FEATURE: Implement 2factor login TOTP

implemented review items. Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds. I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail. Translatable texts. Move second factor logic to a helper class. Move second factor specific controller endpoints to its own controller. Move serialization logic for 2-factor details in admin user views. Add a login ember component for de-duplication Fix up code formatting Change verbiage of google authenticator add controller tests: second factor controller tests change email tests change password tests admin login tests add qunit tests - password reset, preferences fix: check for 2factor on change email controller fix: email controller - only show second factor errors on attempt fix: check against 'true' to enable second factor. Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP add two factor to email signin link rate limit if second factor token present add rate limiter test for second factor attempts
2025-05-24 13:51:09 +08:00 · 2017-12-21 17:18:12 -08:00
parent b6e82815bd
commit f4f8a293e7
52 changed files with 1005 additions and 45 deletions
--- a/app/controllers/users_email_controller.rb
+++ b/app/controllers/users_email_controller.rb
@ -33,6 +33,21 @@ class UsersEmailController < ApplicationController

  def confirm
    expires_now
+    token = EmailToken.confirmable params[:token]
+    change_req = token&.user&.email_change_requests
+      &.where('new_email_token_id = :token_id', token_id: token.id)
+      &.first
+    if change_req.try(:change_state) == EmailChangeRequest.states[:authorizing_new] &&
+       !EmailToken.second_factor_valid(params[:token], params[:second_factor_token])
+      @update_result = :invalid_second_factor
+      if params[:second_factor_token].present?
+        RateLimiter.new(nil, "second-factor-min-#{request.remote_ip}", 3, 1.minute).performed!
+        @show_invalid_second_factor_error = true
+      end
+      render layout: 'no_ember'
+      return
+    end
+
    updater = EmailUpdater.new
    @update_result = updater.confirm(params[:token])