
Use with Pundit

Open davidkrider opened this issue 5 years ago • 3 comments

I've "taken the training wheels off" my Pundit setup by adding after_action :verify_authorized to my ApplicationPolicy (which blocks every path not explicitly allowed by policy). I'm using Devise with the two_factor_authentication plugin, and ActiveAdmin. So Devise authentications have now been "absorbed" into the /admin namespace, and the 2-factor controller lives somewhere in the mix. This has been working fine until I forced explicit definitions of policy. Now, when the app tries to serve the page to allow a user to enter the OTP, I get the following error:

Started GET "/admin/two_factor_authentication" for ::1 at 2020-02-24 14:27:13 -0500
   (0.8ms)  SELECT "schema_migrations"."version" FROM "schema_migrations" ORDER BY "schema_migrations"."version" ASC
  ↳ /Users/davidkrider/.rvm/gems/ruby-2.5.5/gems/activerecord-5.2.3/lib/active_record/log_subscriber.rb:98
Processing by Devise::TwoFactorAuthenticationController#show as HTML
  User Load (0.5ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1 ORDER BY "users"."id" ASC LIMIT $2  [["id", 2], ["LIMIT", 1]]
  ↳ /Users/davidkrider/.rvm/gems/ruby-2.5.5/gems/activerecord-5.2.3/lib/active_record/log_subscriber.rb:98
  Rendering devise/two_factor_authentication/show.html.haml within layouts/application
  Rendered devise/two_factor_authentication/show.html.haml within layouts/application (6.4ms)
  Role Load (0.2ms)  SELECT  "roles".* FROM "roles" WHERE "roles"."id" = $1 LIMIT $2  [["id", 3], ["LIMIT", 1]]
  ↳ app/models/user.rb:47
Completed 500 Internal Server Error in 767ms (Views: 728.7ms | ActiveRecord: 6.6ms)

Pundit::AuthorizationNotPerformedError - Devise::TwoFactorAuthenticationController:

Started POST "/__better_errors/c9b9b9703df4dabc/variables" for ::1 at 2020-02-24 14:27:14 -0500

I don't know what path/module/namespace/controller/model I'm supposed to be defining to allow this action for all users. How can I cover this path with a Pundit policy? I've tried creating just about every combination of file name, directory path (under /app/policies), and namespace inside the file, but nothing I try even gives me a different error message. Does anyone know the right way to handle this? I can't find a single example on the internet.

davidkrider, Feb 24 '20 19:02

Hi, ActiveAdmin has separate authentication namespaces. It doesn't use DeviseController, but rather ActiveAdmin::Devise::SessionsController.

So that's why you can't just easily plug and play two_factor_authentication with AA.

Could you please give me an example project? I could check it.

Houdini, Feb 25 '20 13:02

The application is proprietary, and already in production, so I can't share it, and it would be hard to remove enough to make it sharable. It just seems like there should be a place in the Pundit gem where I can "see" what the policy name is that the library is trying to find, so that I can write it and place it in the code tree correctly. My best guess so far has been:

/app/policies/active_admin/two_factor_authentication_policy.rb

module ActiveAdmin
  class Devise::TwoFactorAuthenticationPolicy
    attr_reader :user, :record

    # Pundit instantiates a policy with the current user and the record being authorized.
    def initialize(user, record)
      @user = user
      @record = record
    end

    # Pundit looks up the query method with a trailing "?" (show?, not show).
    def show?
      true
    end
  end
end

davidkrider, Feb 25 '20 15:02
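The error in the first post, Pundit::AuthorizationNotPerformedError, is raised by the verify_authorized after_action whenever an action finishes without a call to authorize or skip_authorization; it is not a policy-lookup failure, so no policy file under app/policies can clear it on its own. The following added example (not from the issue, from Pundit or from the two_factor_authentication gem) models that mechanism with constructed stand-in classes instead of the real gems, and shows the usual way a Devise controller such as the OTP page is exempted while every other controller still fails closed:

```ruby
# Constructed stand-ins for the Pundit pieces involved; the real gem is not loaded.
module Pundit
  class AuthorizationNotPerformedError < StandardError; end
  class NotAuthorizedError < StandardError; end
end
# Pundit policies take (user, record) and answer predicate methods ending in "?".
class ApplicationPolicy
  attr_reader :user, :record
  def initialize(user, record); @user, @record = user, record; end
  def show?; false; end
end

class ApplicationController
  def initialize(current_user); @current_user = current_user; @authorized = false; end
  def devise_controller?; false; end

  # Stand-in for Pundit#authorize: records that a check ran, then enforces it.
  def authorize(record, policy)
    @authorized = true # Pundit tracks this as pundit_policy_authorized?
    raise Pundit::NotAuthorizedError unless policy.new(@current_user, record).show?
  end

  # Stand-in for `after_action :verify_authorized, unless: :devise_controller?`:
  # it raises when no authorize/skip_authorization ran, whatever policy files exist.
  def dispatch(action)
    send(action)
    unless @authorized || devise_controller?
      raise Pundit::AuthorizationNotPerformedError, self.class.name
    end
    :ok
  end
end

class PostPolicy < ApplicationPolicy
  def show?; user == :admin; end
end
class PostsController < ApplicationController
  def show; authorize(:post, PostPolicy); end
end

# Devise's OTP controller never calls authorize; exempting Devise controllers is
# what keeps verify_authorized from raising on /admin/two_factor_authentication.
class TwoFactorAuthenticationController < ApplicationController
  def devise_controller?; true; end
  def show; :otp_form; end
end
# A non-Devise controller that forgets to authorize still fails closed.
class LeakyController < ApplicationController
  def show; :secret; end
end
```

In a real Rails app the equivalent is `after_action :verify_authorized, unless: :devise_controller?` in ApplicationController (Devise defines `devise_controller?`), which keeps the fail-closed default for everything that is not a Devise controller.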

No, I mean you could make a separate empty application with just ActiveAdmin and Pundit, and share that new app.

Houdini, Feb 26 '20 10:02