Fix OTP auth triggering for users who haven't set it up

I thought I could be clever by using a null secret key as an indicator of it being disabled
This commit is contained in:
Dominik Kwiatek 2020-10-18 11:39:28 +02:00
parent 141ff59f63
commit 25410e111d
5 changed files with 9 additions and 4 deletions

View File

@ -7,7 +7,7 @@ class User::SessionsController < Devise::SessionsController
self.resource = warden.authenticate!(auth_options)
end
if resource.active_for_authentication? && !resource.otp_secret_key.nil?
if resource.active_for_authentication? && resource.otp_module_enabled?
if params[:user][:otp_attempt].blank?
session[:user_sign_in_uid] = resource.id
sign_out(resource)

View File

@ -185,8 +185,6 @@ class UserController < ApplicationController
def update_2fa
req_params = params.require(:user).permit(:otp_secret_key, :otp_validation)
current_user.otp_secret_key = req_params[:otp_secret_key]
if current_user.authenticate_otp(req_params[:otp_validation])
flash[:success] = 'yay'

View File

@ -13,6 +13,7 @@ class User < ApplicationRecord
:validatable, :confirmable, :authentication_keys => [:login]
has_one_time_password
enum otp_module: { disabled: 0, enabled: 1 }, _prefix: true
attr_accessor :otp_attempt, :otp_validation
rolify

View File

@ -1,5 +1,10 @@
class AddOtpSecretKeyToUsers < ActiveRecord::Migration[5.2]
def change
add_column :users, :otp_secret_key, :string
add_column :users, :otp_module, :integer
User.find_each do |user|
user.update_attribute(:otp_secret_key, User.otp_random_secret)
end
end
end

View File

@ -10,7 +10,7 @@
#
# It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 2020_10_01_172537) do
ActiveRecord::Schema.define(version: 2020_10_18_090453) do
# These are extensions that must be enabled in order to support this database
enable_extension "plpgsql"
@ -274,6 +274,7 @@ ActiveRecord::Schema.define(version: 2020_10_01_172537) do
t.boolean "export_processing", default: false, null: false
t.datetime "export_created_at"
t.string "otp_secret_key"
t.integer "otp_module"
t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
t.index ["email"], name: "index_users_on_email", unique: true
t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true