Add support for backup codes

802fcd05 · Dmitriy Zaporozhets · Robert Speicher · b66be0a2 · 802fcd05 · 802fcd05
Commit 802fcd05 authored Mar 31, 2015 by Dmitriy Zaporozhets Committed by Robert Speicher May 09, 2015
6 changed files
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -21,6 +21,12 @@ class Profiles::TwoFactorAuthsController < ApplicationController
    end
  end
+  def codes
+    codes = current_user.generate_otp_backup_codes!
+    current_user.save!
+    send_data codes.join("\n"), filename: 'gitlab_recovery_codes.txt'
+  end
  def destroy
    current_user.otp_required_for_login = false
    current_user.save!

--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -44,7 +44,8 @@ class SessionsController < Devise::SessionsController
    @user = User.by_login(user_params[:login])
    if user_params[:otp_attempt].present?
-      unless @user.valid_otp?(user_params[:otp_attempt])
+      unless @user.valid_otp?(user_params[:otp_attempt]) ||
+        @user.recovery_code?(user_params[:otp_attempt])
        @error = 'Invalid two-factor code'
        render :two_factor and return
      end

--- a/app/views/profiles/accounts/show.html.haml
+++ b/app/views/profiles/accounts/show.html.haml
@@ -28,19 +28,30 @@
  - unless current_user.ldap_user?
    %fieldset
+      - if current_user.otp_required_for_login
+        %legend.text-success
+          %i.fa.fa-check
+          Two-Factor Authentication enabled
+        %div
+          .pull-right
+            = link_to "Disable 2-Factor Authentication", profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm'
+          %p.slead
+            %i.fa.fa-warning
+            Please
+            %strong #{link_to "download recovery codes", codes_profile_two_factor_auth_path}
+            so you can access your account if you lose your phone.
+            %br
+            %i.fa.fa-warning
+            Every time you download recovery codes - we generate the new codes. Previously downloaded codes won't work anymore.
+      - else
        %legend Two-Factor Authentication
+        %div
          %p
            Keep your account secure by enabling two-factor authentication.
            %br
            Each time you log in, you’ll be required to provide your password plus a randomly generated access code.
          %div
-        - if current_user.otp_required_for_login
-          %strong.text-success
-            %i.fa.fa-check
-            2-Factor Authentication enabled
-          .pull-right
-            = link_to "Disable 2-Factor Authentication", profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm'
-        - else
            = link_to "Enable 2-Factor Authentication", new_profile_two_factor_auth_path, class: 'btn btn-success'
  - if show_profile_social_tab?

--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -3,6 +3,7 @@
 Devise.setup do |config|
  config.warden do |manager|
    manager.default_strategies(scope: :user).unshift :two_factor_authenticatable
+    manager.default_strategies(scope: :user).unshift :two_factor_backupable
  end
  # ==> Mailer Configuration

--- a/config/routes.rb
+++ b/config/routes.rb
@@ -226,7 +226,11 @@ Gitlab::Application.routes.draw do
      resources :keys
      resources :emails, only: [:index, :create, :destroy]
      resource :avatar, only: [:destroy]
-      resource :two_factor_auth, only: [:new, :create, :destroy]
+      resource :two_factor_auth, only: [:new, :create, :destroy] do
+        member do
+          get :codes
+        end
+      end
    end
  end

--- a/db/migrate/20150331183602_add_devise_two_factor_backupable_to_users.rb
+++ b/db/migrate/20150331183602_add_devise_two_factor_backupable_to_users.rb
+class AddDeviseTwoFactorBackupableToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :otp_backup_codes, :string, array: true
+  end
+end