Diffstat (limited to 'app/controllers/admin/sessions_controller.rb')
-rw-r--r-- | app/controllers/admin/sessions_controller.rb | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/app/controllers/admin/sessions_controller.rb b/app/controllers/admin/sessions_controller.rb
index f9587655a8d..841ad46b47e 100644
--- a/app/controllers/admin/sessions_controller.rb
+++ b/app/controllers/admin/sessions_controller.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 class Admin::SessionsController < ApplicationController
+  include Authenticates2FAForAdminMode
   include InternalRedirect
 
   before_action :user_is_admin!
@@ -15,7 +16,9 @@ class Admin::SessionsController < ApplicationController
   end
 
   def create
-    if current_user_mode.enable_admin_mode!(password: params[:password])
+    if two_factor_enabled_for_user?
+      admin_mode_authenticate_with_two_factor
+    elsif current_user_mode.enable_admin_mode!(password: user_params[:password])
       redirect_to redirect_path, notice: _('Admin mode enabled')
     else
       flash.now[:alert] = _('Invalid login or password')
@@ -37,6 +40,10 @@ class Admin::SessionsController < ApplicationController
     render_404 unless current_user&.admin?
   end
 
+  def two_factor_enabled_for_user?
+    current_user&.two_factor_enabled?
+  end
+
   def redirect_path
     redirect_to_path = safe_redirect_path(stored_location_for(:redirect)) ||
       safe_redirect_path_for_url(request.referer)
@@ -51,4 +58,13 @@ class Admin::SessionsController < ApplicationController
   def excluded_redirect_paths
     [new_admin_session_path, admin_session_path]
   end
+
+  def user_params
+    params.fetch(:user, {}).permit(:password, :otp_attempt, :device_response)
+  end
+
+  def valid_otp_attempt?(user)
+    user.validate_and_consume_otp!(user_params[:otp_attempt]) ||
+      user.invalidate_otp_backup_code!(user_params[:otp_attempt])
+  end
 end
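Review bot: The password branch of `create` now reads `user_params[:password]`, i.e. a field nested under `user`, where it previously read the top-level `params[:password]`; the matching form change is not part of this diff, so confirm the admin-mode form posts `user[password]`, otherwise every admin without 2FA will be rejected with 'Invalid login or password'. In the new first branch this controller no longer checks the password itself and hands off to `admin_mode_authenticate_with_two_factor` from the included concern, which is not visible here; presumably the concern verifies the password before the OTP, and that contract deserves a comment on the branch, e.g. `# With 2FA enabled, both password and OTP are verified by Authenticates2FAForAdminMode`. The body of `create` continues past the end of the hunk.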
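Review bot: `valid_otp_attempt?` reads `user_params[:otp_attempt]` twice and feeds the same value into two consuming calls, `validate_and_consume_otp!` and then `invalidate_otp_backup_code!`; binding it once makes the fallback order explicit and avoids re-permitting params, e.g. `otp = user_params[:otp_attempt]` followed by `user.validate_and_consume_otp!(otp) || user.invalidate_otp_backup_code!(otp)`. Whether either call tolerates a missing `otp_attempt` is not visible in this diff, so a leading `return false if otp.blank?` would keep a request without the field from reaching the backup-code path at all. Nothing in the hunk shows the caller of this method; presumably it is the concern, and a short comment naming that caller would help, since the method otherwise looks unused within the controller. It is also worth confirming, outside this diff, that failed admin-mode OTP attempts are subject to the same lockout handling as the regular sign-in flow.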