Fix OTP auth triggering for users who haven't set it up
I thought I could be clever by using a null secret key as an indicator of OTP being disabled
This commit is contained in:
parent
141ff59f63
commit
25410e111d
@ -7,7 +7,7 @@ class User::SessionsController < Devise::SessionsController
|
|||
self.resource = warden.authenticate!(auth_options)
|
||||
end
|
||||
|
||||
if resource.active_for_authentication? && !resource.otp_secret_key.nil?
|
||||
if resource.active_for_authentication? && resource.otp_module_enabled?
|
||||
if params[:user][:otp_attempt].blank?
|
||||
session[:user_sign_in_uid] = resource.id
|
||||
sign_out(resource)
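Review bot: The new condition `if resource.active_for_authentication? && resource.otp_module_enabled?` depends on `otp_module_enabled?` answering false for a nil `otp_module`, which is what every existing row will carry because the accompanying migration adds the column with no default; that is the safe direction, but nothing in the hunk says so. A comment above the check, `# second factor only when the user has explicitly enabled the OTP module; nil otp_module (legacy rows) counts as disabled`, would make the intent visible to the next reader. The enclosing action starts before and ends after this hunk, so the branch that later verifies `otp_attempt` against the parked `session[:user_sign_in_uid]` is not visible here; if it does not already, that path should clear `session[:user_sign_in_uid]` once the attempt is accepted or abandoned so the parked id cannot outlive the challenge.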
|
||||
|
|
|
@ -185,8 +185,6 @@ class UserController < ApplicationController
|
|||
|
||||
def update_2fa
|
||||
req_params = params.require(:user).permit(:otp_secret_key, :otp_validation)
|
||||
|
||||
current_user.otp_secret_key = req_params[:otp_secret_key]
|
||||
|
||||
if current_user.authenticate_otp(req_params[:otp_validation])
|
||||
flash[:success] = 'yay'
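Review bot: `update_2fa` still takes `otp_secret_key` from the request through `params.require(:user).permit(:otp_secret_key, :otp_validation)` and assigns it to `current_user` before `authenticate_otp` has run, so the secret a user ends up enrolled with is chosen by the client rather than generated by the server. A safer shape is to generate the secret server-side (the migration already calls `User.otp_random_secret`), hold it outside the form until the validation code is accepted, and only then persist it together with flipping the enum via `otp_module_enabled!`; if the rest of the method saves `current_user` on the failure path, the unverified secret would be persisted as well. The method body continues past this hunk, so I cannot see where the enum is switched or what the failure branch does. Whichever way this is resolved, a comment such as `# the secret must be confirmed with a valid code before OTP is enabled for the account` above the `if` would document the contract.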
|
||||
|
|
|
@ -13,6 +13,7 @@ class User < ApplicationRecord
|
|||
:validatable, :confirmable, :authentication_keys => [:login]
|
||||
|
||||
has_one_time_password
|
||||
enum otp_module: { disabled: 0, enabled: 1 }, _prefix: true
|
||||
attr_accessor :otp_attempt, :otp_validation
|
||||
|
||||
rolify
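Review bot: `enum otp_module: { disabled: 0, enabled: 1 }, _prefix: true` maps onto a column that the accompanying migration adds as a plain nullable integer with no default, so every current row and every newly created user starts with a nil `otp_module` that answers false to both `otp_module_enabled?` and `otp_module_disabled?`. The sessions controller only tests `otp_module_enabled?`, so nil behaves as disabled today, but the third state is easy to trip over elsewhere; giving the column `default: 0, null: false` on the migration's `add_column :users, :otp_module, :integer` line would make the model and the schema agree. Until then a comment on the enum line, `# otp_module_enabled? / otp_module_disabled?; a nil column value is neither`, records the current behaviour.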
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
class AddOtpSecretKeyToUsers < ActiveRecord::Migration[5.2]
|
||||
def change
|
||||
add_column :users, :otp_secret_key, :string
|
||||
add_column :users, :otp_module, :integer
|
||||
|
||||
User.find_each do |user|
|
||||
user.update_attribute(:otp_secret_key, User.otp_random_secret)
|
||||
end
|
||||
end
|
||||
end
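Review bot: The `User.find_each` loop that assigns `User.otp_random_secret` to every row lives inside `change`, and plain Ruby inside `change` appears to be executed on rollback as well, so reverting this migration would re-randomise every user's secret before dropping the column rather than being a no-op; a data backfill belongs in `up`/`down` or a `reversible` block with the seeding on the `up` side only. Using the live `User` model here also couples the migration to `has_one_time_password` being present on the class whenever the migration is replayed. Note as well that after this runs every account holds a valid OTP secret whether or not the user ever enrolled, so the `otp_module` column added just above is the sole gate on the second factor; a comment above the loop such as `# pre-provision a secret for all users; OTP is only enforced once otp_module is enabled` would keep that dependency explicit.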
|
||||
|
|
|
@ -10,7 +10,7 @@
|
|||
#
|
||||
# It's strongly recommended that you check this file into your version control system.
|
||||
|
||||
ActiveRecord::Schema.define(version: 2020_10_01_172537) do
|
||||
ActiveRecord::Schema.define(version: 2020_10_18_090453) do
|
||||
|
||||
# These are extensions that must be enabled in order to support this database
|
||||
enable_extension "plpgsql"
|
||||
|
@ -274,6 +274,7 @@ ActiveRecord::Schema.define(version: 2020_10_01_172537) do
|
|||
t.boolean "export_processing", default: false, null: false
|
||||
t.datetime "export_created_at"
|
||||
t.string "otp_secret_key"
|
||||
t.integer "otp_module"
|
||||
t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
|
||||
t.index ["email"], name: "index_users_on_email", unique: true
|
||||
t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
|
||||
|
|