FEATURE: Implement 2factor login TOTP

implemented review items. Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds. I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail. Translatable texts. Move second factor logic to a helper class. Move second factor specific controller endpoints to its own controller. Move serialization logic for 2-factor details in admin user views. Add a login ember component for de-duplication Fix up code formatting Change verbiage of google authenticator add controller tests: second factor controller tests change email tests change password tests admin login tests add qunit tests - password reset, preferences fix: check for 2factor on change email controller fix: email controller - only show second factor errors on attempt fix: check against 'true' to enable second factor. Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP add two factor to email signin link rate limit if second factor token present add rate limiter test for second factor attempts
2025-05-21 18:12:32 +08:00 · 2017-12-21 17:18:12 -08:00
parent b6e82815bd
commit f4f8a293e7
52 changed files with 1005 additions and 45 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -470,12 +470,21 @@ class UsersController < ApplicationController
      end
    end

+    if @user && (!SecondFactorHelper.totp_enabled?(@user) || SecondFactorHelper.authenticate(@user, params[:second_factor_token]))
+      secure_session["second-factor-#{token}"] = "true"
+    end
+    @valid_second_factor = secure_session["second-factor-#{token}"] == "true"
+
    if !@user
      @error = I18n.t('password_reset.no_token')
    elsif request.put?
      @invalid_password = params[:password].blank? || params[:password].length > User.max_password_length

-      if @invalid_password
+      if !@valid_second_factor
+        RateLimiter.new(nil, "second-factor-min-#{request.remote_ip}", 3, 1.minute).performed!
+        @user.errors.add(:second_factor, :invalid)
+        @error = I18n.t('login.invalid_second_factor_code')
+      elsif @invalid_password
        @user.errors.add(:password, :invalid)
      else
        @user.password = params[:password]
@ -484,6 +493,7 @@ class UsersController < ApplicationController
        if @user.save
          Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
          secure_session["password-#{token}"] = nil
+          secure_session["second-factor-#{token}"] = nil
          logon_after_password_reset
        end
      end
@ -496,7 +506,7 @@ class UsersController < ApplicationController
        else
          store_preloaded(
            "password_reset",
-            MultiJson.dump(is_developer: UsernameCheckerService.is_developer?(@user.email), admin: @user.admin?)
+            MultiJson.dump(is_developer: UsernameCheckerService.is_developer?(@user.email), admin: @user.admin?, second_factor_required: !@valid_second_factor)
          )
        end
        return redirect_to(wizard_path) if request.put? && Wizard.user_requires_completion?(@user)
@ -521,7 +531,7 @@ class UsersController < ApplicationController
            }
          end
        else
-          render json: { is_developer: UsernameCheckerService.is_developer?(@user.email), admin: @user.admin? }
+          render json: { is_developer: UsernameCheckerService.is_developer?(@user.email), admin: @user.admin?, second_factor_required: !@valid_second_factor }
        end
      end
    end
@ -550,7 +560,7 @@ class UsersController < ApplicationController
  def admin_login
    return redirect_to(path("/")) if current_user

-    if request.put?
+    if request.put? && params[:email].present?
      RateLimiter.new(nil, "admin-login-hr-#{request.remote_ip}", 6, 1.hour).performed!
      RateLimiter.new(nil, "admin-login-min-#{request.remote_ip}", 3, 1.minute).performed!

@ -563,13 +573,20 @@ class UsersController < ApplicationController
      end
    elsif params[:token].present?
      if EmailToken.valid_token_format?(params[:token])
-        @user = EmailToken.confirm(params[:token])
-
-        if @user&.admin?
-          log_on_user(@user)
-          return redirect_to path("/")
+        if params[:second_factor_token].present?
+          RateLimiter.new(nil, "second-factor-min-#{request.remote_ip}", 3, 1.minute).performed!
+        end
+        if EmailToken.second_factor_valid(params[:token], params[:second_factor_token])
+          @user = EmailToken.confirm(params[:token])
+          if @user && @user.admin?
+            log_on_user(@user)
+            return redirect_to path("/")
+          else
+            @message = I18n.t("admin_login.errors.unknown_email_address")
+          end
        else
-          @message = I18n.t("admin_login.errors.unknown_email_address")
+          @second_factor_required = true
+          @message = I18n.t("login.second_factor_title")
        end
      else
        @message = I18n.t("admin_login.errors.invalid_token")