Unverified Commit 88e35d3f authored by Benjamin Neff's avatar Benjamin Neff

Use :database_authenticatable strategy to check password for OTP user

This:
* makes sure that after_database_authentication is called for users with
2fa enabled.
* handles paranoid mode correctly
parent ef31ea6b
+5 −5
@@ -19,14 +19,14 @@ class SessionsController < Devise::SessionsController

  def authenticate_with_2fa
    self.resource = find_user
    u = find_user

    return true unless u&.otp_required_for_login?
    return true unless resource&.otp_required_for_login?

    if params[:user][:otp_attempt].present? && session[:otp_user_id]
      authenticate_with_two_factor_via_otp(u)
    elsif u&.valid_password?(params[:user][:password])
      prompt_for_two_factor(u)
      authenticate_with_two_factor_via_otp(resource)
    else
      strategy = Warden::Strategies[:database_authenticatable].new(warden.env, :user)
      prompt_for_two_factor(strategy.user) if strategy.valid? && strategy._run!.successful?
    end
  end
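Review bot: The new else branch calls `strategy._run!`, which as far as I recall Warden's strategy base marks as internal (`:api: private`), so this couples the 2FA flow to a Warden implementation detail that can change without notice; a short comment should record why the strategy is driven by hand here, e.g. `# Run the strategy directly: warden.authenticate would set the session user before the OTP step, and routing through the strategy keeps paranoid-mode messages and after_database_authentication consistent with plain logins.` A second point on the OTP branch: `authenticate_with_two_factor_via_otp(resource)` receives the user looked up from params by find_user, while the branch is gated only on `session[:otp_user_id]` being set; that helper is outside the hunk, so please confirm it rejects the attempt when `resource.id` differs from `session[:otp_user_id]`, otherwise the password check passed for one account would gate the OTP check for another. The `return true` on a non-2FA user and the nil return on a failed strategy both rely on the caller's fallthrough behaviour, which is also outside this hunk.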

+0 −5
@@ -15,11 +15,6 @@ end
# Use this hook to configure devise mailer, warden hooks and so forth.
# Many of these configuration options can be set straight in your model.
Devise.setup do |config|
  config.warden do |manager|
    manager.default_strategies(scope: :user).unshift :two_factor_authenticatable
    manager.default_strategies(scope: :user).unshift :two_factor_backupable
  end

  # The secret key used by Devise. Devise uses this key to generate
  # random tokens. Changing this key will render invalid all existing
  # confirmation, reset password and unlock tokens in the database.