From 7eeccbc006624dab01234125d97161960c6126b2 Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Wed, 6 Jun 2018 18:38:28 -0400 Subject: Installed TOTP gem and added TOTP column to schema. --- Gemfile | 1 + Gemfile.lock | 6 +- db/migrate/20180606223258_add_totp_to_users.rb | 5 ++ db/schema.rb | 76 +++++++++++++------------- 4 files changed, 48 insertions(+), 40 deletions(-) create mode 100644 db/migrate/20180606223258_add_totp_to_users.rb diff --git a/Gemfile b/Gemfile index 09f297d..4ef3294 100644 --- a/Gemfile +++ b/Gemfile @@ -17,6 +17,7 @@ gem 'kaminari', github: 'jomo/kaminari', branch: 'patch-2' # pagination gem 'jquery-textcomplete-rails' # @mentions gem 'actionpack-action_caching', github: 'antulik/actionpack-action_caching', ref: '8c6e52c69315d67437f480da5dce4b7c8737fb32' gem 'mail-gpg', github: 'jomo/mail-gpg', ref: 'a666b48ee866dfa3eaa700f9c5edf4d195d0f8c9' +gem 'totp' # Gems used only for assets and not required # in production environments by default. diff --git a/Gemfile.lock b/Gemfile.lock index bd8feba..939e4e6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -99,6 +99,7 @@ GEM airbrussh (1.3.0) sshkit (>= 1.6.1, != 1.7.0) arel (6.0.4) + base32 (0.3.2) bcrypt (3.1.11) better_errors (2.4.0) coderay (>= 1.0.0) @@ -237,6 +238,8 @@ GEM thor (0.20.0) thread_safe (0.3.6) tilt (2.0.8) + totp (1.0.0) + base32 tzinfo (1.2.5) thread_safe (~> 0.1) uglifier (4.1.8) @@ -277,10 +280,11 @@ DEPENDENCIES sass-rails sqlite3 strip_attributes + totp tzinfo-data uglifier unicorn webrick BUNDLED WITH - 1.16.1 + 1.16.2 diff --git a/db/migrate/20180606223258_add_totp_to_users.rb b/db/migrate/20180606223258_add_totp_to_users.rb new file mode 100644 index 0000000..9b97902 --- /dev/null +++ b/db/migrate/20180606223258_add_totp_to_users.rb @@ -0,0 +1,5 @@ +class AddTotpToUsers < ActiveRecord::Migration + def change + add_column :users, :totp, :string + end +end diff --git a/db/schema.rb b/db/schema.rb index 183a432..030d86d 100644 --- a/db/schema.rb +++ b/db/schema.rb 
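Review bot: `gem 'totp'` is added with no version constraint, unlike the `github:`/`ref:`-pinned entries right above it; the lock resolves it to `totp (1.0.0)` with `base32`, but any later `bundle update` can move a gem that sits on the authentication path to a new major release without anyone noticing. Pin it, e.g. `gem 'totp', '~> 1.0'`, and treat a bump of this gem or its `base32` dependency as a change that needs review rather than a routine lock refresh.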
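Review bot: `add_column :users, :totp, :string` stores the shared TOTP seed in clear text beside `password_digest`, so anyone who can read the `users` table or a backup can compute valid codes and the second factor adds nothing beyond the password; the same holds for the later hunks that rename the column to `totp_code` and then `totp_secret`. Encrypt the value before it reaches the attribute with a key kept outside the database (Rails ships `ActiveSupport::MessageEncryptor` for this), or at minimum mark the column as secret material so it is kept out of logs, serializers and admin views. A comment on the column line, `# TOTP seed: secret material, never expose in views, logs or JSON`, would help until encryption lands.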
@@ -11,18 +11,17 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20171013001146) do +ActiveRecord::Schema.define(version: 20180606223258) do create_table "badges", force: :cascade do |t| - t.string "name", limit: 191 - t.string "symbol", limit: 191 - t.string "color", limit: 191 - t.integer "value", limit: 4 + t.string "name", limit: 191 + t.string "symbol", limit: 191 + t.string "color", limit: 191 end create_table "blogposts", force: :cascade do |t| - t.string "title", limit: 255 - t.text "content", limit: 16777215 + t.string "title", limit: 191 + t.text "content", limit: 65535 t.integer "user_author_id", limit: 4 t.integer "user_editor_id", limit: 4 t.datetime "created_at" @@ -30,7 +29,7 @@ ActiveRecord::Schema.define(version: 20171013001146) do end create_table "comments", force: :cascade do |t| - t.text "content", limit: 16777215 + t.text "content", limit: 65535 t.integer "user_author_id", limit: 4 t.integer "user_editor_id", limit: 4 t.integer "blogpost_id", limit: 4 @@ -39,14 +38,14 @@ ActiveRecord::Schema.define(version: 20171013001146) do end create_table "forumgroups", force: :cascade do |t| - t.string "name", limit: 255 + t.string "name", limit: 191 t.integer "position", limit: 4 t.integer "role_read_id", limit: 4 t.integer "role_write_id", limit: 4 end create_table "forums", force: :cascade do |t| - t.string "name", limit: 255 + t.string "name", limit: 191 t.integer "position", limit: 4 t.integer "role_read_id", limit: 4 t.integer "role_write_id", limit: 4 
@@ -60,10 +59,10 @@ ActiveRecord::Schema.define(version: 20171013001146) do end create_table "forumthreads", force: :cascade do |t| - t.string "title", limit: 255 - t.text "content", limit: 16777215 - t.boolean "sticky", default: false - t.boolean "locked", default: false + t.string "title", limit: 191 + t.text "content", limit: 65535 + t.boolean "sticky", default: false + t.boolean "locked", default: false t.integer "user_author_id", limit: 4 t.integer "user_editor_id", limit: 4 t.integer "forum_id", limit: 4 
@@ -73,49 +72,47 @@ ActiveRecord::Schema.define(version: 20171013001146) do end add_index "forumthreads", ["content"], name: "index_forumthreads_on_content", type: :fulltext - add_index "forumthreads", ["title", "content"], name: "forumthreads_title_content", type: :fulltext add_index "forumthreads", ["title", "content"], name: "index_forumthreads_on_title_and_content", type: :fulltext add_index "forumthreads", ["title"], name: "index_forumthreads_on_title", type: :fulltext create_table "info", force: :cascade do |t| - t.string "title", limit: 255 - t.text "content", limit: 16777215 + t.string "title", limit: 191 + t.text "content", limit: 65535 t.datetime "created_at" t.datetime "updated_at" end create_table "labels", force: :cascade do |t| - t.string "name", limit: 255 - t.string "color", limit: 255 + t.string "name", limit: 191 + t.string "color", limit: 191 end create_table "register_tokens", force: :cascade do |t| t.string "uuid", limit: 32, null: false t.string "token", limit: 6, null: false - t.string "email", limit: 191 + t.string "email", limit: 191, null: false end - add_index "register_tokens", ["email"], name: "index_register_tokens_on_email", unique: true, using: :btree add_index "register_tokens", ["uuid"], name: "index_register_tokens_on_uuid", unique: true, using: :btree create_table "roles", force: :cascade do |t| - t.string "name", limit: 255 + t.string "name", limit: 191 t.integer "value", limit: 4 - t.string "color", limit: 255 + t.string "color", limit: 191 end create_table "sessions", force: :cascade do |t| - t.string "session_id", limit: 255, null: false - t.text "data", limit: 16777215 + t.string "session_id", limit: 191, null: false + t.text "data", limit: 65535 t.datetime "created_at" t.datetime "updated_at" end - add_index "sessions", ["session_id"], name: "index_sessions_on_session_id", length: {"session_id"=>191}, using: :btree + add_index "sessions", ["session_id"], name: "index_sessions_on_session_id", using: :btree add_index 
"sessions", ["updated_at"], name: "index_sessions_on_updated_at", using: :btree create_table "threadreplies", force: :cascade do |t| - t.text "content", limit: 16777215 + t.text "content", limit: 65535 t.integer "user_author_id", limit: 4 t.integer "user_editor_id", limit: 4 t.integer "forumthread_id", limit: 4 @@ -127,18 +124,18 @@ ActiveRecord::Schema.define(version: 20171013001146) do add_index "threadreplies", ["forumthread_id"], name: "index_threadreplies_on_forumthread_id", using: :btree create_table "users", force: :cascade do |t| - t.string "uuid", limit: 255, null: false - t.string "name", limit: 191 - t.string "password_digest", limit: 255, null: false - t.string "ign", limit: 255, null: false - t.string "email", limit: 191 + t.string "uuid", limit: 191, null: false + t.string "name", limit: 191, null: false + t.string "password_digest", limit: 191, null: false + t.string "ign", limit: 191, null: false + t.string "email", limit: 191, null: false t.text "about", limit: 65535 - t.string "last_ip", limit: 255 - t.string "skype", limit: 255 - t.string "youtube", limit: 255 - t.string "youtube_channelname", limit: 255 - t.string "twitter", limit: 255 - t.string "email_token", limit: 255 + t.string "last_ip", limit: 191 + t.string "skype", limit: 191 + t.string "youtube", limit: 191 + t.string "youtube_channelname", limit: 191 + t.string "twitter", limit: 191 + t.string "email_token", limit: 191 t.boolean "confirmed", default: false t.datetime "last_seen" t.integer "role_id", limit: 4, null: false 
@@ -149,11 +146,12 @@ ActiveRecord::Schema.define(version: 20171013001146) do t.boolean "mail_own_blogpost_comment", default: true t.boolean "mail_other_blogpost_comment", default: true t.boolean "mail_mention", default: true - t.integer "badge_id", limit: 4, default: 0 + t.integer "badge_id", limit: 4, default: 1 t.boolean "utc_time", default: false t.boolean "header_scroll", default: false t.boolean "dark", default: false t.text "public_key", limit: 65535 + t.string "totp", limit: 191 end add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree -- cgit v1.2.3 From 201e59964e5689922b4d91b1483813ad53ae6509 Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Wed, 6 Jun 2018 18:44:31 -0400 Subject: Cleaned up schema. --- db/schema.rb | 74 ++++++++++++++++++++++++++++++++---------------------------- 1 file changed, 39 insertions(+), 35 deletions(-) diff --git a/db/schema.rb b/db/schema.rb index 030d86d..d5113e1 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -14,14 +14,15 @@ ActiveRecord::Schema.define(version: 20180606223258) do create_table "badges", force: :cascade do |t| - t.string "name", limit: 191 - t.string "symbol", limit: 191 - t.string "color", limit: 191 + t.string "name", limit: 191 + t.string "symbol", limit: 191 + t.string "color", limit: 191 + t.integer "value", limit: 4 end create_table "blogposts", force: :cascade do |t| - t.string "title", limit: 191 - t.text "content", limit: 65535 + t.string "title", limit: 255 + t.text "content", limit: 16777215 t.integer "user_author_id", limit: 4 t.integer "user_editor_id", limit: 4 t.datetime "created_at" @@ -29,7 +30,7 @@ ActiveRecord::Schema.define(version: 20180606223258) do end create_table "comments", force: :cascade do |t| - t.text "content", limit: 65535 + t.text "content", limit: 16777215 t.integer "user_author_id", limit: 4 t.integer "user_editor_id", limit: 4 t.integer "blogpost_id", limit: 4 
@@ -38,14 +39,14 @@ ActiveRecord::Schema.define(version: 20180606223258) do end create_table "forumgroups", force: :cascade do |t| - t.string "name", limit: 191 + t.string "name", limit: 255 t.integer "position", limit: 4 t.integer "role_read_id", limit: 4 t.integer "role_write_id", limit: 4 end create_table "forums", force: :cascade do |t| - t.string "name", limit: 191 + t.string "name", limit: 255 t.integer "position", limit: 4 t.integer "role_read_id", limit: 4 t.integer "role_write_id", limit: 4 @@ -59,10 +60,10 @@ ActiveRecord::Schema.define(version: 20180606223258) do end create_table "forumthreads", force: :cascade do |t| - t.string "title", limit: 191 - t.text "content", limit: 65535 - t.boolean "sticky", default: false - t.boolean "locked", default: false + t.string "title", limit: 255 + t.text "content", limit: 16777215 + t.boolean "sticky", default: false + t.boolean "locked", default: false t.integer "user_author_id", limit: 4 t.integer "user_editor_id", limit: 4 t.integer "forum_id", limit: 4 
@@ -72,47 +73,49 @@ ActiveRecord::Schema.define(version: 20180606223258) do end add_index "forumthreads", ["content"], name: "index_forumthreads_on_content", type: :fulltext + add_index "forumthreads", ["title", "content"], name: "forumthreads_title_content", type: :fulltext add_index "forumthreads", ["title", "content"], name: "index_forumthreads_on_title_and_content", type: :fulltext add_index "forumthreads", ["title"], name: "index_forumthreads_on_title", type: :fulltext create_table "info", force: :cascade do |t| - t.string "title", limit: 191 - t.text "content", limit: 65535 + t.string "title", limit: 255 + t.text "content", limit: 16777215 t.datetime "created_at" t.datetime "updated_at" end create_table "labels", force: :cascade do |t| - t.string "name", limit: 191 - t.string "color", limit: 191 + t.string "name", limit: 255 + t.string "color", limit: 255 end create_table "register_tokens", force: :cascade do |t| t.string "uuid", limit: 32, null: false t.string "token", limit: 6, null: false - t.string "email", limit: 191, null: false + t.string "email", limit: 191 end + add_index "register_tokens", ["email"], name: "index_register_tokens_on_email", unique: true, using: :btree add_index "register_tokens", ["uuid"], name: "index_register_tokens_on_uuid", unique: true, using: :btree create_table "roles", force: :cascade do |t| - t.string "name", limit: 191 + t.string "name", limit: 255 t.integer "value", limit: 4 - t.string "color", limit: 191 + t.string "color", limit: 255 end create_table "sessions", force: :cascade do |t| - t.string "session_id", limit: 191, null: false - t.text "data", limit: 65535 + t.string "session_id", limit: 255, null: false + t.text "data", limit: 16777215 t.datetime "created_at" t.datetime "updated_at" end - add_index "sessions", ["session_id"], name: "index_sessions_on_session_id", using: :btree + add_index "sessions", ["session_id"], name: "index_sessions_on_session_id", length: {"session_id"=>191}, using: :btree add_index 
"sessions", ["updated_at"], name: "index_sessions_on_updated_at", using: :btree create_table "threadreplies", force: :cascade do |t| - t.text "content", limit: 65535 + t.text "content", limit: 16777215 t.integer "user_author_id", limit: 4 t.integer "user_editor_id", limit: 4 t.integer "forumthread_id", limit: 4 @@ -124,18 +127,18 @@ ActiveRecord::Schema.define(version: 20180606223258) do add_index "threadreplies", ["forumthread_id"], name: "index_threadreplies_on_forumthread_id", using: :btree create_table "users", force: :cascade do |t| - t.string "uuid", limit: 191, null: false - t.string "name", limit: 191, null: false - t.string "password_digest", limit: 191, null: false - t.string "ign", limit: 191, null: false - t.string "email", limit: 191, null: false + t.string "uuid", limit: 255, null: false + t.string "name", limit: 191 + t.string "password_digest", limit: 255, null: false + t.string "ign", limit: 255, null: false + t.string "email", limit: 191 t.text "about", limit: 65535 - t.string "last_ip", limit: 191 - t.string "skype", limit: 191 - t.string "youtube", limit: 191 - t.string "youtube_channelname", limit: 191 - t.string "twitter", limit: 191 - t.string "email_token", limit: 191 + t.string "last_ip", limit: 255 + t.string "skype", limit: 255 + t.string "youtube", limit: 255 + t.string "youtube_channelname", limit: 255 + t.string "twitter", limit: 255 + t.string "email_token", limit: 255 t.boolean "confirmed", default: false t.datetime "last_seen" t.integer "role_id", limit: 4, null: false @@ -146,7 +149,7 @@ ActiveRecord::Schema.define(version: 20180606223258) do t.boolean "mail_own_blogpost_comment", default: true t.boolean "mail_other_blogpost_comment", default: true t.boolean "mail_mention", default: true - t.integer "badge_id", limit: 4, default: 1 + t.integer "badge_id", limit: 4, default: 0 t.boolean "utc_time", default: false t.boolean "header_scroll", default: false t.boolean "dark", default: false 
@@ -163,3 +166,4 @@ ActiveRecord::Schema.define(version: 20180606223258) do add_index "users", ["youtube"], name: "index_users_on_youtube", unique: true, using: :btree end + -- cgit v1.2.3 From a241749ee3eb8aaf2044fe49dc55cf1443d1e8cf Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Thu, 7 Jun 2018 20:27:13 -0400 Subject: Added TOTP toggle status to schema. --- db/migrate/20180606223258_add_totp_to_users.rb | 3 ++- db/schema.rb | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/db/migrate/20180606223258_add_totp_to_users.rb b/db/migrate/20180606223258_add_totp_to_users.rb index 9b97902..a85f67a 100644 --- a/db/migrate/20180606223258_add_totp_to_users.rb +++ b/db/migrate/20180606223258_add_totp_to_users.rb @@ -1,5 +1,6 @@ class AddTotpToUsers < ActiveRecord::Migration def change - add_column :users, :totp, :string + add_column :users, :totp_code, :string + add_column :users, :totp_enabled, :boolean, default: false end end diff --git a/db/schema.rb b/db/schema.rb index d5113e1..3fc4abb 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -154,7 +154,8 @@ ActiveRecord::Schema.define(version: 20180606223258) do t.boolean "header_scroll", default: false t.boolean "dark", default: false t.text "public_key", limit: 65535 - t.string "totp", limit: 191 + t.string "totp_code", limit: 255 + t.boolean "totp_enabled", default: false end add_index "users", ["email"], name: "index_users_on_email", unique: true, using: :btree @@ -166,4 +167,3 @@ ActiveRecord::Schema.define(version: 20180606223258) do add_index "users", ["youtube"], name: "index_users_on_youtube", unique: true, using: :btree end - -- cgit v1.2.3 From 6d22462d7a3bebf63b2ea3e28aca4ba75fcac489 Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Thu, 7 Jun 2018 20:31:11 -0400 Subject: Added TOTP field to login screen. --- app/controllers/sessions_controller.rb | 6 +++++- app/views/sessions/new.html.erb | 8 ++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) 
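Review bot: `20180606223258_add_totp_to_users.rb` already landed in the first commit of this series and is now edited in place (and again in the later hunks that rename the column), so any database that ran the original version keeps a `totp` string column and never receives `totp_enabled`; `schema.rb` is regenerated from the author's database, which hides the drift. Put the change in a new migration with a fresh timestamp using the final column name from the later hunks, `rename_column :users, :totp, :totp_secret` and `add_column :users, :totp_enabled, :boolean, default: false, null: false`, where `null: false` keeps the flag from becoming tri-state. Editing in place is only safe if no environment beyond the author's has run the first version, which is not visible here.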
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 784647c..8755730 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -21,6 +21,10 @@ class SessionsController < ApplicationController flash[:alert] = "Your account has been disabled!" elsif user.banned? flash[:alert] = "You are banned!" + elsif user.totp_enabled && !TOTP.verify?(user.totp_code, params[:totp_code]) + flash[:alert] = "You're doing it wrong!" + render action: 'new' + return else session[:user_id] = user.id flash[:notice] = "Logged in!" @@ -110,4 +114,4 @@ class SessionsController < ApplicationController redirect_to login_path end end -end \ No newline at end of file +end diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb index 0158f59..c7cac42 100644 --- a/app/views/sessions/new.html.erb +++ b/app/views/sessions/new.html.erb @@ -16,6 +16,14 @@ <%= link_to "Lost your password?", lost_password_users_path %> + + <%= label_tag :totp_code %> + <%= text_field_tag :totp_code, nil, placeholder: "123456", required: false %> + + + + Leave this field blank if you do not have 2FA enabled. +
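Review bot: The new `elsif user.totp_enabled && ...` branch verifies the code, but nothing in the hunk limits failed attempts or rejects a code that has already been accepted, so a six-digit code can be guessed by repeated submissions and a captured code stays usable until its window closes. Track failed 2FA attempts per user (or reuse whatever throttle protects the password check, if one exists outside the hunk) and store the last accepted time-step so a code is accepted at most once, as RFC 6238 §5.2 recommends. The failure message `"You're doing it wrong!"` also differs from the password-failure branch, which is outside the hunk, and a distinct response on this path confirms that the submitted password was correct; use the same wording as a failed password. The enclosing `if`/`elsif` chain starts before the hunk.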

<%= submit_tag "Log in", class: "btn blue" %>

<% end %> -- cgit v1.2.3 From 1d1b66f4a0ae069965fd1541418f2a9bda654659 Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Thu, 7 Jun 2018 20:37:58 -0400 Subject: Fixed incorrect function name. --- app/controllers/sessions_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 8755730..2681320 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -21,7 +21,7 @@ class SessionsController < ApplicationController flash[:alert] = "Your account has been disabled!" elsif user.banned? flash[:alert] = "You are banned!" - elsif user.totp_enabled && !TOTP.verify?(user.totp_code, params[:totp_code]) + elsif user.totp_enabled && !TOTP.valid?(user.totp_code, params[:totp_code]) flash[:alert] = "You're doing it wrong!" render action: 'new' return -- cgit v1.2.3 From ce8cb6f4ae275c2687be8c0224789e108483fc52 Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Thu, 7 Jun 2018 20:43:51 -0400 Subject: Renamed TOTP secret column in schema. --- db/migrate/20180606223258_add_totp_to_users.rb | 2 +- db/schema.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/db/migrate/20180606223258_add_totp_to_users.rb b/db/migrate/20180606223258_add_totp_to_users.rb index a85f67a..7113c0f 100644 --- a/db/migrate/20180606223258_add_totp_to_users.rb +++ b/db/migrate/20180606223258_add_totp_to_users.rb @@ -1,6 +1,6 @@ class AddTotpToUsers < ActiveRecord::Migration def change - add_column :users, :totp_code, :string + add_column :users, :totp_secret, :string add_column :users, :totp_enabled, :boolean, default: false end end diff --git a/db/schema.rb b/db/schema.rb index 3fc4abb..afd5218 100644 --- a/db/schema.rb +++ b/db/schema.rb 
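Review bot: `required: false` on the `text_field_tag :totp_code` line is a no-op, since Rails omits boolean attributes whose value is false, so it only suggests a conditional requirement that does not exist; drop it. Because the field carries a one-time code, `autocomplete: "one-time-code", inputmode: "numeric"` lets browsers and password managers treat it correctly and keeps a stale value from being autofilled. The surrounding form helper starts outside the hunk.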
@@ -154,7 +154,7 @@ ActiveRecord::Schema.define(version: 20180606223258) do t.boolean "header_scroll", default: false t.boolean "dark", default: false t.text "public_key", limit: 65535 - t.string "totp_code", limit: 255 + t.string "totp_string", limit: 255 t.boolean "totp_enabled", default: false end -- cgit v1.2.3 From 4a49bae011b47aee8303b5b0ca4eda65e1fbaa4d Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Thu, 7 Jun 2018 20:47:28 -0400 Subject: Fixed name inconsistency between migration and schema. --- db/schema.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/schema.rb b/db/schema.rb index afd5218..1e4d5f4 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -154,7 +154,7 @@ ActiveRecord::Schema.define(version: 20180606223258) do t.boolean "header_scroll", default: false t.boolean "dark", default: false t.text "public_key", limit: 65535 - t.string "totp_string", limit: 255 + t.string "totp_secret", limit: 255 t.boolean "totp_enabled", default: false end -- cgit v1.2.3 From e3eaccd430030ebaf61823ac1e6da0fad05e04a5 Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Thu, 7 Jun 2018 21:45:02 -0400 Subject: Added ability to configure 2FA settings in login settings. --- app/controllers/users_controller.rb | 19 ++++++++++++++++++- app/views/users/edit_login.html.erb | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 85e1613..4ad9d59 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -241,6 +241,11 @@ class UsersController < ApplicationController unless @user.is?(current_user) || admin? && current_user.role > @user.role || superadmin? flash[:alert] = "You are not allowed to edit this user's login details!" redirect_to @user + return + end + + if !@user.totp_enabled + @user.update(totp_secret: TOTP.secret) end end 
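Review bot: `@user.update(totp_secret: TOTP.secret)` runs on every request that passes this guard, so a refresh, a second tab or an admin opening the same user's page replaces the pending secret and silently invalidates whatever the user has just scanned into their authenticator. Generate only when nothing is pending, `@user.update(totp_secret: TOTP.secret) if @user.totp_secret.blank?`, and have the disable branch in the later `update_login` hunk set `totp_secret` to nil so the next visit issues a fresh one, which is what the view already promises. The ignored return value of `update` also means a validation failure would leave the page showing a secret that was never persisted, and `if !@user.totp_enabled` reads better as `unless @user.totp_enabled?`. The action this guard belongs to starts outside the hunk; the name `edit_login` is inferred from the flash text and the view.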
@@ -263,6 +268,18 @@ class UsersController < ApplicationController @user.email_token = SecureRandom.hex(16) if mail_changed @user.confirmed = !mail_changed + if params[:user][:totp_enabled] == "1" && !@user.totp_enabled + if TOTP.valid?(@user.totp_secret, params[:totp_code].to_i) + @user.totp_enabled = true + else + flash[:alert] = "Wrong TOTP code!" + render action: "edit_login" + return + end + elsif params[:user][:totp_enabled] == "0" && @user.totp_enabled + @user.totp_enabled = false + end + # checking here for password so we can send back changes to the view if authenticated if @user.save @@ -370,7 +387,7 @@ class UsersController < ApplicationController end def user_params(add = []) - a = [:ign, :email, :password, :password_confirmation, :mail_own_thread_reply, :mail_other_thread_reply, :mail_own_blogpost_comment, :mail_other_blogpost_comment, :mail_mention, :public_key] + add + a = [:ign, :email, :password, :password_confirmation, :mail_own_thread_reply, :mail_other_thread_reply, :mail_own_blogpost_comment, :mail_other_blogpost_comment, :mail_mention, :public_key, :totp_code] + add params.require(:user).permit(a) end end diff --git a/app/views/users/edit_login.html.erb b/app/views/users/edit_login.html.erb index 2fb9903..c09bd54 100644 --- a/app/views/users/edit_login.html.erb +++ b/app/views/users/edit_login.html.erb @@ -25,12 +25,49 @@ <%= f.password_field :password_confirmation %> + + +
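Review bot: The `elsif params[:user][:totp_enabled] == "0" && @user.totp_enabled` branch switches 2FA off on the strength of an unchecked box alone, while switching it on demands a valid code; whoever holds the session, or an admin admitted by the guard in the previous hunk, can strip the second factor, so disabling should also require `TOTP.valid?(@user.totp_secret, params[:totp_code].to_i)` (the view hides the code row once 2FA is on, so it would need to stay visible). `params[:totp_code].to_i` turns a blank or non-numeric field into 0 and drops leading zeros from a six-digit code; whether the gem compares numerically is not visible here, so check the shape first with `unless params[:totp_code].to_s =~ /\A\d{6}\z/` and treat a miss as a wrong code — the login check in `sessions_controller` later in the series uses the same coercion and needs the same guard. The context comment below the block mentions a password check, but it lies outside the hunk, so whether it covers the disable path cannot be confirmed here. `update_login` starts and ends outside the hunk.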
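Review bot: `:totp_code` is added to the `permit` list under `params[:user]`, but the code that consumes it in the previous hunk reads `params[:totp_code]` at the top level and the view submits it via `text_field_tag :totp_code`, so the entry is dead and only widens the mass-assignment allowlist; drop it. If a client did send `user[totp_code]`, assigning it would presumably fail, since no `totp_code` column exists after the earlier rename to `totp_secret`. The list rightly leaves out `totp_enabled` and `totp_secret`; a comment on the line such as `# totp_enabled/totp_secret are set explicitly in update_login, never mass-assigned` would keep a future edit from adding them.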
+ + + + + + + + + + + +
2FA Enabled + <%= f.check_box :totp_enabled %> +
TOTP Secret + <% if !@user.totp_enabled? %> + <%= f.text_field :totp_secret, :readonly => true %> + <% else %> + 2FA is currently enabled. Disable 2FA to generate a new secret. + <% end %> +
+
+ + + <% if !@user.totp_enabled? %> + + + + + + + + <% end %>
Current password <%= password_field_tag :current_password, nil, disabled: !@user.is?(current_user) %>
TOTP Code + <%= text_field_tag :totp_code, nil, disabled: !@user.is?(current_user) %> +
Leave this field blank if you are not enabling 2FA.

<%= f.submit "Save Changes", class: "btn blue left" %>

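Review bot: `f.check_box :totp_enabled` stays active for an admin editing another user's account while the `text_field_tag :totp_code` control is `disabled: !@user.is?(current_user)`, so a non-owner can only ever uncheck the box, turning someone else's 2FA off, which is the one operation that should not happen without that user's own factor; give the checkbox the same `disabled: !@user.is?(current_user)`. `f.text_field :totp_secret, :readonly => true` places the raw seed in a submitted form field, which is harmless only while `totp_secret` stays out of the permitted params, so render it as plain text (ideally alongside an `otpauth://` QR code) rather than an input. The hash-rocket `:readonly => true` and `if !@user.totp_enabled?` also sit beside symbol-key `disabled:` style on the same page. The `form_for` block this belongs to starts outside the hunk.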
-- cgit v1.2.3 From e8038a5416b55a022be3bb78f19b0f712a0c94ce Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Thu, 7 Jun 2018 21:51:54 -0400 Subject: Fixed 2FA enforcement on login screen. --- app/controllers/sessions_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 2681320..cb8dcef 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -21,7 +21,7 @@ class SessionsController < ApplicationController flash[:alert] = "Your account has been disabled!" elsif user.banned? flash[:alert] = "You are banned!" - elsif user.totp_enabled && !TOTP.valid?(user.totp_code, params[:totp_code]) + elsif user.totp_enabled && !TOTP.valid?(user.totp_secret, params[:totp_code].to_i) flash[:alert] = "You're doing it wrong!" render action: 'new' return -- cgit v1.2.3 From 8158520bcc0bf272f6bf055fb0aa73d27559ecbf Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Thu, 7 Jun 2018 22:11:58 -0400 Subject: Made login settings page title and buttons leading to it consistent. --- app/views/users/edit.html.erb | 2 +- app/views/users/edit_login.html.erb | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb index 2408c3b..3516cc9 100644 --- a/app/views/users/edit.html.erb +++ b/app/views/users/edit.html.erb @@ -71,7 +71,7 @@

<%= f.submit "Save Profile", class: "btn variable-size left", disabled: (!@user.confirmed? && @user.is?(current_user)) %>

- <%= link_to "Edit Login Details", edit_login_user_path(@user), class: "btn variable-size right" %> + <%= link_to "Login Settings", edit_login_user_path(@user), class: "btn variable-size right" %> <%= link_to "Notification Settings", edit_notifications_user_path(@user), class: "btn variable-size right" %> <%= link_to "Website Settings", edit_website_settings_user_path(@user), class: "btn variable-size right" %>

diff --git a/app/views/users/edit_login.html.erb b/app/views/users/edit_login.html.erb index c09bd54..c55ace7 100644 --- a/app/views/users/edit_login.html.erb +++ b/app/views/users/edit_login.html.erb @@ -1,7 +1,7 @@ <% title "Edit Login Credentials: #{@user.name}" %> -<%= link_to @user.name, @user %> → Edit Login credentials -

Edit Login Credentials

+<%= link_to @user.name, @user %> → Edit Login settings +

Edit Login Settings

<%= form_for @user, url: update_login_user_path(@user), method: :put do |f| %> -- cgit v1.2.3 From 12efb769302317128057807ce3912b4da18abd3c Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Sat, 9 Jun 2018 12:56:06 -0400 Subject: Added enforcement for requirement of staff members having 2FA enabled. --- app/controllers/application_controller.rb | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index d489611..7548b33 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,6 +1,6 @@ class ApplicationController < ActionController::Base protect_from_forgery - before_filter :update_ip, :update_seen, :check_banned + before_filter :update_ip, :update_seen, :check_banned, :check_2fa # TODO: use SSL @@ -41,6 +41,14 @@ class ApplicationController < ActionController::Base end end + def check_2fa + # Over complicated way of asking if the user is logged in as a mod without TOTP enabled while they are not on their login settings screen, logging out, or updating their login settings. + if current_user && current_user.mod? && !current_user.totp_enabled? && (!(controller_name == "users") || !(action_name == "edit_login")) && !(controller_name == "sessions" && action_name == "destroy") && !(action_name == "update_login") + flash[:alert] = "Due to your staff rank, you are required to enable 2FA." + redirect_to :controller => "users", :action => "edit_login", :id => current_user.id + end + end + #roles def disabled? -- cgit v1.2.3 From 09e3312ccaf3215876444c6f3afc08b0c7eea4ce Mon Sep 17 00:00:00 2001 From: Logan Fick Date: Sat, 9 Jun 2018 13:02:43 -0400 Subject: Made formatting more consistent. --- app/controllers/application_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 7548b33..063c173 100644 
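Review bot: The heading and breadcrumb now say "Settings", but the context line `<% title "Edit Login Credentials: #{@user.name}" %>` at the top of the hunk still says "Credentials", so the browser title disagrees with the page the commit set out to make consistent; change it to `<% title "Edit Login Settings: #{@user.name}" %>`. The button in `edit.html.erb` was renamed in the same commit, so this is the only remaining occurrence visible in the series.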
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -43,7 +43,7 @@ class ApplicationController < ActionController::Base
 def check_2fa
 # Over complicated way of asking if the user is logged in as a mod without TOTP enabled while they are not on their login settings screen, logging out, or updating their login settings.
- if current_user && current_user.mod? && !current_user.totp_enabled? && (!(controller_name == "users") || !(action_name == "edit_login")) && !(controller_name == "sessions" && action_name == "destroy") && !(action_name == "update_login")
+ if current_user && current_user.mod? && !current_user.totp_enabled? && !(controller_name == "users" && action_name == "edit_login") && !(controller_name == "sessions" && action_name == "destroy") && !(controller_name == "users" && action_name == "update_login")
 flash[:alert] = "Due to your staff rank, you are required to enable 2FA."
 redirect_to :controller => "users", :action => "edit_login", :id => current_user.id
 end -- cgit v1.2.3
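Review bot: The rewritten condition is one long boolean that the comment above it already calls over-complicated; the exemptions are data, so list them once in a frozen constant and use guard clauses, which also turns the next exempt action into a one-line change. Behaviour is unchanged: a mod without TOTP is redirected unless the request is `users#edit_login`, `users#update_login` or `sessions#destroy`. The hash-rocket `redirect_to :controller => ...` line can use the `key:` style the rest of the hunk uses.
```ruby
  # Controller/action pairs a staff member may reach before enabling 2FA.
  TWO_FACTOR_EXEMPT = [%w[users edit_login], %w[users update_login], %w[sessions destroy]].freeze

  def check_2fa
    return unless current_user && current_user.mod? && !current_user.totp_enabled?
    return if TWO_FACTOR_EXEMPT.include?([controller_name, action_name])

    flash[:alert] = "Due to your staff rank, you are required to enable 2FA."
    redirect_to controller: "users", action: "edit_login", id: current_user.id
  end
```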