elsif !current_user.functional?
render json: { error: 'Your login is currently disabled' }, status: 403
else
- set_user_activity
+ update_user_sign_in
end
end
skip_before_action :require_no_authentication, only: [:create]
skip_before_action :require_functional!
+ skip_before_action :update_user_sign_in
include TwoFactorAuthenticationConcern
include SignInTokenAuthenticationConcern
def create
super do |resource|
+ resource.update_sign_in!(request, new_sign_in: true)
remember_me(resource)
flash.delete(:notice)
end
def find_user
if session[:attempt_user_id]
- User.find(session[:attempt_user_id])
+ User.find_by(id: session[:attempt_user_id])
else
user = User.authenticate_with_ldap(user_params) if Devise.ldap_authentication
user ||= User.authenticate_with_pam(user_params) if Devise.pam_authentication
def require_no_authentication
super
+
# Delete flash message that isn't entirely useful and may be confusing in
# most cases because /web doesn't display/clear flash messages.
flash.delete(:alert) if flash[:alert] == I18n.t('devise.failure.already_authenticated')
def home_paths(resource)
paths = [about_path]
+
if single_user_mode? && resource.is_a?(User)
paths << short_account_path(username: resource.account)
end
+
paths
end
def continue_after?
truthy_param?(:continue)
end
+
+ def restart_session
+ clear_attempt_from_session
+ redirect_to new_user_session_path, alert: I18n.t('devise.failure.timeout')
+ end
+
+ def set_attempt_session(user)
+ session[:attempt_user_id] = user.id
+ session[:attempt_user_updated_at] = user.updated_at.to_s
+ end
+
+ def clear_attempt_from_session
+ session.delete(:attempt_user_id)
+ session.delete(:attempt_user_updated_at)
+ end
end
def authenticate_with_sign_in_token
user = self.resource = find_user
- if user_params[:sign_in_token_attempt].present? && session[:attempt_user_id]
+ if user.present? && session[:attempt_user_id].present? && session[:attempt_user_updated_at] != user.updated_at.to_s
+ restart_session
+ elsif user_params.key?(:sign_in_token_attempt) && session[:attempt_user_id]
authenticate_with_sign_in_token_attempt(user)
elsif user.present? && user.external_or_valid_password?(user_params[:password])
prompt_for_sign_in_token(user)
def authenticate_with_sign_in_token_attempt(user)
if valid_sign_in_token_attempt?(user)
- session.delete(:attempt_user_id)
+ clear_attempt_from_session
remember_me(user)
sign_in(user)
else
UserMailer.sign_in_token(user, request.remote_ip, request.user_agent, Time.now.utc.to_s).deliver_later!
end
- set_locale do
- session[:attempt_user_id] = user.id
- @body_classes = 'lighter'
- render :sign_in_token
- end
+ set_attempt_session(user)
+
+ @body_classes = 'lighter'
+
+ set_locale { render :sign_in_token }
end
end
def authenticate_with_two_factor
user = self.resource = find_user
- if user.webauthn_enabled? && user_params[:credential].present? && session[:attempt_user_id]
+ if user.present? && session[:attempt_user_id].present? && session[:attempt_user_updated_at] != user.updated_at.to_s
+ restart_session
+ elsif user.webauthn_enabled? && user_params.key?(:credential) && session[:attempt_user_id]
authenticate_with_two_factor_via_webauthn(user)
- elsif user_params[:otp_attempt].present? && session[:attempt_user_id]
+ elsif user_params.key?(:otp_attempt) && session[:attempt_user_id]
authenticate_with_two_factor_via_otp(user)
elsif user.present? && user.external_or_valid_password?(user_params[:password])
prompt_for_two_factor(user)
webauthn_credential = WebAuthn::Credential.from_get(user_params[:credential])
if valid_webauthn_credential?(user, webauthn_credential)
- session.delete(:attempt_user_id)
+ clear_attempt_from_session
remember_me(user)
sign_in(user)
render json: { redirect_path: root_path }, status: :ok
def authenticate_with_two_factor_via_otp(user)
if valid_otp_attempt?(user)
- session.delete(:attempt_user_id)
+ clear_attempt_from_session
remember_me(user)
sign_in(user)
else
end
def prompt_for_two_factor(user)
- set_locale do
- session[:attempt_user_id] = user.id
- @body_classes = 'lighter'
- @webauthn_enabled = user.webauthn_enabled?
- @scheme_type = if user.webauthn_enabled? && user_params[:otp_attempt].blank?
- 'webauthn'
- else
- 'totp'
- end
- render :two_factor
+ set_attempt_session(user)
+
+ @body_classes = 'lighter'
+ @webauthn_enabled = user.webauthn_enabled?
+ @scheme_type = begin
+ if user.webauthn_enabled? && user_params[:otp_attempt].blank?
+ 'webauthn'
+ else
+ 'totp'
+ end
end
+
+ set_locale { render :two_factor }
end
end
UPDATE_SIGN_IN_HOURS = 24
included do
- before_action :set_user_activity
+ before_action :update_user_sign_in
end
private
- def set_user_activity
- return unless user_needs_sign_in_update?
- current_user.update_tracked_fields!(request)
+ def update_user_sign_in
+ current_user.update_sign_in!(request) if user_needs_sign_in_update?
end
def user_needs_sign_in_update?
devise :two_factor_backupable,
otp_number_of_backup_codes: 10
- devise :registerable, :recoverable, :rememberable, :trackable, :validatable,
+ devise :registerable, :recoverable, :rememberable, :validatable,
:confirmable
include Omniauthable
prepare_new_user! if new_user && approved?
end
+ def update_sign_in!(request, new_sign_in: false)
+ old_current, new_current = current_sign_in_at, Time.now.utc
+ self.last_sign_in_at = old_current || new_current
+ self.current_sign_in_at = new_current
+
+ old_current, new_current = current_sign_in_ip, request.remote_ip
+ self.last_sign_in_ip = old_current || new_current
+ self.current_sign_in_ip = new_current
+
+ if new_sign_in
+ self.sign_in_count ||= 0
+ self.sign_in_count += 1
+ end
+
+ save(validate: false) unless new_record?
+ prepare_returning_user!
+ end
+
def pending?
!approved?
end
prepare_new_user!
end
- def update_tracked_fields!(request)
- super
- prepare_returning_user!
- end
-
def otp_enabled?
otp_required_for_login
end
context 'using a valid OTP' do
before do
- post :create, params: { user: { otp_attempt: user.current_otp } }, session: { attempt_user_id: user.id }
+ post :create, params: { user: { otp_attempt: user.current_otp } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
end
it 'redirects to home' do
context 'when the server has an decryption error' do
before do
allow_any_instance_of(User).to receive(:validate_and_consume_otp!).and_raise(OpenSSL::Cipher::CipherError)
- post :create, params: { user: { otp_attempt: user.current_otp } }, session: { attempt_user_id: user.id }
+ post :create, params: { user: { otp_attempt: user.current_otp } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
end
it 'shows a login error' do
context 'using a valid recovery code' do
before do
- post :create, params: { user: { otp_attempt: recovery_codes.first } }, session: { attempt_user_id: user.id }
+ post :create, params: { user: { otp_attempt: recovery_codes.first } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
end
it 'redirects to home' do
context 'using an invalid OTP' do
before do
- post :create, params: { user: { otp_attempt: 'wrongotp' } }, session: { attempt_user_id: user.id }
+ post :create, params: { user: { otp_attempt: 'wrongotp' } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
end
it 'shows a login error' do
before do
@controller.session[:webauthn_challenge] = challenge
- post :create, params: { user: { credential: fake_credential } }, session: { attempt_user_id: user.id }
+ post :create, params: { user: { credential: fake_credential } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
end
it 'instructs the browser to redirect to home' do
context 'using a valid sign in token' do
before do
user.generate_sign_in_token && user.save
- post :create, params: { user: { sign_in_token_attempt: user.sign_in_token } }, session: { attempt_user_id: user.id }
+ post :create, params: { user: { sign_in_token_attempt: user.sign_in_token } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
end
it 'redirects to home' do
context 'using an invalid sign in token' do
before do
- post :create, params: { user: { sign_in_token_attempt: 'wrongotp' } }, session: { attempt_user_id: user.id }
+ post :create, params: { user: { sign_in_token_attempt: 'wrongotp' } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
end
it 'shows a login error' do
cat aescling's git repositories / mastodon.git / commitdiff