lib/jwt_authenticable/auth.rb in researchable_jwt-authenticable-1.0.1 vs lib/jwt_authenticable/auth.rb in researchable_jwt-authenticable-1.1.0
@@ -11,11 +11,12 @@
# Authenticates a user.
# @raise MissingAuthScope if the jwt does not have the right scope
def authenticate_user!
validate_jwt_token! token: authorization_token!
- rescue MissingAuth, MissingAuthScope, InvalidAuthScheme, JWT::VerificationError, JWT::ExpiredSignature => e
+ rescue MissingAuth, MissingAuthScope, InvalidAuthScheme, TwoFANotEnabledError, JWT::VerificationError,
+ JWT::ExpiredSignature => e
unauthorized(e.message)
end
# Consider any method below as private and not meant to be used by including classes
@@ -26,11 +27,15 @@
# @param is_researcher [Boolean] Whether to validate the token as a researcher's or a participant's
# @raise AuthorizationError if the user is trying to login with the incorrect rights.
# @return [Hash] the JWT payload
def validate_jwt_token!(token:)
# NOTE: it is still safe if JWT_SECRET_KEY is not set. The method will trigger a JWT exception
- JWT.decode(token, JwtAuthenticable.config.jwt_secret_key, true,
- { algorithm: algorithm }).first
+ payload = JWT.decode(token, JwtAuthenticable.config.jwt_secret_key, true,
+ { algorithm: algorithm }).first
+
+ raise TwoFANotEnabledError if JwtAuthenticable.config.enforce_2fa && !payload['2fa']
+
+ payload
end
# Extracts the authorization token from the Authorization header
# @note For now we only support Bearer schema with JWT
# @raise [Exceptions::MissingAuth] Authorization header not present or empty
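Review bot: The new raise line in validate_jwt_token! relies on Ruby truthiness, so any claim value that is neither nil nor false (the string "false", 0, an empty string) passes as "2FA enabled"; compare against the boolean explicitly, `raise TwoFANotEnabledError if JwtAuthenticable.config.enforce_2fa && payload['2fa'] != true`. The guard runs only after JWT.decode with verification enabled, so the claim is signature-protected, which is the right order. The YARD block above the method does not mention the new exception and still documents an `is_researcher` parameter that the `token:`-only signature does not take; add `# @raise TwoFANotEnabledError if enforce_2fa is set and the verified payload's '2fa' claim is not true` and drop or correct the stale `@param`. The rescue list in the first hunk already maps TwoFANotEnabledError to unauthorized, so no change is needed there.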