Comments (7)
I'm running into the same issue, and in my case, I'm overriding `after_resetting_password_path_for(resource)` in the Devise `passwords_controller` to take the user to the `show` action of the `two_factor_authentication_controller`. However, I have modified the `show` action to check if the user is already fully authenticated, and if so, they get redirected somewhere else.

The problem is that after the user resets their password `is_fully_authenticated?` is returning `true`. I don't understand why. That seems like a bug, no? When a user signs in via the Devise `sessions_controller`, `is_fully_authenticated?` is returning `false` as expected, and the user is prompted to enter their OTP. Why is the same behavior not happening after Devise signs the user in after they reset their password?

I don't understand the code enough to know what I need to modify to make this work.

Thanks for any help anyone can provide.
from two_factor_authentication.
To force a user to enter his tfa code after recovering his account, you have to add the following line to the password_controller `update` method:

```ruby
warden.session(resource_name)[TwoFactorAuthentication::NEED_AUTHENTICATION] = true
```

This cookie in the warden session is used in `is_fully_authenticated?` to determine if the user needs to enter his tfa code.

Hello,

You showed a nice use case.

As of now we never ask for the code during password recovery. It makes sense: if a user forgot his password, he has lost his shared secret for sure. A separate email is like second_factor_authentication.

On the other hand it would be useful to have a separate option to tune this.

What is the right behaviour? What do you think?

So I should explain a bit more. I am running 0.2 because trying to upgrade to 1.0 was not a simple task for me. For now, I'm stuck on 0.2.

I have my ApplicationController with the following method:

```ruby
# Devise hook in ApplicationController: decide where to send the user after sign-in
def after_sign_in_path_for(resource)
  if resource.valid_mfa_cookie?(request)
    # trusted-device cookie present: read the signed return-to cookie (value unused here)
    # and let Devise's default redirect handle the destination
    request.cookie_jar.signed[:_return_to] if request && request.cookie_jar
    super
  else
    # no valid MFA cookie: send the user to the OTP entry page
    flash.clear
    two_factor_authentication_path_for(resource)
  end
end
```

I did this to be able to store an encrypted version of the two factor auth token in client-side cookies so they could use the same location to log in for however long I set the cookie expiration. The issue is that this relies on `lib/two_factor_authentication/hooks/two_factor_authenticatable.rb` running the appropriate callback for:

```ruby
Warden::Manager.after_authentication do |user, auth, options|
```

Since this callback doesn't get fired when a user logs in through the password recovery (see my original post for a detailed explanation on why that doesn't happen), the code in the user model is never executed and the password is never sent. As far as I can see with 1.0, this is still the same case. In my case, with my `after_sign_in_path_for` override, I am getting redirected to the two_factor_authentication page after a successful password recovery, but since the `Warden::Manager.after_authentication` callback does not get run, no auth code is generated and sent.

In my opinion, I would assume one of two things should happen after a successful password recovery:

- If a user needs two factor authentication, they should get the two factor auth code entry page and a code is sent to them.
- The user is not auto-logged in to the application, but is instead kept logged out and forwarded to a log in page that would then properly trigger the two factor code generation callback.

I can see positives and negatives to both approaches.

Wrong button. Definitely want to keep this open for now.

I think the 2fa callback should be triggered also when the user enters a new password in `passwords#update`. 2fa is a mechanism to also prevent social engineering attacks and should also protect the user account when the email account is compromised. Any plans to add this?

What we ended up doing is setting `config.sign_in_after_reset_password = false` in the Devise config. This means the user does not get automatically signed in after resetting their password. They have to sign in again manually, and when they do, they will be prompted for their 2FA code.
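A runnable model of the session flag described in the second comment and of the `sign_in_after_reset_password` setting from the last one, added here as an illustration; it is not code from the two_factor_authentication gem or from Devise, and the flag name, its value and the `FakeWardenSession` class are assumed stand-ins for `TwoFactorAuthentication::NEED_AUTHENTICATION` and `warden.session(resource_name)`.

```ruby
# Added example: a simplified stand-in for the Warden session that the
# two_factor_authentication gem inspects. Not the gem's or Devise's code.
# Assumed stand-in for TwoFactorAuthentication::NEED_AUTHENTICATION.
NEED_AUTHENTICATION = 'need_two_factor_authentication'.freeze

class FakeWardenSession
  attr_reader :user

  def initialize
    @user = nil   # signed-in user, nil when logged out
    @data = {}    # stands in for warden.session(resource_name)
  end

  # Normal sign-in through Devise's sessions#create: the gem's
  # Warden::Manager.after_authentication hook runs and sets the flag.
  def sign_in_via_sessions(user)
    @user = user
    @data[NEED_AUTHENTICATION] = true
  end

  # Sign-in performed by Devise's passwords#update after a reset. The Warden
  # hook does not fire here, so the flag is only set if the controller sets
  # it explicitly (the one-liner from the thread).
  def sign_in_after_password_reset(user, set_flag: false, auto_sign_in: true)
    return unless auto_sign_in   # config.sign_in_after_reset_password = false
    @user = user
    @data[NEED_AUTHENTICATION] = true if set_flag
  end

  # Signed in and not flagged: this is what the thread says
  # is_fully_authenticated? checks.
  def is_fully_authenticated?
    !@user.nil? && !@data[NEED_AUTHENTICATION]
  end
end

# Run the four flows from the thread and report is_fully_authenticated? for each.
def reset_flow_outcomes
  normal = FakeWardenSession.new.tap { |s| s.sign_in_via_sessions('alice') }
  buggy = FakeWardenSession.new.tap { |s| s.sign_in_after_password_reset('alice') }
  flagged = FakeWardenSession.new.tap { |s| s.sign_in_after_password_reset('alice', set_flag: true) }
  manual = FakeWardenSession.new.tap { |s| s.sign_in_after_password_reset('alice', auto_sign_in: false) }
  {
    sessions_sign_in: normal.is_fully_authenticated?,     # false: OTP still required
    reset_unpatched: buggy.is_fully_authenticated?,       # true: OTP prompt skipped
    reset_with_flag: flagged.is_fully_authenticated?,     # false: fix from the thread
    reset_no_auto_sign_in: manual.is_fully_authenticated? # false: user must log in again
  }
end
```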