Allow recovery codes to be used to sign in in place of a OTP

This commit is contained in:
Dominik Kwiatek 2020-11-01 18:29:11 +01:00
parent b4f479a00f
commit 5dd920eba2
1 changed files with 9 additions and 1 deletions

View File

@ -18,7 +18,15 @@ class User::SessionsController < Devise::SessionsController
warden.lock!
render 'auth/two_factor_authentication'
else
if resource.authenticate_otp(params[:user][:otp_attempt], drift: APP_CONFIG.fetch(:otp_drift_period, 30).to_i)
if params[:user][:otp_attempt].length == 8
found = TotpRecoveryCode.where(user_id: resource.id, code: params[:user][:otp_attempt].downcase).delete_all
if found == 1
continue_sign_in(resource, resource_name)
else
flash[:error] = t('views.auth.2fa.errors.invalid_code')
redirect_to new_user_session_url
end
elsif resource.authenticate_otp(params[:user][:otp_attempt], drift: APP_CONFIG.fetch(:otp_drift_period, 30).to_i)
continue_sign_in(resource, resource_name)
else
sign_out(resource)