two_step 1.0.0

data/app/helpers/two_step/application_helper.rb

@@ -0,0 +1,23 @@
+module TwoStep
+  module ApplicationHelper
+    def two_step_layout_title
+      TwoStep.configuration.resolve_layout_title(controller: controller)
+    end
+
+    def two_step_layout_stylesheets
+      TwoStep.configuration.resolve_layout_stylesheets(controller: controller)
+    end
+
+    def two_step_layout_html_attributes
+      TwoStep.configuration.resolve_layout_html_attributes(controller: controller)
+    end
+
+    def two_step_layout_body_attributes
+      TwoStep.configuration.resolve_layout_body_attributes(controller: controller)
+    end
+
+    def two_step_layout_brand
+      TwoStep.configuration.resolve_layout_brand(controller: controller)
+    end
+  end
+end

data/app/jobs/two_step/application_job.rb

@@ -0,0 +1,4 @@
+module TwoStep
+  class ApplicationJob < ActiveJob::Base
+  end
+end

data/app/mailers/two_step/application_mailer.rb

@@ -0,0 +1,6 @@
+module TwoStep
+  class ApplicationMailer < ActionMailer::Base
+    default from: "from@example.com"
+    layout "mailer"
+  end
+end

data/app/models/two_step/application_record.rb

@@ -0,0 +1,5 @@
+module TwoStep
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/views/layouts/two_step/application.html.erb

@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html <%= tag.attributes(two_step_layout_html_attributes) %>>
+<head>
+  <title><%= two_step_layout_title %></title>
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+
+  <%= yield :head %>
+
+  <% two_step_layout_stylesheets.each do |stylesheet| %>
+    <%= stylesheet_link_tag stylesheet, media: "all" %>
+  <% end %>
+</head>
+<body <%= tag.attributes(two_step_layout_body_attributes) %>>
+  <div class="two_step-shell__mesh" aria-hidden="true"></div>
+  <main class="two_step-card">
+    <% if two_step_layout_brand.present? %>
+      <p class="two_step-brand"><%= two_step_layout_brand %></p>
+    <% end %>
+    <% flash.each do |type, message| %>
+      <p class="two_step-flash two_step-flash--<%= type %>"><%= message %></p>
+    <% end %>
+
+    <%= yield %>
+  </main>
+</body>
+</html>

data/app/views/two_step/two_step_challenges/new.html.erb

@@ -0,0 +1,27 @@
+<header class="two_step-header">
+  <p class="two_step-kicker"><%= t("two_step.views.challenge.kicker", default: "Security check") %></p>
+  <h1><%= t("two_step.views.challenge.title", default: "Two-Factor Authentication") %></h1>
+  <p class="two_step-copy"><%= t("two_step.views.challenge.subtitle", default: "Enter the 6-digit code from your authenticator app to continue.") %></p>
+</header>
+
+<%= form_with url: two_step_challenge_path, method: :post, class: "two_step-form" do |form| %>
+  <div class="two_step-field">
+    <%= form.label :otp_code, t("two_step.views.challenge.otp_label", default: "Authenticator code") %>
+    <%= form.text_field :otp_code, autocomplete: "one-time-code", inputmode: "numeric", maxlength: 6, pattern: "\\d{6}", placeholder: "123456", autofocus: true %>
+    <p class="two_step-field-note"><%= t("two_step.views.challenge.otp_help", default: "Codes refresh every 30 seconds.") %></p>
+  </div>
+  <%= form.submit t("two_step.views.challenge.submit", default: "Verify code") %>
+<% end %>
+
+<details class="two_step-details">
+  <summary><%= t("two_step.views.challenge.use_backup", default: "Use a backup code instead") %></summary>
+  <p class="two_step-copy"><%= t("two_step.views.challenge.backup_help", default: "Backup codes are one-time use. Enter one exactly as saved.") %></p>
+  
+  <%= form_with url: two_step_challenge_path, method: :post, class: "two_step-form" do |form| %>
+    <div class="two_step-field">
+      <%= form.label :backup_code, t("two_step.views.challenge.backup_label", default: "Backup code") %>
+      <%= form.text_field :backup_code, autocomplete: "one-time-code", placeholder: "ABC-123-DEF-456" %>
+    </div>
+    <%= form.submit t("two_step.views.challenge.submit_backup", default: "Verify backup code") %>
+  <% end %>
+</details>

data/app/views/two_step/two_step_setups/complete.html.erb

@@ -0,0 +1,20 @@
+<header class="two_step-header">
+  <p class="two_step-kicker"><%= t("two_step.views.complete.kicker", default: "Setup complete") %></p>
+  <h1><%= t("two_step.views.complete.title") %></h1>
+  <p class="two_step-copy"><%= t("two_step.views.complete.backup_codes") %></p>
+</header>
+
+<div class="two_step-warning">
+  <strong><%= t("two_step.views.complete.warning_title", default: "Save these now") %></strong>
+  <p><%= t("two_step.views.complete.warning_body", default: "Each backup code can be used only once. Keep them in a password manager or another secure place.") %></p>
+</div>
+
+<ul class="two_step-backup-codes">
+  <% @backup_codes.each do |code| %>
+    <li><code><%= code %></code></li>
+  <% end %>
+</ul>
+
+<p class="two_step-actions">
+  <%= link_to t("two_step.views.complete.done"), TwoStep.configuration.resolve_after_two_step_login_path(setup_resource, controller: controller), class: "two_step-link-button" %>
+</p>

data/app/views/two_step/two_step_setups/new.html.erb

@@ -0,0 +1,28 @@
+<header class="two_step-header">
+  <p class="two_step-kicker"><%= t("two_step.views.setup.kicker", default: "Security setup") %></p>
+  <h1><%= t("two_step.views.setup.title") %></h1>
+  <p class="two_step-copy"><%= t("two_step.views.setup.subtitle", default: "Protect your account with one more verification step.") %></p>
+  <% if setup_requires_login_challenge? %>
+    <p class="two_step-badge"><%= t("two_step.views.setup.required_now", default: "Required before this sign-in can continue") %></p>
+  <% end %>
+</header>
+
+<ol class="two_step-steps">
+  <li><%= t("two_step.views.setup.scan_qr") %></li>
+  <li><%= t("two_step.views.setup.manual_fallback", default: "If scanning fails, enter the setup key manually.") %></li>
+  <li><%= t("two_step.views.setup.confirm_label") %></li>
+</ol>
+
+<div class="two_step-qr" role="img" aria-label="<%= t("two_step.views.setup.qr_label", default: "QR code for authenticator setup") %>">
+  <%= @qr_svg %>
+</div>
+<p class="two_step-manual-key"><%= t("two_step.views.setup.manual_key") %> <code><%= setup_resource.otp_secret %></code></p>
+
+<%= form_with url: two_step_setup_path, method: :post, class: "two_step-form" do |form| %>
+  <div class="two_step-field">
+    <%= form.label :otp_code, t("two_step.views.setup.confirm_label") %>
+    <%= form.text_field :otp_code, autocomplete: "one-time-code", inputmode: "numeric", maxlength: 6, pattern: "\\d{6}", placeholder: "123456" %>
+    <p class="two_step-field-note"><%= t("two_step.views.setup.confirm_help", default: "Open your authenticator app and enter the latest 6-digit code.") %></p>
+  </div>
+  <%= form.submit t("two_step.views.setup.enable") %>
+<% end %>

data/config/locales/en.yml

@@ -0,0 +1,39 @@
+en:
+  two_step:
+    challenges:
+      invalid_otp: "Invalid two-factor code."
+      invalid_backup: "Invalid backup code."
+    setups:
+      invalid_otp: "Invalid code. Please try again."
+      disabled: "TwoStep disabled."
+    views:
+      challenge:
+        kicker: "Security check"
+        title: "Two-Factor Authentication"
+        subtitle: "Enter the 6-digit code from your authenticator app to continue."
+        otp_label: "Authenticator code"
+        otp_help: "Codes refresh every 30 seconds."
+        submit: "Verify code"
+        use_backup: "Use a backup code instead"
+        backup_label: "Backup code"
+        backup_help: "Backup codes are one-time use. Enter one exactly as saved."
+        submit_backup: "Verify backup code"
+      setup:
+        kicker: "Security setup"
+        title: "Set Up Two-Factor Authentication"
+        subtitle: "Protect your account with one more verification step."
+        required_now: "Required before this sign-in can continue"
+        scan_qr: "Scan this QR code with your authenticator app:"
+        manual_fallback: "If scanning fails, enter the setup key manually."
+        qr_label: "QR code for authenticator setup"
+        manual_key: "Or enter this key manually:"
+        confirm_label: "Enter the 6-digit code to confirm"
+        confirm_help: "Open your authenticator app and enter the latest 6-digit code."
+        enable: "Enable"
+      complete:
+        kicker: "Setup complete"
+        title: "Two-Factor Authentication Enabled"
+        backup_codes: "Save these backup codes in a secure place. Each can be used once."
+        warning_title: "Save these now"
+        warning_body: "Each backup code can be used only once. Keep them in a password manager or another secure place."
+        done: "Continue"

data/config/locales/ja.yml

@@ -0,0 +1,39 @@
+ja:
+  two_step:
+    challenges:
+      invalid_otp: "2段階認証コードが正しくありません。"
+      invalid_backup: "バックアップコードが正しくありません。"
+    setups:
+      invalid_otp: "コードが正しくありません。もう一度お試しください。"
+      disabled: "2段階認証を無効にしました。"
+    views:
+      challenge:
+        kicker: "セキュリティ確認"
+        title: "2段階認証"
+        subtitle: "続行するには、認証アプリに表示される6桁コードを入力してください。"
+        otp_label: "認証コード"
+        otp_help: "コードは30秒ごとに更新されます。"
+        submit: "コードを確認"
+        use_backup: "バックアップコードを使う"
+        backup_label: "バックアップコード"
+        backup_help: "バックアップコードは1回限り有効です。保存した形式で入力してください。"
+        submit_backup: "バックアップコードを確認"
+      setup:
+        kicker: "セキュリティ設定"
+        title: "2段階認証を設定"
+        subtitle: "もう1つの確認ステップでアカウントを保護します。"
+        required_now: "このサインインを続行するには設定が必要です"
+        scan_qr: "認証アプリでこのQRコードを読み取ってください:"
+        manual_fallback: "読み取れない場合は、セットアップキーを手動で入力してください。"
+        qr_label: "認証アプリ設定用のQRコード"
+        manual_key: "手動入力キー:"
+        confirm_label: "確認のため6桁コードを入力"
+        confirm_help: "認証アプリを開き、最新の6桁コードを入力してください。"
+        enable: "有効化する"
+      complete:
+        kicker: "設定完了"
+        title: "2段階認証を有効にしました"
+        backup_codes: "バックアップコードを安全な場所に保管してください。各コードは1回だけ使えます。"
+        warning_title: "今すぐ保存してください"
+        warning_body: "各バックアップコードは1回のみ使用可能です。パスワードマネージャーなど安全な場所に保管してください。"
+        done: "続行"

data/config/routes.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+TwoStep::Engine.routes.draw do
+  resource :two_step_challenge, only: %i[new create], path: "challenge"
+  resource :two_step_setup, only: %i[new create], path: "setup" do
+    post :disable, on: :member
+  end
+end

data/lib/generators/two_step/install_generator.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require "rails/generators/active_record"
+
+module TwoStep
+  class InstallGenerator < Rails::Generators::Base
+    include ActiveRecord::Generators::Migration
+
+    source_root File.expand_path("templates", __dir__)
+
+    class_option :model, type: :string, default: "User", desc: "Model name (e.g. User, Admin)"
+
+    desc "Adds TwoStep columns and initializer"
+
+    def create_migration_file
+      migration_template(
+        "migration.rb.erb",
+        "db/migrate/add_two_step_to_#{table_name}.rb",
+        migration_version: migration_version
+      )
+    end
+
+    def create_initializer
+      template "initializer.rb.erb", "config/initializers/two_step.rb"
+    end
+
+    def show_readme
+      say "Add to your #{model} model:", :green
+      say "  include TwoStep::Models::Authenticatable"
+      say "  encrypts :otp_secret  # recommended (Rails 7+)"
+    end
+
+    private
+
+    def table_name
+      model.underscore.pluralize
+    end
+
+    def model
+      options[:model]
+    end
+
+    def migration_version
+      "[#{Rails::VERSION::MAJOR}.#{Rails::VERSION::MINOR}]"
+    end
+  end
+end

data/lib/generators/two_step/templates/initializer.rb.erb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+TwoStep.configure do |config|
+  config.issuer = "<%= Rails.application.class.module_parent_name %>"
+
+  config.resource_finder = ->(session) {
+    <%= model %>.find_by(id: session[:two_step_pending_<%= model.underscore %>_id])
+  }
+
+  config.current_resource_finder = ->(session) {
+    <%= model %>.find_by(id: session[:<%= model.underscore %>_id])
+  }
+
+  config.login_path = "/login"
+  config.after_two_step_login_path = "/"
+  config.layout_title = -> { "#{config.issuer} Security" }
+  config.layout_stylesheets = ["two_step/application"]
+  config.layout_html_attributes = -> { {lang: I18n.locale} }
+  config.layout_body_attributes = {class: "two_step-shell"}
+  config.layout_brand = config.issuer
+
+  # The controller is passed as the third argument when you need route helpers
+  # or `reset_session` for session fixation protection.
+  config.on_authentication_success = ->(resource, session, _controller) {
+    session.delete(:two_step_pending_<%= model.underscore %>_id)
+    session[:<%= model.underscore %>_id] = resource.id
+  }
+end

data/lib/generators/two_step/templates/migration.rb.erb

@@ -0,0 +1,8 @@
+class AddTwoStepTo<%= table_name.camelize %> < ActiveRecord::Migration<%= migration_version %>
+  def change
+    add_column :<%= table_name %>, :otp_secret, :string
+    add_column :<%= table_name %>, :otp_required_for_login, :boolean, default: false, null: false
+    add_column :<%= table_name %>, :otp_backup_codes, :text
+    add_column :<%= table_name %>, :last_otp_at, :integer
+  end
+end

data/lib/two_step/backup_codes.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require "securerandom"
+
+module TwoStep
+  module BackupCodes
+    extend self
+
+    CHARSET = (("A".."Z").to_a + ("2".."9").to_a - %w[I L O]).freeze
+
+    # 5 segments (15 chars total) to provide ~74 bits of entropy.
+    SEGMENT_COUNT = 5
+    SEGMENT_LENGTH = 3
+
+    def generate_one
+      SEGMENT_COUNT.times.map { random_segment }.join("-")
+    end
+
+    def generate(count: TwoStep.configuration.backup_code_count)
+      Array.new(count) { generate_one }
+    end
+
+    def normalize(code)
+      code.to_s.strip.upcase.gsub(/[^A-Z2-9]/, "")
+    end
+
+    private
+
+    def random_segment
+      SEGMENT_LENGTH.times.map { CHARSET.sample(random: SecureRandom) }.join
+    end
+  end
+end

data/lib/two_step/configuration.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+require "digest"
+
+module TwoStep
+  class Configuration
+    attr_accessor :issuer,
+      :backup_code_count,
+      :qr_code_module_size,
+      :otp_drift_behind,
+      :otp_drift_ahead,
+      :resource_finder,
+      :current_resource_finder,
+      :login_path,
+      :after_two_step_login_path,
+      :on_authentication_success,
+      :backup_code_digest_method,
+      :backup_code_verify_method,
+      :layout_title,
+      :layout_stylesheets,
+      :layout_html_attributes,
+      :layout_body_attributes,
+      :layout_brand
+
+    def initialize
+      @issuer = "Rails App"
+      @backup_code_count = 10
+      @qr_code_module_size = 4
+      @otp_drift_behind = 30
+      @otp_drift_ahead = 30
+      @resource_finder = ->(*) {}
+      @current_resource_finder = ->(*) {}
+      @login_path = "/"
+      @after_two_step_login_path = "/"
+      @on_authentication_success = ->(*) {}
+      @layout_title = -> { "#{issuer} Security" }
+      @layout_stylesheets = ["two_step/application"]
+      @layout_html_attributes = -> { {lang: I18n.locale} }
+      @layout_body_attributes = {class: "two_step-shell"}
+      @layout_brand = -> { issuer }
+
+      # Switched to SHA256 for O(1) performance during generation.
+      # Because the backup codes are 15 characters of high-entropy randomness,
+      # a slow-hash like BCrypt is unnecessary and harms user experience.
+      @backup_code_digest_method = ->(normalized_code) {
+        Digest::SHA256.hexdigest(normalized_code)
+      }
+      @backup_code_verify_method = ->(normalized_code, hashed) {
+        Rack::Utils.secure_compare(Digest::SHA256.hexdigest(normalized_code), hashed)
+      }
+    end
+
+    def find_pending_resource(session, controller: nil)
+      resolve_callable(resource_finder, session, controller)
+    end
+
+    def find_current_resource(session, controller: nil)
+      resolve_callable(current_resource_finder, session, controller)
+    end
+
+    def resolve_login_path(controller: nil)
+      resolve_callable(login_path, controller)
+    end
+
+    def resolve_after_two_step_login_path(resource = nil, controller: nil)
+      resolve_callable(after_two_step_login_path, resource, controller)
+    end
+
+    def run_authentication_success(resource, session, controller: nil)
+      resolve_callable(on_authentication_success, resource, session, controller)
+    end
+
+    def resolve_layout_title(controller: nil)
+      resolve_callable(layout_title, controller)
+    end
+
+    def resolve_layout_stylesheets(controller: nil)
+      Array(resolve_callable(layout_stylesheets, controller)).flatten.compact
+    end
+
+    def resolve_layout_html_attributes(controller: nil)
+      resolve_hash(resolve_callable(layout_html_attributes, controller))
+    end
+
+    def resolve_layout_body_attributes(controller: nil)
+      resolve_hash(resolve_callable(layout_body_attributes, controller))
+    end
+
+    def resolve_layout_brand(controller: nil)
+      resolve_callable(layout_brand, controller)
+    end
+
+    private
+
+    def resolve_callable(value, *args)
+      return value unless value.respond_to?(:call)
+
+      # Simplified and safer arity handling
+      arity = value.arity
+      if arity >= 0
+        value.call(*args.take(arity))
+      else
+        # For variable length (*args) or unspecified blocks, pass everything
+        value.call(*args)
+      end
+    end
+
+    def resolve_hash(value)
+      value.to_h
+    rescue
+      {}
+    end
+  end
+
+  class << self
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def configure
+      yield(configuration) if block_given?
+      configuration
+    end
+
+    def reset_configuration!
+      @configuration = Configuration.new
+    end
+  end
+end

data/lib/two_step/engine.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module TwoStep
+  class Engine < ::Rails::Engine
+    isolate_namespace TwoStep
+
+    config.generators do |g|
+      g.test_framework :test_unit
+    end
+
+    initializer "two_step.load_configuration", before: :load_config_initializers do
+      # Host app configures via config/initializers/two_step.rb
+    end
+  end
+end

data/lib/two_step/models/authenticatable.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+require "rotp"
+
+module TwoStep
+  module Models
+    module Authenticatable
+      extend ActiveSupport::Concern
+
+      included do
+        serialize :otp_backup_codes, coder: JSON
+      end
+
+      def otp_enabled?
+        otp_required_for_login? && otp_secret.present?
+      end
+
+      def generate_otp_secret!
+        # update_columns avoids instantiation overhead and bypasses unrelated model validations
+        update_columns(otp_secret: ROTP::Base32.random, last_otp_at: nil)
+      end
+
+      def ensure_otp_secret!
+        return otp_secret if otp_secret.present?
+
+        generate_otp_secret!
+        otp_secret
+      end
+
+      def otp_provisioning_uri(account_label = nil)
+        raise ArgumentError, "otp_secret is blank" if otp_secret.blank?
+
+        label = (account_label || (respond_to?(:email) ? email : id)).to_s
+        build_totp.provisioning_uri(label)
+      end
+
+      def current_otp
+        build_totp.now if otp_secret.present?
+      end
+
+      def verify_otp(code)
+        return false if otp_secret.blank? || code.blank?
+
+        timestamp = verified_otp_timestamp(code)
+        return false unless timestamp
+        return false if last_otp_at.present? && last_otp_at >= timestamp
+
+        update_column(:last_otp_at, timestamp)
+        true
+      end
+
+      def generate_backup_codes!
+        codes = BackupCodes.generate
+        hashed_codes = codes.map { |plain| digest_backup_code(plain) }
+
+        update_columns(otp_backup_codes: hashed_codes)
+        codes
+      end
+
+      def consume_backup_code(code)
+        normalized = BackupCodes.normalize(code)
+        return false if normalized.blank?
+
+        # Stored codes are automatically parsed as an Array via `serialize`
+        stored = Array(otp_backup_codes)
+        return false if stored.empty?
+
+        index = stored.index { |hashed| backup_code_matches?(normalized, hashed) }
+        return false unless index
+
+        stored.delete_at(index)
+        update_columns(otp_backup_codes: stored.empty? ? nil : stored)
+        true
+      end
+
+      def disable_otp!
+        update_columns(
+          otp_secret: nil,
+          otp_required_for_login: false,
+          otp_backup_codes: nil,
+          last_otp_at: nil
+        )
+      end
+
+      private
+
+      def build_totp
+        ROTP::TOTP.new(otp_secret, issuer: TwoStep.configuration.issuer)
+      end
+
+      def verified_otp_timestamp(code)
+        build_totp.verify(
+          code.to_s.strip,
+          drift_behind: TwoStep.configuration.otp_drift_behind,
+          drift_ahead: TwoStep.configuration.otp_drift_ahead
+        )
+      end
+
+      def digest_backup_code(code)
+        TwoStep.configuration.backup_code_digest_method.call(BackupCodes.normalize(code))
+      end
+
+      def backup_code_matches?(normalized_code, hashed_code)
+        TwoStep.configuration.backup_code_verify_method.call(normalized_code, hashed_code)
+      end
+    end
+  end
+end

data/lib/two_step/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module TwoStep
+  VERSION = "1.0.0"
+end

data/lib/two_step.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require "rails/engine"
+require "rotp"
+require "rqrcode"
+require "bcrypt"
+require "two_step/version"
+require "two_step/configuration"
+require "two_step/backup_codes"
+require "two_step/engine"
+require "two_step/models/authenticatable"
+
+module TwoStep
+end