closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6442 Commits
4 Branches
567 MiB
Tree: 3281df0df1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3281df0df1'
${ noResults }
mastodon/app/controllers/settings/two_factor_authentications_...

47 lines
1.3 KiB
Raw Normal View History

2FA controller cleanup (#2296) * Add spec coverage for settings/two_factor_auth area * extract setup method for qr code * Move otp required check to before action * Merge method only used once * Remove duplicate view * Consolidate creation of @codes for backup * Move settings/2fq#recovery_codes to settings/recovery_codes#create * Rename settings/two_factor_auth#disable to #destroy * Add coverage for the otp required path on 2fa#show * Clean up the recovery codes list styles * Move settings/two_factor_auth to settings/two_factor_authentication * Reorganize the settings two factor auth area Updated to use a flow like: - settings/two_factor_authentication goes to a #show view which has a button either enable or disable 2fa on the account - the disable button turns off the otp requirement for the user - the enable button cycles the user secret and redirects to a confirmation page - the confirmation page is a #new view which shows the QR code for user - that page posts to #create which verifies the code, and creates the recovery codes - that create action shares a view with a recovery codes controller which can be used separately to reset codes if needed
7 years ago
Create Settings::BaseController (#9507) Define `Settings::BaseController#set_body_classes` so that sub classes inherit `Settings::BaseController` don't need to define `#set_body_classes` agein.
5 years ago
2FA controller cleanup (#2296) * Add spec coverage for settings/two_factor_auth area * extract setup method for qr code * Move otp required check to before action * Merge method only used once * Remove duplicate view * Consolidate creation of @codes for backup * Move settings/2fq#recovery_codes to settings/recovery_codes#create * Rename settings/two_factor_auth#disable to #destroy * Add coverage for the otp required path on 2fa#show * Clean up the recovery codes list styles * Move settings/two_factor_auth to settings/two_factor_authentication * Reorganize the settings two factor auth area Updated to use a flow like: - settings/two_factor_authentication goes to a #show view which has a button either enable or disable 2fa on the account - the disable button turns off the otp requirement for the user - the enable button cycles the user secret and redirects to a confirmation page - the confirmation page is a #new view which shows the QR code for user - that page posts to #create which verifies the code, and creates the recovery codes - that create action shares a view with a recovery codes controller which can be used separately to reset codes if needed
7 years ago
Fix #3910 - Require OTP authentication to disable 2FA (#3935) * Fix #3910 - Require OTP authentication to disable 2FA. Also, remove ability to generate new OTP backup codes *after* initial backup codes were handed out during activation * Restore recovery code re-generation * Improve display of some 2FA elements
7 years ago
2FA controller cleanup (#2296) * Add spec coverage for settings/two_factor_auth area * extract setup method for qr code * Move otp required check to before action * Merge method only used once * Remove duplicate view * Consolidate creation of @codes for backup * Move settings/2fq#recovery_codes to settings/recovery_codes#create * Rename settings/two_factor_auth#disable to #destroy * Add coverage for the otp required path on 2fa#show * Clean up the recovery codes list styles * Move settings/two_factor_auth to settings/two_factor_authentication * Reorganize the settings two factor auth area Updated to use a flow like: - settings/two_factor_authentication goes to a #show view which has a button either enable or disable 2fa on the account - the disable button turns off the otp requirement for the user - the enable button cycles the user secret and redirects to a confirmation page - the confirmation page is a #new view which shows the QR code for user - that page posts to #create which verifies the code, and creates the recovery codes - that create action shares a view with a recovery codes controller which can be used separately to reset codes if needed
7 years ago
Fix #4026 - Accept backup codes for disabling 2FA (#4382)
7 years ago
Fix #3910 - Require OTP authentication to disable 2FA (#3935) * Fix #3910 - Require OTP authentication to disable 2FA. Also, remove ability to generate new OTP backup codes *after* initial backup codes were handed out during activation * Restore recovery code re-generation * Improve display of some 2FA elements
7 years ago
2FA controller cleanup (#2296) * Add spec coverage for settings/two_factor_auth area * extract setup method for qr code * Move otp required check to before action * Merge method only used once * Remove duplicate view * Consolidate creation of @codes for backup * Move settings/2fq#recovery_codes to settings/recovery_codes#create * Rename settings/two_factor_auth#disable to #destroy * Add coverage for the otp required path on 2fa#show * Clean up the recovery codes list styles * Move settings/two_factor_auth to settings/two_factor_authentication * Reorganize the settings two factor auth area Updated to use a flow like: - settings/two_factor_authentication goes to a #show view which has a button either enable or disable 2fa on the account - the disable button turns off the otp requirement for the user - the enable button cycles the user secret and redirects to a confirmation page - the confirmation page is a #new view which shows the QR code for user - that page posts to #create which verifies the code, and creates the recovery codes - that create action shares a view with a recovery codes controller which can be used separately to reset codes if needed
7 years ago
Fix #3910 - Require OTP authentication to disable 2FA (#3935) * Fix #3910 - Require OTP authentication to disable 2FA. Also, remove ability to generate new OTP backup codes *after* initial backup codes were handed out during activation * Restore recovery code re-generation * Improve display of some 2FA elements
7 years ago
2FA controller cleanup (#2296) * Add spec coverage for settings/two_factor_auth area * extract setup method for qr code * Move otp required check to before action * Merge method only used once * Remove duplicate view * Consolidate creation of @codes for backup * Move settings/2fq#recovery_codes to settings/recovery_codes#create * Rename settings/two_factor_auth#disable to #destroy * Add coverage for the otp required path on 2fa#show * Clean up the recovery codes list styles * Move settings/two_factor_auth to settings/two_factor_authentication * Reorganize the settings two factor auth area Updated to use a flow like: - settings/two_factor_authentication goes to a #show view which has a button either enable or disable 2fa on the account - the disable button turns off the otp requirement for the user - the enable button cycles the user secret and redirects to a confirmation page - the confirmation page is a #new view which shows the QR code for user - that page posts to #create which verifies the code, and creates the recovery codes - that create action shares a view with a recovery codes controller which can be used separately to reset codes if needed
7 years ago
Fix #4026 - Accept backup codes for disabling 2FA (#4382)
7 years ago
2FA controller cleanup (#2296) * Add spec coverage for settings/two_factor_auth area * extract setup method for qr code * Move otp required check to before action * Merge method only used once * Remove duplicate view * Consolidate creation of @codes for backup * Move settings/2fq#recovery_codes to settings/recovery_codes#create * Rename settings/two_factor_auth#disable to #destroy * Add coverage for the otp required path on 2fa#show * Clean up the recovery codes list styles * Move settings/two_factor_auth to settings/two_factor_authentication * Reorganize the settings two factor auth area Updated to use a flow like: - settings/two_factor_authentication goes to a #show view which has a button either enable or disable 2fa on the account - the disable button turns off the otp requirement for the user - the enable button cycles the user secret and redirects to a confirmation page - the confirmation page is a #new view which shows the QR code for user - that page posts to #create which verifies the code, and creates the recovery codes - that create action shares a view with a recovery codes controller which can be used separately to reset codes if needed
7 years ago
 
  1. # frozen_string_literal: true
  2. 

  3. module Settings
  4.   class TwoFactorAuthenticationsController < BaseController
  5.     layout 'admin'
  6. 

  7.     before_action :authenticate_user!
  8.     before_action :verify_otp_required, only: [:create]
  9. 

  10.     def show
  11.       @confirmation = Form::TwoFactorConfirmation.new
  12.     end
  13. 

  14.     def create
  15.       current_user.otp_secret = User.generate_otp_secret(32)
  16.       current_user.save!
  17.       redirect_to new_settings_two_factor_authentication_confirmation_path
  18.     end
  19. 

  20.     def destroy
  21.       if acceptable_code?
  22.         current_user.otp_required_for_login = false
  23.         current_user.save!
  24.         redirect_to settings_two_factor_authentication_path
  25.       else
  26.         flash.now[:alert] = I18n.t('two_factor_authentication.wrong_code')
  27.         @confirmation = Form::TwoFactorConfirmation.new
  28.         render :show
  29.       end
  30.     end
  31. 

  32.     private
  33. 

  34.     def confirmation_params
  35.       params.require(:form_two_factor_confirmation).permit(:code)
  36.     end
  37. 

  38.     def verify_otp_required
  39.       redirect_to settings_two_factor_authentication_path if current_user.otp_required_for_login?
  40.     end
  41. 

  42.     def acceptable_code?
  43.       current_user.validate_and_consume_otp!(confirmation_params[:code]) ||
  44.         current_user.invalidate_otp_backup_code!(confirmation_params[:code])
  45.     end
  46.   end
  47. end