Multi-factor authentication (#1817)

* Initial pass * Tests for MFA and locale cleanup * Brakeman * Update two-factor authentication status styling * Update app/models/user.rb Co-authored-by: Zach Gollwitzer <zach@maybe.co> Signed-off-by: Josh Pigford <josh@joshpigford.com> * Refactor MFA verification and session handling in tests --------- Signed-off-by: Josh Pigford <josh@joshpigford.com> Co-authored-by: Zach Gollwitzer <zach@maybe.co>
2025-07-23 15:19:38 +02:00 · 2025-02-06 14:16:53 -06:00 · 2025-02-06 14:16:53 -06:00 · 842e37658c
commit 842e37658c
parent 7ba9063e04
29 changed files with 598 additions and 33 deletions
--- a/app/controllers/mfa_controller.rb
+++ b/app/controllers/mfa_controller.rb
@ -0,0 +1,53 @@
+class MfaController < ApplicationController
+  layout :determine_layout
+  skip_authentication only: [ :verify, :verify_code ]
+
+  def new
+    redirect_to root_path if Current.user.otp_required?
+    Current.user.setup_mfa! unless Current.user.otp_secret.present?
+  end
+
+  def create
+    if Current.user.verify_otp?(params[:code])
+      Current.user.enable_mfa!
+      @backup_codes = Current.user.otp_backup_codes
+      render :backup_codes
+    else
+      Current.user.disable_mfa!
+      redirect_to new_mfa_path, alert: t(".invalid_code")
+    end
+  end
+
+  def verify
+    @user = User.find_by(id: session[:mfa_user_id])
+    redirect_to new_session_path unless @user
+  end
+
+  def verify_code
+    @user = User.find_by(id: session[:mfa_user_id])
+
+    if @user&.verify_otp?(params[:code])
+      session.delete(:mfa_user_id)
+      @session = create_session_for(@user)
+      redirect_to root_path
+    else
+      flash.now[:alert] = t(".invalid_code")
+      render :verify, status: :unprocessable_entity
+    end
+  end
+
+  def disable
+    Current.user.disable_mfa!
+    redirect_to settings_security_path, notice: t(".success")
+  end
+
+  private
+
+    def determine_layout
+      if action_name.in?(%w[verify verify_code])
+        "auth"
+      else
+        "with_sidebar"
+      end
+    end
+end