Sha256: fb99ca5664510249f3ac98cd8c1d277ff5d9c6f3e5a59989f312cf97385f199e
Contents?: true
Size: 1.33 KB
Versions: 8
Compression:
Stored size: 1.33 KB
Contents
class DeviseTwilioVerify::PasswordsController < Devise::PasswordsController
##
# In the passwords controller a user can update their password using a
# recovery token. If `Devise.sign_in_after_reset_password` is `true` then the
# user is signed in immediately with the
# `Devise::Controllers::SignInOut#sign_in` method. However, if the user has
# 2FA enabled they should enter their second factor before they are signed in.
#
# This method overrides `Devise::Controllers::SignInOut#sign_in` but only
# within the `Devise::PasswordsController`. If the user needs to verify 2FA
# then `sign_in` returns `true`. This short circuits the method before it can
# call `warden.set_user` and log the user in.
#
# The user is redirected to `after_resetting_password_path_for(user)` at which
# point, since the user is not logged in, redirects again to sign in.
#
# This doesn't retain the expected behaviour of
# `Devise.sign_in_after_reset_password`, but is forgivable because this
# shouldn't be an avenue to bypass 2FA.
def sign_in(resource_or_scope, *args)
resource = args.last || resource_or_scope
if resource.respond_to?(:with_twilio_verify_authentication?) && resource.with_twilio_verify_authentication?(request)
# Do nothing. Because we need verify the 2FA
true
else
super
end
end
end
Version data entries
8 entries across 8 versions & 1 rubygems