Commit graph

10 commits

Author SHA1 Message Date
Sean McGivern
194fbc3c3d Restrict failed login attempts for users with 2FA
Copy logic from `Devise::Models::Lockable#valid_for_authentication?`, as
our custom login flow with two pages doesn't call this method. This will
increment the failed login counter, and lock the user's account once
they exceed the number of failed attempts.

Also ensure that users who are locked can't continue to submit 2FA
codes.
2016-10-04 15:01:38 +01:00
DJ Mountney
9224f031cf Pass the remember_me option into the u2f form and support it while authenticating
Matches the changes done for non-u2f two-factor auth
2016-09-01 17:11:42 -07:00
Timothy Andrew
4db19bb445 Add a U2F-specific audit log entry after logging in.
- "two-factor" for OTP-based 2FA
- "two-factor-via-u2f-device" for U2F-based 2FA
- "standard" for non-2FA login
2016-06-06 12:50:31 +05:30
Robert Speicher
7d33fba7af Merge branch 'upgrade-devise-two-factor' into 'master'
Upgrade devise, devise-two-factor, and attr_encrypted

Devise 4 includes support for Rails 5, working towards #14286. devise-async doesn't support Devise 4.0 and in 4.1 the bug that was blocking using Devise's built-in ActiveJob integration was fixed. So devise-async is removed. devise-two-factor 3.0.0 is required for Devise 4 support.

attr_encrypted and encryptor are optional but recommended upgrades for devise-two-factor 3.0.0. The mode and algorithm will need to be changed in order to update to attr_encrypted 4.x in the future.

See merge request !4216
2016-06-02 00:44:41 +00:00
Robert Speicher
a602df3031 Pass the "Remember me" value to the 2FA token form
Prior, if a user had 2FA enabled and checked the "Remember me" field,
the setting was ignored because the OTP input was on a new form and the
value was never passed.

Closes #18000
2016-05-30 22:25:35 -04:00
Connor Shea
5647fb14b6
Fix a broken spec
Temporary fix until Devise 4 fixes this grammar issue:
https://github.com/plataformatec/devise/issues/4095
2016-05-30 13:51:21 -06:00
Robert Speicher
75739e54be Enable RSpec/NotToNot cop and auto-correct offenses
Also removes the note from the development/testing.md guide
2016-05-24 15:40:29 -04:00
Grzegorz Bizon
33a8dfd04f Make sessions controller specs more explicit 2016-04-07 13:16:48 +02:00
Grzegorz Bizon
00da609cfd Fix 2FA authentication spoofing vulnerability
This commit attempts to change default user search scope if otp_user_id
session variable has been set. If it is present, it means that user has
2FA enabled, and has already been verified with login and password. In
this case we should look for user with otp_user_id first, before picking
it up by login.
2016-04-07 11:19:29 +02:00
Grzegorz Bizon
301f4074aa Add specs for sessions controller including 2FA
This also contains specs for a bug described in #14900
2016-04-06 12:26:10 +02:00