Fix OTP auth triggering for users who haven't set it up
I thought I could be clever by using a null secret key as an indicator of it being disabled
This commit is contained in:
parent
141ff59f63
commit
25410e111d
|
@ -7,7 +7,7 @@ class User::SessionsController < Devise::SessionsController
|
||||||
self.resource = warden.authenticate!(auth_options)
|
self.resource = warden.authenticate!(auth_options)
|
||||||
end
|
end
|
||||||
|
|
||||||
if resource.active_for_authentication? && !resource.otp_secret_key.nil?
|
if resource.active_for_authentication? && resource.otp_module_enabled?
|
||||||
if params[:user][:otp_attempt].blank?
|
if params[:user][:otp_attempt].blank?
|
||||||
session[:user_sign_in_uid] = resource.id
|
session[:user_sign_in_uid] = resource.id
|
||||||
sign_out(resource)
|
sign_out(resource)
|
||||||
|
|
|
@ -185,8 +185,6 @@ class UserController < ApplicationController
|
||||||
|
|
||||||
def update_2fa
|
def update_2fa
|
||||||
req_params = params.require(:user).permit(:otp_secret_key, :otp_validation)
|
req_params = params.require(:user).permit(:otp_secret_key, :otp_validation)
|
||||||
|
|
||||||
current_user.otp_secret_key = req_params[:otp_secret_key]
|
|
||||||
|
|
||||||
if current_user.authenticate_otp(req_params[:otp_validation])
|
if current_user.authenticate_otp(req_params[:otp_validation])
|
||||||
flash[:success] = 'yay'
|
flash[:success] = 'yay'
|
||||||
|
|
|
@ -13,6 +13,7 @@ class User < ApplicationRecord
|
||||||
:validatable, :confirmable, :authentication_keys => [:login]
|
:validatable, :confirmable, :authentication_keys => [:login]
|
||||||
|
|
||||||
has_one_time_password
|
has_one_time_password
|
||||||
|
enum otp_module: { disabled: 0, enabled: 1 }, _prefix: true
|
||||||
attr_accessor :otp_attempt, :otp_validation
|
attr_accessor :otp_attempt, :otp_validation
|
||||||
|
|
||||||
rolify
|
rolify
|
||||||
|
|
|
@ -1,5 +1,10 @@
|
||||||
class AddOtpSecretKeyToUsers < ActiveRecord::Migration[5.2]
|
class AddOtpSecretKeyToUsers < ActiveRecord::Migration[5.2]
|
||||||
def change
|
def change
|
||||||
add_column :users, :otp_secret_key, :string
|
add_column :users, :otp_secret_key, :string
|
||||||
|
add_column :users, :otp_module, :integer
|
||||||
|
|
||||||
|
User.find_each do |user|
|
||||||
|
user.update_attribute(:otp_secret_key, User.otp_random_secret)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
#
|
#
|
||||||
# It's strongly recommended that you check this file into your version control system.
|
# It's strongly recommended that you check this file into your version control system.
|
||||||
|
|
||||||
ActiveRecord::Schema.define(version: 2020_10_01_172537) do
|
ActiveRecord::Schema.define(version: 2020_10_18_090453) do
|
||||||
|
|
||||||
# These are extensions that must be enabled in order to support this database
|
# These are extensions that must be enabled in order to support this database
|
||||||
enable_extension "plpgsql"
|
enable_extension "plpgsql"
|
||||||
|
@ -274,6 +274,7 @@ ActiveRecord::Schema.define(version: 2020_10_01_172537) do
|
||||||
t.boolean "export_processing", default: false, null: false
|
t.boolean "export_processing", default: false, null: false
|
||||||
t.datetime "export_created_at"
|
t.datetime "export_created_at"
|
||||||
t.string "otp_secret_key"
|
t.string "otp_secret_key"
|
||||||
|
t.integer "otp_module"
|
||||||
t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
|
t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
|
||||||
t.index ["email"], name: "index_users_on_email", unique: true
|
t.index ["email"], name: "index_users_on_email", unique: true
|
||||||
t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
|
t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
|
||||||
|
|
Loading…
Reference in New Issue