From 9acdb166e8871632f592bfcd2386dfc288d81a07 Mon Sep 17 00:00:00 2001
From: Eugen <eugen@zeonfederated.com>
Date: Sat, 8 Apr 2017 22:20:08 +0200
Subject: Fix #795, fix #704, fix #835 - 2FA requires confirmation to be
 enabled (#1278)

* Fix #795, fix #704, fix #835 - 2FA requires confirmation to be enabled
TOTP secret is not shown again after 2FA is enabled

* Clean up
---
 .../settings/two_factor_auths_controller.rb        | 39 +++++++++++++++++-----
 1 file changed, 30 insertions(+), 9 deletions(-)

(limited to 'app/controllers')

diff --git a/app/controllers/settings/two_factor_auths_controller.rb b/app/controllers/settings/two_factor_auths_controller.rb
index cfee92391..203d1fc46 100644
--- a/app/controllers/settings/two_factor_auths_controller.rb
+++ b/app/controllers/settings/two_factor_auths_controller.rb
@@ -5,19 +5,29 @@ class Settings::TwoFactorAuthsController < ApplicationController
 
   before_action :authenticate_user!
 
-  def show
-    return unless current_user.otp_required_for_login
+  def show; end
 
-    @provision_url = current_user.otp_provisioning_uri(current_user.email, issuer: Rails.configuration.x.local_domain)
-    @qrcode        = RQRCode::QRCode.new(@provision_url)
-  end
+  def new
+    redirect_to settings_two_factor_auth_path if current_user.otp_required_for_login
 
-  def enable
-    current_user.otp_required_for_login = true
-    current_user.otp_secret = User.generate_otp_secret
+    @confirmation = Form::TwoFactorConfirmation.new
+    current_user.otp_secret = User.generate_otp_secret(32)
     current_user.save!
+    set_qr_code
+  end
 
-    redirect_to settings_two_factor_auth_path
+  def create
+    if current_user.validate_and_consume_otp!(confirmation_params[:code])
+      current_user.otp_required_for_login = true
+      current_user.save!
+
+      redirect_to settings_two_factor_auth_path, notice: I18n.t('two_factor_auth.enabled_success')
+    else
+      @confirmation = Form::TwoFactorConfirmation.new
+      set_qr_code
+      flash.now[:alert] = I18n.t('two_factor_auth.wrong_code')
+      render action: :new
+    end
   end
 
   def disable
@@ -26,4 +36,15 @@ class Settings::TwoFactorAuthsController < ApplicationController
 
     redirect_to settings_two_factor_auth_path
   end
+
+  private
+
+  def set_qr_code
+    @provision_url = current_user.otp_provisioning_uri(current_user.email, issuer: Rails.configuration.x.local_domain)
+    @qrcode        = RQRCode::QRCode.new(@provision_url)
+  end
+
+  def confirmation_params
+    params.require(:form_two_factor_confirmation).permit(:code)
+  end
 end
-- 
cgit