Add recovery code support for two-factor auth (#1773)

* Add recovery code support for two-factor auth When users enable two-factor auth, the app now generates ten single-use recovery codes. Users are encouraged to print the codes and store them in a safe place. The two-factor prompt during login now accepts both OTP codes and recovery codes. The two-factor settings UI allows users to regenerated lost recovery codes. Users who have set up two-factor auth prior to this feature being added can use it to generate recovery codes for the first time. Fixes #563 and fixes #987 * Set OTP_SECRET in test enviroment * add missing .html to view file names
author: Patrick Figel <patrick@figel.email> 2017-04-15 13:26:03 +0200
committer: Eugen <eugen@zeonfederated.com> 2017-04-15 13:26:03 +0200
commit: df4ff9a8e13d776e1670c232655db0275a353a0f (patch)
tree: a7bdb4c0240e169bac01bf67b76f685e9a9b4a67 /app/controllers/auth
parent: 67ad84b7ebf080d6a6cbcb7d299e02c2a51d955e (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb
index 4184750f3..a187ae6da 100644
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -49,7 +49,8 @@ class Auth::SessionsController < Devise::SessionsController
   end
 
   def valid_otp_attempt?(user)
-    user.validate_and_consume_otp!(user_params[:otp_attempt])
+    user.validate_and_consume_otp!(user_params[:otp_attempt]) ||
+      user.invalidate_otp_backup_code!(user_params[:otp_attempt])
   end
 
   def authenticate_with_two_factor
author	Patrick Figel <patrick@figel.email>	2017-04-15 13:26:03 +0200
committer	Eugen <eugen@zeonfederated.com>	2017-04-15 13:26:03 +0200
commit	df4ff9a8e13d776e1670c232655db0275a353a0f (patch)
tree	a7bdb4c0240e169bac01bf67b76f685e9a9b4a67 /app/controllers/auth
parent	67ad84b7ebf080d6a6cbcb7d299e02c2a51d955e (diff)