Attempt failed."
+      max_login_attempts_reached: "Access completely denied as you have reached your attempts limit"
+      contact_administrator: "Please contact your system administrator."

data/config/locales/ru.yml

@@ -0,0 +1,6 @@
+ru:
+  devise:
+    two_factor_authentication:
+      attempt_failed: "Неверный код."
+      max_login_attempts_reached: "Доступ заблокирован. Превышено число попыток авторизации"
+      contact_administrator: "Пожалуйста, свяжитесь с системным администратором."

data/lib/two_factor_authentication/controllers/helpers.rb

@@ -21,7 +21,7 @@ module TwoFactorAuthentication
 
       def handle_failed_second_factor(scope)
         if request.format.present? and request.format.html?
-          session["#{scope}_return_tor"] = request.path if request.get?
+          session["#{scope}_return_to"] = request.path if request.get?
           redirect_to two_factor_authentication_path_for(scope)
         else
           render nothing: true, status: :unauthorized
@@ -37,3 +37,13 @@ module TwoFactorAuthentication
     end
   end
 end
+
+module Devise
+  module Controllers
+    module Helpers
+      def is_fully_authenticated?
+        !session["warden.user.user.session"].try(:[], :need_two_factor_authentication)
+      end
+    end
+  end
+end

data/lib/two_factor_authentication/models/two_factor_authenticatable.rb

@@ -12,7 +12,7 @@ module Devise
 
           include InstanceMethodsOnActivation
 
-          before_create { self.otp_column = ROTP::Base32.random_base32 }
+          before_create { populate_otp_column }
 
           if respond_to?(:attributes_protected_by_default)
             def self.attributes_protected_by_default #:nodoc:
@@ -35,9 +35,9 @@ module Devise
           ROTP::TOTP.new(self.otp_column).at(time)
         end
 
-        def provisioning_uri(account = nil)
+        def provisioning_uri(account = nil, options = {})
           account ||= self.email if self.respond_to?(:email)
-          ROTP::TOTP.new(self.otp_column).provisioning_uri(account)
+          ROTP::TOTP.new(self.otp_column, options).provisioning_uri(account)
         end
 
         def otp_column
@@ -57,7 +57,15 @@ module Devise
         end
 
         def max_login_attempts?
-          second_factor_attempts_count >= self.class.max_login_attempts
+          second_factor_attempts_count.to_i >= max_login_attempts.to_i
+        end
+
+        def max_login_attempts
+          self.class.max_login_attempts
+        end
+
+        def populate_otp_column
+          self.otp_column = ROTP::Base32.random_base32
         end
 
       end

data/lib/two_factor_authentication/version.rb

@@ -1,3 +1,3 @@
 module TwoFactorAuthentication
-  VERSION = "1.0".freeze
+  VERSION = "1.1".freeze
 end

data/spec/controllers/two_factor_auth_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+include Warden::Test::Helpers
+
+describe HomeController do
+  context "passed only 1st factor auth" do
+    let(:user) { create_user }
+
+    describe "is_fully_authenticated helper" do
+      it "should be true" do
+        login_as user, scope: :user
+        visit user_two_factor_authentication_path
+
+
+        controller.is_fully_authenticated?.should be_true
+      end
+    end
+
+  end
+end

data/spec/features/two_factor_authenticatable_spec.rb

@@ -0,0 +1,86 @@
+require 'spec_helper'
+
+feature "User of two factor authentication" do
+  let(:user) { create_user }
+
+  scenario "must be logged in" do
+    visit user_two_factor_authentication_path
+
+    expect(page).to have_content("Welcome Home")
+    expect(page).to have_content("You are signed out")
+  end
+
+  scenario "sends two factor authentication code after sign in" do
+    SMSProvider.messages.should be_empty
+
+    visit new_user_session_path
+    complete_sign_in_form_for(user)
+
+    expect(page).to have_content "Enter your personal code"
+
+    SMSProvider.messages.size.should eq(1)
+    message = SMSProvider.last_message
+    expect(message.to).to eq(user.phone_number)
+    expect(message.body).to eq(user.otp_code)
+  end
+
+  context "when logged in" do
+
+    background do
+      login_as user
+    end
+
+    scenario "can fill in TFA code" do
+      visit user_two_factor_authentication_path
+
+      expect(page).to have_content("You are signed in as Marissa")
+      expect(page).to have_content("Enter your personal code")
+
+      fill_in "code", with: user.otp_code
+      click_button "Submit"
+
+      within(".flash.notice") do
+        expect(page).to have_content("Two factor authentication successful.")
+      end
+    end
+
+    scenario "is redirected to TFA when path requires authentication" do
+      visit dashboard_path
+
+      expect(page).to_not have_content("Your Personal Dashboard")
+
+      fill_in "code", with: user.otp_code
+      click_button "Submit"
+
+      expect(page).to have_content("Your Personal Dashboard")
+      expect(page).to have_content("You are signed in as Marissa")
+    end
+
+    scenario "is locked out after max failed attempts" do
+      visit user_two_factor_authentication_path
+
+      max_attempts = User.max_login_attempts
+
+      max_attempts.times do
+        fill_in "code", with: "incorrect#{rand(100)}"
+        click_button "Submit"
+
+        within(".flash.error") do
+          expect(page).to have_content("Attempt failed")
+        end
+      end
+
+      expect(page).to have_content("Access completely denied")
+      expect(page).to have_content("You are signed out")
+    end
+
+    scenario "cannot retry authentication after max attempts" do
+      user.update_attribute(:second_factor_attempts_count, User.max_login_attempts)
+
+      visit user_two_factor_authentication_path
+
+      expect(page).to have_content("Access completely denied")
+      expect(page).to have_content("You are signed out")
+    end
+  end
+end

data/spec/lib/two_factor_authentication/models/two_factor_authenticatable_spec.rb

@@ -1,9 +1,8 @@
 require 'spec_helper'
 include AuthenticatedModelHelper
 
-
 describe Devise::Models::TwoFactorAuthenticatable, '#otp_code' do
-  let(:instance) { AuthenticatedModelHelper.create_new_user }
+  let(:instance) { build_guest_user }
   subject { instance.otp_code(time) }
   let(:time) { 1392852456 }
 
@@ -33,7 +32,7 @@ describe Devise::Models::TwoFactorAuthenticatable, '#otp_code' do
 end
 
 describe Devise::Models::TwoFactorAuthenticatable, '#authenticate_otp' do
-  let(:instance) { AuthenticatedModelHelper.create_new_user }
+  let(:instance) { build_guest_user }
 
   before :each do
     instance.otp_secret_key = "2z6hxkdwi3uvrnpn"
@@ -55,16 +54,103 @@ describe Devise::Models::TwoFactorAuthenticatable, '#authenticate_otp' do
 end
 
 describe Devise::Models::TwoFactorAuthenticatable, '#send_two_factor_authentication_code' do
+  let(:instance) { build_guest_user }
 
   it "should raise an error by default" do
-    instance = AuthenticatedModelHelper.create_new_user
     expect {
       instance.send_two_factor_authentication_code
     }.to raise_error(NotImplementedError)
   end
 
   it "should be overrideable" do
-    instance = AuthenticatedModelHelper.create_new_user_with_overrides
+    def instance.send_two_factor_authentication_code
+      "Code sent"
+    end
     expect(instance.send_two_factor_authentication_code).to eq("Code sent")
   end
-end
+end
+
+describe Devise::Models::TwoFactorAuthenticatable, '#provisioning_uri' do
+  let(:instance) { build_guest_user }
+
+  before do
+    instance.email = "houdini@example.com"
+    instance.run_callbacks :create
+  end
+
+  it "should return uri with user's email" do
+    expect(instance.provisioning_uri).to match(%r{otpauth://totp/houdini@example.com\?secret=\w{16}})
+  end
+
+  it "should return uri with issuer option" do
+    expect(instance.provisioning_uri("houdini")).to match(%r{otpauth://totp/houdini\?secret=\w{16}$})
+  end
+
+  it "should return uri with issuer option" do
+    require 'cgi'
+
+    uri = URI.parse(instance.provisioning_uri("houdini", issuer: 'Magic'))
+    params = CGI::parse(uri.query)
+
+    expect(uri.scheme).to eq("otpauth")
+    expect(uri.host).to eq("totp")
+    expect(uri.path).to eq("/houdini")
+    expect(params['issuer'].shift).to eq('Magic')
+    expect(params['secret'].shift).to match(%r{\w{16}})
+  end
+end
+
+describe Devise::Models::TwoFactorAuthenticatable, '#populate_otp_column' do
+  let(:instance) { build_guest_user }
+
+  it "populates otp_column on create" do
+    expect(instance.otp_secret_key).to be_nil
+
+    instance.run_callbacks :create # populate_otp_column called via before_create
+
+    expect(instance.otp_secret_key).to match(%r{\w{16}})
+  end
+
+  it "repopulates otp_column" do
+    instance.run_callbacks :create
+    original_key = instance.otp_secret_key
+
+    instance.populate_otp_column
+
+    expect(instance.otp_secret_key).to match(%r{\w{16}})
+    expect(instance.otp_secret_key).to_not eq(original_key)
+  end
+end
+
+describe Devise::Models::TwoFactorAuthenticatable, '#max_login_attempts' do
+  let(:instance) { build_guest_user }
+
+  before do
+    @original_max_login_attempts = GuestUser.max_login_attempts
+    GuestUser.max_login_attempts = 3
+  end
+
+  after { GuestUser.max_login_attempts = @original_max_login_attempts }
+
+  it "returns class setting" do
+    expect(instance.max_login_attempts).to eq(3)
+  end
+
+  it "returns false as boolean" do
+    instance.second_factor_attempts_count = nil
+    expect(instance.max_login_attempts?).to be_false
+    instance.second_factor_attempts_count = 0
+    expect(instance.max_login_attempts?).to be_false
+    instance.second_factor_attempts_count = 1
+    expect(instance.max_login_attempts?).to be_false
+    instance.second_factor_attempts_count = 2
+    expect(instance.max_login_attempts?).to be_false
+  end
+
+  it "returns true as boolean after too many attempts" do
+    instance.second_factor_attempts_count = 3
+    expect(instance.max_login_attempts?).to be_true
+    instance.second_factor_attempts_count = 4
+    expect(instance.max_login_attempts?).to be_true
+  end
+end