Discourse/discourse
Discourse/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-09-06 09:10:25 +08:00
Code Packages Activity Actions 11
discourse/app/controllers/users_email_controller.rb
Jeff Wong f4f8a293e7 FEATURE: Implement 2factor login TOTP 
implemented review items.

Blocking previous codes - valid 2-factor auth tokens can only be authenticated once/30 seconds.
I played with updating the “last used” any time the token was attempted but that seemed to be overkill, and frustrating as to why a token would fail.
Translatable texts.
Move second factor logic to a helper class.
Move second factor specific controller endpoints to its own controller.
Move serialization logic for 2-factor details in admin user views.
Add a login ember component for de-duplication
Fix up code formatting
Change verbiage of google authenticator

add controller tests:
second factor controller tests
change email tests
change password tests
admin login tests

add qunit tests - password reset, preferences

fix: check for 2factor on change email controller
fix: email controller - only show second factor errors on attempt
fix: check against 'true' to enable second factor.

Add modal for explaining what 2fa with links to Google Authenticator/FreeOTP

add two factor to email signin link

rate limit if second factor token present

add rate limiter test for second factor attempts
2018-02-21 09:04:07 +08:00

62 lines
1.8 KiB
Ruby
Raw Blame History

require_dependency 'rate_limiter'
require_dependency 'email_validator'
require_dependency 'email_updater'
class UsersEmailController < ApplicationController
requires_login only: [:index, :update]
skip_before_action :check_xhr, only: [:confirm]
skip_before_action :redirect_to_login_if_required, only: [:confirm]
def index
end
def update
params.require(:email)
user = fetch_user_from_params
RateLimiter.new(user, "change-email-hr-#{request.remote_ip}", 6, 1.hour).performed!
RateLimiter.new(user, "change-email-min-#{request.remote_ip}", 3, 1.minute).performed!
updater = EmailUpdater.new(guardian, user)
updater.change_to(params[:email])
if updater.errors.present?
return render_json_error(updater.errors.full_messages)
end
render body: nil
rescue RateLimiter::LimitExceeded
render_json_error(I18n.t("rate_limiter.slow_down"))
end
def confirm
expires_now
token = EmailToken.confirmable params[:token]
change_req = token&.user&.email_change_requests
&.where('new_email_token_id = :token_id', token_id: token.id)
&.first
if change_req.try(:change_state) == EmailChangeRequest.states[:authorizing_new] &&
!EmailToken.second_factor_valid(params[:token], params[:second_factor_token])
@update_result = :invalid_second_factor
if params[:second_factor_token].present?
RateLimiter.new(nil, "second-factor-min-#{request.remote_ip}", 3, 1.minute).performed!
@show_invalid_second_factor_error = true
end
render layout: 'no_ember'
return
end
updater = EmailUpdater.new
@update_result = updater.confirm(params[:token])
if @update_result == :complete
updater.user.user_stat.reset_bounce_score!
log_on_user(updater.user)
end
render layout: 'no_ember'
end
end
View git blame Copy permalink