FreakU
/
Retrospring
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Allow recovery codes to be used to sign in in place of a OTP

This commit is contained in:
Dominik Kwiatek 2020-11-01 18:29:11 +01:00
parent b4f479a00f
commit 5dd920eba2
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
app/controllers/user/sessions_controller.rb
View File

@ -18,7 +18,15 @@ class User::SessionsController < Devise::SessionsController
warden.lock! warden.lock!
render 'auth/two_factor_authentication' render 'auth/two_factor_authentication'
else else
if resource.authenticate_otp(params[:user][:otp_attempt], drift: APP_CONFIG.fetch(:otp_drift_period, 30).to_i) if params[:user][:otp_attempt].length == 8
found = TotpRecoveryCode.where(user_id: resource.id, code: params[:user][:otp_attempt].downcase).delete_all
if found == 1
continue_sign_in(resource, resource_name)
else
flash[:error] = t('views.auth.2fa.errors.invalid_code')
redirect_to new_user_session_url
end
elsif resource.authenticate_otp(params[:user][:otp_attempt], drift: APP_CONFIG.fetch(:otp_drift_period, 30).to_i)
continue_sign_in(resource, resource_name) continue_sign_in(resource, resource_name)
else else
sign_out(resource) sign_out(resource)