FEATURE: Implement 2factor login TOTP

implemented review items. Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds. I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail. Translatable texts. Move second factor logic to a helper class. Move second factor specific controller endpoints to its own controller. Move serialization logic for 2-factor details in admin user views. Add a login ember component for de-duplication Fix up code formatting Change verbiage of google authenticator add controller tests: second factor controller tests change email tests change password tests admin login tests add qunit tests - password reset, preferences fix: check for 2factor on change email controller fix: email controller - only show second factor errors on attempt fix: check against 'true' to enable second factor. Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP add two factor to email signin link rate limit if second factor token present add rate limiter test for second factor attempts
2025-05-31 11:37:19 +08:00 · 2017-12-21 17:18:12 -08:00
parent b6e82815bd
commit f4f8a293e7
52 changed files with 1005 additions and 45 deletions
--- a/app/serializers/admin_detailed_user_serializer.rb
+++ b/app/serializers/admin_detailed_user_serializer.rb
@ -25,7 +25,9 @@ class AdminDetailedUserSerializer < AdminUserSerializer
             :user_fields,
             :bounce_score,
             :reset_bounce_score_after,
-             :can_view_action_logs
+             :can_view_action_logs,
+             :second_factor_enabled,
+             :can_disable_second_factor

  has_one :approved_by, serializer: BasicUserSerializer, embed: :objects
  has_one :api_key, serializer: ApiKeySerializer, embed: :objects
@ -34,6 +36,19 @@ class AdminDetailedUserSerializer < AdminUserSerializer
  has_one :tl3_requirements, serializer: TrustLevel3RequirementsSerializer, embed: :objects
  has_many :groups, embed: :object, serializer: BasicGroupSerializer

+  def include_second_factor_enabled?
+    scope.is_staff?
+  end
+
+  def can_disable_second_factor
+    (object.id && object.id != scope.user.try(:id)) &&
+      scope.is_staff?
+  end
+
+  def second_factor_enabled
+    SecondFactorHelper.totp_enabled?(object)
+  end
+
  def can_revoke_admin
    scope.can_revoke_admin?(object)
  end
--- a/app/serializers/user_serializer.rb
+++ b/app/serializers/user_serializer.rb
@ -1,3 +1,5 @@
+require 'rqrcode'
+
 class UserSerializer < BasicUserSerializer

  attr_accessor :omit_stats,
@ -72,7 +74,8 @@ class UserSerializer < BasicUserSerializer
             :primary_group_flair_url,
             :primary_group_flair_bg_color,
             :primary_group_flair_color,
-             :staged
+             :staged,
+             :second_factor_enabled

  has_one :invited_by, embed: :object, serializer: BasicUserSerializer
  has_many :groups, embed: :object, serializer: BasicGroupSerializer
@ -145,6 +148,15 @@ class UserSerializer < BasicUserSerializer
      (scope.is_staff? && object.staged?)
  end

+  def include_second_factor_enabled?
+    (object.id && object.id == scope.user.try(:id)) ||
+      scope.is_staff?
+  end
+
+  def second_factor_enabled
+    SecondFactorHelper.totp_enabled?(object)
+  end
+
  def can_change_bio
    !(SiteSetting.enable_sso && SiteSetting.sso_overrides_bio)
  end