Fix 2FA backup code removal

app/models/user.rb

@@ -80,7 +80,10 @@ class User < ActiveRecord::Base
 
   devise :two_factor_authenticatable,
          otp_secret_encryption_key: File.read(Rails.root.join('.secret')).chomp
+
   devise :two_factor_backupable
+  serialize :otp_backup_codes, JSON
+
   devise :lockable, :async, :recoverable, :rememberable, :trackable,
     :validatable, :omniauthable, :confirmable, :registerable
 

spec/features/login_spec.rb

@@ -47,7 +47,7 @@ feature 'Login' do
         before do
           expect(codes.size).to eq 5
 
-          # Because `generate_otp_backup_codes!` doesn't actually do this...
+          # Ensure the generated codes get saved
           user.save
         end
 
@@ -58,20 +58,18 @@ feature 'Login' do
           end
 
           it 'invalidates the used code' do
-            # FIXME (rspeicher): Broken library is broken
-            expect { enter_code(codes.sample) }.to change { user.otp_backup_codes.size }.by(-1)
+            expect { enter_code(codes.sample) }.
+              to change { user.reload.otp_backup_codes.size }.by(-1)
           end
         end
 
         context 'with invalid code' do
           it 'blocks login' do
-            # FIXME (rspeicher): Broken library is broken
             code = codes.sample
             expect(user.invalidate_otp_backup_code!(code)).to eq true
-            expect(user.otp_backup_codes.size).to eq 4 # Passes
+
             user.save!
-            user.reload
-            expect(user.otp_backup_codes.size).to eq 4 # Fails... WAT?!
+            expect(user.reload.otp_backup_codes.size).to eq 4
 
             enter_code(code)
             expect(page).to have_content('Invalid two-factor code')