Comments (6)
mattcg
commented on July 20, 2024
4
It's possible to display a specific message when only the authentication code is incorrect with a few changes to your model and the Devise language configuration file.
#app/models/user.rb
#...
def unauthenticated_message
if @failed_otp
:invalid_otp
else
super
end
end
def validate_and_consume_otp!(code, options = {})
@failed_otp = !super(code, options)
return !@failed_otp
end
private
@failed_otp = false
#...#config/locales/devise.en.yml
en:
devise:
failure:
invalid_otp: "Invalid authentication code."from devise-two-factor.
ZempTime
commented on July 20, 2024
1
in config/locales/devise.en.yml you can set the majority of the message Devise uses.
to do authentication on login specifically, look for the invalid entry, and change it something like this:
en:
devise:
failure:
invalid: "Invalid %{authentication_keys}, one-time-use code, or password."
from devise-two-factor.
I-Iugo
commented on July 20, 2024
+1
from devise-two-factor.
mattcg
commented on July 20, 2024
@ZempTime that is helpful, but I don't think it works around the original issue, which is that it should be possible for a specific message to be shown when the authentication is invalid but the username and password are valid.
from devise-two-factor.
thiagosf
commented on July 20, 2024
@mattcg perfect to my situation! I added a little bit:
def unauthenticated_message
if @failed_otp
:invalid_otp
elsif self.otp_required_for_login
:required_otp
else
super
end
end
from devise-two-factor.
QuinnWilton
commented on July 20, 2024
This is a perfectly valid use-case, but it's worth keeping in mind the usability / security trade-off that's being made. More specific messages are helpful to the user, but they also provide more information to an attacker.
For example, depending on what error messages you use, an attacker that compares a leaked username / password list from another site against your login form will either gain no information about whether the user exists, or they will learn that the user does exist, and that they shared their password across the two sites. From there, they might opt to perform a more targeted attack against the user.
Whether that's something you're concerned with is up for debate, but it's worth remembering when deciding to provide more detailed error messages.
from devise-two-factor.
Related Issues (20)
- Remove "Rails 4" misleading sentences from readme
- NoMethodError Exception: undefined method `tr' for nil:NilClass HOT 1
- Require email verification when enabling Authenticator App type
- Generator throws exception HOT 1
- `Devise.add_module(:two_factor_authenticatable)` should be inserted on top
- calling super in the two factor strategy is problematic...
- Remove the old `otp_secret_encryption_key` in the UPGRADING.md guide
- Git tag for v4.1.0 appears to be missing HOT 2
- No changelog for 4.1.0
- `user.current_otp` code sent to user are always invalid HOT 1
- [question] mass users update?
- Not required on every login HOT 1
- Rails 7.1 on 4.x HOT 1
- Support for Rails 7.1 HOT 3
- ActiveRecord::Encryption::Errors::Decryption error on login after upgrade to Rails 7.1 defaults HOT 3
- Backup codes aren't written to the database so can't be used HOT 1
- Clarification on GHSA-chcr-x7hc-8fp8 HOT 8
- Lockbox instead of ActiveRecord encrypted attributes HOT 1
- Remove faker or make it gem dependency? HOT 4
- Possible to set logo?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from devise-two-factor.