Handle password reset for users with 2FA enabled

author: Robert Speicher <rspeicher@gmail.com> 2015-05-11 21:31:31 +0300
committer: Robert Speicher <rspeicher@gmail.com> 2015-05-11 21:31:31 +0300
commit: 24bef5e67a81c5edf9dacb65ecc091cac1f4c528 (patch)
tree: e915aa8c1bc0ff6e735a0d510c107ed0e126ef55 /app/controllers/passwords_controller.rb
parent: 19b897e998d4b376390a3e0c12ccac4d1e92597d (diff)
1 files changed, 21 insertions, 0 deletions
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index dcbbe5baa4b..88459d4080a 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -15,4 +15,25 @@ class PasswordsController < Devise::PasswordsController
       respond_with(resource)
     end
   end
+
+  # After a user resets their password, prompt for 2FA code if enabled instead
+  # of signing in automatically
+  #
+  # See http://git.io/vURrI
+  def update
+    super do |resource|
+      # TODO (rspeicher): In Devise master (> 3.4.1), we can set
+      # `Devise.sign_in_after_reset_password = false` and avoid this mess.
+      if resource.errors.empty? && resource.try(:otp_required_for_login?)
+        resource.unlock_access! if unlockable?(resource)
+
+        # Since we are not signing this user in, we use the :updated_not_active
+        # message which only contains "Your password was changed successfully."
+        set_flash_message(:notice, :updated_not_active) if is_flashing_format?
+
+        # Redirect to sign in so they can enter 2FA code
+        respond_with(resource, location: new_session_path(resource)) and return
+      end
+    end
+  end
 end
author	Robert Speicher <rspeicher@gmail.com>	2015-05-11 21:31:31 +0300
committer	Robert Speicher <rspeicher@gmail.com>	2015-05-11 21:31:31 +0300
commit	24bef5e67a81c5edf9dacb65ecc091cac1f4c528 (patch)
tree	e915aa8c1bc0ff6e735a0d510c107ed0e126ef55 /app/controllers/passwords_controller.rb
parent	19b897e998d4b376390a3e0c12ccac4d1e92597d (diff)