two_factor_authentication

Two factor authentication ignores devise registration edit and update

Open mesbahmilad opened this issue 10 years ago • 6 comments

If the two-factor authentication is turned on, the user can still navigate to the edit registration path and update the information.

mesbahmilad, Jan 29 '15 00:01

Thanks for your report, could you please provide some example?

Houdini, Jan 30 '15 00:01

Example:

If the Devise model is "user", once logged in you are presented with the two-factor authentication wall to enter the code. From here you can navigate to "users/edit", and since this is a Devise controller the gem skips code validation.

Once in the edit view you can edit the user information without being authorized with the code.

PS. Great gem!

mesbahmilad, Feb 02 '15 19:02

@mesbahmilad This can be solved by overriding the Devise RegistrationsController in your app (or any other controller where you want to enforce 2FA) and adding a before_action, such as:

```ruby
# app/controllers/users/registrations_controller.rb
# (assumes routes point Devise at it, e.g.
#  devise_for :users, controllers: { registrations: 'users/registrations' })
class Users::RegistrationsController < Devise::RegistrationsController
  # :new, :create and :cancel must stay reachable for sign-up; every other
  # action (edit, update, destroy) requires the second factor to be verified.
  before_action :confirm_two_factor_authenticated, except: [:new, :create, :cancel]

  private

  # is_fully_authenticated? is the gem's helper: true once the user has
  # entered a valid code in this session.
  def confirm_two_factor_authenticated
    return if is_fully_authenticated?

    flash[:error] = t('devise.errors.messages.user_not_authenticated')
    redirect_to user_two_factor_authentication_url
  end
end
```

monfresh, Dec 23 '15 03:12

This is a pretty huge security flaw. You can sign in without 2FA, go to the edit page and disable 2FA from there. I'd recommend adding a note in the README at least.

wrgoto, Jun 19 '18 17:06

This note should definitely be added to the readme, as a post-setup installation note. Can the gem be secured internally, though?

Tectract, Nov 30 '18 17:11
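As an added example (not the gem's code and not posted by anyone in this thread), here is one way to answer the question above about securing this centrally rather than through a before_action in each overridden Devise controller: a Rack middleware that sends every request from a password-only session back to the code form unless the path is on a short allowlist, so a newly generated Devise controller cannot reopen the hole. The session keys :user_id and :two_factor_passed, the allowlist paths, the redirect target and the stand-in app are assumptions; wire them to whatever your app and the gem actually store.

```ruby
# TwoFactorGate: a Rack middleware that enforces the second-factor step for
# every request of a user who has passed only the password step, regardless
# of which Devise controller serves the path. Added example, not the gem's code.
#
# Assumptions (hypothetical, adapt to your app): after the password step the
# session holds :user_id, and after the code step it also holds
# :two_factor_passed. Rails sessions use string keys; the lookup accepts both.
class TwoFactorGate
  # Paths a half-authenticated user must still be able to reach.
  DEFAULT_ALLOWLIST = %w[
    /users/two_factor_authentication
    /users/sign_out
  ].freeze

  def initialize(app, redirect_to: '/users/two_factor_authentication', allow: DEFAULT_ALLOWLIST)
    @app = app
    @redirect_to = redirect_to
    @allow = allow
  end

  def call(env)
    session = env['rack.session'] || {}
    if password_only?(session) && !allowed?(env['PATH_INFO'].to_s)
      # Deny by default: anything not on the allowlist goes back to the code form.
      return [302, { 'Location' => @redirect_to, 'Content-Type' => 'text/plain' }, ['Redirecting to 2FA']]
    end
    @app.call(env)
  end

  private

  def session_value(session, key)
    session[key] || session[key.to_s]
  end

  # Signed in with a password, but the second factor has not been verified.
  # Anonymous requests pass through; Devise's authenticate_user! handles them.
  def password_only?(session)
    session_value(session, :user_id) && !session_value(session, :two_factor_passed)
  end

  # Exact match or a sub-path; "/users/sign_out_extra" is not "/users/sign_out".
  def allowed?(path)
    @allow.any? { |p| path == p || path.start_with?("#{p}/") }
  end
end

# Stand-in for the Rails app behind the gate (constructed for the example):
# it would serve the registration edit form to anyone who reaches it.
PROTECTED_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['edit form']] }

# Push one constructed request through the gate and return the HTTP status.
def gate_status(path, session)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'rack.session' => session }
  TwoFactorGate.new(PROTECTED_APP).call(env).first
end

if $PROGRAM_NAME == __FILE__
  puts gate_status('/users/edit', { user_id: 1 })                           # 302: password step only
  puts gate_status('/users/edit', { user_id: 1, two_factor_passed: true })  # 200: code verified
  puts gate_status('/users/edit', {})                                       # 200: anonymous, Devise decides
  puts gate_status('/users/two_factor_authentication', { user_id: 1 })      # 200: allowlisted
end
```

In a Rails app this has to sit after the session middleware so that `env['rack.session']` is populated, for example `config.middleware.insert_after ActionDispatch::Session::CookieStore, TwoFactorGate` in config/application.rb (assuming the cookie store). The allowlist must contain the code-entry path and sign-out and nothing else; the per-controller before_action above remains useful as defence in depth for the actions that disable 2FA.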

I made a PR, here:

https://github.com/Houdini/two_factor_authentication/pull/160

I'm not sure why it failed Travis CI; I only updated the README...

Tectract, Nov 30 '18 19:11