Add 2FA/TOTP option to User accounts (#4286)

* Add 2FA/TOTP option to User accounts

* Add CLI to disable 2FA for an account

* Copilot suggested fixes

* More secure sign_in_after_reset_password

* more totp tests

* Fix bad en-GB strings

* Test updates & improvements

Author: pglombardo

Gemfile

@@ -113,6 +113,7 @@ end
 gem "rollbar"
 gem "version", git: "https://github.com/pglombardo/version.git", branch: "master"
 gem "madmin"
+gem "rotp", "~> 6.2"
 gem "rqrcode", "~> 3.2"
 gem "turnout2024", require: "turnout"
 gem "mission_control-jobs", "~> 1.1.0"

Gemfile.lock

@@ -583,6 +583,7 @@ GEM
     retriable (3.4.1)
     rexml (3.4.4)
     rollbar (3.7.0)
+    rotp (6.3.0)
     rqrcode (3.2.0)
       chunky_png (~> 1.0)
       rqrcode_core (~> 2.0)
@@ -830,6 +831,7 @@ DEPENDENCIES
   rails (~> 8.1.1)
   rails-i18n (~> 8.1.0)
   rollbar
+  rotp (~> 6.2)
   rqrcode (~> 3.2)
   rubocop-rails-omakase
   ruby-debug-ide

app/controllers/concerns/pwpush/first_run.rb

@@ -14,7 +14,7 @@ def ensure_user_exists
 
         if FirstRunBootCode.needed?
           unless Rails.env.test?
-            if request.path.start_with?(first_run_path)
+            if controller_path == "users/first_runs"
               boot_code = FirstRunBootCode.code
               puts <<~MESSAGE
                 =======================================================================================
@@ -31,7 +31,9 @@ def ensure_user_exists
               MESSAGE
             end
           end
-          return if request.path.start_with?(first_run_path)
+          # Use controller_path, not request.path vs first_run_path: SetLocale default_url_options
+          # (e.g. ?locale=en) can change generated paths and break start_with?, causing a redirect loop.
+          return if controller_path == "users/first_runs"
 
           redirect_to first_run_url
         end

app/controllers/users/passwords_controller.rb

@@ -33,4 +33,12 @@ class Users::PasswordsController < Devise::PasswordsController
   # def after_sending_reset_password_instructions_path_for(resource_name)
   #   super(resource_name)
   # end
+
+  protected
+
+  def sign_in_after_reset_password?
+    return false unless Devise.sign_in_after_reset_password
+
+    !resource.otp_required_for_login?
+  end
 end

app/controllers/users/sessions_controller.rb

@@ -1,9 +1,15 @@
 # frozen_string_literal: true
 
 class Users::SessionsController < Devise::SessionsController
+  include Devise::Controllers::Rememberable
+
   layout "login"
 
-  before_action :reject_when_logins_disabled, only: [:new, :create]
+  # Prepend so this runs before Devise::SessionsController#create (warden.authenticate! would
+  # otherwise sign in with password only and bypass the OTP step).
+  # Register reject last so it runs first (prepended callbacks run in reverse order).
+  prepend_before_action :authenticate_with_two_factor, only: [:create]
+  prepend_before_action :reject_when_logins_disabled, only: [:new, :create]
 
   # before_action :configure_sign_in_params, only: [:create]
 
@@ -22,6 +28,52 @@ class Users::SessionsController < Devise::SessionsController
   #   super
   # end
 
+  def authenticate_with_two_factor
+    if sign_in_params[:email].present?
+      self.resource = resource_class.find_for_database_authentication(
+        email: sign_in_params[:email]
+      )
+      clear_otp_user_from_session
+      start_two_factor_if_required if resource&.otp_required_for_login?
+    elsif session[:otp_user_id].present?
+      complete_two_factor_sign_in
+    end
+  end
+
+  def start_two_factor_if_required
+    return unless resource.valid_password?(sign_in_params[:password])
+
+    session[:remember_me] = Devise::TRUE_VALUES.include?(sign_in_params[:remember_me])
+    session[:otp_user_id] = resource.id
+    render :otp, status: :unprocessable_content
+  end
+
+  def complete_two_factor_sign_in
+    self.resource = resource_class.find_by(id: session[:otp_user_id])
+    unless resource
+      clear_otp_user_from_session
+      redirect_to new_user_session_path, alert: _("Session expired. Please sign in again.")
+      return
+    end
+
+    if resource.verify_and_consume_otp!(params[:otp_attempt])
+      want_remember_me = session.delete(:remember_me)
+      clear_otp_user_from_session
+      remember_me(resource) if want_remember_me
+      set_flash_message!(:notice, :signed_in)
+      sign_in(resource, event: :authentication)
+      respond_with resource, location: after_sign_in_path_for(resource)
+    else
+      flash.now[:alert] = _("Incorrect verification code.")
+      render :otp, status: :unprocessable_content
+    end
+  end
+
+  def clear_otp_user_from_session
+    session.delete(:otp_user_id)
+    session.delete(:remember_me)
+  end
+
   # after_sign_out_path_for
   #
   # This method is called after the user has signed out.

app/controllers/users/two_factor_controller.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+class Users::TwoFactorController < ApplicationController
+  before_action :authenticate_user!
+  # show only redirects; do not generate secrets/codes on that hit.
+  before_action :ensure_otp_secret, except: %i[destroy show]
+  before_action :ensure_backup_codes, except: %i[destroy show]
+
+  def show
+    redirect_to edit_user_registration_path
+  end
+
+  def backup_codes
+  end
+
+  def verify
+  end
+
+  def create
+    if current_user.verify_and_consume_otp!(params[:code])
+      current_user.enable_totp!
+      session.delete(:otp_backup_codes_plaintext)
+      redirect_to edit_user_registration_path, notice: _("Two-factor authentication is now enabled.")
+    else
+      flash.now[:alert] = _("Incorrect verification code.")
+      render :verify, status: :unprocessable_content
+    end
+  end
+
+  def destroy
+    current_user.disable_totp!
+    session.delete(:otp_backup_codes_plaintext)
+    redirect_to edit_user_registration_path, status: :see_other, notice: _("Two-factor authentication has been disabled.")
+  end
+
+  private
+
+  def ensure_otp_secret
+    current_user.ensure_otp_secret!
+  end
+
+  def ensure_backup_codes
+    if Array(current_user.otp_backup_code_digests).empty?
+      plaintexts = current_user.generate_otp_backup_codes!
+      session[:otp_backup_codes_plaintext] = plaintexts
+    end
+    @otp_backup_codes_display = session[:otp_backup_codes_plaintext]
+  end
+end

app/helpers/application_helper.rb

@@ -51,12 +51,14 @@ def secret_url(push, with_retrieval_step: true, locale: nil)
   # @param [String] url - The URL to generate the QR code for
   # @return [String] - The SVG QR code
   def qr_code(url)
-    RQRCode::QRCode.new(url).as_svg(
+    svg = RQRCode::QRCode.new(url).as_svg(
       offset: 0,
       color: :currentColor,
       shape_rendering: "crispEdges",
       module_size: 6,
       standalone: true
-    ).html_safe
+    )
+    # Strip XML declaration so the SVG is valid when embedded in HTML.
+    svg.sub(/\A<\?xml[^>]*\?>\s*/, "").html_safe
   end
 end

app/madmin/resources/user_resource.rb

@@ -23,6 +23,7 @@ class UserResource < Madmin::Resource
   # attribute :unconfirmed_email, index: false
   attribute :authentication_token, index: false, form: false
   attribute :preferred_language, index: false
+  attribute :otp_required_for_login, index: true, form: false
 
   # Associations
   attribute :pushes

app/models/concerns/user/totp_authentication.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+# Time-based one-time passwords (TOTP) for web sign-in, with backup recovery codes.
+# `last_otp_timestep` stores the Unix timestamp returned by ROTP on the last successful
+# TOTP verification (used as ROTP's `after:` to prevent token reuse).
+# `otp_secret` is encrypted at rest (Lockbox). Backup codes are stored as HMAC digests only;
+# plaintext codes are shown once via session (see Users::TwoFactorController).
+module User::TotpAuthentication
+  extend ActiveSupport::Concern
+
+  included do
+    has_encrypted :otp_secret
+
+    serialize :otp_backup_code_digests, coder: ActiveRecord::Coders::JSON.new, type: Array
+  end
+
+  class_methods do
+    # Used by tests and to build digests; same algorithm as instance digesting.
+    def digest_otp_backup_code(user_id, code)
+      OpenSSL::HMAC.hexdigest(
+        "SHA256",
+        Rails.application.secret_key_base,
+        "#{user_id}:#{code.to_s.strip.downcase}"
+      )
+    end
+  end
+
+  def totp_issuer
+    Settings.brand&.title.presence || "Password Pusher"
+  end
+
+  def ensure_otp_secret!
+    return if otp_secret.present?
+
+    update!(otp_secret: ROTP::Base32.random)
+  end
+
+  def enable_totp!
+    update!(otp_required_for_login: true)
+  end
+
+  def disable_totp!
+    update!(
+      otp_required_for_login: false,
+      otp_secret: nil,
+      otp_backup_code_digests: [],
+      last_otp_timestep: nil
+    )
+  end
+
+  def totp
+    raise ArgumentError, "otp_secret is blank" if otp_secret.blank?
+
+    ROTP::TOTP.new(otp_secret, issuer: totp_issuer)
+  end
+
+  def totp_provisioning_uri
+    totp.provisioning_uri(email)
+  end
+
+  def totp_manual_entry_secret
+    otp_secret
+  end
+
+  # Verifies a 6-digit TOTP or a backup code, then consumes it (single-use).
+  def verify_and_consume_otp!(code)
+    return false if code.blank?
+
+    normalized = code.to_s.strip
+
+    if otp_secret.present?
+      with_lock do
+        reload # fresh last_otp_timestep; lock prevents concurrent TOTP replays
+        token_time = totp.verify(normalized, after: last_otp_timestep, drift_behind: 15)
+        if token_time
+          update!(last_otp_timestep: token_time.to_i)
+          return true
+        end
+      end
+    end
+
+    consume_backup_code!(normalized)
+  end
+
+  # Returns plaintext codes once; persists only digests. Caller should stash plaintext in session for display.
+  def generate_otp_backup_codes!
+    plaintexts = 16.times.map { SecureRandom.hex(5) }
+    digests = plaintexts.map { |p| self.class.digest_otp_backup_code(id, p) }
+    update!(otp_backup_code_digests: digests)
+    plaintexts
+  end
+
+  private
+
+  def consume_backup_code!(code)
+    normalized = code.to_s.strip.downcase
+    candidate = self.class.digest_otp_backup_code(id, normalized)
+    digests = Array(otp_backup_code_digests)
+    match_index = nil
+    digests.each_with_index do |stored, i|
+      next unless stored.bytesize == candidate.bytesize
+
+      if ActiveSupport::SecurityUtils.secure_compare(stored, candidate)
+        match_index = i
+        break
+      end
+    end
+    return false unless match_index
+
+    digests.delete_at(match_index)
+    update!(otp_backup_code_digests: digests)
+    true
+  end
+end

app/models/user.rb

@@ -2,6 +2,7 @@
 
 class User < ApplicationRecord
   include Pwpush::TokenAuthentication
+  include User::TotpAuthentication
 
   # Include default devise modules. Others available are:
   # :timeoutable and :omniauthable