Delete cookie on logout
@ -97,6 +97,7 @@ config.direct_otp_length = 6 # Direct OTP code length
config.remember_otp_session_for_seconds = 30.days # Time before browser has to perform 2fA again. Default is 0.
config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
config.second_factor_resource_id = 'id' # Field or method name used to set value for 2fA remember cookie
config.delete_cookie_on_logout = false # Delete cookie when user signs out, to force 2fA again on login
```
The `otp_secret_encryption_key` must be a random key that is not stored in the
DB, and is not checked in to your repo. It is recommended to store it in an
@ -30,6 +30,9 @@ module Devise
mattr_accessor :second_factor_resource_id
@@second_factor_resource_id = 'id'
mattr_accessor :delete_cookie_on_logout
@@delete_cookie_on_logout = false
end
module TwoFactorAuthentication
@ -11,3 +11,7 @@ Warden::Manager.after_authentication do |user, auth, options|
Warden::Manager.before_logout do |user, auth, _options|
auth.cookies.delete TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME if Devise.delete_cookie_on_logout
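Review bot: The guard on the cookie-deletion line reads the global `Devise.delete_cookie_on_logout`, while the models hunk registers the option as per-model config through `::Devise::Models.config` and the feature spec enables it with `user.class.delete_cookie_on_logout = true`; a value set only on the model would therefore never reach this hook, and the spec may not be exercising the path it intends to. Reading it from the resource, `auth.cookies.delete TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME if user&.class&.delete_cookie_on_logout`, keeps the hook consistent with the config API the commit exposes; whether Warden can invoke before_logout with a nil user is not visible in the hunk, so the safe navigation is a precaution to confirm. Since the remember cookie is what lets a browser skip the second factor, the spec should also restore the class-level flag after the scenario so the setting does not leak into later scenarios. The hook's body continues past the end of the hunk.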
@ -16,7 +16,8 @@ module Devise
::Devise::Models.config(
self, :max_login_attempts, :allowed_otp_drift_seconds, :otp_length,
:remember_otp_session_for_seconds, :otp_secret_encryption_key,
:direct_otp_length, :direct_otp_valid_for, :totp_timestamp)
:direct_otp_length, :direct_otp_valid_for, :totp_timestamp, :delete_cookie_on_logout
)
module InstanceMethodsOnActivation
@ -174,6 +174,18 @@ feature "User of two factor authentication" do
visit dashboard_path
expect(page).to have_content("Enter the code that was sent to you")
scenario 'Delete cookie when user logs out if enabled' do
user.class.delete_cookie_on_logout = true
login_as user
logout
it 'sets the warden session need_two_factor_authentication key to true' do