two_factor_authentication 1.1.4 → 1.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6d9dcc7b4346ba04374293811dba157adfd55db2
-  data.tar.gz: aaa9d10892c25956248fa6c2325c0632e34f4cf3
+  metadata.gz: 75e8b63e29715336ec78a4a06db141ec2fdddf68
+  data.tar.gz: c2b09dd1294a966ce75425efc97b6e2089e33689
 SHA512:
-  metadata.gz: c5ac4fa24344211e03465875098f6fb5a09af71335747a9972829f5f304c8b10b12037fd581a47de6ad973cc562dba29c110ca3171d833b8d08d9fb8bd7faec9
-  data.tar.gz: 8ce9ce6d83afafdd9014f7cf7c4aef87a0409a54f193a1943c3b071a0e86e3a60b93fe9a58e06beb380ecb42857988c521132fc4b44d16a926c8fbe2c729367c
+  metadata.gz: 6d38f91cbb77148bd9c401f129d977f5fa22281ddb20ec12e4a12f02b1e35acabd04048bc88bad4d7e4cc80311e43f8720f45b0eeea116323c96fdee78cfb733
+  data.tar.gz: e7a2a0026e4558a8e0e8efbb3257b0fec162f7d45390a7521f249332e273c53568b309044000fae9ecdfcd55c3cfe13a951d2895f5327bb54b692a4fe2723fcf

data/.travis.yml

@@ -1,21 +1,28 @@
 language: ruby
 
 env:
-  - "RAILS_VERSION=3.2.0"
-  - "RAILS_VERSION=4.0.0"
-  - "RAILS_VERSION=4.1.1"
-  - "RAILS_VERSION=4.2.4"
+  - "RAILS_VERSION=3.2"
+  - "RAILS_VERSION=4.0"
+  - "RAILS_VERSION=4.1"
+  - "RAILS_VERSION=4.2"
   - "RAILS_VERSION=master"
 
 rvm:
-  - 1.9.3
   - 2.0
   - 2.1
-  - 2.2
+  - 2.2.2
 
 matrix:
   allow_failures:
     - env: "RAILS_VERSION=master"
+  exclude:
+    - rvm: 2.0
+      env: RAILS_VERSION=master
+    - rvm: 2.1
+      env: RAILS_VERSION=master
+
+before_install:
+  - gem update bundler
 
 before_script:
   - bundle exec rake app:db:migrate

data/CHANGELOG.md

@@ -0,0 +1,109 @@
+# Change Log
+
+## [Unreleased](https://github.com/houdini/two_factor_authentication/tree/HEAD)
+
+[Full Changelog](https://github.com/houdini/two_factor_authentication/compare/v1.1.4...HEAD)
+
+**Closed issues:**
+
+- How should I integrate Devise two factor authentication with custom sessions controller? [\#60](https://github.com/Houdini/two_factor_authentication/issues/60)
+
+**Merged pull requests:**
+
+- Update bundler on Travis before installing gems [\#63](https://github.com/Houdini/two_factor_authentication/pull/63) ([monfresh](https://github.com/monfresh))
+- Add support for OTP secret key encryption [\#62](https://github.com/Houdini/two_factor_authentication/pull/62) ([monfresh](https://github.com/monfresh))
+- Allow executing code after sign in and before sign out [\#61](https://github.com/Houdini/two_factor_authentication/pull/61) ([monfresh](https://github.com/monfresh))
+
+## [v1.1.4](https://github.com/houdini/two_factor_authentication/tree/v1.1.4) (2016-01-01)
+[Full Changelog](https://github.com/houdini/two_factor_authentication/compare/v1.1.3...v1.1.4)
+
+**Closed issues:**
+
+- Old OTP can be used after a new one has been generated [\#59](https://github.com/Houdini/two_factor_authentication/issues/59)
+- Do we have any two\_factor\_method like authenticate\_user! [\#58](https://github.com/Houdini/two_factor_authentication/issues/58)
+- Configuration [\#57](https://github.com/Houdini/two_factor_authentication/issues/57)
+
+**Merged pull requests:**
+
+- Abstract logic for two factor success and fail into separate methods.… [\#56](https://github.com/Houdini/two_factor_authentication/pull/56) ([kpheasey](https://github.com/kpheasey))
+- Move require rotp library to the file where it is used [\#55](https://github.com/Houdini/two_factor_authentication/pull/55) ([gkopylov](https://github.com/gkopylov))
+- Add support for remembering a user's 2FA session in a cookie [\#54](https://github.com/Houdini/two_factor_authentication/pull/54) ([boffbowsh](https://github.com/boffbowsh))
+- Test against Ruby 2.2 and Rails 4.2 [\#53](https://github.com/Houdini/two_factor_authentication/pull/53) ([boffbowsh](https://github.com/boffbowsh))
+- Eliminates appended '?' to redirects that have no query string [\#46](https://github.com/Houdini/two_factor_authentication/pull/46) ([daveriess](https://github.com/daveriess))
+
+## [v1.1.3](https://github.com/houdini/two_factor_authentication/tree/v1.1.3) (2014-12-14)
+[Full Changelog](https://github.com/houdini/two_factor_authentication/compare/list...v1.1.3)
+
+**Closed issues:**
+
+- rails g two\_factor\_authentication MODEL does not append .rb to end of migration [\#40](https://github.com/Houdini/two_factor_authentication/issues/40)
+
+**Merged pull requests:**
+
+- Allows length of OTP to be configured [\#44](https://github.com/Houdini/two_factor_authentication/pull/44) ([amoose](https://github.com/amoose))
+- Missing translation. [\#43](https://github.com/Houdini/two_factor_authentication/pull/43) ([sadfuzzy](https://github.com/sadfuzzy))
+- Preserve query parameters in \_return\_to for redirect. [\#42](https://github.com/Houdini/two_factor_authentication/pull/42) ([omb-awong](https://github.com/omb-awong))
+- Add file extension to ActiveRecord generator [\#41](https://github.com/Houdini/two_factor_authentication/pull/41) ([jackturnbull](https://github.com/jackturnbull))
+
+## [list](https://github.com/houdini/two_factor_authentication/tree/list) (2014-07-14)
+[Full Changelog](https://github.com/houdini/two_factor_authentication/compare/v1.1.2...list)
+
+## [v1.1.2](https://github.com/houdini/two_factor_authentication/tree/v1.1.2) (2014-07-14)
+[Full Changelog](https://github.com/houdini/two_factor_authentication/compare/v1.1.1...v1.1.2)
+
+**Closed issues:**
+
+- NoMethodError \(undefined method `scan' for nil:NilClass\) [\#37](https://github.com/Houdini/two_factor_authentication/issues/37)
+
+**Merged pull requests:**
+
+- Updated readme with rake task to update existing users with OTP secret k... [\#39](https://github.com/Houdini/two_factor_authentication/pull/39) ([Znow](https://github.com/Znow))
+- Updated readme with view overriding [\#38](https://github.com/Houdini/two_factor_authentication/pull/38) ([Znow](https://github.com/Znow))
+
+## [v1.1.1](https://github.com/houdini/two_factor_authentication/tree/v1.1.1) (2014-05-31)
+[Full Changelog](https://github.com/houdini/two_factor_authentication/compare/v1.1...v1.1.1)
+
+**Closed issues:**
+
+- Override views [\#36](https://github.com/Houdini/two_factor_authentication/issues/36)
+-  NoMethodError in Devise::TwoFactorAuthenticationController\#update [\#30](https://github.com/Houdini/two_factor_authentication/issues/30)
+
+**Merged pull requests:**
+
+- Use Strings and not Symbols for keys when storing variable in warden session [\#35](https://github.com/Houdini/two_factor_authentication/pull/35) ([karolsarnacki](https://github.com/karolsarnacki))
+- Chore/extract reused hash key [\#34](https://github.com/Houdini/two_factor_authentication/pull/34) ([rud](https://github.com/rud))
+- Pad OTP codes with less than 6 digits [\#31](https://github.com/Houdini/two_factor_authentication/pull/31) ([brissmyr](https://github.com/brissmyr))
+
+## [v1.1](https://github.com/houdini/two_factor_authentication/tree/v1.1) (2014-04-16)
+**Closed issues:**
+
+- Update [\#15](https://github.com/Houdini/two_factor_authentication/issues/15)
+- Data in formats other than HTML left unprotected [\#6](https://github.com/Houdini/two_factor_authentication/issues/6)
+- Wordlists [\#5](https://github.com/Houdini/two_factor_authentication/issues/5)
+- devise - wrong number of arguments \(1 for 0\) [\#3](https://github.com/Houdini/two_factor_authentication/issues/3)
+- gem? [\#1](https://github.com/Houdini/two_factor_authentication/issues/1)
+
+**Merged pull requests:**
+
+- added is\_fully\_authenticated helper for current version [\#28](https://github.com/Houdini/two_factor_authentication/pull/28) ([edg3r](https://github.com/edg3r))
+- Adds integration spec to ensure authentication code is sent on sign in [\#27](https://github.com/Houdini/two_factor_authentication/pull/27) ([rossta](https://github.com/rossta))
+- ensure return\_to location is properly stored [\#26](https://github.com/Houdini/two_factor_authentication/pull/26) ([rossta](https://github.com/rossta))
+- travis badge in README [\#25](https://github.com/Houdini/two_factor_authentication/pull/25) ([rossta](https://github.com/rossta))
+- Integration specs [\#24](https://github.com/Houdini/two_factor_authentication/pull/24) ([rossta](https://github.com/rossta))
+- README updates [\#23](https://github.com/Houdini/two_factor_authentication/pull/23) ([rossta](https://github.com/rossta))
+- extract method \#max\_login\_attempts [\#22](https://github.com/Houdini/two_factor_authentication/pull/22) ([rossta](https://github.com/rossta))
+- extract method \#populate\_otp\_column [\#21](https://github.com/Houdini/two_factor_authentication/pull/21) ([rossta](https://github.com/rossta))
+- specs for Model\#provisioning\_uri [\#20](https://github.com/Houdini/two_factor_authentication/pull/20) ([rossta](https://github.com/rossta))
+- Provide options for \#provisioning\_uri [\#19](https://github.com/Houdini/two_factor_authentication/pull/19) ([rossta](https://github.com/rossta))
+- Use time-based authentication codes [\#16](https://github.com/Houdini/two_factor_authentication/pull/16) ([mattmueller](https://github.com/mattmueller))
+- Add ru locales and locales for max\_limit\_reached view [\#13](https://github.com/Houdini/two_factor_authentication/pull/13) ([edg3r](https://github.com/edg3r))
+- Update README.md [\#11](https://github.com/Houdini/two_factor_authentication/pull/11) ([edg3r](https://github.com/edg3r))
+- Changed route from user to admin\_user [\#10](https://github.com/Houdini/two_factor_authentication/pull/10) ([ilanstern](https://github.com/ilanstern))
+- Changed :notice to :error when setting flash message on attempt failure. [\#9](https://github.com/Houdini/two_factor_authentication/pull/9) ([johnmichaelbradley](https://github.com/johnmichaelbradley))
+- Typo and punctuation corrections. [\#8](https://github.com/Houdini/two_factor_authentication/pull/8) ([johnmichaelbradley](https://github.com/johnmichaelbradley))
+- Respond with 401 for request non-HTML requests [\#7](https://github.com/Houdini/two_factor_authentication/pull/7) ([WojtekKruszewski](https://github.com/WojtekKruszewski))
+- need\_two\_factor\_authentication? method should accept request param. [\#4](https://github.com/Houdini/two_factor_authentication/pull/4) ([VladimirMikhailov](https://github.com/VladimirMikhailov))
+- Add generators to make it easier to install and fix deprecation warnings [\#2](https://github.com/Houdini/two_factor_authentication/pull/2) ([carvil](https://github.com/carvil))
+
+
+\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*

data/Gemfile

@@ -1,4 +1,4 @@
-source "http://rubygems.org"
+source 'https://rubygems.org'
 
 # Specify your gem's dependencies in devise_ip_filter.gemspec
 gemspec
@@ -20,6 +20,12 @@ if Gem::Version.new(RUBY_VERSION) >= Gem::Version.new('2.2.0')
   gem "test-unit", "~> 3.0"
 end
 
+group :test, :development do
+  gem 'sqlite3'
+end
+
 group :test do
-  gem "sqlite3"
+  gem 'rack_session_access'
+  gem 'ammeter'
+  gem 'pry'
 end

data/README.md

@@ -5,11 +5,12 @@
 
 ## Features
 
-* control sms code pattern
-* configure max login attempts
-* per user level control if he really need two factor authentication
-* your own sms logic
+* configurable OTP code digit length
+* configurable max login attempts
+* customizable logic to determine if a user needs two factor authentication
+* customizable logic for sending the OTP code to the user
 * configurable period where users won't be asked for 2FA again
+* option to encrypt the OTP secret key in the database, with iv and salt
 
 ## Configuration
 
@@ -23,62 +24,73 @@ Once that's done, run:
 
     bundle install
 
-### Automatic installation
+Note that Ruby 2.0 or greater is required.
 
-In order to add two factor authentication to a model, run the command:
+### Installation
 
-    bundle exec rails g two_factor_authentication MODEL
-
-Where MODEL is your model name (e.g. User or Admin). This generator will add `:two_factor_authenticatable` to your model
-and create a migration in `db/migrate/`, which will add `:otp_secret_key` and `:second_factor_attempts_count` to your table.
-Finally, run the migration with:
+#### Automatic initial setup
+To set up the model and database migration file automatically, run the
+following command:
 
-    bundle exec rake db:migrate
+    bundle exec rails g two_factor_authentication MODEL
 
-Add the following line to your model to fully enable two-factor auth:
+Where MODEL is your model name (e.g. User or Admin). This generator will add
+`:two_factor_authenticatable` to your model's Devise options and create a
+migration in `db/migrate/`, which will add the following columns to your table:
 
-    has_one_time_password
+- `:second_factor_attempts_count`
+- `:encrypted_otp_secret_key`
+- `:encrypted_otp_secret_key_iv`
+- `:encrypted_otp_secret_key_salt`
 
-Set config values, if desired:
+#### Manual initial setup
+If you prefer to set up the model and migration manually, add the
+`:two_factor_authentication` option to your existing devise options, such as:
 
 ```ruby
-config.max_login_attempts = 3  # Maximum second factor attempts count
-config.allowed_otp_drift_seconds = 30  # Allowed time drift
-config.otp_length = 6  # OTP code length
-config.remember_otp_session_for_seconds = 30.days  # Time before browser has to enter OTP code again
+devise :database_authenticatable, :registerable, :recoverable, :rememberable,
+       :trackable, :validatable, :two_factor_authenticatable
 ```
 
-Override the method to send one-time passwords in your model, this is automatically called when a user logs in:
+Then create your migration file using the Rails generator, such as:
 
-```ruby
-def send_two_factor_authentication_code
-  # use Model#otp_code and send via SMS, etc.
-end
+```
+rails g migration AddTwoFactorFieldsToUsers second_factor_attempts_count:integer encrypted_otp_secret_key:string:index encrypted_otp_secret_key_iv:string encrypted_otp_secret_key_salt:string
 ```
 
-### Manual installation
-
-To manually enable two factor authentication for the User model, you should add two_factor_authentication to your devise line, like:
+Open your migration file (it will be in the `db/migrate` directory and will be
+named something like `20151230163930_add_two_factor_fields_to_users.rb`), and
+add `unique: true` to the `add_index` line so that it looks like this:
 
 ```ruby
-devise :database_authenticatable, :registerable,
-       :recoverable, :rememberable, :trackable, :validatable, :two_factor_authenticatable
+add_index :users, :encrypted_otp_secret_key, unique: true
 ```
+Save the file.
+
+#### Complete the setup
+Run the migration with:
+
+    bundle exec rake db:migrate
 
 Add the following line to your model to fully enable two-factor auth:
 
-    has_one_time_password
+    has_one_time_password(encrypted: true)
 
-Set config values to devise.rb, if desired:
+Set config values in `config/initializers/devise.rb`:
 
 ```ruby
-config.max_login_attempts = 3  # Maximum second factor attempts count
-config.allowed_otp_drift_seconds = 30  # Allowed time drift
+config.max_login_attempts = 3  # Maximum second factor attempts count.
+config.allowed_otp_drift_seconds = 30  # Allowed time drift between client and server.
 config.otp_length = 6  # OTP code length
-config.remember_otp_session_for_seconds = 30.days  # Time before browser has to enter OTP code again
+config.remember_otp_session_for_seconds = 30.days  # Time before browser has to enter OTP code again. Default is 0.
+config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
 ```
+The `otp_secret_encryption_key` must be a random key that is not stored in the
+DB, and is not checked in to your repo. It is recommended to store it in an
+environment variable, and you can generate it with `bundle exec rake secret`.
 
-Override the method to send one-time passwords in your model, this is automatically called when a user logs in:
+Override the method to send one-time passwords in your model. This is
+automatically called when a user logs in:
 
 ```ruby
 def send_two_factor_authentication_code
@@ -86,10 +98,10 @@ def send_two_factor_authentication_code
 end
 ```
 
-
 ### Customisation and Usage
 
-By default second factor authentication enabled for each user, you can change it with this method in your User model:
+By default, second factor authentication is required for each user. You can
+change that by overriding the following method in your model:
 
 ```ruby
 def need_two_factor_authentication?(request)
@@ -97,19 +109,29 @@ def need_two_factor_authentication?(request)
 end
 ```
 
-this will disable two factor authentication for local users
+In the example above, two factor authentication will not be required for local
+users.
 
-This gem is compatible with Google Authenticator (https://support.google.com/accounts/answer/1066447?hl=en).  You can generate provisioning uris by invoking the following method on your model:
+This gem is compatible with [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en).
+You can generate provisioning uris by invoking the following method on your model:
 
-    user.provisioning_uri #This assumes a user model with an email attributes
+```ruby
+user.provisioning_uri # This assumes a user model with an email attribute
+```
 
-This provisioning uri can then be turned in to a QR code if desired so that users may add the app to Google Authenticator easily.  Once this is done they may retrieve a one-time password directly from the Google Authenticator app as well as through whatever method you define in `send_two_factor_authentication_code`
+This provisioning uri can then be turned in to a QR code if desired so that
+users may add the app to Google Authenticator easily.  Once this is done, they
+may retrieve a one-time password directly from the Google Authenticator app as
+well as through whatever method you define in
+`send_two_factor_authentication_code`.
 
 #### Overriding the view
 
-The default view that shows the form can be overridden by first adding a folder named: "two_factor_authentication" inside "app/views/devise", in here you want to create a "show.html.erb" view.
+The default view that shows the form can be overridden by adding a
+file named `show.html.erb` (or `show.html.haml` if you prefer HAML)
+inside `app/views/devise/two_factor_authentication/` and customizing it.
+Below is an example using ERB:
 
-The full path should be "app/views/devise/two_factor_authentication/show.html.erb"
 
 ```html
 <h2>Hi, you received a code by email, please enter it below, thanks!</h2>
@@ -125,22 +147,128 @@ The full path should be "app/views/devise/two_factor_authentication/show.html.er
 
 #### Updating existing users with OTP secret key
 
-If you have existing users that needs to be provided with a OTP secret key, so they can take benefit of the two factor authentication, create a rake. It could look like this one below:
+If you have existing users that need to be provided with a OTP secret key, so
+they can use two factor authentication, create a rake task. It could look like this one below:
 
 ```ruby
-desc "rake task to update users with otp secret key"
+desc 'rake task to update users with otp secret key'
 task :update_users_with_otp_secret_key  => :environment do
-	users = User.all
-
-	users.each do |user|
-		key = ROTP::Base32.random_base32
-		user.update_attributes(:otp_secret_key => key)
-		user.save
-		puts "Rake[:update_users_with_otp_secret_key] => User '#{user.email}' OTP secret key set to '#{key}'"
-	end
+  User.find_each do |user|
+    user.otp_secret_key = ROTP::Base32.random_base32
+    user.save!
+    puts "Rake[:update_users_with_otp_secret_key] => OTP secret key set to '#{key}' for User '#{user.email}'"
+  end
+end
+```
+Then run the task with `bundle exec rake update_users_with_otp_secret_key`
+
+#### Adding the OTP encryption option to an existing app
+
+If you've already been using this gem, and want to start encrypting the OTP
+secret key in the database (recommended), you'll need to perform the following
+steps:
+
+1. Generate a migration to add the necessary columns to your model's table:
+
+   ```
+   rails g migration AddEncryptionFieldsToUsers encrypted_otp_secret_key:string:index encrypted_otp_secret_key_iv:string encrypted_otp_secret_key_salt:string
+   ```
+
+   Open your migration file (it will be in the `db/migrate` directory and will be
+   named something like `20151230163930_add_encryption_fields_to_users.rb`), and
+   add `unique: true` to the `add_index` line so that it looks like this:
+
+   ```ruby
+   add_index :users, :encrypted_otp_secret_key, unique: true
+   ```
+   Save the file.
+
+2. Run the migration: `bundle exec rake db:migrate`
+
+2. Update the gem: `bundle update two_factor_authentication`
+
+3. Add `encrypted: true` to `has_one_time_password` in your model.
+   For example: `has_one_time_password(encrypted: true)`
+
+4. Generate a migration to populate the new encryption fields:
+   ```
+   rails g migration PopulateEncryptedOtpFields
+   ```
+
+   Open the generated file, and replace its contents with the following:
+   ```ruby
+   class PopulateEncryptedOtpFields < ActiveRecord::Migration
+      def up
+        User.reset_column_information
+
+        User.find_each do |user|
+          user.otp_secret_key = user.read_attribute('otp_secret_key')
+          user.save!
+        end
+      end
+
+      def down
+        User.reset_column_information
+
+        User.find_each do |user|
+          user.otp_secret_key = ROTP::Base32.random_base32
+          user.save!
+        end
+      end
+    end
+  ```
+
+5. Generate a migration to remove the `:otp_secret_key` column:
+   ```
+   rails g migration RemoveOtpSecretKeyFromUsers otp_secret_key:string
+   ```
+
+6. Run the migrations: `bundle exec rake db:migrate`
+
+If, for some reason, you want to switch back to the old non-encrypted version,
+use these steps:
+
+1. Remove `(encrypted: true)` from `has_one_time_password`
+
+2. Roll back the last 3 migrations (assuming you haven't added any new ones
+after them):
+   ```
+   bundle exec rake db:rollback STEP=3
+   ```
+
+#### Executing some code after the user signs in and before they sign out
+
+In some cases, you might want to perform some action right after the user signs
+in, but before the OTP is sent, and also right before the user signs out. One
+scenario where you would need this is if you are requiring users to confirm
+their phone number first before they can receive an OTP. If they enter a wrong
+number, then sign out or close the browser before they confirm, they won't be
+able to confirm their real number. To solve this problem, we need to be able to
+reset their unconfirmed number before they sign out or sign in, and before the
+OTP code is sent.
+
+To define this action, create a `#{user.class}OtpSender` class that takes the
+current user as its parameter, and defines a `#reset_otp_state` instance method.
+For example, if your user's class is `User`, you would create a `UserOtpSender`
+class, like this:
+```ruby
+class UserOtpSender
+  def initialize(user)
+    @user = user
+  end
+
+  def reset_otp_state
+    if @user.unconfirmed_mobile.present?
+      @user.update(unconfirmed_mobile: nil)
+    end
+  end
 end
 ```
+If you have different types of users in your app (for example, User and Admin),
+and you need different logic for each type of user, create a second class for
+your admin user, such as `AdminOtpSender`, with its own logic for
+`#reset_otp_state`.
 
-### Example
+### Example App
 
 [TwoFactorAuthenticationExample](https://github.com/Houdini/TwoFactorAuthenticationExample)