Allow to customize value passed to 2fa remember cookie

8 years ago · 198ef91997
3 changed files with 16 additions and 9 deletions
--- a/app/controllers/devise/two_factor_authentication_controller.rb
+++ b/app/controllers/devise/two_factor_authentication_controller.rb
@ -23,14 +23,7 @@ class Devise::TwoFactorAuthenticationController < DeviseController
  private

  def after_two_factor_success_for(resource)
-    expires_seconds = resource.class.remember_otp_session_for_seconds
-
-    if expires_seconds && expires_seconds > 0
-      cookies.signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME] = {
-          value: "#{resource.class}-#{resource.id}",
-          expires: expires_seconds.from_now
-      }
-    end
+    set_remember_tfa_cookie(resource)

    warden.session(resource_name)[TwoFactorAuthentication::NEED_AUTHENTICATION] = false
    bypass_sign_in(resource, scope: resource_name)
@ -40,6 +33,17 @@ class Devise::TwoFactorAuthenticationController < DeviseController
    redirect_to after_two_factor_success_path_for(resource)
  end

+  def set_remember_tfa_cookie(resource)
+    expires_seconds = resource.class.remember_otp_session_for_seconds
+
+    if expires_seconds && expires_seconds > 0
+      cookies.signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME] = {
+          value: "#{resource.class}-#{resource.public_send(Devise.second_factor_resource_id)}",
+          expires: expires_seconds.from_now
+      }
+    end
+  end
+
  def after_two_factor_success_path_for(resource)
    stored_location_for(resource_name) || :root
  end
--- a/lib/two_factor_authentication.rb
+++ b/lib/two_factor_authentication.rb
@ -27,6 +27,9 @@ module Devise

  mattr_accessor :otp_secret_encryption_key
  @@otp_secret_encryption_key = ''
+
+  mattr_accessor :second_factor_resource_id
+  @@second_factor_resource_id = 'id'
 end

 module TwoFactorAuthentication
--- a/lib/two_factor_authentication/hooks/two_factor_authenticatable.rb
+++ b/lib/two_factor_authentication/hooks/two_factor_authenticatable.rb
@ -1,6 +1,6 @@
 Warden::Manager.after_authentication do |user, auth, options|
  if auth.env["action_dispatch.cookies"]
-    expected_cookie_value = "#{user.class}-#{user.id}"
+    expected_cookie_value = "#{user.class}-#{user.public_send(Devise.second_factor_resource_id)}",
    actual_cookie_value = auth.env["action_dispatch.cookies"].signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME]
    bypass_by_cookie = actual_cookie_value == expected_cookie_value
  end