Use :database_authenticatable strategy to check password for OTP user

This: * makes sure that after_database_authentication is called for users with enabled 2fa. * handles paranoid mode correctly
2019-06-16 04:46:42 +02:00 · 2019-06-16 04:46:42 +02:00 · 88e35d3f3a
commit 88e35d3f3a
parent ef31ea6b96
2 changed files with 5 additions and 10 deletions
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@ -19,14 +19,14 @@ class SessionsController < Devise::SessionsController
  def authenticate_with_2fa
    self.resource = find_user
    u = find_user
-    return true unless u&.otp_required_for_login?
+    return true unless resource&.otp_required_for_login?
    if params[:user][:otp_attempt].present? && session[:otp_user_id]
-      authenticate_with_two_factor_via_otp(u)
+      authenticate_with_two_factor_via_otp(resource)
-    elsif u&.valid_password?(params[:user][:password])
+    else
-      prompt_for_two_factor(u)
+      strategy = Warden::Strategies[:database_authenticatable].new(warden.env, :user)
      prompt_for_two_factor(strategy.user) if strategy.valid? && strategy._run!.successful?
    end
  end
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -15,11 +15,6 @@ end
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
  config.warden do |manager|
    manager.default_strategies(scope: :user).unshift :two_factor_authenticatable
    manager.default_strategies(scope: :user).unshift :two_factor_backupable
  end
  # The secret key used by Devise. Devise uses this key to generate
  # random tokens. Changing this key will render invalid all existing
  # confirmation, reset password and unlock tokens in the database.