diff --git a/config/initializers/constants.rb b/config/initializers/constants.rb
index f2fa01f64..fd31a3dcf 100644
--- a/config/initializers/constants.rb
+++ b/config/initializers/constants.rb
@@ -205,6 +205,23 @@ class Constants
ACADEMY_BL_LINK = 'https://scinote.net/academy/?utm_source=SciNote%20software%20BL&utm_medium=SciNote%20software%20BL'.freeze
+ TWO_FACTOR_URL = {
+ google: {
+ android: 'https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2',
+ ios: 'https://apps.apple.com/us/app/google-authenticator/id388497605'
+ },
+ microsoft: {
+ android: 'https://play.google.com/store/apps/details?id=com.azure.authenticator',
+ ios: 'https://apps.apple.com/us/app/microsoft-authenticator/id983156458'
+ },
+ two_fa: {
+ android: 'https://play.google.com/store/apps/details?id=com.twofasapp',
+ ios: 'https://apps.apple.com/us/app/2fa-authenticator-2fas/id1217793794'
+ },
+ }
+ TWO_FACTOR_RECOVERY_CODE_COUNT = 6
+ TWO_FACTOR_RECOVERY_CODE_LENGTH = 12
+
#=============================================================================
# Protocol importers
#=============================================================================
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 817e26dab..61dd502f2 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -33,6 +33,20 @@ en:
password_placeholder: "Enter password"
remember_me: "Remember me"
submit: "Log in"
+ 2fa:
+ title: "Two-factor authentication"
+ description: "Enter the one-time code found in your authenticator app to log in to SciNote."
+ field: "Authenticator code"
+ error_message: "One time code is not correct."
+ no_user_error: "Cannot find user!"
+ enter: "Enter"
+ bypass_code_link: "I have a bypass code"
+ 2fa_recovery:
+ title: "2FA Bypass"
+ description: "Enter one of the bypass codes provided when you creted 2FA authentication. The code will no longer be valid after use."
+ bypass_code: "Bypass code"
+ enter: "Enter"
+ not_correct_code: "Not correct recovery code"
create:
team_name: "%{user}'s projects"
auth_token_create:
@@ -1636,7 +1650,7 @@ en:
head_title: "My profile"
title: "My profile"
avatar_label: "Profile photo"
- avatar_btn: "Edit photo"
+ avatar_btn: "Edit"
avatar_modal:
title: 'Change your profile photo'
upload_button: 'Upload a photo'
@@ -1655,6 +1669,43 @@ en:
password_title: "Change password"
new_password_label: "New password"
new_password_2_label: "New password confirmation"
+ 2fa_title: "Two-factor authentication"
+ 2fa_description: "Two-factor authentication (2FA) is a way of verifying a user’s identity by using a combination of two different verification methods. It adds an extra layer of security to your account and protects from potential remote attacs or other threats."
+ 2fa_enabled: "Enabled"
+ 2fa_button: "Enable authentication"
+ 2fa_button_disable: "Disable authentication"
+ 2fa_modal:
+ step_1:
+ title: "1. Install an Authenticator App on your mobile device"
+ description: "Use your phone to download an authenticator app. It is needed to enable the 2FA in SciNote. Bellow you can see the most commonly used ones."
+ google_auth: "Google authenticator"
+ microsoft_auth: "Microsoft authenticator"
+ 2fa_auth: "2FA authenticator"
+ android: "Android"
+ ios: "iOS"
+ start: "Start"
+ step_2:
+ title: "2. Scan the QR code with your app"
+ description: "Open your authenticator app and use it to scan this code to add 2FA."
+ next: "Next"
+ step_3:
+ title: "3. Enter the code given by your authenticator app"
+ description: "Enter the generated code into the fields bellow to finalize the setup of the two-factor authorisation."
+ enter_code: "Enter authenticator code"
+ verify: "Verify"
+ step_4:
+ title: "4. Save your bypass codes"
+ verified: "2FA Verified"
+ description: "Your 2FA is now verified. Save these one-time codes bellow to access your account in case you lose your device. This way you will be able to reset the authorization."
+ download_codes: "Download codes"
+ disable:
+ title: "Disable two-factor authentication"
+ description: "Enter your password bellow to confirm disableing 2FA. This will remove authentication, from your account and make you more vulnerable to potential attacks."
+ password_label: "Enter password"
+ disable_2fa: "Disable 2FA"
+ 2fa_errors:
+ wrong_submit_code: "Not correct code"
+ wrong_password: "Not correct password"
new:
head_title: "Sign up"
team_name_label: "Team name"
diff --git a/config/routes.rb b/config/routes.rb
index 063c5da22..c1ca98d4c 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -648,8 +648,14 @@ Rails.application.routes.draw do
get 'avatar/:id/:style' => 'users/registrations#avatar', as: 'avatar'
get 'users/auth_token_sign_in' => 'users/sessions#auth_token_create'
get 'users/sign_up_provider' => 'users/registrations#new_with_provider'
- post 'users/complete_sign_up_provider' =>
- 'users/registrations#create_with_provider'
+ get 'users/two_factor_recovery' => 'users/sessions#two_factor_recovery'
+ post 'users/authenticate_with_two_factor' => 'users/sessions#authenticate_with_two_factor'
+ post 'users/authenticate_with_recovery_code' => 'users/sessions#authenticate_with_recovery_code'
+ post 'users/complete_sign_up_provider' => 'users/registrations#create_with_provider'
+
+ post 'users/2fa_enable' => 'users/registrations#two_factor_enable'
+ post 'users/2fa_disable' => 'users/registrations#two_factor_disable'
+ get 'users/2fa_qr_code' => 'users/registrations#two_factor_qr_code'
end
namespace :api, defaults: { format: 'json' } do
diff --git a/db/migrate/20200622140843_add2fa_to_users.rb b/db/migrate/20200622140843_add2fa_to_users.rb
new file mode 100644
index 000000000..88494cc52
--- /dev/null
+++ b/db/migrate/20200622140843_add2fa_to_users.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class Add2faToUsers < ActiveRecord::Migration[6.0]
+ def change
+ change_table :users, bulk: true do |t|
+ t.boolean :two_factor_auth_enabled, default: false, null: false
+ t.string :otp_secret
+ end
+ end
+end
diff --git a/db/migrate/20200709142830_add_otp_recovery_codes_to_users.rb b/db/migrate/20200709142830_add_otp_recovery_codes_to_users.rb
new file mode 100644
index 000000000..62a58aa60
--- /dev/null
+++ b/db/migrate/20200709142830_add_otp_recovery_codes_to_users.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddOtpRecoveryCodesToUsers < ActiveRecord::Migration[6.0]
+ def change
+ change_table :users, bulk: true do |t|
+ t.jsonb :otp_recovery_codes
+ end
+ end
+end
diff --git a/db/structure.sql b/db/structure.sql
index be09c7d37..9a5c8218b 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -2658,9 +2658,15 @@ CREATE TABLE public.users (
authentication_token character varying(30),
settings jsonb DEFAULT '{}'::jsonb NOT NULL,
variables jsonb DEFAULT '{}'::jsonb NOT NULL,
+<<<<<<< HEAD
failed_attempts integer DEFAULT 0 NOT NULL,
locked_at timestamp without time zone,
unlock_token character varying
+=======
+ two_factor_auth_enabled boolean DEFAULT false NOT NULL,
+ otp_secret character varying,
+ otp_recovery_codes jsonb
+>>>>>>> features/2fa
);
@@ -7277,5 +7283,8 @@ INSERT INTO "schema_migrations" (version) VALUES
('20200331183640'),
('20200603125407'),
('20200604210943'),
+('20200622140843'),
('20200622155632'),
+('20200709142830'),
('20200714082503');
+
diff --git a/features/settings_page/profile.feature b/features/settings_page/profile.feature
index cdba4735e..91428e553 100644
--- a/features/settings_page/profile.feature
+++ b/features/settings_page/profile.feature
@@ -58,7 +58,7 @@ Scenario: Successfully changes user email
And I change "nonadmin@myorg.com" with "user@myorg.com" email
And I fill in "mypassword1234" in "#edit-email-current-password" field of ".settings-page-email" form
Then I click "Save" button
- And I should see "user@myorg.com" in ".settings-page-email" input field
+ And I should see "user@myorg.com"
@javascript
Scenario: Unsuccessful Password Change, password is too short
diff --git a/spec/controllers/users/sessions_controller_spec.rb b/spec/controllers/users/sessions_controller_spec.rb
new file mode 100644
index 000000000..f7fa1adf8
--- /dev/null
+++ b/spec/controllers/users/sessions_controller_spec.rb
@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe Users::SessionsController, type: :controller do
+ describe 'POST #create' do
+ before do
+ @request.env['devise.mapping'] = Devise.mappings[:user]
+ end
+
+ let(:user) { create :user }
+ let(:password) { 'asdf1243' }
+ let(:params) do
+ { user: {
+ email: user.email,
+ password: password
+ } }
+ end
+
+ let(:action) do
+ post :create, params: params
+ end
+
+ context 'when have invalid email or password' do
+ let(:password) { '123' }
+
+ it 'returns error message' do
+ action
+
+ expect(flash[:alert]).to eq('Invalid Email or password.')
+ end
+
+ it 'does not set current user' do
+ expect { action }.not_to(change { subject.current_user })
+ end
+ end
+
+ context 'when have valid email and password' do
+ context 'when user has 2FA disabled' do
+ it 'returns successfully log in' do
+ action
+
+ expect(flash[:notice]).to eq('Logged in successfully.')
+ end
+
+ it 'sets current user' do
+ expect { action }.to(change { subject.current_user }.from(nil).to(User))
+ end
+ end
+
+ context 'when user has 2FA enabled' do
+ it 'renders 2FA page' do
+ user.two_factor_auth_enabled = true
+ user.save!
+
+ expect(action).to render_template('users/sessions/two_factor_auth')
+ end
+ end
+ end
+ end
+
+ describe 'POST #authenticate_with_two_factor' do
+ before do
+ @request.env['devise.mapping'] = Devise.mappings[:user]
+ end
+
+ let(:user) { create :user }
+ let(:params) { { otp: '123123' } }
+ let(:otp_user_id) { user.id }
+ let(:action) do
+ post :authenticate_with_two_factor, params: params, session: { otp_user_id: otp_user_id }
+ end
+
+ context 'when have valid otp' do
+ it 'sets current user' do
+ allow_any_instance_of(User).to receive(:valid_otp?).and_return(true)
+
+ expect { action }.to(change { subject.current_user }.from(nil).to(User))
+ end
+ end
+
+ context 'when have invalid valid otp' do
+ it 'returns error message' do
+ allow_any_instance_of(User).to receive(:valid_otp?).and_return(nil)
+ action
+
+ expect(flash[:alert]).to eq(I18n.t('devise.sessions.2fa.error_message'))
+ end
+
+ it 'does not set current user' do
+ allow_any_instance_of(User).to receive(:valid_otp?).and_return(nil)
+
+ expect { action }.not_to(change { subject.current_user })
+ end
+ end
+
+ context 'when user is not found' do
+ let(:otp_user_id) { -1 }
+
+ it 'returns error message' do
+ action
+
+ expect(flash[:alert]).to eq('Cannot find user!')
+ end
+ end
+ end
+end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 8c6ff65ff..376050d13 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -331,4 +331,26 @@ describe User, type: :model do
describe 'Associations' do
it { is_expected.to have_many(:system_notifications) }
end
+
+ describe 'valid_otp?' do
+ let(:user) { create :user }
+ before do
+ user.assign_2fa_token!
+ allow_any_instance_of(ROTP::TOTP).to receive(:verify).and_return(nil)
+ end
+
+ context 'when user has set otp_secret' do
+ it 'returns nil' do
+ expect(user.valid_otp?('someString')).to be_nil
+ end
+ end
+
+ context 'when user does not have otp_secret' do
+ it 'raises an error' do
+ user.update_column(:otp_secret, nil)
+
+ expect { user.valid_otp?('someString') }.to raise_error(StandardError, 'Missing otp_secret')
+ end
+ end
+ end
end