Merge branch 'rs-refactor-2fa' into 'master'

Refactor SessionsController to use a controller concern See merge request !659

Merge branch 'rs-refactor-2fa' into 'master'
Refactor SessionsController to use a controller concern See merge request !659
aa4f0851 · Dmitriy Zaporozhets · 37bc4bb1 · c802d8ee · aa4f0851 · aa4f0851
Commit aa4f0851 authored May 14, 2015 by Dmitriy Zaporozhets
Showing with 33 additions and 9 deletions

app/controllers/concerns/authenticates_with_two_factor.rb app/controllers/concerns/authenticates_with_two_factor.rb +30 -0

app/controllers/sessions_controller.rb app/controllers/sessions_controller.rb +3 -9

No files found.
--- a/app/controllers/concerns/authenticates_with_two_factor.rb
+++ b/app/controllers/concerns/authenticates_with_two_factor.rb
+# == AuthenticatesWithTwoFactor
+#
+# Controller concern to handle two-factor authentication
+#
+# Upon inclusion, skips `require_no_authentication` on `:create`.
+module AuthenticatesWithTwoFactor
+  extend ActiveSupport::Concern
+
+  included do
+    # This action comes from DeviseController, but because we call `sign_in`
+    # manually, not skipping this action would cause a "You are already signed
+    # in." error message to be shown upon successful login.
+    skip_before_action :require_no_authentication, only: [:create]
+  end
+
+  # Store the user's ID in the session for later retrieval and render the
+  # two factor code prompt
+  #
+  # The user must have been authenticated with a valid login and password
+  # before calling this method!
+  #
+  # user - User record
+  #
+  # Returns nil
+  def prompt_for_two_factor(user)
+    session[:otp_user_id] = user.id
+
+    render 'devise/sessions/two_factor' and return
+  end
+end
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
 class SessionsController < Devise::SessionsController
-  prepend_before_action :authenticate_with_two_factor, only: [:create]
+  include AuthenticatesWithTwoFactor

-  # This action comes from DeviseController, but because we call `sign_in`
-  # manually inside `authenticate_with_two_factor`, not skipping this action
-  # would cause a "You are already signed in." error message to be shown upon
-  # successful login.
-  skip_before_action :require_no_authentication, only: [:create]
+  prepend_before_action :authenticate_with_two_factor, only: [:create]

  def new
    redirect_path =
@@ -74,9 +70,7 @@ class SessionsController < Devise::SessionsController
      end
    else
      if user && user.valid_password?(user_params[:password])
-        # Save the user's ID to session so we can ask for a one-time password
-        session[:otp_user_id] = user.id
-        render :two_factor and return
+        prompt_for_two_factor(user)
      end
    end
  end