1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
|
# frozen-string-literal: true
module Rodauth
Feature.define(:recovery_codes, :RecoveryCodes) do
depends :two_factor_base
additional_form_tags 'recovery_auth'
additional_form_tags 'recovery_codes'
before 'add_recovery_codes'
before 'view_recovery_codes'
before 'recovery_auth'
after 'add_recovery_codes'
button 'Add Authentication Recovery Codes', 'add_recovery_codes'
button 'Authenticate via Recovery Code', 'recovery_auth'
button 'View Authentication Recovery Codes', 'view_recovery_codes'
error_flash "Error authenticating via recovery code", 'invalid_recovery_code'
error_flash "Unable to add recovery codes", 'add_recovery_codes'
error_flash "Unable to view recovery codes", 'view_recovery_codes'
notice_flash "Additional authentication recovery codes have been added", 'recovery_codes_added'
redirect(:recovery_auth){recovery_auth_path}
redirect(:add_recovery_codes){recovery_codes_path}
loaded_templates %w'add-recovery-codes recovery-auth recovery-codes password-field'
view 'add-recovery-codes', 'Authentication Recovery Codes', 'add_recovery_codes'
view 'recovery-auth', 'Enter Authentication Recovery Code', 'recovery_auth'
view 'recovery-codes', 'View Authentication Recovery Codes', 'recovery_codes'
auth_value_method :add_recovery_codes_param, 'add'
translatable_method :add_recovery_codes_heading, '<h2>Add Additional Recovery Codes</h2>'
auth_value_method :auto_add_recovery_codes?, false
auth_value_method :auto_remove_recovery_codes?, false
translatable_method :invalid_recovery_code_message, "Invalid recovery code"
auth_value_method :recovery_codes_limit, 16
auth_value_method :recovery_codes_column, :code
auth_value_method :recovery_codes_id_column, :id
translatable_method :recovery_codes_label, 'Recovery Code'
auth_value_method :recovery_codes_param, 'recovery-code'
auth_value_method :recovery_codes_table, :account_recovery_codes
translatable_method :recovery_auth_link_text, "Authenticate Using Recovery Code"
translatable_method :recovery_codes_link_text, "View Authentication Recovery Codes"
auth_cached_method :recovery_codes
auth_value_methods(
:recovery_codes_primary?
)
auth_methods(
:add_recovery_code,
:can_add_recovery_codes?,
:new_recovery_code,
:recovery_code_match?,
:recovery_codes_available?,
)
internal_request_method :recovery_codes
internal_request_method :recovery_auth
internal_request_method :valid_recovery_auth?
route(:recovery_auth) do |r|
require_login
require_account_session
require_two_factor_setup
require_two_factor_not_authenticated('recovery_code')
before_recovery_auth_route
r.get do
recovery_auth_view
end
r.post do
if recovery_code_match?(param(recovery_codes_param))
before_recovery_auth
two_factor_authenticate('recovery_code')
end
set_response_error_reason_status(:invalid_recovery_code, invalid_key_error_status)
set_field_error(recovery_codes_param, invalid_recovery_code_message)
set_error_flash invalid_recovery_code_error_flash
recovery_auth_view
end
end
route(:recovery_codes) do |r|
require_account
unless recovery_codes_primary?
require_two_factor_setup
require_two_factor_authenticated
end
before_recovery_codes_route
r.get do
recovery_codes_view
end
r.post do
if two_factor_password_match?(param(password_param))
if can_add_recovery_codes?
if param_or_nil(add_recovery_codes_param)
transaction do
before_add_recovery_codes
add_recovery_codes(recovery_codes_limit - recovery_codes.length)
after_add_recovery_codes
end
set_notice_now_flash recovery_codes_added_notice_flash
end
self.recovery_codes_button = add_recovery_codes_button
end
before_view_recovery_codes
add_recovery_codes_view
else
if param_or_nil(add_recovery_codes_param)
set_error_flash add_recovery_codes_error_flash
else
set_error_flash view_recovery_codes_error_flash
end
set_response_error_reason_status(:invalid_password, invalid_password_error_status)
set_field_error(password_param, invalid_password_message)
recovery_codes_view
end
end
end
attr_accessor :recovery_codes_button
def two_factor_remove
super
recovery_codes_remove
end
def otp_add_key
super if defined?(super)
auto_add_missing_recovery_codes
end
def sms_confirm
super if defined?(super)
auto_add_missing_recovery_codes
end
def add_webauthn_credential(_)
super if defined?(super)
auto_add_missing_recovery_codes
end
def recovery_codes_remove
recovery_codes_ds.delete
end
def recovery_code_match?(code)
recovery_codes.each do |s|
if timing_safe_eql?(code, s)
recovery_codes_ds.where(recovery_codes_column=>code).delete
if recovery_codes_primary?
add_recovery_code
end
return true
end
end
false
end
def can_add_recovery_codes?
recovery_codes.length < recovery_codes_limit
end
def add_recovery_codes(number)
return if number <= 0
transaction do
number.times do
add_recovery_code
end
end
remove_instance_variable(:@recovery_codes)
end
def add_recovery_code
# This should never raise uniqueness violations unless the recovery code is the same, and the odds of that
# are 1/256**32 assuming a good random number generator. Still, attempt to handle that case by retrying
# on such a uniqueness violation.
retry_on_uniqueness_violation do
recovery_codes_ds.insert(recovery_codes_id_column=>session_value, recovery_codes_column=>new_recovery_code)
end
end
def recovery_codes_available?
!recovery_codes_ds.empty?
end
def possible_authentication_methods
methods = super
methods << 'recovery_code' unless recovery_codes_ds.empty?
methods
end
private
def _two_factor_auth_links
links = super
links << [40, recovery_auth_path, recovery_auth_link_text] if recovery_codes_available?
links
end
def _two_factor_setup_links
links = super
links << [40, recovery_codes_path, recovery_codes_link_text] if (recovery_codes_primary? || uses_two_factor_authentication?)
links
end
def _two_factor_remove_all_from_session
two_factor_remove_session('recovery_code')
super
end
def after_otp_disable
super if defined?(super)
auto_remove_recovery_codes
end
def after_sms_disable
super if defined?(super)
auto_remove_recovery_codes
end
def after_webauthn_remove
super if defined?(super)
auto_remove_recovery_codes
end
def new_recovery_code
random_key
end
def recovery_codes_primary?
(features & [:otp, :sms_codes, :webauthn]).empty?
end
def auto_add_missing_recovery_codes
if auto_add_recovery_codes?
add_recovery_codes(recovery_codes_limit - recovery_codes.length)
end
end
def auto_remove_recovery_codes
if auto_remove_recovery_codes? && (%w'totp webauthn sms_code' & possible_authentication_methods).empty?
recovery_codes_remove
end
end
def _recovery_codes
recovery_codes_ds.select_map(recovery_codes_column)
end
def recovery_codes_ds
db[recovery_codes_table].where(recovery_codes_id_column=>session_value)
end
end
end
|
