Implement Two Factor Authentication
This commit is contained in:
parent
d9cc9daf4b
commit
141ff59f63
2
Gemfile
2
Gemfile
|
@ -24,6 +24,8 @@ gem 'sweetalert-rails'
|
|||
gem 'devise', '~> 4.0'
|
||||
gem 'devise-i18n'
|
||||
gem 'devise-async'
|
||||
gem 'active_model_otp'
|
||||
gem 'rqrcode'
|
||||
gem 'bootstrap_form'
|
||||
gem 'font-kit-rails'
|
||||
gem 'nprogress-rails'
|
||||
|
|
89
Gemfile.lock
89
Gemfile.lock
|
@ -59,6 +59,9 @@ GEM
|
|||
erubi (~> 1.4)
|
||||
rails-dom-testing (~> 2.0)
|
||||
rails-html-sanitizer (~> 1.0, >= 1.0.3)
|
||||
active_model_otp (2.0.1)
|
||||
activemodel
|
||||
rotp (~> 5.0.0)
|
||||
activejob (5.2.4.3)
|
||||
activesupport (= 5.2.4.3)
|
||||
globalid (>= 0.3.6)
|
||||
|
@ -84,8 +87,8 @@ GEM
|
|||
addressable (2.7.0)
|
||||
public_suffix (>= 2.0.2, < 5.0)
|
||||
arel (9.0.0)
|
||||
ast (2.4.0)
|
||||
autoprefixer-rails (9.7.6)
|
||||
ast (2.4.1)
|
||||
autoprefixer-rails (9.8.5)
|
||||
execjs
|
||||
bcrypt (3.1.13)
|
||||
better_errors (2.7.1)
|
||||
|
@ -110,7 +113,7 @@ GEM
|
|||
buftok (0.2.0)
|
||||
builder (3.2.4)
|
||||
byebug (11.1.3)
|
||||
capybara (3.32.2)
|
||||
capybara (3.33.0)
|
||||
addressable
|
||||
mini_mime (>= 0.1.3)
|
||||
nokogiri (~> 1.8)
|
||||
|
@ -125,8 +128,9 @@ GEM
|
|||
image_processing (~> 1.1)
|
||||
mimemagic (>= 0.3.0)
|
||||
mini_mime (>= 0.1.3)
|
||||
chunky_png (1.3.12)
|
||||
cliver (0.3.2)
|
||||
coderay (1.1.2)
|
||||
coderay (1.1.3)
|
||||
coffee-rails (4.2.2)
|
||||
coffee-script (>= 2.2.0)
|
||||
railties (>= 4.0.0)
|
||||
|
@ -140,7 +144,7 @@ GEM
|
|||
crass (1.0.6)
|
||||
database_cleaner (1.8.5)
|
||||
debug_inspector (0.0.3)
|
||||
devise (4.7.1)
|
||||
devise (4.7.2)
|
||||
bcrypt (~> 3.0)
|
||||
orm_adapter (~> 0.1)
|
||||
railties (>= 4.1.0)
|
||||
|
@ -151,19 +155,19 @@ GEM
|
|||
devise (>= 4.0)
|
||||
devise-i18n (1.9.1)
|
||||
devise (>= 4.7.1)
|
||||
diff-lcs (1.3)
|
||||
diff-lcs (1.4.4)
|
||||
docile (1.3.2)
|
||||
domain_name (0.5.20190701)
|
||||
unf (>= 0.0.5, < 1.0.0)
|
||||
equalizer (0.0.11)
|
||||
erubi (1.9.0)
|
||||
excon (0.73.0)
|
||||
excon (0.75.0)
|
||||
execjs (2.7.0)
|
||||
factory_bot (5.2.0)
|
||||
activesupport (>= 4.2.0)
|
||||
factory_bot_rails (5.2.0)
|
||||
factory_bot (~> 5.2.0)
|
||||
railties (>= 4.2.0)
|
||||
factory_bot (6.1.0)
|
||||
activesupport (>= 5.0.0)
|
||||
factory_bot_rails (6.1.0)
|
||||
factory_bot (~> 6.1.0)
|
||||
railties (>= 5.0.0)
|
||||
fake_email_validator (1.0.11)
|
||||
activemodel
|
||||
mail
|
||||
|
@ -173,11 +177,11 @@ GEM
|
|||
multipart-post (>= 1.2, < 3)
|
||||
faraday_middleware (1.0.0)
|
||||
faraday (~> 1.0)
|
||||
ffi (1.12.2)
|
||||
ffi (1.13.1)
|
||||
ffi-compiler (1.0.1)
|
||||
ffi (>= 1.0.0)
|
||||
rake
|
||||
fog-aws (3.6.5)
|
||||
fog-aws (3.6.6)
|
||||
fog-core (~> 2.1)
|
||||
fog-json (~> 1.1)
|
||||
fog-xml (~> 0.1)
|
||||
|
@ -236,7 +240,7 @@ GEM
|
|||
http-parser (1.2.1)
|
||||
ffi-compiler (>= 1.0, < 2.0)
|
||||
http_parser.rb (0.6.0)
|
||||
httparty (0.18.0)
|
||||
httparty (0.18.1)
|
||||
mime-types (~> 3.0)
|
||||
multi_xml (>= 0.5.2)
|
||||
i18n (0.9.5)
|
||||
|
@ -261,7 +265,7 @@ GEM
|
|||
turbolinks
|
||||
jquery-ui-rails (6.0.1)
|
||||
railties (>= 3.2.16)
|
||||
json (2.3.0)
|
||||
json (2.3.1)
|
||||
kaminari (1.2.1)
|
||||
activesupport (>= 4.1.0)
|
||||
kaminari-actionview (= 1.2.1)
|
||||
|
@ -281,10 +285,10 @@ GEM
|
|||
listen (3.2.1)
|
||||
rb-fsevent (~> 0.10, >= 0.10.3)
|
||||
rb-inotify (~> 0.9, >= 0.9.10)
|
||||
loofah (2.5.0)
|
||||
loofah (2.6.0)
|
||||
crass (~> 1.0.2)
|
||||
nokogiri (>= 1.5.9)
|
||||
lumberjack (1.2.4)
|
||||
lumberjack (1.2.6)
|
||||
mail (2.7.1)
|
||||
mini_mime (>= 0.1.1)
|
||||
marcel (0.3.3)
|
||||
|
@ -304,15 +308,15 @@ GEM
|
|||
momentjs-rails (>= 2.10.5, <= 3.0.0)
|
||||
momentjs-rails (2.20.1)
|
||||
railties (>= 3.1)
|
||||
multi_json (1.14.1)
|
||||
multi_json (1.15.0)
|
||||
multi_xml (0.6.0)
|
||||
multipart-post (2.1.1)
|
||||
naught (1.1.0)
|
||||
nenv (0.3.0)
|
||||
nested_form (0.3.2)
|
||||
newrelic_rpm (6.10.0.364)
|
||||
newrelic_rpm (6.11.0.365)
|
||||
nio4r (2.5.2)
|
||||
nokogiri (1.10.9)
|
||||
nokogiri (1.10.10)
|
||||
mini_portile2 (~> 2.4.0)
|
||||
nokogumbo (2.0.2)
|
||||
nokogiri (~> 1.8, >= 1.8.4)
|
||||
|
@ -334,9 +338,9 @@ GEM
|
|||
omniauth-oauth (~> 1.1)
|
||||
rack
|
||||
orm_adapter (0.5.0)
|
||||
parallel (1.19.1)
|
||||
parser (2.7.1.2)
|
||||
ast (~> 2.4.0)
|
||||
parallel (1.19.2)
|
||||
parser (2.7.1.4)
|
||||
ast (~> 2.4.1)
|
||||
pg (1.2.3)
|
||||
pghero (2.7.0)
|
||||
activerecord (>= 5)
|
||||
|
@ -375,10 +379,10 @@ GEM
|
|||
rails-assets-growl (1.3.5)
|
||||
rails-assets-jquery
|
||||
rails-assets-jquery (2.2.4)
|
||||
rails-controller-testing (1.0.4)
|
||||
actionpack (>= 5.0.1.x)
|
||||
actionview (>= 5.0.1.x)
|
||||
activesupport (>= 5.0.1.x)
|
||||
rails-controller-testing (1.0.5)
|
||||
actionpack (>= 5.0.1.rc1)
|
||||
actionview (>= 5.0.1.rc1)
|
||||
activesupport (>= 5.0.1.rc1)
|
||||
rails-dom-testing (2.0.3)
|
||||
activesupport (>= 4.2.0)
|
||||
nokogiri (>= 1.6)
|
||||
|
@ -412,13 +416,19 @@ GEM
|
|||
ffi (~> 1.0)
|
||||
redcarpet (3.5.0)
|
||||
redis (4.1.4)
|
||||
regexp_parser (1.7.0)
|
||||
regexp_parser (1.7.1)
|
||||
remotipart (1.4.4)
|
||||
responders (3.0.0)
|
||||
responders (3.0.1)
|
||||
actionpack (>= 5.0)
|
||||
railties (>= 5.0)
|
||||
rexml (3.2.4)
|
||||
rolify (5.2.0)
|
||||
rolify (5.3.0)
|
||||
rotp (5.0.0)
|
||||
addressable (~> 2.5)
|
||||
rqrcode (1.1.2)
|
||||
chunky_png (~> 1.0)
|
||||
rqrcode_core (~> 0.1)
|
||||
rqrcode_core (0.1.2)
|
||||
rspec-core (3.9.2)
|
||||
rspec-support (~> 3.9.3)
|
||||
rspec-expectations (3.9.2)
|
||||
|
@ -438,19 +448,20 @@ GEM
|
|||
rspec-expectations (~> 3.9.0)
|
||||
rspec-mocks (~> 3.9.0)
|
||||
rspec-support (~> 3.9.0)
|
||||
rspec-sidekiq (3.0.3)
|
||||
rspec-sidekiq (3.1.0)
|
||||
rspec-core (~> 3.0, >= 3.0.0)
|
||||
sidekiq (>= 2.4.0)
|
||||
rspec-support (3.9.3)
|
||||
rubocop (0.84.0)
|
||||
rubocop (0.88.0)
|
||||
parallel (~> 1.10)
|
||||
parser (>= 2.7.0.1)
|
||||
parser (>= 2.7.1.1)
|
||||
rainbow (>= 2.2.2, < 4.0)
|
||||
regexp_parser (>= 1.7)
|
||||
rexml
|
||||
rubocop-ast (>= 0.0.3)
|
||||
rubocop-ast (>= 0.1.0, < 1.0)
|
||||
ruby-progressbar (~> 1.7)
|
||||
unicode-display_width (>= 1.4.0, < 2.0)
|
||||
rubocop-ast (0.0.3)
|
||||
rubocop-ast (0.1.0)
|
||||
parser (>= 2.7.0.1)
|
||||
ruby-progressbar (1.10.1)
|
||||
ruby-vips (2.0.17)
|
||||
|
@ -470,7 +481,7 @@ GEM
|
|||
sprockets (>= 2.8, < 4.0)
|
||||
sprockets-rails (>= 2.0, < 4.0)
|
||||
tilt (>= 1.1, < 3)
|
||||
sassc (2.3.0)
|
||||
sassc (2.4.0)
|
||||
ffi (~> 1.9)
|
||||
sassc-rails (2.1.2)
|
||||
railties (>= 4.0.0)
|
||||
|
@ -540,7 +551,7 @@ GEM
|
|||
activemodel (>= 5.0)
|
||||
bindex (>= 0.4.0)
|
||||
railties (>= 5.0)
|
||||
websocket-driver (0.7.2)
|
||||
websocket-driver (0.7.3)
|
||||
websocket-extensions (>= 0.1.0)
|
||||
websocket-extensions (0.1.5)
|
||||
xpath (3.2.0)
|
||||
|
@ -550,6 +561,7 @@ PLATFORMS
|
|||
ruby
|
||||
|
||||
DEPENDENCIES
|
||||
active_model_otp
|
||||
bcrypt (~> 3.1.7)
|
||||
better_errors
|
||||
binding_of_caller
|
||||
|
@ -609,6 +621,7 @@ DEPENDENCIES
|
|||
redcarpet
|
||||
redis
|
||||
rolify (~> 5.2)
|
||||
rqrcode
|
||||
rspec-its (~> 1.3)
|
||||
rspec-mocks
|
||||
rspec-rails (~> 3.9)
|
||||
|
|
|
@ -0,0 +1,42 @@
|
|||
class User::SessionsController < Devise::SessionsController
|
||||
def create
|
||||
if session.has_key?(:user_sign_in_uid)
|
||||
self.resource = User.find(session[:user_sign_in_uid])
|
||||
session.delete(:user_sign_in_uid)
|
||||
else
|
||||
self.resource = warden.authenticate!(auth_options)
|
||||
end
|
||||
|
||||
if resource.active_for_authentication? && !resource.otp_secret_key.nil?
|
||||
if params[:user][:otp_attempt].blank?
|
||||
session[:user_sign_in_uid] = resource.id
|
||||
sign_out(resource)
|
||||
redirect_to user_two_factor_entry_url
|
||||
else
|
||||
if resource.authenticate_otp(params[:user][:otp_attempt])
|
||||
continue_sign_in(resource, resource_name)
|
||||
else
|
||||
sign_out(resource)
|
||||
flash[:error] = t('devise.failure.invalid')
|
||||
redirect_to root_url
|
||||
end
|
||||
end
|
||||
else
|
||||
continue_sign_in(resource, resource_name)
|
||||
end
|
||||
end
|
||||
|
||||
def two_factor_entry
|
||||
self.resource = User.find(session[:user_sign_in_uid])
|
||||
render 'auth/two_factor_authentication'
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def continue_sign_in(resource, resource_name)
|
||||
set_flash_message!(:notice, :signed_in)
|
||||
sign_in(resource_name, resource)
|
||||
yield resource if block_given?
|
||||
respond_with resource, location: after_sign_in_path_for(resource)
|
||||
end
|
||||
end
|
|
@ -172,4 +172,33 @@ class UserController < ApplicationController
|
|||
|
||||
redirect_to user_export_path
|
||||
end
|
||||
|
||||
def edit_security
|
||||
current_user.otp_secret_key = User.otp_random_secret
|
||||
|
||||
@provisioning_uri = current_user.provisioning_uri(nil, issuer: APP_CONFIG[:hostname])
|
||||
qr_code = RQRCode::QRCode.new(@provisioning_uri, :size => 12, :level => :h)
|
||||
@qr_svg = qr_code.as_svg(offset: 0, color: '000',
|
||||
shape_rendering: 'crispEdges',
|
||||
module_size: 4)
|
||||
end
|
||||
|
||||
def update_2fa
|
||||
req_params = params.require(:user).permit(:otp_secret_key, :otp_validation)
|
||||
|
||||
current_user.otp_secret_key = req_params[:otp_secret_key]
|
||||
|
||||
if current_user.authenticate_otp(req_params[:otp_validation])
|
||||
flash[:success] = 'yay'
|
||||
current_user.save!
|
||||
else
|
||||
flash[:error] = current_user.otp_code
|
||||
end
|
||||
|
||||
redirect_to edit_user_security_path
|
||||
end
|
||||
|
||||
def destroy_2fa
|
||||
|
||||
end
|
||||
end
|
||||
|
|
|
@ -4,6 +4,7 @@ class User < ApplicationRecord
|
|||
include User::QuestionMethods
|
||||
include User::RelationshipMethods
|
||||
include User::TimelineMethods
|
||||
include ActiveModel::OneTimePassword
|
||||
|
||||
# Include default devise modules. Others available are:
|
||||
# :confirmable, :lockable, :timeoutable and :omniauthable
|
||||
|
@ -11,6 +12,9 @@ class User < ApplicationRecord
|
|||
:recoverable, :rememberable, :trackable,
|
||||
:validatable, :confirmable, :authentication_keys => [:login]
|
||||
|
||||
has_one_time_password
|
||||
attr_accessor :otp_attempt, :otp_validation
|
||||
|
||||
rolify
|
||||
|
||||
# attr_accessor :login
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
.container
|
||||
.row
|
||||
.col-sm-4.offset-sm-4
|
||||
= render 'layouts/messages'
|
||||
.card.mt-3
|
||||
.card-body
|
||||
%h1.mb-3.mt-0= t('views.auth.2fa.title')
|
||||
= bootstrap_form_for(resource, as: resource_name, url: session_path(resource_name), method: :post) do |f|
|
||||
|
||||
= f.text_field :otp_attempt, autofocus: true, label: t('views.auth.2fa.otp_field')
|
||||
|
||||
= f.submit t('views.sessions.create'), class: 'btn btn-primary mt-3 mb-3'
|
||||
|
||||
= render 'shared/links'
|
|
@ -0,0 +1,15 @@
|
|||
.card
|
||||
.card-body
|
||||
%h2= t('views.settings.security.2fa.title')
|
||||
- if current_user.otp_secret_key.nil?
|
||||
= bootstrap_form_for(current_user, url: { action: :update_2fa, method: :post }) do |f|
|
||||
%a{:href => "https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis"} Aegis Authenticator for Android
|
||||
%a{:href => "https://apps.apple.com/gb/app/strongbox-authenticator/id1023839880"} Strongbox Authenticator for iOS
|
||||
= RQRCode::QRCode.new(current_user.provisioning_uri("Retrospring:#{current_user.screen_name}", issuer: "Retrospring")).as_svg.html_safe
|
||||
%pre= current_user.otp_secret_key
|
||||
= f.text_field :otp_validation
|
||||
= f.hidden_field :otp_secret_key, value: current_user.otp_secret_key
|
||||
= f.submit t('views.actions.save'), class: 'btn btn-primary'
|
||||
- else
|
||||
%p= t('views.settings.security.2fa.enabled_hint')
|
||||
= link_to t('views.actions.remove'), destroy_user_2fa_path, :class => 'btn btn-primary', :method => 'delete'
|
|
@ -3,6 +3,7 @@
|
|||
= list_group_item t('views.settings.tabs.account'), edit_user_registration_path
|
||||
= list_group_item t('views.settings.tabs.profile'), edit_user_profile_path
|
||||
= list_group_item t('views.settings.tabs.privacy'), edit_user_privacy_path
|
||||
= list_group_item t('views.settings.tabs.security'), edit_user_security_path
|
||||
= list_group_item t('views.settings.tabs.sharing'), services_path
|
||||
= list_group_item 'Theme', edit_user_theme_path
|
||||
= list_group_item 'Your Data', user_data_path
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
= render 'settings/security'
|
||||
|
||||
- provide(:title, generate_title('Security Settings'))
|
||||
- parent_layout 'user/settings'
|
|
@ -377,6 +377,7 @@ en:
|
|||
profile: "Profile"
|
||||
privacy: "Privacy"
|
||||
sharing: "Sharing"
|
||||
security: "Security"
|
||||
account:
|
||||
modal:
|
||||
title: "Save account changes"
|
||||
|
@ -415,6 +416,9 @@ en:
|
|||
connect: "Connect to %{service}"
|
||||
disconnect: "Disconnect"
|
||||
confirm: "Really disconnect service %{service}?"
|
||||
security:
|
||||
2fa:
|
||||
title: "Two-factor authentication"
|
||||
modal:
|
||||
ask:
|
||||
title: "Ask your followers"
|
||||
|
@ -443,3 +447,7 @@ en:
|
|||
admin: "Admin"
|
||||
moderator: "Moderator"
|
||||
banned: "Banned"
|
||||
auth:
|
||||
2fa:
|
||||
title: "Two-factor authentication"
|
||||
otp_field: "One-time password"
|
||||
|
|
|
@ -48,7 +48,8 @@ Rails.application.routes.draw do
|
|||
as :user do
|
||||
# :sessions
|
||||
get 'sign_in' => 'devise/sessions#new', as: :new_user_session
|
||||
post 'sign_in' => 'devise/sessions#create', as: :user_session
|
||||
post 'sign_in' => 'user/sessions#create', as: :user_session
|
||||
get 'otp_auth' => 'user/sessions#two_factor_entry', as: :user_two_factor_entry
|
||||
delete 'sign_out' => 'devise/sessions#destroy', as: :destroy_user_session
|
||||
# :registrations
|
||||
get 'settings/delete_account' => 'devise/registrations#cancel', as: :cancel_user_registration
|
||||
|
@ -67,6 +68,10 @@ Rails.application.routes.draw do
|
|||
match '/settings/theme', to: 'user#update_theme', via: 'patch', as: :update_user_theme
|
||||
match '/settings/theme/delete', to: 'user#delete_theme', via: 'delete', as: :delete_user_theme
|
||||
|
||||
match '/settings/security', to: 'user#edit_security', via: :get, as: :edit_user_security
|
||||
match '/settings/security/2fa', to: 'user#update_2fa', via: :patch, as: :update_user_2fa
|
||||
match '/settings/security/2fa', to: 'user#destroy_2fa', via: :delete, as: :destroy_user_2fa
|
||||
|
||||
# resources :services, only: [:index, :destroy]
|
||||
match '/settings/services', to: 'services#index', via: 'get', as: :services
|
||||
match '/settings/services/:id', to: 'services#destroy', via: 'delete', as: :service
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
class AddOtpSecretKeyToUsers < ActiveRecord::Migration[5.2]
|
||||
def change
|
||||
add_column :users, :otp_secret_key, :string
|
||||
end
|
||||
end
|
|
@ -10,7 +10,7 @@
|
|||
#
|
||||
# It's strongly recommended that you check this file into your version control system.
|
||||
|
||||
ActiveRecord::Schema.define(version: 2020_07_04_163504) do
|
||||
ActiveRecord::Schema.define(version: 2020_10_01_172537) do
|
||||
|
||||
# These are extensions that must be enabled in order to support this database
|
||||
enable_extension "plpgsql"
|
||||
|
@ -273,6 +273,7 @@ ActiveRecord::Schema.define(version: 2020_07_04_163504) do
|
|||
t.string "export_url"
|
||||
t.boolean "export_processing", default: false, null: false
|
||||
t.datetime "export_created_at"
|
||||
t.string "otp_secret_key"
|
||||
t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
|
||||
t.index ["email"], name: "index_users_on_email", unique: true
|
||||
t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
|
||||
|
|
Loading…
Reference in New Issue