devise-two-factor

calling super in the two factor strategy is problematic...

Open patrick99e99 opened this issue 2 years ago • 0 comments

My application has a two step authentication process:

  1. calls out to a 3rd party authentication service to validate a username & password (I have a custom devise strategy for this)
  2. redirects to an otp page for authorization

The TwoFactorAuthenticatable strategy inherits from Devise::Strategies::DatabaseAuthenticatable and does:

        if validate(resource) { validate_otp(resource) }
          super
        end

As soon as super is called, DatabaseAuthenticatable is expecting there to be a password param, and trying to authenticate the user with that. So with my case, it is trying to authenticate twice (as I stated, my custom devise strategy handles username/password authentication), except user password hashes are not stored in my database, so DatabaseAuthenticatable is completely the wrong subclass for TwoFactorAuthenticatable to use in my case...

It would have been so nice if you could have had a configuration flag that would conditionally execute that super call...

I hate to have to monkey patch, but it seems like the only option.

patrick99e99 Jun 15 '23 04:06
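
The behaviour described in the issue above, reproduced with plain-Ruby stand-ins as an added example (not the issue author's code and not devise-two-factor's). All class names, the session key `:first_factor_user` and the sample user are assumptions, and the string comparison stands in for real TOTP verification.

```ruby
# Added illustration with plain-Ruby stand-ins; every name here is hypothetical
# and none of this is Devise or devise-two-factor code.
User = Struct.new(:name, :expected_otp) # constructed user; no password hash stored
USERS = { "alice" => User.new("alice", "123456") }.freeze

# Stand-in for a parent strategy that always wants a password param.
class PasswordStrategy
  attr_reader :result

  def initialize(params, session)
    @params = params
    @session = session
    @result = :fail
  end

  def authenticate!
    @result = @params[:password] == "constructed-password" ? :success : :fail
  end
end

# Same shape as the snippet in the issue: OTP check, then unconditional super.
class OtpThenSuper < PasswordStrategy
  def authenticate!
    user = USERS[@params[:name]]
    return @result = :fail unless user && @params[:otp] == user.expected_otp
    super # parent now looks for a password that this flow never submits
  end
end

# OTP-only second step. It skips the password check, so it must require
# server-side proof that step one (the third-party login) already passed.
class OtpOnlySecondStep < PasswordStrategy
  def authenticate!
    user = USERS[@session.delete(:first_factor_user)] # marker is single-use
    return @result = :fail unless user
    @result = @params[:otp] == user.expected_otp ? :success : :fail
  end
end

def run_strategy(klass, params, session = {})
  strategy = klass.new(params, session)
  strategy.authenticate!
  strategy.result
end
```

Any flag or patch that skips the parent's password check leaves the OTP as the only gate in that strategy, which is why the second class refuses to run without the first-factor marker and consumes it on every attempt.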