Sha256: a4854fd103a6a5781ec8e1c8591c4c5052d10c1e62b60482ab3a2574efa30cb1

Contents?: true

Size: 1.3 KB

Versions: 6

Compression:

Stored size: 1.3 KB

Contents

class DeviseAuthy::PasswordsController < Devise::PasswordsController
  ##
  # In the passwords controller a user can update their password using a
  # recovery token. If `Devise.sign_in_after_reset_password` is `true` then the
  # user is signed in immediately with the
  # `Devise::Controllers::SignInOut#sign_in` method. However, if the user has
  # 2FA enabled they should enter their second factor before they are signed in.
  #
  # This method overrides `Devise::Controllers::SignInOut#sign_in`, but only
  # within the `Devise::PasswordsController`. If the user needs to verify 2FA
  # then `sign_in` returns `true`. This short-circuits the method before it can
  # call `warden.set_user` and log the user in.
  #
  # The user is redirected to `after_resetting_password_path_for(user)`, which,
  # since the user is not logged in, redirects again to the sign-in page.
  #
  # This doesn't retain the expected behaviour of
  # `Devise.sign_in_after_reset_password`, but is forgivable because this
  # shouldn't be an avenue to bypass 2FA.
  def sign_in(resource_or_scope, *args)
    resource = args.last || resource_or_scope

    if resource.respond_to?(:with_authy_authentication?) && resource.with_authy_authentication?(request)
      # Do nothing, because the second factor must be verified before sign-in.
      true
    else
      super
    end
  end
end
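The following is an added, self-contained model of the override above, not code from devise-authy or Devise: `FakeWarden`, `BaseController` and `User` are constructed stand-ins so the `sign_in` control flow (including the `sign_in(scope, resource)` calling form handled by `args.last || resource_or_scope`) can be exercised without Rails, checking that a user with a pending second factor never reaches `warden.set_user`.

```ruby
# Constructed stand-in for Warden: records which users were actually logged in.
class FakeWarden
  attr_reader :users
  def initialize
    @users = []
  end

  def set_user(user, _opts = {})
    @users << user
  end
end

# Stand-in for Devise::Controllers::SignInOut#sign_in: always logs the user in.
class BaseController
  attr_reader :warden, :request
  def initialize(warden, request = {})
    @warden = warden
    @request = request
  end

  def sign_in(resource_or_scope, *args)
    resource = args.last || resource_or_scope
    warden.set_user(resource)
    :signed_in
  end
end

# Mirrors the logic of DeviseAuthy::PasswordsController#sign_in shown above.
class PasswordsController < BaseController
  def sign_in(resource_or_scope, *args)
    resource = args.last || resource_or_scope
    if resource.respond_to?(:with_authy_authentication?) && resource.with_authy_authentication?(request)
      true # second factor still pending, so warden.set_user is never reached
    else
      super
    end
  end
end

# Constructed user model: `two_factor` stands in for an enrolled Authy device.
User = Struct.new(:name, :two_factor) do
  def with_authy_authentication?(_request)
    two_factor
  end
end

# Runs a password-reset sign_in and reports whether Warden received the user.
def simulate_reset_sign_in(user, scope: nil)
  warden = FakeWarden.new
  ctrl = PasswordsController.new(warden)
  result = scope ? ctrl.sign_in(scope, user) : ctrl.sign_in(user)
  { result: result, logged_in: warden.users.include?(user) }
end
```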

Version data entries

6 entries across 6 versions & 1 rubygems

Version Path
devise-authy-2.3.1 app/controllers/devise_authy/passwords_controller.rb
devise-authy-2.3.0 app/controllers/devise_authy/passwords_controller.rb
devise-authy-2.2.1 app/controllers/devise_authy/passwords_controller.rb
devise-authy-2.2.0 app/controllers/devise_authy/passwords_controller.rb
devise-authy-2.1.0 app/controllers/devise_authy/passwords_controller.rb
devise-authy-2.0.0 app/controllers/devise_authy/passwords_controller.rb