SECURITY: Add confirmation screen when logging in via user-api OTP

2025-05-21 18:12:32 +08:00 · 2019-06-12 18:32:13 +01:00
parent 52387be4a4
commit e6e47f2fb2
5 changed files with 54 additions and 5 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -365,12 +365,19 @@ class SessionController < ApplicationController
  end

  def one_time_password
-    otp_username = $redis.get "otp_#{params[:token]}"
+    @otp_username = otp_username = $redis.get "otp_#{params[:token]}"

    if otp_username && user = User.find_by_username(otp_username)
-      log_on_user(user)
-      $redis.del "otp_#{params[:token]}"
-      return redirect_to path("/")
+      if current_user&.username == otp_username
+        $redis.del "otp_#{params[:token]}"
+        return redirect_to path("/")
+      elsif request.post?
+        log_on_user(user)
+        $redis.del "otp_#{params[:token]}"
+        return redirect_to path("/")
+      else
+        # Display the form
+      end
    else
      @error = I18n.t('user_api_key.invalid_token')
    end