module Devise::Models::TwoFactorAuthenticatable

Attributes

otp_attempt[RW]

Public Class Methods

required_fields(klass) click to toggle source
# File lib/devise_two_factor/models/two_factor_authenticatable.rb, line 30
def self.required_fields(klass)
  [:otp_secret, :consumed_timestep]
end

Public Instance Methods

clean_up_passwords() click to toggle source
Calls superclass method
# File lib/devise_two_factor/models/two_factor_authenticatable.rb, line 72
def clean_up_passwords
  super
  self.otp_attempt = nil
end
current_otp() click to toggle source
# File lib/devise_two_factor/models/two_factor_authenticatable.rb, line 58
def current_otp
  otp.at(Time.now)
end
current_otp_timestep() click to toggle source

ROTP’s TOTP#timecode is private, so we duplicate it here

# File lib/devise_two_factor/models/two_factor_authenticatable.rb, line 63
def current_otp_timestep
   Time.now.utc.to_i / otp.interval
end
legacy_otp_secret() click to toggle source

Decrypt and return the ‘encrypted_otp_secret` attribute which was used in prior versions of devise-two-factor See: # github.com/tinfoil/devise-two-factor/blob/main/UPGRADING.md

# File lib/devise_two_factor/models/two_factor_authenticatable.rb, line 26
def legacy_otp_secret
  nil
end
otp(otp_secret = self.otp_secret) click to toggle source
# File lib/devise_two_factor/models/two_factor_authenticatable.rb, line 54
def otp(otp_secret = self.otp_secret)
  ROTP::TOTP.new(otp_secret)
end
otp_provisioning_uri(account, options = {}) click to toggle source
# File lib/devise_two_factor/models/two_factor_authenticatable.rb, line 67
def otp_provisioning_uri(account, options = {})
  otp_secret = options[:otp_secret] || self.otp_secret
  ROTP::TOTP.new(otp_secret, options).provisioning_uri(account)
end
otp_secret() click to toggle source
# File lib/devise_two_factor/models/two_factor_authenticatable.rb, line 14
def otp_secret
  # return the OTP secret stored as a Rails encrypted attribute if it
  # exists. Otherwise return OTP secret stored by the `attr_encrypted` gem
  return self[:otp_secret] if self[:otp_secret]

  legacy_otp_secret
end
validate_and_consume_otp!(code, options = {}) click to toggle source

This defaults to the model’s otp_secret If this hasn’t been generated yet, pass a secret as an option

# File lib/devise_two_factor/models/two_factor_authenticatable.rb, line 36
def validate_and_consume_otp!(code, options = {})
  otp_secret = options[:otp_secret] || self.otp_secret
  return false unless code.present? && otp_secret.present?

  totp = otp(otp_secret)

  if self.consumed_timestep
    # reconstruct the timestamp of the last consumed timestep
    after_timestamp = self.consumed_timestep * otp.interval
  end

  if totp.verify(code.gsub(/\s+/, ""), drift_behind: self.class.otp_allowed_drift, drift_ahead: self.class.otp_allowed_drift, after: after_timestamp)
    return consume_otp!
  end

  false
end

Protected Instance Methods

consume_otp!() click to toggle source

An OTP cannot be used more than once in a given timestep Storing timestep of last valid OTP is sufficient to satisfy this requirement

# File lib/devise_two_factor/models/two_factor_authenticatable.rb, line 81
def consume_otp!
  if self.consumed_timestep != current_otp_timestep
    self.consumed_timestep = current_otp_timestep
    save!(validate: false)
    return true
  end

  false
end