Fix OTP auth triggering for users who haven't set it up

I thought I could be clever by using a null secret key as an indicator of it being disabled
2020-10-18 11:39:28 +02:00 · 2020-10-18 11:39:28 +02:00 · 25410e111d
parent 141ff59f63
commit 25410e111d
5 changed files with 9 additions and 4 deletions
--- a/app/controllers/user/sessions_controller.rb
+++ b/app/controllers/user/sessions_controller.rb
@ -7,7 +7,7 @@ class User::SessionsController < Devise::SessionsController
      self.resource = warden.authenticate!(auth_options)
    end

-    if resource.active_for_authentication? && !resource.otp_secret_key.nil?
+    if resource.active_for_authentication? && resource.otp_module_enabled?
      if params[:user][:otp_attempt].blank?
        session[:user_sign_in_uid] = resource.id
        sign_out(resource)
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@ -185,8 +185,6 @@ class UserController < ApplicationController

  def update_2fa
    req_params = params.require(:user).permit(:otp_secret_key, :otp_validation)
-    
-    current_user.otp_secret_key = req_params[:otp_secret_key]

    if current_user.authenticate_otp(req_params[:otp_validation])
      flash[:success] = 'yay'
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -13,6 +13,7 @@ class User < ApplicationRecord
         :validatable, :confirmable, :authentication_keys => [:login]

  has_one_time_password
+  enum otp_module: { disabled: 0, enabled: 1 }, _prefix: true
  attr_accessor :otp_attempt, :otp_validation

  rolify
--- a/db/migrate/20201001172537_add_otp_secret_key_to_users.rb
+++ b/db/migrate/20201001172537_add_otp_secret_key_to_users.rb
@ -1,5 +1,10 @@
 class AddOtpSecretKeyToUsers < ActiveRecord::Migration[5.2]
  def change
    add_column :users, :otp_secret_key, :string
+    add_column :users, :otp_module, :integer
+
+    User.find_each do |user|
+      user.update_attribute(:otp_secret_key, User.otp_random_secret)
+    end
  end
 end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 2020_10_01_172537) do
+ActiveRecord::Schema.define(version: 2020_10_18_090453) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@ -274,6 +274,7 @@ ActiveRecord::Schema.define(version: 2020_10_01_172537) do
    t.boolean "export_processing", default: false, null: false
    t.datetime "export_created_at"
    t.string "otp_secret_key"
+    t.integer "otp_module"
    t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
    t.index ["email"], name: "index_users_on_email", unique: true
    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true