Summary: Add reset token action, and hide/repurpose disable token action
Details:
- Add reset token action to disable OTP, reset token secret, and redirect to otp_tokens#edit to re-enable with new token secret;
- Update disable action to preserve the existing token secret (since the reset action now accomplishes this functionality);
- Hide disable button when mandatory OTP;
- Move disable button to bottom of page;
Breaking Changes (config/locales/en.yml):
- Add:
- reset_link
- successfully_reset_otp
- Move/Update
- disable_explain > reset_explain
- disable_explain_warn > reset_explain_warn
Fix regression due to warden session scope usage
Details:
- Correct warden session usage for refresh_credentials hook and helper methods (requires scope to be specified)
- Add Admin model and AdminPosts controller to dummy app for testing;
- Add tests to confirm resolution;
Summary: Move refresh_credentials functionality to dedicated hook (Refreshable);
Details:
- Add Refreshable hook, and tie into after_set_user callback;
- Utilize native warden session for scoping of credentials_refreshed_at and refresh_return_url properties;
- Remove otp_refresh_credentials from sessions hook (no longer needed);
Summary: Move mandatory OTP functionality to the helper layer to ensure that it is enforced throughout application (rather than one time at log in).
Details:
- Add PublicHelpers class, and add to Devise @@helpers variable to generate per-scope ensure_mandatory_{scope}_otp! methods;
- Update order of module definitions and "require" statements in devise-otp.rb (required for adding DeviseOtpAuthenticable PublicHelpers to Devise @@helpers variable);
Breaking Changes:
- Requires adding "ensure_mandatory_{scope}_otp!" to controllers;
Summary:
- Require confirmation token before enabling Two Factor Authentication (2FA) to ensure that user has added OTP token properly to their device
- Update system to populate OTP secrets as needed
Details:
- Add "edit" action with Confirmation Token for enabling 2FA to otp_tokens controller
- Make enabling of 2FA in update action conditional on valid Confirmation Token
- Repurpose "show" view for display of OTP status and info (no form)
- Update otp_tokens#edit to populate OTP secrets (rather than assuming they are populated via callbacks in OTPDeviseAuthenticatable module)
- Repurpose otp_tokens#destroy to disable 2FA and clear OTP secrets (rather than resetting them)
- Remove OtpAuthenticatable callbacks for setting OTP credentials on create action (no longer needed)
- Replace OtpAuthenticatable "reset_otp_credentials" methods with "clear_otp_fields!" method;
Changes to Locales:
- Remove:
- otp_tokens.enable_request
- otp_tokens.status
- otp_tokens.submit
- Add to otp_tokens scope:
- enable_link
- Move/rename devise.otp.token_secret.reset_* values to devise.otp.otp_tokens.disable_* (for consistency with "enable_link")
- disable_link
- disable_explain
- disable_explain_warn
- Add to new edit_otp_token scope:
- title
- lead_in
- step1
- step2
- confirmation_code
- submit
- Move "explain" to new edit_otp_token scope
- Add devise.otp.otp_tokens.could_not_confirm
- Rename "successfully_reset_creds" to "successfully_disabled_otp"
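The confirm-before-enable flow described in the commit above (populate a secret, require a valid confirmation code before flipping 2FA on, clear the fields on disable) as an added, standalone example; this is not devise-otp's own code. It uses only the Ruby standard library: a minimal RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step, a one-step drift window) and a constructed `User` struct whose `otp_auth_secret` / `otp_enabled` fields and `confirm_and_enable!` / `populate_otp_secret!` helpers are assumptions for illustration, not the gem's schema or API.

```ruby
require 'openssl'
require 'securerandom'

# Minimal RFC 6238 TOTP, standard library only (added example, not devise-otp code).
module Totp
  BASE32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'.freeze

  def self.base32_encode(bytes)
    bits = bytes.unpack1('B*')
    bits += '0' * ((5 - bits.size % 5) % 5)            # pad to a 5-bit boundary
    bits.scan(/.{5}/).map { |b| BASE32[b.to_i(2)] }.join
  end

  def self.base32_decode(str)
    bits = str.upcase.delete('=').each_char.map { |c| BASE32.index(c).to_s(2).rjust(5, '0') }.join
    bits.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')  # trailing partial byte is dropped
  end

  # Code for the 30 s step containing +time+ (RFC 4226 dynamic truncation).
  def self.at(secret_b32, time, digits: 6, step: 30)
    counter = time.to_i / step
    hmac = OpenSSL::HMAC.digest('SHA1', base32_decode(secret_b32), [counter].pack('Q>'))
    offset = hmac.getbyte(19) & 0x0f
    code = (hmac[offset, 4].unpack1('N') & 0x7fffffff) % (10**digits)
    code.to_s.rjust(digits, '0')
  end

  # Accept the current step and +drift+ steps either side, compared in constant time
  # so a wrong guess does not leak how many leading digits matched.
  def self.valid?(secret_b32, code, time, drift: 1, step: 30)
    (-drift..drift).any? { |d| secure_compare(at(secret_b32, time.to_i + d * step, step: step), code.to_s) }
  end

  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed stand-in for the OTP columns on a Devise model (assumed names).
User = Struct.new(:otp_auth_secret, :otp_enabled, keyword_init: true) do
  # Disable 2FA and wipe the secret, so a later enable must provision a fresh one.
  def clear_otp_fields!
    self.otp_auth_secret = nil
    self.otp_enabled = false
  end
end

# Mirrors "otp_tokens#edit populates OTP secrets as needed": only generate when absent,
# so reloading the enrolment page does not silently invalidate a code already scanned.
def populate_otp_secret!(user)
  user.otp_auth_secret ||= Totp.base32_encode(SecureRandom.random_bytes(20))
  user.otp_auth_secret
end

# Mirrors "make enabling of 2FA conditional on valid Confirmation Token":
# 2FA is switched on only after the user proves the device produces the right code.
def confirm_and_enable!(user, confirmation_code, now: Time.now)
  return false if user.otp_auth_secret.nil?                 # nothing provisioned yet
  return false unless Totp.valid?(user.otp_auth_secret, confirmation_code, now)
  user.otp_enabled = true
  true
end

if __FILE__ == $PROGRAM_NAME
  u = User.new(otp_enabled: false)
  secret = populate_otp_secret!(u)
  puts "scan this secret into an authenticator: #{secret}"
  puts "wrong code accepted? #{confirm_and_enable!(u, '000000')}"
  puts "right code accepted? #{confirm_and_enable!(u, Totp.at(secret, Time.now))}"
end
```

The constant-time comparison and the "only generate a secret when none exists" rule are the two details worth carrying into a real implementation; the drift window should stay small (one step) because every extra step widens the space an attacker can guess into.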
Breaking changes:
- rename Devise::Otp to Devise::OTP
- change credentials directory to otp_credentials
- change tokens directory to otp_tokens
Other improvements:
- Fix file permissions
A long awaited update bringing Devise::OTP from the dead!