diff options
author | Robert Speicher <rspeicher@gmail.com> | 2015-05-11 21:31:31 +0300 |
---|---|---|
committer | Robert Speicher <rspeicher@gmail.com> | 2015-05-11 21:31:31 +0300 |
commit | 24bef5e67a81c5edf9dacb65ecc091cac1f4c528 (patch) | |
tree | e915aa8c1bc0ff6e735a0d510c107ed0e126ef55 /app/controllers/passwords_controller.rb | |
parent | 19b897e998d4b376390a3e0c12ccac4d1e92597d (diff) |
Handle password reset for users with 2FA enabled
Diffstat (limited to 'app/controllers/passwords_controller.rb')
-rw-r--r-- | app/controllers/passwords_controller.rb | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb index dcbbe5baa4b..88459d4080a 100644 --- a/app/controllers/passwords_controller.rb +++ b/app/controllers/passwords_controller.rb @@ -15,4 +15,25 @@ class PasswordsController < Devise::PasswordsController respond_with(resource) end end + + # After a user resets their password, prompt for 2FA code if enabled instead + # of signing in automatically + # + # See http://git.io/vURrI + def update + super do |resource| + # TODO (rspeicher): In Devise master (> 3.4.1), we can set + # `Devise.sign_in_after_reset_password = false` and avoid this mess. + if resource.errors.empty? && resource.try(:otp_required_for_login?) + resource.unlock_access! if unlockable?(resource) + + # Since we are not signing this user in, we use the :updated_not_active + # message which only contains "Your password was changed successfully." + set_flash_message(:notice, :updated_not_active) if is_flashing_format? + + # Redirect to sign in so they can enter 2FA code + respond_with(resource, location: new_session_path(resource)) and return + end + end + end end |