IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FEATURE: Implement 2factor login TOTP

Browse Source 
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
This commit is contained in:
Jeff Wong
2017-12-21 17:18:12 -08:00
committed by Guo Xiang Tan
parent b6e82815bd
commit f4f8a293e7
52 changed files with 1005 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
app/controllers/session_controller.rb
View File

@@ -188,6 +188,10 @@ class SessionController < ApplicationController
end
def create
unless params[:second_factor_token].blank?
RateLimiter.new(nil, "second-factor-min-#{request.remote_ip}", 3, 1.minute).performed!
end
params.require(:login)
params.require(:password)
@@ -221,6 +225,12 @@ class SessionController < ApplicationController
if payload = login_error_check(user)
render json: payload
else
if SecondFactorHelper.totp_enabled?(user)
unless SecondFactorHelper.authenticate(user, params[:second_factor_token])
return render json: { error: I18n.t("login.invalid_second_factor_code"), reason: "invalid_second_factor" }
end
end
(user.active && user.email_confirmed?) ? login(user) : not_activated(user)
end
end
@@ -228,6 +238,14 @@ class SessionController < ApplicationController
def email_login
raise Discourse::NotFound if !SiteSetting.enable_local_logins_via_email
if params[:second_factor_token].present?
@error = I18n.t("login.invalid_second_factor_code")
RateLimiter.new(nil, "second-factor-min-#{request.remote_ip}", 3, 1.minute).performed!
end
unless EmailToken.second_factor_valid(params[:token], params[:second_factor_token])
@second_factor_required = true
return render layout: 'no_ember'
end
if EmailToken.valid_token_format?(params[:token]) && (user = EmailToken.confirm(params[:token]))
if login_not_approved_for?(user)
@error = login_not_approved[:error]