feature/require-mfa-by-admin - Refact Opt-Out

app/controllers/auth/registrations_controller.rb

@@ -100,12 +100,13 @@ class Auth::RegistrationsController < Devise::RegistrationsController
     end
   end
 
-  private
-
   def set_invite
     @invite = begin
-      invite = Invite.find_by(code: invite_code) if invite_code.present?
+      if invite_code.present?
-      invite if invite&.valid_for_use?
+        Invite.find_by(code: invite_code)
+      elsif params[:invite_code].present?
+        Invite.find_by(code: params[:invite_code])
+      end
     end
   end
 
@@ -132,17 +133,20 @@ class Auth::RegistrationsController < Devise::RegistrationsController
   def require_rules_acceptance!
     return if @rules.empty? || (session[:accept_token].present? && params[:accept] == session[:accept_token])
 
-    @accept_token = session[:accept_token] = SecureRandom.hex
+    session[:accept_token] = SecureRandom.hex(16)
-    @invite_code  = invite_code
+    redirect_to new_user_registration_path(accept: session[:accept_token])
-
-    set_locale { render :rules }
   end
 
   def is_flashing_format? # rubocop:disable Naming/PredicatePrefix
     if params[:action] == 'create'
-      false # Disable flash messages for sign-up
+      false
     else
       super
     end
   end
+
+  def skip_mfa_force?
+    # Allow profile editing even when MFA is required
+    %w(edit update).include?(action_name)
+  end
 end

app/controllers/auth/sessions_controller.rb

@@ -201,4 +201,9 @@ class Auth::SessionsController < Devise::SessionsController
       format.all { super }
     end
   end
+
+  def skip_mfa_force?
+    # Allow logout to work even when MFA is required
+    action_name == 'destroy'
+  end
 end

app/controllers/auth/setup_controller.rb

@@ -37,4 +37,9 @@ class Auth::SetupController < ApplicationController
   def user_params
     params.expect(user: [:email])
   end
+
+  def skip_mfa_force?
+    # Allow auth setup even when MFA is required
+    true
+  end
 end

app/controllers/concerns/mfa_force_concern.rb

@@ -12,7 +12,7 @@ module MfaForceConcern
   def check_mfa_requirement
     return unless mfa_force_enabled?
     return if current_user.otp_enabled?
-    return if mfa_setup_allowed_paths?
+    return if mfa_force_skipped?
 
     flash[:alert] = I18n.t('require_multi_factor_auth.required_message')
     redirect_to settings_otp_authentication_path
@@ -22,19 +22,10 @@ module MfaForceConcern
     mfa_config[:force_enabled]
   end
 
-  def mfa_setup_allowed_paths?
+  def mfa_force_skipped?
-    allowed_paths = [
+    # Allow controllers to opt out of MFA force requirement
-      settings_otp_authentication_path,
+    # by defining skip_mfa_force? method
-      new_settings_two_factor_authentication_confirmation_path,
+    respond_to?(:skip_mfa_force?) && skip_mfa_force?
-      settings_two_factor_authentication_confirmation_path,
-      settings_two_factor_authentication_methods_path,
-      settings_two_factor_authentication_recovery_codes_path,
-      destroy_user_session_path,
-      auth_setup_path,
-      edit_user_registration_path,
-    ]
-
-    allowed_paths.any? { |path| request.path.start_with?(path) }
   end
 
   def mfa_config

app/controllers/settings/two_factor_authentication/confirmations_controller.rb

@@ -53,6 +53,10 @@ module Settings
       def ensure_otp_secret
         redirect_to settings_otp_authentication_path if session[:new_otp_secret].blank?
       end
+
+      def skip_mfa_force?
+        true
+      end
     end
   end
 end

app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb

@@ -25,6 +25,10 @@ module Settings
       def verify_otp_not_enabled
         redirect_to settings_two_factor_authentication_methods_path if current_user.otp_enabled?
       end
+
+      def skip_mfa_force?
+        true
+      end
     end
   end
 end

app/controllers/settings/two_factor_authentication_methods_controller.rb

@@ -24,5 +24,9 @@ module Settings
     def require_otp_enabled
       redirect_to settings_otp_authentication_path unless current_user.otp_enabled?
     end
+
+    def skip_mfa_force?
+      true
+    end
   end
 end