Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use the remembered device when switching #15042

Merged
merged 3 commits into from
Mar 19, 2024
Merged

use the remembered device when switching #15042

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
91cbbee
use the remembered device when switching
oliverguenther Mar 19, 2024
fa77c13
fixup! use the remembered device when switching
oliverguenther Mar 19, 2024
118f9c9
Remove discouraged user verification
klaustopher Mar 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 8 additions & 6 deletions ...tor_authentication/app/controllers/two_factor_authentication/authentication_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -84,24 +84,26 @@ def successful_2fa_transmission(service, transmit)
##
# Create a token service for the current user
# with an optional override to use a non-default channel
def otp_service(user, use_channel: nil, use_device: nil)
def otp_service(user, use_channel: nil, use_device: remembered_device(user))
session[:two_factor_authentication_device_id] = use_device.try(:id)
::TwoFactorAuthentication::TokenService.new user:, use_channel:, use_device:
end

##
# Get the used device for verification
def otp_service_for_verification(user)
use_device =
if session[:two_factor_authentication_device_id]
user.otp_devices.find(session[:two_factor_authentication_device_id])
end
otp_service(user, use_device:)
otp_service(user, use_device: remembered_device(user))
rescue ActiveRecord::RecordNotFound
render_404
false
end

def remembered_device(user)
if session[:two_factor_authentication_device_id]
user.otp_devices.find(session[:two_factor_authentication_device_id])
end
end

##
# Detect overridden channel or device from params when trying to resend
def service_from_resend_params
Expand Down
4 changes: 1 addition & 3 deletions modules/two_factor_authentication/app/models/two_factor_authentication/device/webauthn.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,14 +21,12 @@ def self.device_type
def options_for_create(relying_party)
@options_for_create ||= relying_party.options_for_registration(
user: { id: user.webauthn_id, name: user.name },
exclude: TwoFactorAuthentication::Device::Webauthn.where(user:).pluck(:webauthn_external_id),
authenticator_selection: { user_verification: "discouraged" }
exclude: TwoFactorAuthentication::Device::Webauthn.where(user:).pluck(:webauthn_external_id)
)
end

def options_for_get(relying_party)
@options_for_get ||= relying_party.options_for_authentication(
user_verification: "discouraged", # we do not require user verification
allow: [webauthn_external_id] # TODO: Maybe also allow all other tokens? Let's see
)
end
Expand Down
Loading