This repository has been archived by the owner on May 30, 2022. It is now read-only.

Authy completely bypassable #69

Closed
Gasparila opened this issue Nov 16, 2016 · 1 comment

Comments

@Gasparila
Contributor

Gasparila commented Nov 16, 2016

At the end of the check_request_and_redirect_to_verify_token method (https://github.com/authy/authy-devise/blob/master/lib/devise-authy/controllers/helpers.rb#L53), the user is still signed in because the warden.authenticate? in Devise's sign_in (https://github.com/plataformatec/devise/blob/master/lib/devise/controllers/sign_in_out.rb#L10) is not super clearly named and will re-authenticate the user (https://github.com/hassox/warden/blob/master/lib/warden/proxy.rb#L113).

As a result, the user is signed in at the end of this before_filter so a user can just change the url to a different endpoint and bypass 2fa entirely.

A quick fix is to add sign_out to check_request_and_redirect_to_verify_token (https://github.com/authy/authy-devise/blob/master/lib/devise-authy/controllers/helpers.rb#L53), which has some extra callbacks and will stop the user from being reauthenticated.
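A constructed Ruby simulation of the failure mode described in this issue (added here; not authy-devise, Devise or Warden code). It assumes a plain Hash in place of the Warden session and toy sign_in/sign_out methods, and contrasts a before_action that only redirects with one that signs the user out before redirecting.

```ruby
# Constructed simulation of the flow described in this issue; it is not
# authy-devise or Devise code. A Hash stands in for the Warden session.
class TwoFactorGate
  attr_reader :session, :redirected_to

  def initialize(session = {})
    @session = session
    @redirected_to = nil
  end
  # Mimics Devise's sign_in: (re)authenticates the user for the session.
  def sign_in(user_id)
    session[:user_id] = user_id
  end
  # Mimics Devise's sign_out: clears the authenticated session.
  def sign_out
    session.delete(:user_id)
  end
  def current_user
    session[:user_id]
  end

  def authy_verified?
    session[:authy_verified] == true
  end

  # Vulnerable pattern: redirect only. The session stays authenticated,
  # so a request to any other endpoint is served as the signed-in user.
  def check_and_redirect_vulnerable
    @redirected_to = "/verify-token" unless authy_verified?
  end

  # Hardened pattern (the fix proposed in the issue): sign out before
  # redirecting, so the user is authenticated only once the token is verified.
  def check_and_redirect_fixed
    return if authy_verified?
    sign_out
    @redirected_to = "/verify-token"
  end
end

# Simulate login then the before_action, and report whether a follow-up
# request to a different endpoint would still be served as a signed-in user.
def bypass_possible?(fixed:)
  gate = TwoFactorGate.new
  gate.sign_in(42) # constructed user id
  fixed ? gate.check_and_redirect_fixed : gate.check_and_redirect_vulnerable
  !gate.current_user.nil?
end
```

In the real gem the session is held by Warden, so the equivalent check is whether warden.authenticated? still reports true after the redirect is issued.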

Gasparila added a commit to flexport/authy-devise that referenced this issue Nov 16, 2016
@senekis
Contributor

senekis commented Dec 6, 2016

Related to #70

@senekis senekis closed this as completed Dec 6, 2016
jdejong added a commit to jdejong/authy-devise that referenced this issue Aug 9, 2017
* commit 'e790ac877c62baf8e8eaac846ca7c86148b978e4': (43 commits)
  Bump version to 1.8.1
  Always require token when user has an old cookie
  Fix specs
  actually sign out everything
  Fix for twilio#69
  Fixing broken specs broken in twilio#59
  Be backwards compatible with old cookies
  remove leftover byebug
  Make remember_device account specific
  Bump version to 1.8.0
  Update to rails 4.2.7
  Fix token message test
  use before_action instead and fix before_filter deprication warning
  Fix install spec
  Fix tests
  Replaced alias_method_chain with Module#prepend approach
  Making quotes in the locale files consistent
  Add ability to pass in custom text to request sms link.
  Generate the Authy initializer as part of the install generator.
  Adds documentation for the request phone call helper
  ...

# Conflicts:
#	lib/devise-authy/controllers/helpers.rb