Multi-factor authentication (#1817)

* Initial pass * Tests for MFA and locale cleanup * Brakeman * Update two-factor authentication status styling * Update app/models/user.rb Co-authored-by: Zach Gollwitzer <zach@maybe.co> Signed-off-by: Josh Pigford <josh@joshpigford.com> * Refactor MFA verification and session handling in tests --------- Signed-off-by: Josh Pigford <josh@joshpigford.com> Co-authored-by: Zach Gollwitzer <zach@maybe.co>
2025-08-05 05:25:24 +02:00 · 2025-02-06 14:16:53 -06:00 · 2025-02-06 14:16:53 -06:00 · 842e37658c
commit 842e37658c
parent 7ba9063e04
29 changed files with 598 additions and 33 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -19,6 +19,10 @@ module ApplicationHelper
    content_for(:header_title) { page_title }
  end

+  def header_description(page_description)
+    content_for(:header_description) { page_description }
+  end
+
  def family_notifications_stream
    turbo_stream_from [ Current.family, :notifications ] if Current.family
  end
--- a/app/helpers/mfa_helper.rb
+++ b/app/helpers/mfa_helper.rb
@ -0,0 +1,20 @@
+module MfaHelper
+  def generate_mfa_qr_code(provisioning_uri)
+    qr_code = RQRCode::QRCode.new(provisioning_uri).as_svg(
+      color: "141414",
+      module_size: 4,
+      standalone: true,
+      use_path: true,
+      svg_attributes: {
+        width: "228",
+        height: "228",
+        viewBox: "0 0 57 57"
+      }
+    )
+
+    # Whitelist specific SVG attributes and elements that we know are safe
+    sanitize qr_code,
+      tags: %w[svg g path rect],
+      attributes: %w[viewBox height width fill stroke stroke-width d x y class]
+  end
+end
--- a/app/helpers/settings_helper.rb
+++ b/app/helpers/settings_helper.rb
@ -3,6 +3,7 @@ module SettingsHelper
    { name: I18n.t("settings.nav.profile_label"), path: :settings_profile_path },
    { name: I18n.t("settings.nav.preferences_label"), path: :settings_preferences_path },
    { name: I18n.t("settings.nav.self_hosting_label"), path: :settings_hosting_path, condition: :self_hosted? },
+    { name: I18n.t("settings.nav.security_label"), path: :settings_security_path },
    { name: I18n.t("settings.nav.billing_label"), path: :settings_billing_path },
    { name: I18n.t("settings.nav.accounts_label"), path: :accounts_path },
    { name: I18n.t("settings.nav.imports_label"), path: :imports_path },