Fix TOTP codes not being filtered from logs during enabling/disabling (#11877)
Not a serious issue because they are meaningless past single use
This commit is contained in:
parent
3919571c39
commit
a4b60e9ba4
@ -15,7 +15,7 @@ module Settings
|
|||||||
end
|
end
|
||||||
|
|
||||||
def create
|
def create
|
||||||
if current_user.validate_and_consume_otp!(confirmation_params[:code])
|
if current_user.validate_and_consume_otp!(confirmation_params[:otp_attempt])
|
||||||
flash.now[:notice] = I18n.t('two_factor_authentication.enabled_success')
|
flash.now[:notice] = I18n.t('two_factor_authentication.enabled_success')
|
||||||
|
|
||||||
current_user.otp_required_for_login = true
|
current_user.otp_required_for_login = true
|
||||||
@ -33,7 +33,7 @@ module Settings
|
|||||||
private
|
private
|
||||||
|
|
||||||
def confirmation_params
|
def confirmation_params
|
||||||
params.require(:form_two_factor_confirmation).permit(:code)
|
params.require(:form_two_factor_confirmation).permit(:otp_attempt)
|
||||||
end
|
end
|
||||||
|
|
||||||
def prepare_two_factor_form
|
def prepare_two_factor_form
|
||||||
|
@ -34,7 +34,7 @@ module Settings
|
|||||||
private
|
private
|
||||||
|
|
||||||
def confirmation_params
|
def confirmation_params
|
||||||
params.require(:form_two_factor_confirmation).permit(:code)
|
params.require(:form_two_factor_confirmation).permit(:otp_attempt)
|
||||||
end
|
end
|
||||||
|
|
||||||
def verify_otp_required
|
def verify_otp_required
|
||||||
@ -42,8 +42,8 @@ module Settings
|
|||||||
end
|
end
|
||||||
|
|
||||||
def acceptable_code?
|
def acceptable_code?
|
||||||
current_user.validate_and_consume_otp!(confirmation_params[:code]) ||
|
current_user.validate_and_consume_otp!(confirmation_params[:otp_attempt]) ||
|
||||||
current_user.invalidate_otp_backup_code!(confirmation_params[:code])
|
current_user.invalidate_otp_backup_code!(confirmation_params[:otp_attempt])
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -3,5 +3,5 @@
|
|||||||
class Form::TwoFactorConfirmation
|
class Form::TwoFactorConfirmation
|
||||||
include ActiveModel::Model
|
include ActiveModel::Model
|
||||||
|
|
||||||
attr_accessor :code
|
attr_accessor :otp_attempt
|
||||||
end
|
end
|
||||||
|
@ -12,7 +12,7 @@
|
|||||||
%samp.qr-alternative__code= current_user.otp_secret.scan(/.{4}/).join(' ')
|
%samp.qr-alternative__code= current_user.otp_secret.scan(/.{4}/).join(' ')
|
||||||
|
|
||||||
.fields-group
|
.fields-group
|
||||||
= f.input :code, wrapper: :with_label, hint: t('two_factor_authentication.code_hint'), label: t('simple_form.labels.defaults.otp_attempt'), input_html: { :autocomplete => 'off' }, required: true
|
= f.input :otp_attempt, wrapper: :with_label, hint: t('two_factor_authentication.code_hint'), label: t('simple_form.labels.defaults.otp_attempt'), input_html: { :autocomplete => 'off' }, required: true
|
||||||
|
|
||||||
.actions
|
.actions
|
||||||
= f.button :button, t('two_factor_authentication.enable'), type: :submit
|
= f.button :button, t('two_factor_authentication.enable'), type: :submit
|
||||||
|
@ -10,7 +10,7 @@
|
|||||||
%hr/
|
%hr/
|
||||||
|
|
||||||
= simple_form_for @confirmation, url: settings_two_factor_authentication_path, method: :delete do |f|
|
= simple_form_for @confirmation, url: settings_two_factor_authentication_path, method: :delete do |f|
|
||||||
= f.input :code, wrapper: :with_label, hint: t('two_factor_authentication.code_hint'), label: t('simple_form.labels.defaults.otp_attempt'), input_html: { :autocomplete => 'off' }, required: true
|
= f.input :otp_attempt, wrapper: :with_label, hint: t('two_factor_authentication.code_hint'), label: t('simple_form.labels.defaults.otp_attempt'), input_html: { :autocomplete => 'off' }, required: true
|
||||||
|
|
||||||
.actions
|
.actions
|
||||||
= f.button :button, t('two_factor_authentication.disable'), type: :submit
|
= f.button :button, t('two_factor_authentication.disable'), type: :submit
|
||||||
|
@ -68,7 +68,7 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do
|
|||||||
true
|
true
|
||||||
end
|
end
|
||||||
|
|
||||||
post :create, params: { form_two_factor_confirmation: { code: '123456' } }
|
post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }
|
||||||
|
|
||||||
expect(assigns(:recovery_codes)).to eq otp_backup_codes
|
expect(assigns(:recovery_codes)).to eq otp_backup_codes
|
||||||
expect(flash[:notice]).to eq 'Two-factor authentication successfully enabled'
|
expect(flash[:notice]).to eq 'Two-factor authentication successfully enabled'
|
||||||
@ -85,7 +85,7 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do
|
|||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
post :create, params: { form_two_factor_confirmation: { code: '123456' } }
|
post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'renders the new view' do
|
it 'renders the new view' do
|
||||||
@ -99,7 +99,7 @@ describe Settings::TwoFactorAuthentication::ConfirmationsController do
|
|||||||
|
|
||||||
context 'when not signed in' do
|
context 'when not signed in' do
|
||||||
it 'redirects if not signed in' do
|
it 'redirects if not signed in' do
|
||||||
post :create, params: { form_two_factor_confirmation: { code: '123456' } }
|
post :create, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }
|
||||||
expect(response).to redirect_to('/auth/sign_in')
|
expect(response).to redirect_to('/auth/sign_in')
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -91,7 +91,7 @@ describe Settings::TwoFactorAuthenticationsController do
|
|||||||
true
|
true
|
||||||
end
|
end
|
||||||
|
|
||||||
post :destroy, params: { form_two_factor_confirmation: { code: '123456' } }
|
post :destroy, params: { form_two_factor_confirmation: { otp_attempt: '123456' } }
|
||||||
|
|
||||||
expect(response).to redirect_to(settings_two_factor_authentication_path)
|
expect(response).to redirect_to(settings_two_factor_authentication_path)
|
||||||
user.reload
|
user.reload
|
||||||
@ -105,7 +105,7 @@ describe Settings::TwoFactorAuthenticationsController do
|
|||||||
false
|
false
|
||||||
end
|
end
|
||||||
|
|
||||||
post :destroy, params: { form_two_factor_confirmation: { code: '057772' } }
|
post :destroy, params: { form_two_factor_confirmation: { otp_attempt: '057772' } }
|
||||||
|
|
||||||
user.reload
|
user.reload
|
||||||
expect(user.otp_required_for_login).to eq(true)
|
expect(user.otp_required_for_login).to eq(true)
|
||||||
|
Loading…
Reference in New Issue
Block a user