Module: TwoFactorAuth

Defined in:

app/models/two_factor_auth/registration_response.rb,
lib/two_factor_auth.rb,
lib/two_factor_auth/engine.rb,
lib/two_factor_auth/version.rb,
app/models/two_factor_auth/client_data.rb,
app/models/two_factor_auth/registration.rb,
app/models/two_factor_auth/registration_request.rb,
app/helpers/two_factor_auth/registrations_helper.rb,
app/models/two_factor_auth/registration_verifier.rb,
lib/generators/two_factor_auth/install_generator.rb,
app/models/two_factor_auth/authentication_request.rb,
app/helpers/two_factor_auth/authentications_helper.rb,
app/models/two_factor_auth/authentication_response.rb,
app/models/two_factor_auth/authentication_verifier.rb,
app/models/two_factor_auth/authentication_client_data.rb,
app/controllers/two_factor_auth/registrations_controller.rb,
app/controllers/two_factor_auth/trusted_facets_controller.rb,
app/controllers/two_factor_auth/authentications_controller.rb,
app/controllers/two_factor_auth/two_factor_auth_controller.rb

Overview

See FIDO U2F “Raw Message Formats” documentation, section 4.3 “Registration Response Message: Success”

Defined Under Namespace

Modules: AuthenticationsHelper, Generators, RegistrationsHelper Classes: AuthenticationClientData, AuthenticationRequest, AuthenticationResponse, AuthenticationVerifier, AuthenticationsController, CantGenerateRandomNumbers, ClientData, Engine, InvalidFacetDomain, InvalidFacetListDomain, InvalidPublicKey, InvalidTrustedFacetListUrl, Registration, RegistrationRequest, RegistrationResponse, RegistrationVerifier, RegistrationsController, TrustedFacetsController, TwoFactorAuthController, TwoFactorAuthError

Constant Summary

U2F_VERSION =

'U2F_V2'

VERSION =

"0.2.0"

Class Method Summary

• .app_id_or_facet_list ⇒ Object

  We send clients the facet domain (web origin) if there are no facets, (typical for local dev), otherwise the full facet list (prohibits http).

• .decode_pubkey(raw) ⇒ Object
• .facet_domain ⇒ Object
• .facet_domain=(facet_domain) ⇒ Object
• .facets ⇒ Object
• .facets=(facets) ⇒ Object
• .pubkey_valid?(raw) ⇒ Boolean
• .random_encoded_challenge ⇒ Object
• .trusted_facet_list_url ⇒ Object
• .trusted_facet_list_url=(url) ⇒ Object
• .websafe_base64_decode(encoded) ⇒ Object
• .websafe_base64_encode(str) ⇒ Object

Class Method Details

.app_id_or_facet_list ⇒ Object

We send clients the facet domain (web origin) if there are no facets, (typical for local dev), otherwise the full facet list (prohibits http)

# File 'lib/two_factor_auth.rb', line 48

def self.app_id_or_facet_list
  if facets.empty?
    facet_domain
  else
    "#{facet_domain}/two_factor_auth/trusted_facets"
  end
end

.decode_pubkey(raw) ⇒ Object

# File 'lib/two_factor_auth.rb', line 89

def self.decode_pubkey raw
  bn = OpenSSL::BN.new(raw, 2)
  group = OpenSSL::PKey::EC::Group.new('prime256v1')
  point = OpenSSL::PKey::EC::Point.new(group, bn)
rescue OpenSSL::PKey::EC::Point::Error => e
  raise InvalidPublicKey, "Invalid public key: #{e.message}"
end

.facet_domain ⇒ Object

# File 'lib/two_factor_auth.rb', line 31

def self.facet_domain
  @facet_domain
end

.facet_domain=(facet_domain) ⇒ Object

# File 'lib/two_factor_auth.rb', line 20

def self.facet_domain= facet_domain
  if facet_domain =~ /\.dev(:\d+)?\/?$/
    raise InvalidFacetDomain, "Facet domain needs a real TLD, not .dev. Edit /etc/hosts to make a custom hostname"
  end
  if facet_domain == "https://www.example.com"
    raise InvalidFacetDomain, "You need to cusomize the facet_domain in config/initializers/two_factor_auth.rb"
  end

  @facet_domain = facet_domain.sub(/\/$/, '')
end

.facets ⇒ Object

# File 'lib/two_factor_auth.rb', line 67

def self.facets
  @facets ||= []
end

.facets=(facets) ⇒ Object

# File 'lib/two_factor_auth.rb', line 56

def self.facets= facets
  facets ||= []
  if !facets.empty? and facet_domain !~ /\Ahttps:/
    raise InvalidFacetDomain, "U2F requires HTTPS to use facet lists"
  end
  if facets.any? { |f| f !~ /\Ahttps:/ }
    raise InvalidFacetListDomain, "URLs in the facet list must all be HTTPS"
  end
  @facets = facets
end

.pubkey_valid?(raw) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/two_factor_auth.rb', line 97

def self.pubkey_valid? raw
  pk = decode_pubkey raw
  pk.on_curve?
rescue InvalidPublicKey
  false
end

.random_encoded_challenge ⇒ Object

# File 'lib/two_factor_auth.rb', line 82

def self.random_encoded_challenge
  random = OpenSSL::Random.pseudo_bytes(32)
  TwoFactorAuth::websafe_base64_encode(random)
rescue OpenSSL::Random::RandomError
  raise CantGenerateRandomNumbers, "Not enough entropy to generate secure challenges"
end

.trusted_facet_list_url ⇒ Object

# File 'lib/two_factor_auth.rb', line 42

def self.trusted_facet_list_url
  @trusted_facet_list_url or app_id_or_facet_list
end

.trusted_facet_list_url=(url) ⇒ Object

# File 'lib/two_factor_auth.rb', line 35

def self.trusted_facet_list_url= url
  if url !~ /\Ahttps:/
    raise InvalidTrustedFacetListUrl, "U2F requires HTTPS for facet urls"
  end
  @trusted_facet_list_url = url
end

.websafe_base64_decode(encoded) ⇒ Object

# File 'lib/two_factor_auth.rb', line 76

def self.websafe_base64_decode encoded
  # pad back out to decode
  padded = encoded.ljust((encoded.length/4.0).ceil * 4, '=')
  Base64.urlsafe_decode64(padded)
end

.websafe_base64_encode(str) ⇒ Object

# File 'lib/two_factor_auth.rb', line 71

def self.websafe_base64_encode str
  # PHP code removes trailing =s, don't know why
  Base64.urlsafe_encode64(str).sub(/=+$/,'')
end