app/controllers/auth/sessions_controller.rb

   1 # frozen_string_literal: true
   2
   3 class Auth::SessionsController < Devise::SessionsController
   4   include Devise::Controllers::Rememberable
   5
   6   layout 'auth'
   7
   8   skip_before_action :require_no_authentication, only: [:create]
   9   skip_before_action :check_suspension, only: [:destroy]
  10   prepend_before_action :authenticate_with_two_factor, if: :two_factor_enabled?, only: [:create]
  11
  12   def create
  13     super do |resource|
  14       remember_me(resource)
  15       flash[:notice] = nil
  16     end
  17   end
  18
  19   def destroy
  20     super
  21     flash[:notice] = nil
  22   end
  23
  24   protected
  25
  26   def find_user
  27     if session[:otp_user_id]
  28       User.find(session[:otp_user_id])
  29     elsif user_params[:email]
  30       User.find_by(email: user_params[:email])
  31     end
  32   end
  33
  34   def user_params
  35     params.require(:user).permit(:email, :password, :otp_attempt)
  36   end
  37
  38   def after_sign_in_path_for(_resource)
  39     last_url = stored_location_for(:user)
  40
  41     if [about_path].include?(last_url)
  42       root_path
  43     else
  44       last_url || root_path
  45     end
  46   end
  47
  48   def two_factor_enabled?
  49     find_user.try(:otp_required_for_login?)
  50   end
  51
  52   def valid_otp_attempt?(user)
  53     user.validate_and_consume_otp!(user_params[:otp_attempt]) ||
  54       user.invalidate_otp_backup_code!(user_params[:otp_attempt])
  55   rescue OpenSSL::Cipher::CipherError => _error
  56     false
  57   end
  58
  59   def authenticate_with_two_factor
  60     user = self.resource = find_user
  61
  62     if user_params[:otp_attempt].present? && session[:otp_user_id]
  63       authenticate_with_two_factor_via_otp(user)
  64     elsif user && user.valid_password?(user_params[:password])
  65       prompt_for_two_factor(user)
  66     end
  67   end
  68
  69   def authenticate_with_two_factor_via_otp(user)
  70     if valid_otp_attempt?(user)
  71       session.delete(:otp_user_id)
  72       remember_me(user)
  73       sign_in(user)
  74     else
  75       flash.now[:alert] = I18n.t('users.invalid_otp_token')
  76       prompt_for_two_factor(user)
  77     end
  78   end
  79
  80   def prompt_for_two_factor(user)
  81     session[:otp_user_id] = user.id
  82     render :two_factor
  83   end
  84 end