Update `devise-two-factor` to version 5.0.0 (#28325)

Co-authored-by: Claire <claire.github-309c@sitedethib.com>

1 files changed, 39 insertions, 0 deletions

diff --git a/db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb b/db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb
new file mode 100644
index 00000000000..360e4806da2
--- /dev/null
+++ b/db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class MigrateDeviseTwoFactorSecrets < ActiveRecord::Migration[7.1]
+  disable_ddl_transaction!
+
+  class MigrationUser < ApplicationRecord
+    self.table_name = :users
+
+    devise :two_factor_authenticatable,
+           otp_secret_encryption_key: Rails.configuration.x.otp_secret
+
+    include LegacyOtpSecret # Must be after the above `devise` line in order to override the legacy method
+  end
+
+  def up
+    MigrationUser.reset_column_information
+
+    users_with_otp_enabled.find_each do |user|
+      # Gets the new value on already-updated users
+      # Falls back to legacy value on not-yet-migrated users
+      otp_secret = user.otp_secret
+
+      Rails.logger.debug { "Processing #{user.email}" }
+
+      # This is a no-op for migrated users and updates format for not migrated
+      user.update!(otp_secret: otp_secret)
+    end
+  end
+
+  def down
+    raise ActiveRecord::IrreversibleMigration
+  end
+
+  private
+
+  def users_with_otp_enabled
+    MigrationUser.where(otp_required_for_login: true, otp_secret: nil)
+  end
+end