require_mfa abstracts initialize_mfa + prompt_mfa

rubygems · Jun 2, 2024 · 9fb21ca · 9fb21ca
1 parent 87572e7
commit 9fb21ca
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 25 deletions.
diff --git a/app/controllers/concerns/require_mfa.rb b/app/controllers/concerns/require_mfa.rb
@@ -1,6 +1,12 @@
 module RequireMfa
   extend ActiveSupport::Concern
 
+  def require_mfa(user = @user)
+    return unless user&.mfa_enabled?
+    initialize_mfa(user)
+    prompt_mfa
+  end
+
   # Call initialize_mfa once at the start of the MFA flow for a user (after login, after reset token verified).
   def initialize_mfa(user = @user)
     delete_mfa_session

diff --git a/app/controllers/email_confirmations_controller.rb b/app/controllers/email_confirmations_controller.rb
@@ -8,6 +8,7 @@ class EmailConfirmationsController < ApplicationController
   before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?, only: :unconfirmed
   before_action :redirect_to_settings_strong_mfa_required, if: :mfa_required_weak_level_enabled?, only: :unconfirmed
   before_action :validate_confirmation_token, only: %i[update otp_update webauthn_update]
+  before_action :require_mfa, only: %i[update]
   before_action :validate_otp, only: :otp_update
   before_action :validate_webauthn, only: :webauthn_update
   after_action :delete_mfa_expiry_session, only: %i[otp_update webauthn_update]
@@ -27,12 +28,7 @@ def create
   end
 
   def update
-    if @user.mfa_enabled?
-      initialize_mfa(@user)
-      prompt_mfa
-    else
-      confirm_email
-    end
+    confirm_email
   end
 
   def otp_update

diff --git a/app/controllers/multifactor_auths_controller.rb b/app/controllers/multifactor_auths_controller.rb
@@ -8,7 +8,7 @@ class MultifactorAuthsController < ApplicationController
   before_action :require_mfa_enabled, only: %i[update otp_update]
   before_action :require_totp_enabled, only: :destroy
   before_action :seed_and_expire, only: :create
-  before_action :find_mfa_user, only: %i[otp_update webauthn_update]
+  before_action :find_mfa_user, only: %i[update otp_update webauthn_update]
   before_action :validate_otp, only: %i[otp_update]
   before_action :require_webauthn_enabled, only: %i[webauthn_update]
   before_action :validate_webauthn, only: %i[webauthn_update]
@@ -44,7 +44,6 @@ def create
   end
 
   def update
-    @user = current_user
     initialize_mfa(@user)
     session[:level] = level_param
     prompt_mfa

diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
@@ -7,6 +7,7 @@ class PasswordsController < ApplicationController
   before_action :ensure_email_present, only: %i[create]
 
   before_action :validate_confirmation_token, only: %i[edit otp_edit webauthn_edit]
+  before_action :require_mfa, only: %i[edit]
   before_action :validate_otp, only: %i[otp_edit]
   before_action :validate_webauthn, only: %i[webauthn_edit]
   after_action :delete_mfa_expiry_session, only: %i[otp_edit webauthn_edit]
@@ -17,14 +18,9 @@ def new
   end
 
   def edit
-    if @user.mfa_enabled?
-      initialize_mfa(@user)
-      prompt_mfa
-    else
-      # When user doesn't have mfa, a valid token is a full "magic link" sign in.
-      verified_sign_in
-      render :edit
-    end
+    # When user doesn't have mfa, a valid token is a full "magic link" sign in.
+    verified_sign_in
+    render :edit
   end
 
   def create

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
@@ -10,21 +10,16 @@ class SessionsController < Clearance::SessionsController
   before_action :webauthn_new_setup, only: :new
 
   before_action :ensure_not_blocked, only: %i[create]
+  before_action :find_user, only: %i[create]
+  before_action :require_mfa, only: %i[create]
   before_action :find_mfa_user, only: %i[webauthn_create otp_create]
   before_action :validate_otp, only: %i[otp_create]
   before_action :validate_webauthn, only: %i[webauthn_create]
   after_action :delete_mfa_session, only: %i[webauthn_create webauthn_full_create otp_create]
   after_action :delete_session_verification, only: :destroy
 
   def create
-    @user = find_user
-
-    if @user&.mfa_enabled?
-      initialize_mfa(@user)
-      prompt_mfa
-    else
-      do_login(two_factor_label: nil, two_factor_method: nil, authentication_method: "password")
-    end
+    do_login(two_factor_label: nil, two_factor_method: nil, authentication_method: "password")
   end
 
   def webauthn_create
@@ -120,7 +115,7 @@ def mfa_failure(message)
 
   def find_user
     password = params.permit(session: :password).require(:session).fetch(:password, nil)
-    User.authenticate(who, password) if password.is_a?(String) && who
+    @user = User.authenticate(who, password) if password.is_a?(String) && who
   end
 
   def find_mfa_user