Build(deps): Bump rotp from 3.3.1 to 5.1.0 (#8477)

* Build(deps): Bump rotp from 3.3.1 to 5.1.0

Bumps [rotp](https://github.com/mdp/rotp) from 3.3.1 to 5.1.0.
- [Release notes](https://github.com/mdp/rotp/releases)
- [Changelog](https://github.com/mdp/rotp/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mdp/rotp/compare/v3.3.1...v5.1.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>

* Fix breaking ROTP changes
dependabot-preview[bot] 2019-12-09 14:29:48 +10:00 committed by Martin Brennan
parent 5cef71e885
commit 9b30922109
3 changed files with 18 additions and 5 deletions


@ -315,7 +315,8 @@ GEM
request_store (1.4.1) request_store (1.4.1)
rack (>= 1.4) rack (>= 1.4)
rinku (2.0.6) rinku (2.0.6)
rotp (3.3.1) rotp (5.1.0)
addressable (~> 2.5)
rqrcode (0.10.1) rqrcode (0.10.1)
chunky_png (~> 1.0) chunky_png (~> 1.0)
rspec (3.8.0) rspec (3.8.0)


@ -1219,7 +1219,7 @@ class UsersController < ApplicationController
end end
def create_second_factor_totp def create_second_factor_totp
totp_data = ROTP::Base32.random_base32 totp_data = ROTP::Base32.random
secure_session["staged-totp-#{current_user.id}"] = totp_data secure_session["staged-totp-#{current_user.id}"] = totp_data
qrcode_svg = RQRCode::QRCode.new(current_user.totp_provisioning_uri(totp_data)).as_svg( qrcode_svg = RQRCode::QRCode.new(current_user.totp_provisioning_uri(totp_data)).as_svg(
offset: 0, offset: 0,
@ -1295,7 +1295,11 @@ class UsersController < ApplicationController
RateLimiter.new(nil, "second-factor-min-#{key}", 3, 1.minute).performed! RateLimiter.new(nil, "second-factor-min-#{key}", 3, 1.minute).performed!
end end
authenticated = !auth_token.blank? && totp_object.verify_with_drift(auth_token, 30) authenticated = !auth_token.blank? && totp_object.verify(
auth_token,
drift_ahead: SecondFactorManager::TOTP_ALLOWED_DRIFT_SECONDS,
drift_behind: SecondFactorManager::TOTP_ALLOWED_DRIFT_SECONDS
)
unless authenticated unless authenticated
return render json: failed_json.merge( return render json: failed_json.merge(
error: I18n.t("login.invalid_second_factor_code") error: I18n.t("login.invalid_second_factor_code")
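Review bot: The new verify call after the rate limiter passes `drift_ahead`/`drift_behind` but no `after:`, unlike the SecondFactorManager hunk in this same commit, so a code that was already accepted within the drift window can be accepted again on this path; if this action checks an established factor rather than the freshly staged secret, pass the factor's last-used timestamp as `after:` and update it from the value `verify` returns. Note that in ROTP 5 `verify` returns the matched time-step timestamp (an Integer) or nil rather than true/false, so `authenticated` is now an Integer on success — fine for the `unless authenticated` guard below, but worth a comment such as `# ROTP 5: verify returns the matched timestamp or nil, not a boolean` if the value is used elsewhere. The enclosing method starts and ends outside the hunk.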


@ -1,13 +1,15 @@
# frozen_string_literal: true # frozen_string_literal: true
module SecondFactorManager module SecondFactorManager
TOTP_ALLOWED_DRIFT_SECONDS = 30
extend ActiveSupport::Concern extend ActiveSupport::Concern
def create_totp(opts = {}) def create_totp(opts = {})
UserSecondFactor.create!({ UserSecondFactor.create!({
user_id: self.id, user_id: self.id,
method: UserSecondFactor.methods[:totp], method: UserSecondFactor.methods[:totp],
data: ROTP::Base32.random_base32 data: ROTP::Base32.random
}.merge(opts)) }.merge(opts))
end end
@ -30,7 +32,13 @@ module SecondFactorManager
last_used = totp.last_used.to_i last_used = totp.last_used.to_i
end end
authenticated = !token.blank? && totp.get_totp_object.verify_with_drift_and_prior(token, 30, last_used) authenticated = !token.blank? && totp.get_totp_object.verify(
token,
drift_ahead: TOTP_ALLOWED_DRIFT_SECONDS,
drift_behind: TOTP_ALLOWED_DRIFT_SECONDS,
after: last_used
)
if authenticated if authenticated
totp.update!(last_used: DateTime.now) totp.update!(last_used: DateTime.now)
break break
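Review bot: The new verify call with `after: last_used` returns the timestamp of the matched time step in ROTP 5, but the success branch below still records `DateTime.now` as `last_used`; when the accepted code came from the `drift_ahead` window, the stored value is earlier than the matched step, so the same code still passes the `after:` check until the wall clock catches up. Store the value `verify` returned instead, e.g. `totp.update!(last_used: Time.at(authenticated))`, which also replaces the legacy `DateTime`. The new constant `TOTP_ALLOWED_DRIFT_SECONDS = 30` would benefit from a comment such as `# Accept codes from one 30-second step either side of now to tolerate client clock skew`. The enclosing method starts before and ends after the hunk, so the loop this `break` belongs to is not visible here.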