diff options
| author | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2016-04-06 14:10:49 +0200 |
|---|---|---|
| committer | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2016-04-06 14:10:49 +0200 |
| commit | fab98178227fb34719122548a80dfc2b9846f122 (patch) | |
| tree | c2211b2fc827b6d0bc83418caee38f7d2d2424a5 /app/controllers/sessions_controller.rb | |
| parent | 301f4074aa05f25757396182490c3ebfffe1e81c (diff) | |
| download | gitlab-ce-fix/2fa-authentication-spoofing.tar.gz | |
Extract 2FA to mixin and fix 2FA auth spoofingfix/2fa-authentication-spoofing
Closes #14900
Diffstat (limited to 'app/controllers/sessions_controller.rb')
| -rw-r--r-- | app/controllers/sessions_controller.rb | 32 |
1 files changed, 2 insertions, 30 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb index 65677a3dd3c..758441682c8 100644 --- a/app/controllers/sessions_controller.rb +++ b/app/controllers/sessions_controller.rb @@ -5,8 +5,9 @@ class SessionsController < Devise::SessionsController skip_before_action :check_2fa_requirement, only: [:destroy] prepend_before_action :check_initial_setup, only: [:new] - prepend_before_action :authenticate_with_two_factor, only: [:create] prepend_before_action :store_redirect_path, only: [:new] + prepend_before_action :two_factor_authentication, + if: :two_factor_enabled?, only: [:create] before_action :auto_sign_in_with_provider, only: [:new] before_action :load_recaptcha @@ -55,14 +56,6 @@ class SessionsController < Devise::SessionsController params.require(:user).permit(:login, :password, :remember_me, :otp_attempt) end - def find_user - if user_params[:login] - User.by_login(user_params[:login]) - elsif user_params[:otp_attempt] && session[:otp_user_id] - User.find(session[:otp_user_id]) - end - end - def store_redirect_path redirect_path = if request.referer.present? && (params['redirect_to_referer'] == 'yes') @@ -83,27 +76,6 @@ class SessionsController < Devise::SessionsController end end - def authenticate_with_two_factor - user = self.resource = find_user - - return unless user && user.two_factor_enabled? - - if user_params[:otp_attempt].present? && session[:otp_user_id] - if valid_otp_attempt?(user) - # Remove any lingering user data from login - session.delete(:otp_user_id) - - sign_in(user) and return - else - flash.now[:alert] = 'Invalid two-factor code.' - render :two_factor and return - end - else - if user && user.valid_password?(user_params[:password]) - prompt_for_two_factor(user) - end - end - end def auto_sign_in_with_provider provider = Gitlab.config.omniauth.auto_sign_in_with_provider |