feature/require-mfa-by-admin - Refact Opt-Out

2025-09-05 17:31:12 +00:00 · 2025-07-23 05:41:48 +00:00 · 2025-07-23 05:41:48 +00:00 · 1073956fbc
commit 1073956fbc
parent 673d875a95
7 changed files with 40 additions and 23 deletions
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@ -100,12 +100,13 @@ class Auth::RegistrationsController < Devise::RegistrationsController
    end
  end

-  private
-
  def set_invite
    @invite = begin
-      invite = Invite.find_by(code: invite_code) if invite_code.present?
-      invite if invite&.valid_for_use?
+      if invite_code.present?
+        Invite.find_by(code: invite_code)
+      elsif params[:invite_code].present?
+        Invite.find_by(code: params[:invite_code])
+      end
    end
  end

@ -132,17 +133,20 @@ class Auth::RegistrationsController < Devise::RegistrationsController
  def require_rules_acceptance!
    return if @rules.empty? || (session[:accept_token].present? && params[:accept] == session[:accept_token])

-    @accept_token = session[:accept_token] = SecureRandom.hex
-    @invite_code  = invite_code
-
-    set_locale { render :rules }
+    session[:accept_token] = SecureRandom.hex(16)
+    redirect_to new_user_registration_path(accept: session[:accept_token])
  end

  def is_flashing_format? # rubocop:disable Naming/PredicatePrefix
    if params[:action] == 'create'
-      false # Disable flash messages for sign-up
+      false
    else
      super
    end
  end
+
+  def skip_mfa_force?
+    # Allow profile editing even when MFA is required
+    %w(edit update).include?(action_name)
+  end
 end
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@ -201,4 +201,9 @@ class Auth::SessionsController < Devise::SessionsController
      format.all { super }
    end
  end
+
+  def skip_mfa_force?
+    # Allow logout to work even when MFA is required
+    action_name == 'destroy'
+  end
 end
--- a/app/controllers/auth/setup_controller.rb
+++ b/app/controllers/auth/setup_controller.rb
@ -37,4 +37,9 @@ class Auth::SetupController < ApplicationController
  def user_params
    params.expect(user: [:email])
  end
+
+  def skip_mfa_force?
+    # Allow auth setup even when MFA is required
+    true
+  end
 end
--- a/app/controllers/concerns/mfa_force_concern.rb
+++ b/app/controllers/concerns/mfa_force_concern.rb
@ -12,7 +12,7 @@ module MfaForceConcern
  def check_mfa_requirement
    return unless mfa_force_enabled?
    return if current_user.otp_enabled?
-    return if mfa_setup_allowed_paths?
+    return if mfa_force_skipped?

    flash[:alert] = I18n.t('require_multi_factor_auth.required_message')
    redirect_to settings_otp_authentication_path
@ -22,19 +22,10 @@ module MfaForceConcern
    mfa_config[:force_enabled]
  end

-  def mfa_setup_allowed_paths?
-    allowed_paths = [
-      settings_otp_authentication_path,
-      new_settings_two_factor_authentication_confirmation_path,
-      settings_two_factor_authentication_confirmation_path,
-      settings_two_factor_authentication_methods_path,
-      settings_two_factor_authentication_recovery_codes_path,
-      destroy_user_session_path,
-      auth_setup_path,
-      edit_user_registration_path,
-    ]
-
-    allowed_paths.any? { |path| request.path.start_with?(path) }
+  def mfa_force_skipped?
+    # Allow controllers to opt out of MFA force requirement
+    # by defining skip_mfa_force? method
+    respond_to?(:skip_mfa_force?) && skip_mfa_force?
  end

  def mfa_config
--- a/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
@ -53,6 +53,10 @@ module Settings
      def ensure_otp_secret
        redirect_to settings_otp_authentication_path if session[:new_otp_secret].blank?
      end
+
+      def skip_mfa_force?
+        true
+      end
    end
  end
 end
--- a/app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb
@ -25,6 +25,10 @@ module Settings
      def verify_otp_not_enabled
        redirect_to settings_two_factor_authentication_methods_path if current_user.otp_enabled?
      end
+
+      def skip_mfa_force?
+        true
+      end
    end
  end
 end
--- a/app/controllers/settings/two_factor_authentication_methods_controller.rb
+++ b/app/controllers/settings/two_factor_authentication_methods_controller.rb
@ -24,5 +24,9 @@ module Settings
    def require_otp_enabled
      redirect_to settings_otp_authentication_path unless current_user.otp_enabled?
    end
+
+    def skip_mfa_force?
+      true
+    end
  end
 end