Add recovery code support for two-factor auth (#1773)

* Add recovery code support for two-factor auth When users enable two-factor auth, the app now generates ten single-use recovery codes. Users are encouraged to print the codes and store them in a safe place. The two-factor prompt during login now accepts both OTP codes and recovery codes. The two-factor settings UI allows users to regenerated lost recovery codes. Users who have set up two-factor auth prior to this feature being added can use it to generate recovery codes for the first time. Fixes #563 and fixes #987 * Set OTP_SECRET in test enviroment * add missing .html to view file names
2017-04-15 13:26:03 +02:00
parent 67ad84b7eb
commit df4ff9a8e1
18 changed files with 149 additions and 15 deletions
--- a/app/assets/stylesheets/lists.scss
+++ b/app/assets/stylesheets/lists.scss
@ -6,3 +6,12 @@
    margin: 0 5px;
  }
 }
+
+.recovery-codes {
+  column-count: 2;
+  height: 100px;
+  li {
+    list-style: decimal;
+    margin-left: 20px;
+  }
+}
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@ -49,7 +49,8 @@ class Auth::SessionsController < Devise::SessionsController
  end

  def valid_otp_attempt?(user)
-    user.validate_and_consume_otp!(user_params[:otp_attempt])
+    user.validate_and_consume_otp!(user_params[:otp_attempt]) ||
+      user.invalidate_otp_backup_code!(user_params[:otp_attempt])
  end

  def authenticate_with_two_factor
--- a/app/controllers/settings/two_factor_auths_controller.rb
+++ b/app/controllers/settings/two_factor_auths_controller.rb
@ -19,9 +19,9 @@ class Settings::TwoFactorAuthsController < ApplicationController
  def create
    if current_user.validate_and_consume_otp!(confirmation_params[:code])
      current_user.otp_required_for_login = true
+      @codes = current_user.generate_otp_backup_codes!
      current_user.save!
-
-      redirect_to settings_two_factor_auth_path, notice: I18n.t('two_factor_auth.enabled_success')
+      flash[:notice] = I18n.t('two_factor_auth.enabled_success')
    else
      @confirmation = Form::TwoFactorConfirmation.new
      set_qr_code
@ -30,6 +30,12 @@ class Settings::TwoFactorAuthsController < ApplicationController
    end
  end

+  def recovery_codes
+    @codes = current_user.generate_otp_backup_codes!
+    current_user.save!
+    flash[:notice] = I18n.t('two_factor_auth.recovery_codes_regenerated')
+  end
+
  def disable
    current_user.otp_required_for_login = false
    current_user.save!
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -5,7 +5,9 @@ class User < ApplicationRecord

  devise :registerable, :recoverable,
         :rememberable, :trackable, :validatable, :confirmable,
-         :two_factor_authenticatable, otp_secret_encryption_key: ENV['OTP_SECRET']
+         :two_factor_authenticatable, :two_factor_backupable,
+         otp_secret_encryption_key: ENV['OTP_SECRET'],
+         otp_number_of_backup_codes: 10

  belongs_to :account, inverse_of: :user
  accepts_nested_attributes_for :account
--- a/app/views/auth/sessions/two_factor.html.haml
+++ b/app/views/auth/sessions/two_factor.html.haml
@ -2,7 +2,9 @@
  = t('auth.login')

 = simple_form_for(resource, as: resource_name, url: session_path(resource_name), method: :post) do |f|
-  = f.input :otp_attempt, type: :number, placeholder: t('simple_form.labels.defaults.otp_attempt'), input_html: { 'aria-label' => t('simple_form.labels.defaults.otp_attempt') }, required: true, autofocus: true, autocomplete: 'off'
+  = f.input :otp_attempt, type: :number, placeholder: t('simple_form.labels.defaults.otp_attempt'),
+      input_html: { 'aria-label' => t('simple_form.labels.defaults.otp_attempt') }, required: true, autofocus: true, autocomplete: 'off',
+      hint: t('simple_form.hints.sessions.otp')

  .actions
    = f.button :button, t('auth.login'), type: :submit
--- a/app/views/settings/two_factor_auths/_recovery_codes.html.haml
+++ b/app/views/settings/two_factor_auths/_recovery_codes.html.haml
@ -0,0 +1,7 @@
+%p.hint= t('two_factor_auth.recovery_instructions')
+
+%h3= t('two_factor_auth.recovery_codes')
+%ol.recovery-codes
+  - @codes.each do |code|
+    %li
+      %samp= code
--- a/app/views/settings/two_factor_auths/create.html.haml
+++ b/app/views/settings/two_factor_auths/create.html.haml
@ -0,0 +1,4 @@
+- content_for :page_title do
+  = t('settings.two_factor_auth')
+
+= render 'recovery_codes'
--- a/app/views/settings/two_factor_auths/recovery_codes.html.haml
+++ b/app/views/settings/two_factor_auths/recovery_codes.html.haml
@ -0,0 +1,4 @@
+- content_for :page_title do
+  = t('settings.two_factor_auth')
+
+= render 'recovery_codes'
--- a/app/views/settings/two_factor_auths/show.html.haml
+++ b/app/views/settings/two_factor_auths/show.html.haml
@ -8,3 +8,8 @@
    = link_to t('two_factor_auth.disable'), disable_settings_two_factor_auth_path, data: { method: 'POST' }, class: 'block-button'
  - else
    = link_to t('two_factor_auth.setup'), new_settings_two_factor_auth_path, class: 'block-button'
+
+- if current_user.otp_required_for_login
+  .simple_form
+    %p.hint= t('two_factor_auth.lost_recovery_codes')
+    = link_to t('two_factor_auth.generate_recovery_codes'), recovery_codes_settings_two_factor_auth_path, data: { method: 'POST' }, class: 'block-button'