Add support for backup codes

app/controllers/profiles/two_factor_auths_controller.rb

@@ -21,6 +21,12 @@ class Profiles::TwoFactorAuthsController < ApplicationController
     end
   end
 
+  def codes
+    codes = current_user.generate_otp_backup_codes!
+    current_user.save!
+    send_data codes.join("\n"), filename: 'gitlab_recovery_codes.txt'
+  end
+
   def destroy
     current_user.otp_required_for_login = false
     current_user.save!

app/controllers/sessions_controller.rb

@@ -44,7 +44,8 @@ class SessionsController < Devise::SessionsController
     @user = User.by_login(user_params[:login])
 
     if user_params[:otp_attempt].present?
-      unless @user.valid_otp?(user_params[:otp_attempt])
+      unless @user.valid_otp?(user_params[:otp_attempt]) ||
+        @user.recovery_code?(user_params[:otp_attempt])
         @error = 'Invalid two-factor code'
         render :two_factor and return
       end

app/views/profiles/accounts/show.html.haml

@@ -28,20 +28,31 @@
 
   - unless current_user.ldap_user?
     %fieldset
-      %legend Two-Factor Authentication
-      %p
-        Keep your account secure by enabling two-factor authentication.
-        %br
-        Each time you log in, you’ll be required to provide your password plus a randomly generated access code.
-      %div
-        - if current_user.otp_required_for_login
-          %strong.text-success
-            %i.fa.fa-check
-            2-Factor Authentication enabled
+      - if current_user.otp_required_for_login
+        %legend.text-success
+          %i.fa.fa-check
+          Two-Factor Authentication enabled
+        %div
           .pull-right
             = link_to "Disable 2-Factor Authentication", profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm'
-        - else
-          = link_to "Enable 2-Factor Authentication", new_profile_two_factor_auth_path, class: 'btn btn-success'
+          %p.slead
+            %i.fa.fa-warning
+            Please
+            %strong #{link_to "download recovery codes", codes_profile_two_factor_auth_path}
+            so you can access your account if you lose your phone.
+            %br
+            %i.fa.fa-warning
+            Every time you download recovery codes - we generate the new codes. Previously downloaded codes won't work anymore.
+
+      - else
+        %legend Two-Factor Authentication
+        %div
+          %p
+            Keep your account secure by enabling two-factor authentication.
+            %br
+            Each time you log in, you’ll be required to provide your password plus a randomly generated access code.
+          %div
+            = link_to "Enable 2-Factor Authentication", new_profile_two_factor_auth_path, class: 'btn btn-success'
 
   - if show_profile_social_tab?
     %fieldset

config/initializers/devise.rb

@@ -3,6 +3,7 @@
 Devise.setup do |config|
   config.warden do |manager|
     manager.default_strategies(scope: :user).unshift :two_factor_authenticatable
+    manager.default_strategies(scope: :user).unshift :two_factor_backupable
   end
 
   # ==> Mailer Configuration

config/routes.rb

@@ -226,7 +226,11 @@ Gitlab::Application.routes.draw do
       resources :keys
       resources :emails, only: [:index, :create, :destroy]
       resource :avatar, only: [:destroy]
-      resource :two_factor_auth, only: [:new, :create, :destroy]
+      resource :two_factor_auth, only: [:new, :create, :destroy] do
+        member do
+          get :codes
+        end
+      end
     end
   end
 

db/migrate/20150331183602_add_devise_two_factor_backupable_to_users.rb

+class AddDeviseTwoFactorBackupableToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :otp_backup_codes, :string, array: true
+  end
+end