Fixed api_access_only toggle to generate otp_secret when missing#1084
Open
philayres wants to merge 2 commits intoconsected:developfrom
Conversation
f8161ff to 4bd9165
Summary
Fixes #1083
When toggling an existing user to `api_access_only = true`, the `handle_api_access_only_change` callback now generates a missing `otp_secret` if one was never set. This can occur when a user was created while `TwoFactorAuthDisabledForUser` was `true`, so `setup_two_factor_auth` skipped secret generation at creation time.

Without this fix, such a user ends up with `otp_secret = nil` and `otp_required_for_login = true`, causing `two_factor_setup_required?` to return `true`. The `before_action` in `UserBaseController` then redirects every request — including token-authenticated API calls — to `/users/show_otp`.

Changes

- `app/models/concerns/standard_authentication.rb`: In `handle_api_access_only_change`, generate `otp_secret` if absent before setting `otp_required_for_login = true`
- `spec/models/user_api_access_only_spec.rb`: New test covering the gap — creates a user with 2FA disabled (no `otp_secret`), re-enables 2FA, toggles to `api_access_only`, and asserts all three conditions are correct (`otp_secret` present, `otp_required_for_login` true, `two_factor_setup_required?` false)
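The failure mode and the fix described above, as an added stand-alone illustration that is not code from the consected repository: a plain-Ruby model reproduces the `otp_secret` / `otp_required_for_login` / `api_access_only` state without Rails or Devise, runs the pre-fix and fixed versions of the callback side by side, and walks the same scenario the new spec describes. The class-level `two_factor_auth_disabled` flag stands in for the `TwoFactorAuthDisabledForUser` setting, `generate_otp_secret` is an assumed helper, and `update_api_access_only` and `reproduce` are names chosen here, not the project's.

```ruby
require 'securerandom'

# Added stand-in, not consected's code: a plain-Ruby model reproducing the state
# the PR describes (otp_secret / otp_required_for_login / api_access_only) without
# Rails or Devise. The class-level flag two_factor_auth_disabled stands in for the
# TwoFactorAuthDisabledForUser setting; generate_otp_secret is an assumed helper.
class User
  BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze

  attr_reader :otp_secret, :otp_required_for_login, :api_access_only

  class << self
    attr_accessor :two_factor_auth_disabled
  end

  # 160-bit secret in the RFC 4648 base32 alphabet, the shape TOTP libraries expect.
  def self.generate_otp_secret(bytes = 20)
    bits = SecureRandom.random_bytes(bytes).unpack1('B*')
    bits.scan(/.{1,5}/).map { |chunk| BASE32[chunk.ljust(5, '0').to_i(2)] }.join
  end

  def initialize
    @otp_secret = nil
    @otp_required_for_login = false
    @api_access_only = false
    setup_two_factor_auth # creation-time hook, as in the PR description
  end

  # Skipped entirely while 2FA is disabled for users: this is how a user can
  # be persisted with no otp_secret at all.
  def setup_two_factor_auth
    return if self.class.two_factor_auth_disabled
    @otp_secret ||= self.class.generate_otp_secret
  end

  # The condition the controller's before_action checks: OTP is required but
  # no secret exists, so every request (API calls included) gets redirected.
  def two_factor_setup_required?
    otp_required_for_login && otp_secret.nil?
  end

  # Toggle api_access_only and run the callback, selecting the pre-fix or
  # fixed behaviour so the two can be compared side by side.
  def update_api_access_only(value, fixed: true)
    @api_access_only = value
    fixed ? handle_api_access_only_change : handle_api_access_only_change_before_fix
    self
  end

  private

  # Before the fix: require OTP without making sure a secret exists.
  def handle_api_access_only_change_before_fix
    @otp_required_for_login = true if api_access_only
  end

  # After the fix: backfill the secret first, then require OTP for login.
  def handle_api_access_only_change
    return unless api_access_only
    @otp_secret ||= self.class.generate_otp_secret
    @otp_required_for_login = true
  end
end

# Walks the scenario the new spec describes: create the user with 2FA disabled
# (no secret), re-enable 2FA, toggle to api_access_only, then read the three
# conditions the spec asserts on.
def reproduce(fixed:)
  User.two_factor_auth_disabled = true
  user = User.new
  User.two_factor_auth_disabled = false
  user.update_api_access_only(true, fixed: fixed)
  {
    otp_secret_present: !user.otp_secret.nil?,
    otp_required_for_login: user.otp_required_for_login,
    two_factor_setup_required: user.two_factor_setup_required?
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{reproduce(fixed: false)}"
  puts "after fix:  #{reproduce(fixed: true)}"
end
```

Run it directly to see the pre-fix state (`two_factor_setup_required: true`, which is what drives the redirect loop) next to the fixed state. One caveat worth checking when reviewing a fix of this shape: the backfill runs inside the toggle callback, so a user row that is already persisted with `api_access_only = true` and `otp_secret = nil` only gets a secret if the flag is toggled again; if such rows exist, they need a separate pass.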