gavin/maybe
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 28 Wiki Activity

Multi-factor authentication #1817

Merged
Shpigford merged 6 commits from mfa into main 2025-02-07 04:16:53 +08:00
Conversation 1 Commits 6 Files Changed 29 +598 -33
Shpigford commented 2025-02-07 01:56:06 +08:00 (Migrated from github.com)
Copy Link

Implements #1372

https://github.com/user-attachments/assets/b4047e5d-bb24-4c1a-8a2c-e376c8d5eec1

Implements #1372 https://github.com/user-attachments/assets/b4047e5d-bb24-4c1a-8a2c-e376c8d5eec1
zachgoll (Migrated from github.com) reviewed 2025-02-07 04:03:34 +08:00
zachgoll (Migrated from github.com) left a comment
Copy Link

Everything works great!

From a security standpoint, we should probably protect the password_resets_controller with 2FA if the user has it enabled. Other than that, I think the flow looks good.

Everything works great! From a security standpoint, we should probably protect the `password_resets_controller` with 2FA if the user has it enabled. Other than that, I think the flow looks good.
app/controllers/mfa_controller.rb
@@ -0,0 +1,53 @@
class MfaController < ApplicationController
zachgoll (Migrated from github.com) commented 2025-02-07 04:00:14 +08:00
Copy Link

We can remove the Current.session check since we're skipping this route for authentication.

We can remove the `Current.session` check since we're skipping this route for authentication.
app/models/user.rb
@@ -133,4 +168,26 @@ class User < ApplicationRecord
errors.add(:profile_image, :invalid_file_size, max_megabytes: 10)
zachgoll (Migrated from github.com) commented 2025-02-07 02:50:42 +08:00
Copy Link
      ROTP::TOTP.new(otp_secret, issuer: "Maybe Finance")

Just to stay consistent with our domain URL to increase trust

```suggestion ROTP::TOTP.new(otp_secret, issuer: "Maybe Finance") ``` Just to stay consistent with our domain URL to increase trust
test/controllers/sessions_controller_test.rb
zachgoll (Migrated from github.com) commented 2025-02-07 03:12:35 +08:00
Copy Link

We can delete "destroys session" and "rejects invalid credentials" as they are both dups of existing tests

We can delete "destroys session" and "rejects invalid credentials" as they are both dups of existing tests
zachgoll (Migrated from github.com) commented 2025-02-07 03:14:44 +08:00
Copy Link

Can delete this and throw the assert Session.exists?(user_id: @user.id) up in the "can sign in" test

Can delete this and throw the `assert Session.exists?(user_id: @user.id)` up in the "can sign in" test
Sign in to join this conversation.
Reviewers
No Reviewers
zachgoll
Labels
Clear labels
📆 Planned
Not ready to be worked on yet, but planned for future
 💻 Self Hosted only
Issues pertaining to self-hosted versions of Maybe
 ⚙️ Config
ℹ️ Needs info
Further information is requested
 📱 Mobile
Bugs exclusively happening on mobile devices
 1️⃣ High Priority
High priority issues will be worked on next
 🚨 Urgent
Issues that are urgent for app functionality
 3️⃣ Low priority
Contributions accepted, but Maybe team will not be working on this in the near term
 2️⃣ Medium Priority
Community contributions accepted, Maybe team only works on if there are no high priority items open
 Performance
Performance issues to address
 🎨 UI / UX
Issues related to UI / UX interactions and design.
 💎 Bounty
💰 Rewarded
📊 Data issue
Issues where the app functionally works, but the data is missing or inaccurate.
 🙋 Bounty claim
$1.5K
Community
This is a great issue for community members to work on
 dependencies
Pull requests that update a dependency file
 Design
Hosted only
Hosted app only
 Required self hoster data migration
Self hosters must run data migrations to resolve this issue
 ruby
Pull requests that update Ruby code
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
gavin
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: gavin/maybe#1817
Delete Branch "mfa"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?