Multi-factor authentication (#1817)

* Initial pass * Tests for MFA and locale cleanup * Brakeman * Update two-factor authentication status styling * Update app/models/user.rb Co-authored-by: Zach Gollwitzer <zach@maybe.co> Signed-off-by: Josh Pigford <josh@joshpigford.com> * Refactor MFA verification and session handling in tests --------- Signed-off-by: Josh Pigford <josh@joshpigford.com> Co-authored-by: Zach Gollwitzer <zach@maybe.co>
2025-08-05 05:25:24 +02:00 · 2025-02-06 14:16:53 -06:00 · 2025-02-06 14:16:53 -06:00 · 842e37658c
commit 842e37658c
parent 7ba9063e04
29 changed files with 598 additions and 33 deletions
--- a/config/locales/views/accounts/en.yml
+++ b/config/locales/views/accounts/en.yml
@ -76,5 +76,6 @@ en:
      success: "%{type} account updated"
  email_confirmations:
    new:
-      success_login: "Your email has been confirmed. Please log in with your new email address."
-      invalid_token: "Invalid or expired confirmation link."
+      invalid_token: Invalid or expired confirmation link.
+      success_login: Your email has been confirmed. Please log in with your new email
+        address.
--- a/config/locales/views/email_confirmation_mailer/en.yml
+++ b/config/locales/views/email_confirmation_mailer/en.yml
@ -2,8 +2,9 @@
 en:
  email_confirmation_mailer:
    confirmation_email:
-      subject: "Maybe: Confirm your email change"
-      greeting: "Hello!"
-      body: "You recently requested to change your email address. Click the button below to confirm this change."
-      cta: "Confirm email change"
-      expiry_notice: "This link will expire in %{hours} hours." 
+      body: You recently requested to change your email address. Click the button
+        below to confirm this change.
+      cta: Confirm email change
+      expiry_notice: This link will expire in %{hours} hours.
+      greeting: Hello!
+      subject: 'Maybe: Confirm your email change'
--- a/config/locales/views/imports/en.yml
+++ b/config/locales/views/imports/en.yml
@ -8,15 +8,15 @@ en:
          details.
        title: Clean your data
    configurations:
-      trade_import:
-        date_format_label: Date format
      mint_import:
        date_format_label: Date format
-      transaction_import:
-        date_format_label: Date format
      show:
        description: Select the columns that correspond to each field in your CSV.
        title: Configure your import
+      trade_import:
+        date_format_label: Date format
+      transaction_import:
+        date_format_label: Date format
    confirms:
      mappings:
        create_account: Create account
--- a/config/locales/views/invitations/en.yml
+++ b/config/locales/views/invitations/en.yml
@ -5,9 +5,9 @@ en:
      failure: Could not send invitation
      success: Invitation sent successfully
    destroy:
+      failure: There was a problem removing the invitation.
      not_authorized: You are not authorized to manage invitations.
      success: Invitation was successfully removed.
-      failure: There was a problem removing the invitation.
    new:
      email_label: Email Address
      email_placeholder: Enter email address
--- a/config/locales/views/mfa/en.yml
+++ b/config/locales/views/mfa/en.yml
@ -0,0 +1,35 @@
+---
+en:
+  mfa:
+    backup_codes:
+      backup_codes_description: Each code can only be used once. Keep these codes
+        safe and secure.
+      backup_codes_title: Your Backup Codes
+      continue: Continue to Security Settings
+      description: Store these backup codes in a safe place - you'll need them if
+        you lose access to your authenticator app
+      page_title: Backup Codes
+      title: Save Your Backup Codes
+    create:
+      invalid_code: Invalid verification code. Please try again.
+    disable:
+      success: Two-factor authentication has been disabled
+    new:
+      code_label: Verification Code
+      code_placeholder: Enter 6-digit code
+      description: Enhance your account security by setting up two-factor authentication
+      page_title: Two-Factor Authentication Setup
+      scan_description: Use an authenticator app like Google Authenticator or 1Password
+        to scan this QR code
+      scan_title: 1. Scan QR Code
+      title: Set Up Two-Factor Authentication
+      verify_button: Verify and Enable 2FA
+      verify_description: Enter the 6-digit code from your authenticator app
+      verify_title: 2. Enter Verification Code
+    verify:
+      description: Enter the code from your authenticator app to continue
+      page_title: Verify Two-Factor Authentication
+      title: Two-Factor Authentication
+      verify_button: Verify
+    verify_code:
+      invalid_code: Invalid authentication code. Please try again.
--- a/config/locales/views/settings/en.yml
+++ b/config/locales/views/settings/en.yml
@ -18,6 +18,7 @@ en:
      other_section_title: More
      preferences_label: Preferences
      profile_label: Account
+      security_label: Security
      self_hosting_label: Self hosting
      tags_label: Tags
      transactions_section_title: Transactions
@ -49,27 +50,26 @@ en:
        timezone: Timezone
    profiles:
      destroy:
-        not_authorized: You are not authorized to remove members.
        cannot_remove_self: You cannot remove yourself from the account.
-        member_removed: Member was successfully removed.
        member_removal_failed: There was a problem removing the member.
+        member_removed: Member was successfully removed.
+        not_authorized: You are not authorized to remove members.
      show:
        confirm_delete:
          body: Are you sure you want to permanently delete your account? This action
            is irreversible.
          title: Delete account?
-        confirm_remove_member:
-          title: Remove Member
-          body: Are you sure you want to remove %{name} from your account?
-        remove_member: Remove Member
        confirm_remove_invitation:
-          title: Remove Invitation
          body: Are you sure you want to remove the invitation for %{email}?
-        remove_invitation: Remove Invitation
+          title: Remove Invitation
+        confirm_remove_member:
+          body: Are you sure you want to remove %{name} from your account?
+          title: Remove Member
        danger_zone_title: Danger Zone
        delete_account: Delete account
        delete_account_warning: Deleting your account will permanently remove all
          your data and cannot be undone.
+        email: Email
        first_name: First Name
        household_form_input_placeholder: Enter household name
        household_form_label: Household name
@ -79,15 +79,16 @@ en:
        invitation_link: Invitation link
        invite_member: Add member
        last_name: Last Name
-        email: Email
        page_title: Account
        pending: Pending
        profile_subtitle: Customize how you appear on Maybe
        profile_title: Profile
+        remove_invitation: Remove Invitation
+        remove_member: Remove Member
        save: Save
+    securities:
+      show:
+        page_title: Security
    user_avatar_field:
      accepted_formats: JPG or PNG. 5MB max.
      choose: Choose
-  users:
-    update:
-      success: Profile updated successfully
--- a/config/locales/views/settings/hostings/en.yml
+++ b/config/locales/views/settings/hostings/en.yml
@ -5,11 +5,12 @@ en:
      invite_code_settings:
        description: Every new user that joins your instance of Maybe can only do
          so via an invite code
+        email_confirmation_description: When enabled, users must confirm their email
+          address when changing it.
+        email_confirmation_title: Require email confirmation
        generate_tokens: Generate new code
        generated_tokens: Generated codes
        title: Require invite code for signup
-        email_confirmation_title: Require email confirmation
-        email_confirmation_description: When enabled, users must confirm their email address when changing it.
      provider_settings:
        description: Configure settings for your hosting provider
        render_deploy_hook_label: Render Deploy Hook URL
--- a/config/locales/views/settings/securities/en.yml
+++ b/config/locales/views/settings/securities/en.yml
@ -0,0 +1,12 @@
+---
+en:
+  settings:
+    securities:
+      show:
+        disable_mfa: Disable 2FA
+        disable_mfa_confirm: Are you sure you want to disable two-factor authentication?
+          This will make your account less secure.
+        enable_mfa: Enable 2FA
+        mfa_description: Add an extra layer of security to your account by requiring
+          a code from your authenticator app when signing in
+        mfa_title: Two-Factor Authentication
--- a/config/locales/views/users/en.yml
+++ b/config/locales/views/users/en.yml
@ -4,6 +4,7 @@ en:
    destroy:
      success: Your account has been deleted.
    update:
-      success: "Your profile has been updated."
-      email_change_initiated: "Please check your new email address for confirmation instructions."
-      email_change_failed: "Failed to change email address."
+      email_change_failed: Failed to change email address.
+      email_change_initiated: Please check your new email address for confirmation
+        instructions.
+      success: Your profile has been updated.
--- a/config/routes.rb
+++ b/config/routes.rb
@ -1,4 +1,11 @@
 Rails.application.routes.draw do
+  # MFA routes
+  resource :mfa, controller: "mfa", only: [ :new, :create ] do
+    get :verify
+    post :verify, to: "mfa#verify_code"
+    delete :disable
+  end
+
  mount GoodJob::Engine => "good_job"

  get "changelog", to: "pages#changelog"
@ -25,6 +32,7 @@ Rails.application.routes.draw do
    resource :preferences, only: :show
    resource :hosting, only: %i[show update]
    resource :billing, only: :show
+    resource :security, only: :show
  end

  resource :subscription, only: %i[new show] do