Add 2FA to admin panel sign in

4 years ago · ce9e09741b
11 changed files with 156 additions and 2 deletions
--- a/.env.example
+++ b/.env.example
@ -1,3 +1,5 @@
 DB_USERNAME=postgres-user
 DB_PASSWORD=postgres-password
-GOVUK_NOTIFY_API_KEY=<notify-key-here-if-testing-emails>
+
 GOVUK_NOTIFY_API_KEY=<notify-key-here-if-testing-emails-or-admin-users>
 OTP_SECRET_ENCRYPTION_KEY="<Generate this using bundle exec rake secret>"
--- a/3
+++ b/3
@ -37,6 +37,9 @@ gem "json-schema"
 # Authentication
 # Point at branch until devise is compatible with Turbo, see https://github.com/heartcombo/devise/pull/5340
 gem "devise", github: "baarkerlounger/devise", branch: "dluhc-fixes"
 # Two-factor Authentication for devise models. Pointing at fork until this is merged for Rails 6 compatibility
 # https://github.com/Houdini/two_factor_authentication/pull/204
 gem "two_factor_authentication", github: "baarkerlounger/two_factor_authentication"
 # UK postcode parsing and validation
 gem "uk_postcode"
 # Get rich data from postcode lookups. Wraps postcodes.io
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -18,6 +18,17 @@ GIT
      responders
      warden (~> 1.2.3)
 GIT
  remote: https://github.com/baarkerlounger/two_factor_authentication.git
  revision: a7522becd7222f1aa4ddf73d7caf19f05bdb4dac
  specs:
    two_factor_authentication (2.2.0)
      devise
      encryptor
      rails (>= 3.1.1)
      randexp
      rotp (>= 4.0.0)
 GIT
  remote: https://github.com/tagliala/activeadmin.git
  revision: d1492c54e76871d95f3a7ff20e445b48f455d4cb
@ -157,6 +168,7 @@ GEM
    dotenv-rails (2.7.6)
      dotenv (= 2.7.6)
      railties (>= 3.2)
    encryptor (3.0.0)
    erubi (1.10.0)
    excon (0.90.0)
    factory_bot (6.2.0)
@ -310,6 +322,7 @@ GEM
      zeitwerk (~> 2.5)
    rainbow (3.1.1)
    rake (13.0.6)
    randexp (0.1.7)
    ransack (2.5.0)
      activerecord (>= 5.2.4)
      activesupport (>= 5.2.4)
@ -325,6 +338,7 @@ GEM
    roo (2.8.3)
      nokogiri (~> 1)
      rubyzip (>= 1.3.0, < 3.0.0)
    rotp (6.2.0)
    rspec-core (3.10.2)
      rspec-support (~> 3.10.0)
    rspec-expectations (3.10.2)
@ -472,6 +486,7 @@ DEPENDENCIES
  scss_lint-govuk
  selenium-webdriver
  simplecov
  two_factor_authentication!
  tzinfo-data
  uk_postcode
  view_component
--- a/app/models/admin_user.rb
+++ b/app/models/admin_user.rb
@ -1,5 +1,16 @@
 class AdminUser < ApplicationRecord
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable, :trackable and :omniauthable
-  devise :database_authenticatable, :recoverable, :rememberable, :validatable
+  devise :two_factor_authenticatable, :database_authenticatable, :recoverable,
         :rememberable, :validatable
  has_one_time_password(encrypted: true)
  MFA_SMS_TEMPLATE_ID = "bf309d93-804e-4f95-b1f4-bd513c48ecb0".freeze
  def send_two_factor_authentication_code(code)
    template_id = MFA_SMS_TEMPLATE_ID
    personalisation = { otp: code }
    Sms.send(phone, template_id, personalisation)
  end
 end
--- a/app/services/sms.rb
+++ b/app/services/sms.rb
@ -0,0 +1,15 @@
 require "notifications/client"
 class Sms
  def self.notify_client
    Notifications::Client.new(ENV["GOVUK_NOTIFY_API_KEY"])
  end
  def self.send(phone_number, template_id, args)
    notify_client.send_sms(
      phone_number: phone_number,
      template_id: template_id,
      personalisation: args,
    )
  end
 end
--- a/app/views/devise/two_factor_authentication/show.html.erb
+++ b/app/views/devise/two_factor_authentication/show.html.erb
@ -0,0 +1,26 @@
 <% content_for :title, "Check your phone" %>
 <%= form_with(url: "/admin/two_factor_authentication", html: { method: :put }) do |f| %>
  <div class="govuk-grid-row">
    <div class="govuk-grid-column-two-thirds">
      <h1 class="govuk-heading-l">
        <%= content_for(:title) %>
      </h1>
      <p class="govuk-body">We’ve sent you a text message with a security code.</p>
      <%= f.govuk_number_field :code,
          label: { text: "Security code" },
          width: 5,
          autofocus: true
      %>
      <%= f.govuk_submit "Submit" %>
    </div>
  </div>
 <% end %>
 <p class="govuk-body">
  <%= govuk_link_to "Not received a text message?", "#" %>
 </p>
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -309,4 +309,15 @@ Devise.setup do |config|
  # When set to false, does not sign a user in automatically after their password is
  # changed. Defaults to true, so a user is signed in automatically after changing a password.
  # config.sign_in_after_change_password = true
  # 2FA
  config.max_login_attempts = 3 # Maximum second factor attempts count.
  config.allowed_otp_drift_seconds = 30 # Allowed TOTP time drift between client and server.
  config.otp_length = 6 # TOTP code length
  config.direct_otp_valid_for = 5.minutes # Time before direct OTP becomes invalid
  config.direct_otp_length = 6 # Direct OTP code length
  config.remember_otp_session_for_seconds = 1.day # Time before browser has to perform 2fA again. Default is 0.
  config.otp_secret_encryption_key = ENV["OTP_SECRET_ENCRYPTION_KEY"]
  config.second_factor_resource_id = "id" # Field or method name used to set value for 2fA remember cookie
  config.delete_cookie_on_logout = false # Delete cookie when user signs out, to force 2fA again on login
 end
--- a/db/migrate/20211203135623_two_factor_authentication_add_to_admin_users.rb
+++ b/db/migrate/20211203135623_two_factor_authentication_add_to_admin_users.rb
@ -0,0 +1,16 @@
 class TwoFactorAuthenticationAddToAdminUsers < ActiveRecord::Migration[6.1]
  def change
    change_table :admin_users, bulk: true do |t|
      t.column :second_factor_attempts_count, :integer, default: 0
      t.column :encrypted_otp_secret_key, :string
      t.column :encrypted_otp_secret_key_iv, :string
      t.column :encrypted_otp_secret_key_salt, :string
      t.column :direct_otp, :string
      t.column :direct_otp_sent_at, :datetime
      t.column :totp_timestamp, :timestamp
      t.column :phone, :string
      t.index :encrypted_otp_secret_key, unique: true
    end
  end
 end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -23,6 +23,15 @@ ActiveRecord::Schema.define(version: 2022_01_31_123638) do
    t.datetime "remember_created_at"
    t.datetime "created_at", precision: 6, null: false
    t.datetime "updated_at", precision: 6, null: false
    t.integer "second_factor_attempts_count", default: 0
    t.string "encrypted_otp_secret_key"
    t.string "encrypted_otp_secret_key_iv"
    t.string "encrypted_otp_secret_key_salt"
    t.string "direct_otp"
    t.datetime "direct_otp_sent_at"
    t.datetime "totp_timestamp"
    t.string "phone"
    t.index ["encrypted_otp_secret_key"], name: "index_admin_users_on_encrypted_otp_secret_key", unique: true
  end
  create_table "case_logs", force: :cascade do |t|
--- a/spec/factories/admin_user.rb
+++ b/spec/factories/admin_user.rb
@ -2,6 +2,7 @@ FactoryBot.define do
  factory :admin_user do
    sequence(:email) { |i| "admin#{i}@example.com" }
    password { "pAssword1" }
    phone { "07563867654" }
    created_at { Time.zone.now }
    updated_at { Time.zone.now }
  end
--- a/spec/features/admin_panel_spec.rb
+++ b/spec/features/admin_panel_spec.rb
@ -0,0 +1,45 @@
 require "rails_helper"
 RSpec.describe "Admin Panel" do
  let!(:admin) { FactoryBot.create(:admin_user) }
  let(:notify_client) { instance_double(Notifications::Client) }
  let(:mfa_template_id) { AdminUser::MFA_SMS_TEMPLATE_ID }
  let(:otp) { "999111" }
  before do
    allow(Sms).to receive(:notify_client).and_return(notify_client)
    allow(notify_client).to receive(:send_sms).and_return(true)
  end
  context "with a valid 2FA code" do
    before do
      allow(SecureRandom).to receive(:random_number).and_return(otp)
    end
    it "authenticates successfully" do
      expect(notify_client).to receive(:send_sms).with(
        hash_including(phone_number: admin.phone, template_id: mfa_template_id),
      )
      visit("/admin")
      fill_in("admin_user[email]", with: admin.email)
      fill_in("admin_user[password]", with: admin.password)
      click_button("Login")
      fill_in("code", with: otp)
      click_button("Submit")
      expect(page).to have_content("Dashboard")
      expect(page).to have_content("Two factor authentication successful.")
    end
  end
  context "with an invalid 2FA code" do
    it "does not authenticate successfully" do
      visit("/admin")
      fill_in("admin_user[email]", with: admin.email)
      fill_in("admin_user[password]", with: admin.password)
      click_button("Login")
      fill_in("code", with: otp)
      click_button("Submit")
      expect(page).to have_content("Check your phone")
    end
  end
 end