two_factor_authentication

Application previously using this gem has several issues trying to upgrade

Open jonuhal opened this issue 11 years ago • 8 comments

  • The migration barfed when a migration already existed with the same class name. -- Suggest adding Otp to the migration class name.
  • The migration assumed second_factor_attempts_count does not exist. This is an issue for apps that already have this column name from previous use of this gem.
  • Ability to define "login_code_random_pattern" seems to have gone away even though docs still state ability to control login pattern.
  • Table "valid_mfa_tokens" no longer is necessary (from 0.2 code).
  • Putting has_one_time_password before "devise :two_factor_authenticatable" causes start up errors -- Using Thin 1.6.2; Rails 4.0.4
  • Documentation still mentions ":second_factor_pass_code" (README.md)
  • When trying to get access to the otp_code in the model's send_two_factor_authentication_code implementation method, the following gets thrown. -- undefined method `scan' for nil:NilClass

jonuhal, Mar 31 '14 02:03

Thanks for your response. I recommend you not upgrade right now; just use the previous version, it's absolutely OK.

As for the new version, please check this example: https://github.com/Houdini/TwoFactorAuthenticationExample

About the migration and undefined method `scan' for nil:NilClass, please give me a week; I'll prepare a "how to migrate" section in the documentation.

Houdini, Mar 31 '14 06:03

Is there a quick fix available for the issue with scan?

simonmorley, Apr 17 '14 09:04

As I understand it, the problem with scan is that otp_secret_key is nil and it shouldn't be. Why is it nil?

Probably you use the previous version, when we didn't yet generate otp_secret_key in the before_save action. If this is the case, you should update the gem and manually create otp_secret_key (and of course share it with your users).

Maybe a better solution is to ignore two_factor_authentication if otp_secret_key is nil in the need_two_factor_authentication? method.

Houdini, Apr 17 '14 10:04
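The fix described in the comment above, as an added example that is not part of the thread or the gem's own code: it backfills otp_secret_key for records created before the upgrade and checks that a usable secret exists before any OTP call. The `User` struct, `random_base32_secret`, `backfill_otp_secrets`, `otp_ready?` and the sample rows are hypothetical stand-ins; a real app would run the same logic against its ActiveRecord model.

```ruby
require 'securerandom'

# Hypothetical stand-in for the app's Devise model (a real app uses ActiveRecord).
User = Struct.new(:email, :otp_secret_key)

BASE32_ALPHABET = ('A'..'Z').to_a + ('2'..'7').to_a

# 16 base32 characters = 80 bits, drawn from the OS CSPRNG.
def random_base32_secret(length = 16)
  Array.new(length) { BASE32_ALPHABET[SecureRandom.random_number(32)] }.join
end

# Give every pre-upgrade record a secret. Existing secrets are never
# overwritten, because that would break authenticators already enrolled.
# Returns the users that were changed, i.e. those who still need to be
# given their new secret.
def backfill_otp_secrets(users)
  users.select { |u| u.otp_secret_key.nil? || u.otp_secret_key.empty? }
       .each { |u| u.otp_secret_key = random_base32_secret }
end

# Readiness check to call before any OTP generation or verification.
# If 2FA is skipped when this is false, that account is password-only
# until the backfill has run, so the backfill is what closes the gap.
def otp_ready?(user)
  key = user.otp_secret_key
  !key.nil? && key.match?(/\A[A-Z2-7]+\z/)
end

# Constructed sample data: two legacy rows without a secret, one enrolled.
def sample_users
  [
    User.new('old1@example.test', nil),
    User.new('old2@example.test', ''),
    User.new('new@example.test', 'JBSWY3DPEHPK3PXP')
  ]
end

if __FILE__ == $PROGRAM_NAME
  users = sample_users
  puts "not ready: #{users.reject { |u| otp_ready?(u) }.map(&:email).inspect}"
  puts "backfilled: #{backfill_otp_secrets(users).map(&:email).inspect}"
  puts "all ready: #{users.all? { |u| otp_ready?(u) }}"
end
```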

OK. It wasn't clear in the docs that we needed to generate it. I'll have another go.

simonmorley, Apr 17 '14 10:04

@simonmorley Would be great if you add an FAQ to the main README.md in good English about that.

Houdini, Apr 17 '14 10:04

I can probably do this :) Also worth mentioning in the upgrade path that the deps have been updated significantly too.

After updating the gem I now have Rails 4.1 and the misery that accompanies it. This isn't really a problem with your stuff, more of a general notice.

On another note, we were in the process of redoing version 2 to support custom word lists - we discovered the English dictionary has a number of pretty offensive words in it!

Not sure where that now fits though and I prefer your new and more secure functionality.

How would you feel about including the word list stuff as an addon?

simonmorley, Apr 17 '14 10:04

Not sure about the word list addon. The solution with rotp is better and more scalable.

In my view, the missing feature right now is backup codes.

Houdini, Apr 18 '14 08:04

Using the new remember_otp_session configuration. Had to manually go into the gem's directory to update. Works locally, but trying to build to production (Jenkins), and the new configurations aren't there. Have you worked out how to migrate the changes?

mcollie1, Nov 04 '15 20:11