diff options
| author | Patrick Figel <patrick@figel.email> | 2017-04-15 13:26:03 +0200 |
|---|---|---|
| committer | Eugen <eugen@zeonfederated.com> | 2017-04-15 13:26:03 +0200 |
| commit | df4ff9a8e13d776e1670c232655db0275a353a0f (patch) | |
| tree | a7bdb4c0240e169bac01bf67b76f685e9a9b4a67 /app | |
| parent | 67ad84b7ebf080d6a6cbcb7d299e02c2a51d955e (diff) | |
Add recovery code support for two-factor auth (#1773)
* Add recovery code support for two-factor auth
When users enable two-factor auth, the app now generates ten
single-use recovery codes. Users are encouraged to print the codes
and store them in a safe place.
The two-factor prompt during login now accepts both OTP codes and
recovery codes.
The two-factor settings UI allows users to regenerated lost
recovery codes. Users who have set up two-factor auth prior to
this feature being added can use it to generate recovery codes
for the first time.
Fixes #563 and fixes #987
* Set OTP_SECRET in test enviroment
* add missing .html to view file names
Diffstat (limited to 'app')
| -rw-r--r-- | app/assets/stylesheets/lists.scss | 9 | ||||
| -rw-r--r-- | app/controllers/auth/sessions_controller.rb | 3 | ||||
| -rw-r--r-- | app/controllers/settings/two_factor_auths_controller.rb | 10 | ||||
| -rw-r--r-- | app/models/user.rb | 4 | ||||
| -rw-r--r-- | app/views/auth/sessions/two_factor.html.haml | 4 | ||||
| -rw-r--r-- | app/views/settings/two_factor_auths/_recovery_codes.html.haml | 7 | ||||
| -rw-r--r-- | app/views/settings/two_factor_auths/create.html.haml | 4 | ||||
| -rw-r--r-- | app/views/settings/two_factor_auths/recovery_codes.html.haml | 4 | ||||
| -rw-r--r-- | app/views/settings/two_factor_auths/show.html.haml | 5 |
9 files changed, 45 insertions, 5 deletions
diff --git a/app/assets/stylesheets/lists.scss b/app/assets/stylesheets/lists.scss index eac9f5a2ca7..13243aae5cd 100644 --- a/app/assets/stylesheets/lists.scss +++ b/app/assets/stylesheets/lists.scss @@ -6,3 +6,12 @@ margin: 0 5px; } } + +.recovery-codes { + column-count: 2; + height: 100px; + li { + list-style: decimal; + margin-left: 20px; + } +} diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb index 4184750f339..a187ae6daa1 100644 --- a/app/controllers/auth/sessions_controller.rb +++ b/app/controllers/auth/sessions_controller.rb @@ -49,7 +49,8 @@ class Auth::SessionsController < Devise::SessionsController end def valid_otp_attempt?(user) - user.validate_and_consume_otp!(user_params[:otp_attempt]) + user.validate_and_consume_otp!(user_params[:otp_attempt]) || + user.invalidate_otp_backup_code!(user_params[:otp_attempt]) end def authenticate_with_two_factor diff --git a/app/controllers/settings/two_factor_auths_controller.rb b/app/controllers/settings/two_factor_auths_controller.rb index 203d1fc46bb..bfe3868f3b7 100644 --- a/app/controllers/settings/two_factor_auths_controller.rb +++ b/app/controllers/settings/two_factor_auths_controller.rb @@ -19,9 +19,9 @@ class Settings::TwoFactorAuthsController < ApplicationController def create if current_user.validate_and_consume_otp!(confirmation_params[:code]) current_user.otp_required_for_login = true + @codes = current_user.generate_otp_backup_codes! current_user.save! - - redirect_to settings_two_factor_auth_path, notice: I18n.t('two_factor_auth.enabled_success') + flash[:notice] = I18n.t('two_factor_auth.enabled_success') else @confirmation = Form::TwoFactorConfirmation.new set_qr_code @@ -30,6 +30,12 @@ class Settings::TwoFactorAuthsController < ApplicationController end end + def recovery_codes + @codes = current_user.generate_otp_backup_codes! + current_user.save! + flash[:notice] = I18n.t('two_factor_auth.recovery_codes_regenerated') + end + def disable current_user.otp_required_for_login = false current_user.save! diff --git a/app/models/user.rb b/app/models/user.rb index d2aa5d809f8..27a38674e44 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -5,7 +5,9 @@ class User < ApplicationRecord devise :registerable, :recoverable, :rememberable, :trackable, :validatable, :confirmable, - :two_factor_authenticatable, otp_secret_encryption_key: ENV['OTP_SECRET'] + :two_factor_authenticatable, :two_factor_backupable, + otp_secret_encryption_key: ENV['OTP_SECRET'], + otp_number_of_backup_codes: 10 belongs_to :account, inverse_of: :user accepts_nested_attributes_for :account diff --git a/app/views/auth/sessions/two_factor.html.haml b/app/views/auth/sessions/two_factor.html.haml index 1deff82b2e3..3dec40c44ca 100644 --- a/app/views/auth/sessions/two_factor.html.haml +++ b/app/views/auth/sessions/two_factor.html.haml @@ -2,7 +2,9 @@ = t('auth.login') = simple_form_for(resource, as: resource_name, url: session_path(resource_name), method: :post) do |f| - = f.input :otp_attempt, type: :number, placeholder: t('simple_form.labels.defaults.otp_attempt'), input_html: { 'aria-label' => t('simple_form.labels.defaults.otp_attempt') }, required: true, autofocus: true, autocomplete: 'off' + = f.input :otp_attempt, type: :number, placeholder: t('simple_form.labels.defaults.otp_attempt'), + input_html: { 'aria-label' => t('simple_form.labels.defaults.otp_attempt') }, required: true, autofocus: true, autocomplete: 'off', + hint: t('simple_form.hints.sessions.otp') .actions = f.button :button, t('auth.login'), type: :submit diff --git a/app/views/settings/two_factor_auths/_recovery_codes.html.haml b/app/views/settings/two_factor_auths/_recovery_codes.html.haml new file mode 100644 index 00000000000..c23311e2a04 --- /dev/null +++ b/app/views/settings/two_factor_auths/_recovery_codes.html.haml @@ -0,0 +1,7 @@ +%p.hint= t('two_factor_auth.recovery_instructions') + +%h3= t('two_factor_auth.recovery_codes') +%ol.recovery-codes + - @codes.each do |code| + %li + %samp= code diff --git a/app/views/settings/two_factor_auths/create.html.haml b/app/views/settings/two_factor_auths/create.html.haml new file mode 100644 index 00000000000..8710b6e020f --- /dev/null +++ b/app/views/settings/two_factor_auths/create.html.haml @@ -0,0 +1,4 @@ +- content_for :page_title do + = t('settings.two_factor_auth') + += render 'recovery_codes' diff --git a/app/views/settings/two_factor_auths/recovery_codes.html.haml b/app/views/settings/two_factor_auths/recovery_codes.html.haml new file mode 100644 index 00000000000..8710b6e020f --- /dev/null +++ b/app/views/settings/two_factor_auths/recovery_codes.html.haml @@ -0,0 +1,4 @@ +- content_for :page_title do + = t('settings.two_factor_auth') + += render 'recovery_codes' diff --git a/app/views/settings/two_factor_auths/show.html.haml b/app/views/settings/two_factor_auths/show.html.haml index 047fe0c544e..bf19d24f134 100644 --- a/app/views/settings/two_factor_auths/show.html.haml +++ b/app/views/settings/two_factor_auths/show.html.haml @@ -8,3 +8,8 @@ = link_to t('two_factor_auth.disable'), disable_settings_two_factor_auth_path, data: { method: 'POST' }, class: 'block-button' - else = link_to t('two_factor_auth.setup'), new_settings_two_factor_auth_path, class: 'block-button' + +- if current_user.otp_required_for_login + .simple_form + %p.hint= t('two_factor_auth.lost_recovery_codes') + = link_to t('two_factor_auth.generate_recovery_codes'), recovery_codes_settings_two_factor_auth_path, data: { method: 'POST' }, class: 'block-button' |