Add password challenge to 2FA settings, e-mail notifications (#11878)

Fix #3961
2019-09-18 16:37:27 +02:00 · 2019-09-18 16:37:27 +02:00 · e1066cd431
commit e1066cd431
parent d0c2c52783
32 changed files with 567 additions and 50 deletions
--- a/app/controllers/admin/two_factor_authentications_controller.rb
+++ b/app/controllers/admin/two_factor_authentications_controller.rb
@ -8,6 +8,7 @@ module Admin
      authorize @user, :disable_2fa?
      @user.disable_two_factor!
      log_action :disable_2fa, @user
+      UserMailer.two_factor_disabled(@user).deliver_later!
      redirect_to admin_accounts_path
    end

--- a/app/controllers/auth/challenges_controller.rb
+++ b/app/controllers/auth/challenges_controller.rb
@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class Auth::ChallengesController < ApplicationController
+  include ChallengableConcern
+
+  layout 'auth'
+
+  before_action :authenticate_user!
+
+  skip_before_action :require_functional!
+
+  def create
+    if challenge_passed?
+      session[:challenge_passed_at] = Time.now.utc
+      redirect_to challenge_params[:return_to]
+    else
+      @challenge = Form::Challenge.new(return_to: challenge_params[:return_to])
+      flash.now[:alert] = I18n.t('challenge.invalid_password')
+      render_challenge
+    end
+  end
+end
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@ -42,6 +42,7 @@ class Auth::SessionsController < Devise::SessionsController
  def destroy
    tmp_stored_location = stored_location_for(:user)
    super
+    session.delete(:challenge_passed_at)
    flash.delete(:notice)
    store_location_for(:user, tmp_stored_location) if continue_after?
  end
--- a/app/controllers/concerns/challengable_concern.rb
+++ b/app/controllers/concerns/challengable_concern.rb
@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+# This concern is inspired by "sudo mode" on GitHub. It
+# is a way to re-authenticate a user before allowing them
+# to see or perform an action.
+#
+# Add `before_action :require_challenge!` to actions you
+# want to protect.
+#
+# The user will be shown a page to enter the challenge (which
+# is either the password, or just the username when no
+# password exists). Upon passing, there is a grace period
+# during which no challenge will be asked from the user.
+#
+# Accessing challenge-protected resources during the grace
+# period will refresh the grace period.
+module ChallengableConcern
+  extend ActiveSupport::Concern
+
+  CHALLENGE_TIMEOUT = 1.hour.freeze
+
+  def require_challenge!
+    return if skip_challenge?
+
+    if challenge_passed_recently?
+      session[:challenge_passed_at] = Time.now.utc
+      return
+    end
+
+    @challenge = Form::Challenge.new(return_to: request.url)
+
+    if params.key?(:form_challenge)
+      if challenge_passed?
+        session[:challenge_passed_at] = Time.now.utc
+        return
+      else
+        flash.now[:alert] = I18n.t('challenge.invalid_password')
+        render_challenge
+      end
+    else
+      render_challenge
+    end
+  end
+
+  def render_challenge
+    @body_classes = 'lighter'
+    render template: 'auth/challenges/new', layout: 'auth'
+  end
+
+  def challenge_passed?
+    current_user.valid_password?(challenge_params[:current_password])
+  end
+
+  def skip_challenge?
+    current_user.encrypted_password.blank?
+  end
+
+  def challenge_passed_recently?
+    session[:challenge_passed_at].present? && session[:challenge_passed_at] >= CHALLENGE_TIMEOUT.ago
+  end
+
+  def challenge_params
+    params.require(:form_challenge).permit(:current_password, :return_to)
+  end
+end
--- a/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
@ -3,9 +3,12 @@
 module Settings
  module TwoFactorAuthentication
    class ConfirmationsController < BaseController
+      include ChallengableConcern
+
      layout 'admin'

      before_action :authenticate_user!
+      before_action :require_challenge!
      before_action :ensure_otp_secret

      skip_before_action :require_functional!
@ -22,6 +25,8 @@ module Settings
          @recovery_codes = current_user.generate_otp_backup_codes!
          current_user.save!

+          UserMailer.two_factor_enabled(current_user).deliver_later!
+
          render 'settings/two_factor_authentication/recovery_codes/index'
        else
          flash.now[:alert] = I18n.t('two_factor_authentication.wrong_code')
--- a/app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb
@ -3,16 +3,22 @@
 module Settings
  module TwoFactorAuthentication
    class RecoveryCodesController < BaseController
+      include ChallengableConcern
+
      layout 'admin'

      before_action :authenticate_user!
+      before_action :require_challenge!, on: :create

      skip_before_action :require_functional!

      def create
        @recovery_codes = current_user.generate_otp_backup_codes!
        current_user.save!
+
+        UserMailer.two_factor_recovery_codes_changed(current_user).deliver_later!
        flash.now[:notice] = I18n.t('two_factor_authentication.recovery_codes_regenerated')
+
        render :index
      end
    end
--- a/app/controllers/settings/two_factor_authentications_controller.rb
+++ b/app/controllers/settings/two_factor_authentications_controller.rb
@ -2,10 +2,13 @@

 module Settings
  class TwoFactorAuthenticationsController < BaseController
+    include ChallengableConcern
+
    layout 'admin'

    before_action :authenticate_user!
    before_action :verify_otp_required, only: [:create]
+    before_action :require_challenge!, only: [:create]

    skip_before_action :require_functional!

@ -23,6 +26,7 @@ module Settings
      if acceptable_code?
        current_user.otp_required_for_login = false
        current_user.save!
+        UserMailer.two_factor_disabled(current_user).deliver_later!
        redirect_to settings_two_factor_authentication_path
      else
        flash.now[:alert] = I18n.t('two_factor_authentication.wrong_code')