Commit 88e35d3f authored by Benjamin Neff's avatar Benjamin Neff

Use :database_authenticatable strategy to check password for OTP user

This:
* makes sure that after_database_authentication is called for users with
enabled 2fa.
* handles paranoid mode correctly
parent ef31ea6b
......@@ -19,14 +19,14 @@ class SessionsController < Devise::SessionsController
def authenticate_with_2fa
self.resource = find_user
u = find_user
return true unless u&.otp_required_for_login?
return true unless resource&.otp_required_for_login?
if params[:user][:otp_attempt].present? && session[:otp_user_id]
authenticate_with_two_factor_via_otp(u)
elsif u&.valid_password?(params[:user][:password])
prompt_for_two_factor(u)
authenticate_with_two_factor_via_otp(resource)
else
strategy = Warden::Strategies[:database_authenticatable].new(warden.env, :user)
prompt_for_two_factor(strategy.user) if strategy.valid? && strategy._run!.successful?
end
end
......
......@@ -15,11 +15,6 @@ end
# Use this hook to configure devise mailer, warden hooks and so forth.
# Many of these configuration options can be set straight in your model.
Devise.setup do |config|
config.warden do |manager|
manager.default_strategies(scope: :user).unshift :two_factor_authenticatable
manager.default_strategies(scope: :user).unshift :two_factor_backupable
end
# The secret key used by Devise. Devise uses this key to generate
# random tokens. Changing this key will render invalid all existing
# confirmation, reset password and unlock tokens in the database.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment