This feature was added to enable an unconfirmed mobile
phone number to be used for OTP purposes and have that
number removed at the start or end of a new session.
However, a simpler way to do this would be to simply store
the unconfirmed mobile in the #user_session. Indeed,
that is what we are now doing in the 18F identity project
which uses this gem:
https://github.com/18F/identity-idp/pull/220
Direct OTP codes are ones that are delivered directly to
the user (e.g. SMS) via send_two_factor_authentication_code.
These are randomly generated, short lived, and stored
directly in the database.
TOTP (and the rotp gem) is now only enabled for those users
that have a shared secret (user.create_otp_secret).
**Why**: `bundler-audit` requires `Gemfile.lock` to be checked in, but it is gitignored on purpose in this repo. Enabling bundler-audit causes the Code Climate check to fail, but then seems to also prevent the rest of the engines from running.
**Why**: To be able to support Rails 5 without deprecation warnings,
we need to replace `before_filter` with `before_action`.
`before_action` is not supported in Rails 3.2, so we need to bump the
major version number since this will be a breaking change for people
who can't upgrade Rails.
**Why**:
When looking up a class with `Object.const_defined?`, `false` will be
returned the first time it is called, even when the class exists in the
Rails app. I think this might be due to the way Rails loads classes.
**How**:
Use `ActiveSupport::Inflector#constantize`, which returns the class all
the time when the class exists, and throws a `NameError` when it
doesn't.
The only way I was able to properly test this was to create the
`UserOtpSender` class as a real file in the test Rails app, and create
a Devise Admin user to test the scenario where `AdminOtpSender` does
not exist.
I verified that with the old code, `reset_otp_state` was not being
called when it should be, and that the new code makes the tests pass.
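
The lookup difference described in the commit message above, as an added example (not code from the gem or from the commit). It assumes the cause is lazy constant loading, as the message suspects: the `App` module, its `LOADABLE` table and both helper methods are hypothetical, and `const_get` stands in for `ActiveSupport::Inflector#constantize` so the block runs without Rails.

```ruby
# Constructed stand-in for a lazily loading Rails app: constants under App
# are only defined the first time something references them by name.
module App
  LOADABLE = {
    UserOtpSender: -> { Class.new { def reset_otp_state; :reset; end } }
  }.freeze

  # Mimics an autoloader hook: define the class on first reference,
  # raise NameError (via super) for names the app does not provide.
  def self.const_missing(name)
    builder = LOADABLE[name]
    return super unless builder
    const_set(name, builder.call)
  end
end

# Old-style lookup: only asks whether the constant is already defined.
# It never triggers loading, so it misses a class that exists but has not
# been referenced yet, and the OTP state reset is silently skipped.
def sender_via_const_defined(resource_name)
  name = "#{resource_name}OtpSender"
  App.const_defined?(name) ? App.const_get(name) : nil
end

# New-style lookup: resolve the constant (which triggers loading) and
# treat NameError as "this resource has no sender class".
def sender_via_resolve(resource_name)
  App.const_get("#{resource_name}OtpSender")
rescue NameError
  nil
end

# Calls reset_otp_state on the sender if one is found; returns nil otherwise.
def reset_otp_state_for(resource_name, lookup)
  sender = send(lookup, resource_name)
  sender && sender.new.reset_otp_state
end
```
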
**Why**:
The `encryptor` gem, which is used for the new OTP encryption feature,
requires Ruby 2.0 or later.
Also, Rails 5.0 requires Ruby 2.2.2 or greater, so we need to ignore
1.9.3, 2.0, and 2.1 when running RAILS_VERSION=master on Travis.