app/controllers/auth/sessions_controller.rb

   1 # frozen_string_literal: true
   2
   3 class Auth::SessionsController < Devise::SessionsController
   4   include Devise::Controllers::Rememberable
   5
   6   layout 'auth'
   7
   8   skip_before_action :require_no_authentication, only: [:create]
   9   prepend_before_action :authenticate_with_two_factor, if: :two_factor_enabled?, only: [:create]
  10
  11   def create
  12     super do |resource|
  13       remember_me(resource)
  14       flash[:notice] = nil
  15     end
  16   end
  17
  18   def destroy
  19     super
  20     flash[:notice] = nil
  21   end
  22
  23   protected
  24
  25   def find_user
  26     if session[:otp_user_id]
  27       User.find(session[:otp_user_id])
  28     elsif user_params[:email]
  29       User.find_by(email: user_params[:email])
  30     end
  31   end
  32
  33   def user_params
  34     params.require(:user).permit(:email, :password, :otp_attempt)
  35   end
  36
  37   def after_sign_in_path_for(_resource)
  38     last_url = stored_location_for(:user)
  39
  40     if [about_path].include?(last_url)
  41       root_path
  42     else
  43       last_url || root_path
  44     end
  45   end
  46
  47   def two_factor_enabled?
  48     find_user.try(:otp_required_for_login?)
  49   end
  50
  51   def valid_otp_attempt?(user)
  52     user.validate_and_consume_otp!(user_params[:otp_attempt]) ||
  53       user.invalidate_otp_backup_code!(user_params[:otp_attempt])
  54   rescue OpenSSL::Cipher::CipherError => _error
  55     false
  56   end
  57
  58   def authenticate_with_two_factor
  59     user = self.resource = find_user
  60
  61     if user_params[:otp_attempt].present? && session[:otp_user_id]
  62       authenticate_with_two_factor_via_otp(user)
  63     elsif user && user.valid_password?(user_params[:password])
  64       prompt_for_two_factor(user)
  65     end
  66   end
  67
  68   def authenticate_with_two_factor_via_otp(user)
  69     if valid_otp_attempt?(user)
  70       session.delete(:otp_user_id)
  71       remember_me(user)
  72       sign_in(user)
  73     else
  74       flash.now[:alert] = I18n.t('users.invalid_otp_token')
  75       prompt_for_two_factor(user)
  76     end
  77   end
  78
  79   def prompt_for_two_factor(user)
  80     session[:otp_user_id] = user.id
  81     render :two_factor
  82   end
  83 end