Merge pull request #99 from msx2/custom-resource-id-field

Custom resource id field

README.md

@@ -96,6 +96,7 @@ config.direct_otp_valid_for = 5.minutes  # Time before direct OTP becomes invali
 config.direct_otp_length = 6  # Direct OTP code length
 config.remember_otp_session_for_seconds = 30.days  # Time before browser has to perform 2fA again. Default is 0.
 config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
+config.second_factor_resource_id = 'id' # Field or method name used to set value for 2fA remember cookie
 ```
 The `otp_secret_encryption_key` must be a random key that is not stored in the
 DB, and is not checked in to your repo. It is recommended to store it in an

app/controllers/devise/two_factor_authentication_controller.rb

@@ -23,14 +23,7 @@ class Devise::TwoFactorAuthenticationController < DeviseController
   private
 
   def after_two_factor_success_for(resource)
-    expires_seconds = resource.class.remember_otp_session_for_seconds
+    set_remember_two_factor_cookie(resource)
-
-    if expires_seconds && expires_seconds > 0
-      cookies.signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME] = {
-          value: "#{resource.class}-#{resource.id}",
-          expires: expires_seconds.from_now
-      }
-    end
 
     warden.session(resource_name)[TwoFactorAuthentication::NEED_AUTHENTICATION] = false
     bypass_sign_in(resource, scope: resource_name)
@@ -40,6 +33,17 @@ class Devise::TwoFactorAuthenticationController < DeviseController
     redirect_to after_two_factor_success_path_for(resource)
   end
 
+  def set_remember_two_factor_cookie(resource)
+    expires_seconds = resource.class.remember_otp_session_for_seconds
+
+    if expires_seconds && expires_seconds > 0
+      cookies.signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME] = {
+          value: "#{resource.class}-#{resource.public_send(Devise.second_factor_resource_id)}",
+          expires: expires_seconds.from_now
+      }
+    end
+  end
+
   def after_two_factor_success_path_for(resource)
     stored_location_for(resource_name) || :root
   end

lib/two_factor_authentication.rb

@@ -27,6 +27,9 @@ module Devise
 
   mattr_accessor :otp_secret_encryption_key
   @@otp_secret_encryption_key = ''
+
+  mattr_accessor :second_factor_resource_id
+  @@second_factor_resource_id = 'id'
 end
 
 module TwoFactorAuthentication

lib/two_factor_authentication/hooks/two_factor_authenticatable.rb

@@ -1,6 +1,6 @@
 Warden::Manager.after_authentication do |user, auth, options|
   if auth.env["action_dispatch.cookies"]
-    expected_cookie_value = "#{user.class}-#{user.id}"
+    expected_cookie_value = "#{user.class}-#{user.public_send(Devise.second_factor_resource_id)}",
     actual_cookie_value = auth.env["action_dispatch.cookies"].signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME]
     bypass_by_cookie = actual_cookie_value == expected_cookie_value
   end