two_factor_authentication 2.1.1 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ba9192cf04aafc95a917e76b6efef8217fb22152
-  data.tar.gz: fe60bb1323aead63cb3712857e88bf4eaab08cfc
+  metadata.gz: 3d6d6636a281220ef8fd5aee19a4c4aaa4129797
+  data.tar.gz: 4954c89fa183dcb47c3104bfb14035ceaf6d20f4
 SHA512:
-  metadata.gz: 9a3d4c7cd0bb5eb3af1bc322ee3cad89a38bb8316178a9050dc5cce11f006930f3c3b916b41e29a1594f3acbc360814d831c6816e453504c21bd93b00b0834d4
-  data.tar.gz: e651f87940c8fc7d55b653c010c30da565cd18e2bcfd7708dc12c657dd953199f389aae800973b1a5bbfb6d09fdadf5d7689e3b28fe11403f7df3fcece5f2e15
+  metadata.gz: c559cf0c9c2c21519efdf25ce615ca5930dfc657564e4209b77298944ea3a2342414e7772b493db65c657c617641d0af4398a31bca0d3fbf81025e417fb688c2
+  data.tar.gz: 7e0d5abb909bb53f04d3d0cb887a4e869944eda656318c7e782562ecdf7bd635c8079d144506b1633e71c83368604b989dd9b4a21f2d8c21cb41d1f2849b3b58

data/.travis.yml

@@ -1,29 +1,28 @@
 language: ruby
 
 env:
-  - "RAILS_VERSION=4.0"
-  - "RAILS_VERSION=4.1"
   - "RAILS_VERSION=4.2"
+  - "RAILS_VERSION=5.2"
   - "RAILS_VERSION=master"
 
 rvm:
-  - 2.1
-  - 2.2
-  - 2.3.1
+  - 2.3.8
+  - 2.4.5
+  - 2.5.3
 
 matrix:
+  fast_finish: true
   allow_failures:
     - env: "RAILS_VERSION=master"
-  exclude:
-    - rvm: 2.1
-      env: RAILS_VERSION=master
+  include:
     - rvm: 2.2
-      env: RAILS_VERSION=master
+      env: RAILS_VERSION=4.2
 
 before_install:
-  - gem update bundler
+  - gem uninstall -v '>= 2' -i $(rvm gemdir)@global -ax bundler || true
+  - gem install bundler -v '< 2'
 
 before_script:
-  - bundle exec rake app:db:migrate
+  - bundle exec rake app:db:setup
 
 script: bundle exec rake spec

data/Gemfile

@@ -9,7 +9,7 @@ rails = case rails_version
         when "master"
           {github: "rails/rails"}
         when "default"
-          "~> 4.1"
+          "~> 5.2"
         else
           "~> #{rails_version}"
         end
@@ -27,5 +27,4 @@ end
 group :test do
   gem 'rack_session_access'
   gem 'ammeter'
-  gem 'pry'
 end

data/README.md

@@ -54,7 +54,7 @@ migration in `db/migrate/`, which will add the following columns to your table:
 #### Manual initial setup
 
 If you prefer to set up the model and migration manually, add the
-`:two_factor_authentication` option to your existing devise options, such as:
+`:two_factor_authenticatable` option to your existing devise options, such as:
 
 ```ruby
 devise :database_authenticatable, :registerable, :recoverable, :rememberable,
@@ -225,24 +225,24 @@ steps:
    Open the generated file, and replace its contents with the following:
    ```ruby
    class PopulateEncryptedOtpFields < ActiveRecord::Migration
-      def up
-        User.reset_column_information
-
-        User.find_each do |user|
-          user.otp_secret_key = user.read_attribute('otp_secret_key')
-          user.save!
-        end
-      end
-
-      def down
-        User.reset_column_information
-
-        User.find_each do |user|
-          user.otp_secret_key = ROTP::Base32.random_base32
-          user.save!
-        end
-      end
-    end
+     def up
+       User.reset_column_information
+
+       User.find_each do |user|
+         user.otp_secret_key = user.read_attribute('otp_secret_key')
+         user.save!
+       end
+     end
+
+     def down
+       User.reset_column_information
+
+       User.find_each do |user|
+         user.otp_secret_key = ROTP::Base32.random_base32
+         user.save!
+       end
+     end
+   end
    ```
 
 5. Generate a migration to remove the `:otp_secret_key` column:
@@ -263,6 +263,143 @@ after them):
    bundle exec rake db:rollback STEP=3
    ```
 
+#### Critical Security Note! Add before_action to your user registration controllers
+
+You should have a file registrations_controller.rb in your controllers folder
+to overwrite/customize user registrations. It should include the lines below, for 2FA protection of user model updates, meaning that users can only access the users/edit page after confirming 2FA fully, not simply by logging in. Otherwise the entire 2FA system can be bypassed!
+
+   ```ruby
+   class RegistrationsController < Devise::RegistrationsController
+     before_action :confirm_two_factor_authenticated, except: [:new, :create, :cancel]
+   
+     protected
+   
+     def confirm_two_factor_authenticated
+       return if is_fully_authenticated?
+
+       flash[:error] = t('devise.errors.messages.user_not_authenticated')
+       redirect_to user_two_factor_authentication_url
+     end
+   end
+   ```
+
+#### Critical Security Note! Add 2FA validation to your custom user actions
+
+Make sure you are passing the 2FA secret codes securely and checking for them upon critical user actions, such as API key updates, user email or pgp pubkey updates, or any other changess to private/secure account-related details. Validate the secret during the initial 2FA key/secret verification by the user also, of course.
+
+ For example, a simple account_controller.rb may look something like this:
+
+   ```
+   require 'json'
+
+   class AccountController < ApplicationController
+     before_action :require_signed_in!
+     before_action :authenticate_user!
+     respond_to :html, :json
+     
+     def account_API
+       resp = {}
+       begin       
+         if(account_params["twoFAKey"] && account_params["twoFASecret"])
+           current_user.otp_secret_key = account_params["twoFAKey"]
+           if(current_user.authenticate_totp(account_params["twoFASecret"]))
+             # user has validated their temporary 2FA code, save it to their account, enable 2FA on this account
+             current_user.save!
+             resp['success'] = "passed 2FA validation!"
+           else
+             resp['error'] = "failed 2FA validation!"
+           end
+         elsif(param[:userAccountStuff] && param[:userAccountWidget])
+           #before updating important user account stuff and widgets,
+           #check to see that the 2FA secret has also been passed in, and verify it...
+           if(account_params["twoFASecret"] && current_user.totp_enabled? && current_user.authenticate_totp(account_params["twoFASecret"]))
+             # user has passed 2FA checks, do cool user account stuff here
+             ...
+           else 
+             # user failed 2FA check! No cool user stuff happens!             
+              resp[error] = 'You failed 2FA validation!'
+           end
+           
+             ...
+           end
+         else
+           resp['error'] = 'unknown format error, not saved!'  
+         end
+       rescue Exception => e
+         puts "WARNING: account api threw error : '#{e}' for user #{current_user.username}"
+         #print "error trace: #{e.backtrace}\n"
+         resp['error'] = "unanticipated server response"
+       end
+       render json: resp.to_json
+     end
+   
+     def account_params
+       params.require(:twoFA).permit(:userAccountStuff, :userAcountWidget, :twoFAKey, :twoFASecret)
+     end
+   end   
+   ```
+
+
 ### Example App
 
 [TwoFactorAuthenticationExample](https://github.com/Houdini/TwoFactorAuthenticationExample)
+
+
+### Example user actions
+
+to use an ENV VAR for the 2FA encryption key:
+
+config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
+
+to set up TOTP for Google Authenticator for user:
+
+   ```
+   current_user.otp_secret_key =  current_user.generate_totp_secret
+   current_user.save!
+   ```
+   
+( encrypted db fields are set upon user model save action,
+rails c access relies on setting env var: OTP_SECRET_ENCRYPTION_KEY )
+
+to check if user has input the correct code (from the QR display page)
+before saving the user model:
+
+   ```
+   current_user.authenticate_totp('123456')
+   ```
+
+additional note:
+ 
+   ```
+   current_user.otp_secret_key
+   ```
+   
+This returns the OTP secret key in plaintext for the user (if you have set the env var) in the console
+the string used for generating the QR given to the user for their Google Auth is something like:
+
+otpauth://totp/LABEL?secret=p6wwetjnkjnrcmpd    (example secret used here)
+
+where LABEL should be something like "example.com (Username)", which shows up in their GA app to remind them the code is for example.com
+
+this returns true or false with an allowed_otp_drift_seconds 'grace period'
+
+to set TOTP to DISABLED for a user account:
+
+   ```
+   current_user.second_factor_attempts_count=nil
+   current_user.encrypted_otp_secret_key=nil
+   current_user.encrypted_otp_secret_key_iv=nil
+   current_user.encrypted_otp_secret_key_salt=nil
+   current_user.direct_otp=nil
+   current_user.direct_otp_sent_at=nil
+   current_user.totp_timestamp=nil
+   current_user.direct_otp=nil
+   current_user.otp_secret_key=nil
+   current_user.otp_confirmed=nil
+   current_user.save! (if in ruby code instead of console)
+   current_user.direct_otp? => false
+   current_user.totp_enabled? => false
+   ```
+   
+
+

data/lib/two_factor_authentication.rb

@@ -2,7 +2,6 @@ require 'two_factor_authentication/version'
 require 'devise'
 require 'active_support/concern'
 require "active_model"
-require "active_record"
 require "active_support/core_ext/class/attribute_accessors"
 require "cgi"
 
@@ -47,7 +46,7 @@ end
 
 Devise.add_module :two_factor_authenticatable, :model => 'two_factor_authentication/models/two_factor_authenticatable', :controller => :two_factor_authentication, :route => :two_factor_authentication
 
-require 'two_factor_authentication/orm/active_record'
+require 'two_factor_authentication/orm/active_record' if defined?(ActiveRecord::Base)
 require 'two_factor_authentication/routes'
 require 'two_factor_authentication/models/two_factor_authenticatable'
 require 'two_factor_authentication/rails'

data/lib/two_factor_authentication/controllers/helpers.rb

@@ -24,7 +24,7 @@ module TwoFactorAuthentication
           session["#{scope}_return_to"] = request.original_fullpath if request.get?
           redirect_to two_factor_authentication_path_for(scope)
         else
-          render nothing: true, status: :unauthorized
+          head :unauthorized
         end
       end
 

data/lib/two_factor_authentication/models/two_factor_authenticatable.rb

@@ -39,7 +39,10 @@ module Devise
           drift = options[:drift] || self.class.allowed_otp_drift_seconds
           raise "authenticate_totp called with no otp_secret_key set" if totp_secret.nil?
           totp = ROTP::TOTP.new(totp_secret, digits: digits)
-          new_timestamp = totp.verify_with_drift_and_prior(code, drift, totp_timestamp)
+          new_timestamp = totp.verify(
+            without_spaces(code), 
+            drift_ahead: drift, drift_behind: drift, after: totp_timestamp
+          )
           return false unless new_timestamp
           self.totp_timestamp = new_timestamp
           true
@@ -103,6 +106,10 @@ module Devise
 
         private
 
+        def without_spaces(code)
+          code.gsub(/\s/, '')
+        end
+
         def random_base10(digits)
           SecureRandom.random_number(10**digits).to_s.rjust(digits, '0')
         end

data/lib/two_factor_authentication/orm/active_record.rb

@@ -1,3 +1,5 @@
+require "active_record"
+
 module TwoFactorAuthentication
   module Orm
     module ActiveRecord

data/lib/two_factor_authentication/version.rb

@@ -1,3 +1,3 @@
 module TwoFactorAuthentication
-  VERSION = "2.1.1".freeze
+  VERSION = "2.2.0".freeze
 end

data/spec/controllers/two_factor_authentication_controller_spec.rb

@@ -2,6 +2,14 @@ require 'spec_helper'
 
 describe Devise::TwoFactorAuthenticationController, type: :controller do
   describe 'is_fully_authenticated? helper' do
+    def post_code(code)
+      if Rails::VERSION::MAJOR >= 5
+        post :update, params: { code: code }
+      else
+        post :update, code: code
+      end
+    end
+
     before do
       sign_in
     end
@@ -9,7 +17,7 @@ describe Devise::TwoFactorAuthenticationController, type: :controller do
     context 'after user enters valid OTP code' do
       it 'returns true' do
         controller.current_user.send_new_otp
-        post :update, code: controller.current_user.direct_otp
+        post_code controller.current_user.direct_otp
         expect(subject.is_fully_authenticated?).to eq true
       end
     end
@@ -24,7 +32,7 @@ describe Devise::TwoFactorAuthenticationController, type: :controller do
 
     context 'when user enters an invalid OTP' do
       it 'returns false' do
-        post :update, code: '12345'
+        post_code '12345'
 
         expect(subject.is_fully_authenticated?).to eq false
       end

data/spec/lib/two_factor_authentication/models/two_factor_authenticatable_spec.rb

@@ -86,6 +86,11 @@ describe Devise::Models::TwoFactorAuthenticatable do
         expect(do_invoke(code, instance)).to eq(true)
       end
 
+      it 'authenticates a code entered with a space' do
+        code = @totp_helper.totp_code.insert(3, ' ')
+        expect(do_invoke(code, instance)).to eq(true)
+      end
+
       it 'does not authenticate an old code' do
         code = @totp_helper.totp_code(1.minutes.ago.to_i)
         expect(do_invoke(code, instance)).to eq(false)
@@ -133,12 +138,12 @@ describe Devise::Models::TwoFactorAuthenticatable do
 
         it "returns uri with user's email" do
           expect(instance.provisioning_uri).
-            to match(%r{otpauth://totp/houdini@example.com\?secret=\w{16}})
+            to match(%r{otpauth://totp/houdini@example.com\?secret=\w{32}})
         end
 
         it 'returns uri with issuer option' do
           expect(instance.provisioning_uri('houdini')).
-            to match(%r{otpauth://totp/houdini\?secret=\w{16}$})
+            to match(%r{otpauth://totp/houdini\?secret=\w{32}$})
         end
 
         it 'returns uri with issuer option' do
@@ -150,7 +155,7 @@ describe Devise::Models::TwoFactorAuthenticatable do
           expect(uri.host).to eq('totp')
           expect(uri.path).to eq('/Magic:houdini')
           expect(params['issuer'].shift).to eq('Magic')
-          expect(params['secret'].shift).to match(/\w{16}/)
+          expect(params['secret'].shift).to match(/\w{32}/)
         end
       end
     end
@@ -163,10 +168,10 @@ describe Devise::Models::TwoFactorAuthenticatable do
     shared_examples 'generate_totp_secret' do |klass|
       let(:instance) { klass.new }
 
-      it 'returns a 16 character string' do
+      it 'returns a 32 character string' do
         secret = instance.generate_totp_secret
 
-        expect(secret).to match(/\w{16}/)
+        expect(secret).to match(/\w{32}/)
       end
     end
 

data/spec/rails_app/db/migrate/20140403184646_devise_create_users.rb

@@ -1,4 +1,4 @@
-class DeviseCreateUsers < ActiveRecord::Migration
+class DeviseCreateUsers < ActiveRecord::Migration[4.2]
   def change
     create_table(:users) do |t|
       ## Database authenticatable

data/spec/rails_app/db/migrate/20140407172619_two_factor_authentication_add_to_users.rb

@@ -1,4 +1,4 @@
-class TwoFactorAuthenticationAddToUsers < ActiveRecord::Migration
+class TwoFactorAuthenticationAddToUsers < ActiveRecord::Migration[4.2]
   def up
     change_table :users do |t|
       t.string   :otp_secret_key

data/spec/rails_app/db/migrate/20140407215513_add_nickanme_to_users.rb

@@ -1,4 +1,4 @@
-class AddNickanmeToUsers < ActiveRecord::Migration
+class AddNickanmeToUsers < ActiveRecord::Migration[4.2]
   def change
     change_table :users do |t|
       t.column :nickname, :string, limit: 64

data/spec/rails_app/db/migrate/20151224171231_add_encrypted_columns_to_user.rb

@@ -1,4 +1,4 @@
-class AddEncryptedColumnsToUser < ActiveRecord::Migration
+class AddEncryptedColumnsToUser < ActiveRecord::Migration[4.2]
   def change
     add_column :users, :encrypted_otp_secret_key, :string
     add_column :users, :encrypted_otp_secret_key_iv, :string

data/spec/rails_app/db/migrate/20151224180310_populate_otp_column.rb

@@ -1,4 +1,4 @@
-class PopulateOtpColumn < ActiveRecord::Migration
+class PopulateOtpColumn < ActiveRecord::Migration[4.2]
   def up
     User.reset_column_information
 

data/spec/rails_app/db/migrate/20151228230340_remove_otp_secret_key_from_user.rb

@@ -1,4 +1,4 @@
-class RemoveOtpSecretKeyFromUser < ActiveRecord::Migration
+class RemoveOtpSecretKeyFromUser < ActiveRecord::Migration[4.2]
   def change
     remove_column :users, :otp_secret_key, :string
   end

data/spec/rails_app/db/migrate/20160209032439_devise_create_admins.rb

@@ -1,4 +1,4 @@
-class DeviseCreateAdmins < ActiveRecord::Migration
+class DeviseCreateAdmins < ActiveRecord::Migration[4.2]
   def change
     create_table(:admins) do |t|
       ## Database authenticatable

data/spec/rails_app/db/schema.rb

@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # This file is auto-generated from the current state of the database. Instead
 # of editing this file, please use the migrations feature of Active Record to
 # incrementally modify your database, and then regenerate this schema definition.
@@ -11,48 +10,46 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20160209032439) do
+ActiveRecord::Schema.define(version: 2016_02_09_032439) do
 
   create_table "admins", force: :cascade do |t|
-    t.string   "email",                  default: "", null: false
-    t.string   "encrypted_password",     default: "", null: false
-    t.string   "reset_password_token"
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "reset_password_token"
     t.datetime "reset_password_sent_at"
     t.datetime "remember_created_at"
-    t.integer  "sign_in_count",          default: 0,  null: false
+    t.integer "sign_in_count", default: 0, null: false
     t.datetime "current_sign_in_at"
     t.datetime "last_sign_in_at"
-    t.string   "current_sign_in_ip"
-    t.string   "last_sign_in_ip"
-    t.datetime "created_at",                          null: false
-    t.datetime "updated_at",                          null: false
+    t.string "current_sign_in_ip"
+    t.string "last_sign_in_ip"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["email"], name: "index_admins_on_email", unique: true
+    t.index ["reset_password_token"], name: "index_admins_on_reset_password_token", unique: true
   end
 
-  add_index "admins", ["email"], name: "index_admins_on_email", unique: true
-  add_index "admins", ["reset_password_token"], name: "index_admins_on_reset_password_token", unique: true
-
   create_table "users", force: :cascade do |t|
-    t.string   "email",                                    default: "", null: false
-    t.string   "encrypted_password",                       default: "", null: false
-    t.string   "reset_password_token"
+    t.string "email", default: "", null: false
+    t.string "encrypted_password", default: "", null: false
+    t.string "reset_password_token"
     t.datetime "reset_password_sent_at"
     t.datetime "remember_created_at"
-    t.integer  "sign_in_count",                            default: 0,  null: false
+    t.integer "sign_in_count", default: 0, null: false
     t.datetime "current_sign_in_at"
     t.datetime "last_sign_in_at"
-    t.string   "current_sign_in_ip"
-    t.string   "last_sign_in_ip"
-    t.datetime "created_at",                                            null: false
-    t.datetime "updated_at",                                            null: false
-    t.integer  "second_factor_attempts_count",             default: 0
-    t.string   "nickname",                      limit: 64
-    t.string   "encrypted_otp_secret_key"
-    t.string   "encrypted_otp_secret_key_iv"
-    t.string   "encrypted_otp_secret_key_salt"
+    t.string "current_sign_in_ip"
+    t.string "last_sign_in_ip"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.integer "second_factor_attempts_count", default: 0
+    t.string "nickname", limit: 64
+    t.string "encrypted_otp_secret_key"
+    t.string "encrypted_otp_secret_key_iv"
+    t.string "encrypted_otp_secret_key_salt"
+    t.index ["email"], name: "index_users_on_email", unique: true
+    t.index ["encrypted_otp_secret_key"], name: "index_users_on_encrypted_otp_secret_key", unique: true
+    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
   end
 
-  add_index "users", ["email"], name: "index_users_on_email", unique: true
-  add_index "users", ["encrypted_otp_secret_key"], name: "index_users_on_encrypted_otp_secret_key", unique: true
-  add_index "users", ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
-
 end

data/spec/support/authenticated_model_helper.rb

@@ -29,7 +29,7 @@ module AuthenticatedModelHelper
   end
 
   def create_table_for_nonencrypted_user
-    silence_stream(STDOUT) do
+    ActiveRecord::Migration.suppress_messages do
       ActiveRecord::Schema.define(version: 1) do
         create_table 'users', force: :cascade do |t|
           t.string    'email', default: '', null: false

data/spec/support/totp_helper.rb

@@ -6,6 +6,6 @@ class TotpHelper
   end
 
   def totp_code(time = Time.now)
-    ROTP::TOTP.new(@secret_key, digits: @otp_length).at(time, true)
+    ROTP::TOTP.new(@secret_key, digits: @otp_length).at(time)
   end
 end

data/two_factor_authentication.gemspec

@@ -27,13 +27,13 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'rails', '>= 3.1.1'
   s.add_runtime_dependency 'devise'
   s.add_runtime_dependency 'randexp'
-  s.add_runtime_dependency 'rotp', '>= 3.2.0'
+  s.add_runtime_dependency 'rotp', '>= 4.0.0'
   s.add_runtime_dependency 'encryptor'
 
   s.add_development_dependency 'bundler'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec-rails', '>= 3.0.1'
-  s.add_development_dependency 'capybara', '2.4.1'
+  s.add_development_dependency 'capybara', '~> 2.5'
   s.add_development_dependency 'pry'
   s.add_development_dependency 'timecop'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: two_factor_authentication
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 2.2.0
 platform: ruby
 authors:
 - Dmitrii Golub
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-07-10 00:00:00.000000000 Z
+date: 2019-01-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.2.0
+        version: 4.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.2.0
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: encryptor
   requirement: !ruby/object:Gem::Requirement
@@ -126,16 +126,16 @@ dependencies:
   name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.4.1
+        version: '2.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.4.1
+        version: '2.5'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement