From ab768d4784163e9f8ad95d03bcd869aa67c44008 Mon Sep 17 00:00:00 2001
From: Wojtek Kruszewski
Date: Fri, 21 Dec 2012 11:45:29 +0100
Subject: [PATCH] Respond with 401 for request non-HTML requests [#6]
---
 .../controllers/helpers.rb | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/lib/two_factor_authentication/controllers/helpers.rb b/lib/two_factor_authentication/controllers/helpers.rb
index dda5d05..661cbb4 100644
--- a/lib/two_factor_authentication/controllers/helpers.rb
+++ b/lib/two_factor_authentication/controllers/helpers.rb
@@ -10,17 +10,24 @@ module TwoFactorAuthentication
 private
 
 def handle_two_factor_authentication
- if not request.format.nil? and request.format.html? and not devise_controller?
+ unless devise_controller?
 Devise.mappings.keys.flatten.any? do |scope|
 if signed_in?(scope) and warden.session(scope)[:need_two_factor_authentication]
- session["#{scope}_return_tor"] = request.path if request.get?
- redirect_to two_factor_authentication_path_for(scope)
- return
+ handle_failed_second_factor(scope)
 end
 end
 end
 end
 
+ def handle_failed_second_factor(scope)
+ if request.format.present? and request.format.html?
+ session["#{scope}_return_tor"] = request.path if request.get?
+ redirect_to two_factor_authentication_path_for(scope)
+ else
+ render nothing: true, status: :unauthorized
+ end
+ end
+
 def two_factor_authentication_path_for(resource_or_scope = nil)
 scope = Devise::Mapping.find_scope!(resource_or_scope)
 change_path = "#{scope}_two_factor_authentication_path"
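Review bot: In `handle_two_factor_authentication` the `return` that followed the redirect is gone, so stopping the `any?` loop now depends on `handle_failed_second_factor` happening to return a truthy value from `redirect_to` or `render`; if it ever returned nil or false while a second scope was also signed in and pending, the gate would try to respond twice. Keeping the exit explicit, `return handle_failed_second_factor(scope)`, removes that dependency. The `else` branch also denies when `request.format` is missing, which is the right default for a second-factor gate, though `head :unauthorized` states the empty 401 more directly than `render nothing: true, status: :unauthorized`. The diffstat lists only this file, so a request test asserting that a non-HTML request with `need_two_factor_authentication` set receives 401 would pin the new behaviour. The hunk ends inside `two_factor_authentication_path_for`, which is not reviewed here.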