two_factor_cookies

TwoFactorCookies

Simple two factor logon using Twilio SMS for code delivery and ROTP fpr code generation and verification. The aim is to be configurable and work with as many kinds of authentication as possible. All information needed is placed in encrypted cookies.

Installation

Add this line to your application's Gemfile:

gem 'two_factor_cookies', '0.1.1'

And then execute:

$ bundle

The gem is a rails engine, so it needs to be mounted to a location in routes.rb:

# two factor cookies
mount TwoFactorCookies::Engine, at: '/two_factor_cookies'

The gem needs to be configured. The example below can be copied and placed in an initializer, eg. config/initializers/2fa_setup.rb

TwoFactorCookies.configure do |config|
  # One time password (otp) generation and verification
  # Must be a 160 bit (32 character) base32 secret. The rotp gem included in the project can generate such a key by typing this in the console: ROTP::Base32.random
  config.otp_generation_secret_key =  MUST BE FILLED

  # Cookie expiry
  # The values need to be an amount of seconds, for instance `30.minutes`. The gem adds this amount to the Time.zone.now and uses this to set the cookie's expiry
  # When a user will need to perform 2fa again
  # config.two_factor_authentication_expiry = 30.days
  # How much time a user has to type in the otp sent to his phone
  # config.otp_expiry = 30.minutes

  # Twilio API credentials
  config.twilio_account_sid = MUST BE FILLED
  # phone number is the number, that will be shown on the receiving phone. It can also be a string, for example the name of your company
  config.twilio_phone_number = MUST BE FILLED
  config.twilio_auth_token = MUST BE FILLED

  # User model
  # user_model_name is used as the permit option in toggle_two_factor_controller
  # config.user_model_name = :user
  # config.phone_number_field_name = :phone_number
  # config.username_field_name = :username

  # Controllers
  # The route you want two_factor_authentication_controller to redirect to. Would typically be where, your user is redirected to after logging in.
  config.two_factor_authentication_success_route = MUST BE FILLED
  # The route you want toggle_two_factor_controller to route to after a user has toggled two factor
  config.toggle_two_factor_success_route = MUST BE FILLED
  # The route you want toggle_two_factor_controller to route to after a user has confirmed their phone number
  config.confirm_phone_number_success_route = MUST BE FILLED

  # If you need or want to replace the layout in the two_factor_authentication_controller, add a path here, eg. 'two_factor_cookies/two_factor_authentication'
  #config.layout_path = nil

  # In order to know which user is attempting to login, the two factor authentication controller checks current_user. It
  # looks at its parent for this method. The default parent is ApplicationController. If you use devise or have
  # implemented current_user elsewhere, you need to supply the parent constant here
  # config.two_factor_authentication_controller_parent = '::ApplicationController'

  # If you check for additional values when determining if a user is authenticated, you need to tell the controller how
  # to determine these values. Add a hash of key-value pairs here, where the key is the name, you want in the cookie,
  # the value is the method used to find whatever value you want as a string. Example:
  # { customer_no: 'current_company.customer_no' }
  # config.additional_authentication_values = nil

  # any params sent along when enabling 2fa that needs to be updated on the user model, for example a phone number
  # config.update_params = nil

  # If another engine than main_app contains the routes you want the 2fa controllers to redirect to, write the engine
  # name here as a string
  #config.engine_name = 'main_app'
end

In your ApplicationController you must include TwoFactorAuthenticate

class ApplicationController < ActionController::Base
  include TwoFactorAuthenticate

Using your own template for submitting otps

The gem includes a template for submitting one time passwords. To override it, a partial named 'show' must be placed under two_factor_cookies/two_factor_authentication

Necessary methods on your user model

TwoFactorCookies relies on a number of methods being present on your user model: enabled_two_factor?, confirmed_phone_number?, disable_two_factor!, enable_two_factor!, confirm_phone_number! and disaffirm_phone_number!.

If using ActiveRecord or Mongoid, enabled_two_factor? and confirmed_phone_number? will be automatically added, if your user model has fields named enabled_two_factor and confirmed_phone_number

Example implementations

def disable_two_factor!
  self.enabled_two_factor = false
  save
end

If for example you want to delete the phone number, when disabling 2fa, it could be done here

def disaffirm_phone_number!
  self.confirmed_phone_number = false
  self.phone_number = nil
  save
end

When disabling two factor authentication, disaffirm_phone_number! is also called and a new confirmation of the phone number is required, if 2fa is enabled again.

ToggleTwoFactorController

Toggling two factor on and off

Toggling two factor on and off is handled by the ToggleTwoFactorController in the action also named toggle_two_factor. It requires whatever form is used for this to supply parameters in the format

{ user: { enabled_two_factor: '1' } }

user in the param is the name of the user model in the app, taken from the configuration. If enabled_two_factor is '1', two factor is toggled on. If enabled_two_factor is anything else, two factor will be toggled off

Logging

The gem can be configured to log, when 2fa is toggled on or off. To do this you must configure logging_method_name with the name of a method, you implement, that logs in whatever way makes sense in your project. The method will be passed a message consisting of a translation with a user id.

def log(message)
  Rails.logger.info message
end

Using the gem in development

When using the gem in development, Twilio is never hit. Instead the generated OTP is written to tmp/otp.txt

License

The gem is available as open source under the terms of the MIT License.