This repository has been archived by the owner on May 30, 2022. It is now read-only.
* commit 'e790ac877c62baf8e8eaac846ca7c86148b978e4': (43 commits)
Bump version to 1.8.1
Always require token when user has an old cookie
Fix specs
actually sign out everything
Fix for twilio#69
Fixing broken specs broken in twilio#59
Be backwards compatible with old cookies
remove leftover byebug
Make remember_device account specific
Bump version to 1.8.0
Update to rails 4.2.7
Fix token message test
use before_action instead and fix before_filter deprecation warning
Fix install spec
Fix tests
Replaced alias_method_chain with Module#prepend approach
Making quotes in the locale files consistent
Add ability to pass in custom text to request sms link.
Generate the Authy initializer as part of the install generator.
Adds documentation for the request phone call helper
...
# Conflicts:
# lib/devise-authy/controllers/helpers.rb
At the end of the `check_request_and_redirect_to_verify_token` method (https://github.com/authy/authy-devise/blob/master/lib/devise-authy/controllers/helpers.rb#L53), the user is still signed in because the `warden.authenticate?` in Devise's `sign_in` (https://github.com/plataformatec/devise/blob/master/lib/devise/controllers/sign_in_out.rb#L10) is not super clearly named and will re-authenticate the user (https://github.com/hassox/warden/blob/master/lib/warden/proxy.rb#L113).

As a result, the user is signed in at the end of this `before_filter`, so a user can just change the url to a different endpoint and bypass 2fa entirely.

A quick fix is to add `sign_out` to `check_request_and_redirect_to_verify_token` (https://github.com/authy/authy-devise/blob/master/lib/devise-authy/controllers/helpers.rb#L53), which has some extra callbacks and will stop the user from being reauthenticated.
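An added Ruby sketch of the sequence described in the issue, not code from devise-authy, Devise or Warden: a warden-like session that keeps the user authenticated after the redirect to the token page unless the before-action signs the user out first. `FakeWarden`, `App`, the `pending_user_id` session key and `bypass_possible?` are assumed names for the illustration.

```ruby
# Added illustration of the issue above; not devise-authy, Devise or Warden code.
User = Struct.new(:id, :authy_enabled)

# Stand-in for warden's session-backed proxy (assumed shape, not the real API):
# whatever is set here survives into the next request until logout is called.
class FakeWarden
  def initialize; @store = {}; end
  def set_user(user); @store[:user] = user; end
  def user; @store[:user]; end
  def logout; @store.clear; end
end

# Toy controller. The flag selects the vulnerable or the fixed before-action.
class App
  attr_reader :warden, :session, :redirected_to

  def initialize(sign_out_before_verify:)
    @warden = FakeWarden.new
    @session = {}
    @sign_out_before_verify = sign_out_before_verify
  end

  # Devise's sign_in ends up re-authenticating the user in warden,
  # independent of whether the second factor has been checked yet.
  def sign_in(user); @warden.set_user(user); end
  def sign_out; @warden.logout; end

  # Runs right after the password step succeeded.
  def check_request_and_redirect_to_verify_token(user)
    sign_in(user)                         # state left by the password step
    return unless user.authy_enabled      # no 2FA: normal sign-in completes
    @session[:pending_user_id] = user.id  # assumed key; the verify step reads it
    sign_out if @sign_out_before_verify   # the fix: clear warden's session now
    @redirected_to = "/users/verify_authy"
  end

  # Any other route guarded only by authenticate_user!: it asks warden, not
  # the redirect, so a populated warden session is enough to get through.
  def protected_endpoint
    @warden.user ? "200 user #{@warden.user.id}" : "302 sign in required"
  end
end

# Simulate: password accepted and the redirect to the token page issued, then
# the browser requests a different protected URL instead of following it.
def bypass_possible?(sign_out_before_verify:)
  app = App.new(sign_out_before_verify: sign_out_before_verify)
  app.check_request_and_redirect_to_verify_token(User.new(1, true))
  app.protected_endpoint.start_with?("200")
end
```

With the sign-out in place the pending user id still reaches the verify step through the separate session key, so the token page keeps working while every other route sees an unauthenticated request.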