From a8f5e3fa6255204b7663683b51596c80a130d44e Mon Sep 17 00:00:00 2001
From: Fredys Fonseca
Date: Wed, 23 Jul 2025 18:00:09 +0000
Subject: [PATCH] feature/require-mfa-by-admin - Using Skip_before_action

---
 app/controllers/auth/registrations_controller.rb | 6 +-----
 app/controllers/auth/sessions_controller.rb | 14 +++-----------
 app/controllers/auth/setup_controller.rb | 6 +-----
 app/controllers/concerns/mfa_force_concern.rb | 7 -------
 .../confirmations_controller.rb | 5 +----
 .../otp_authentication_controller.rb | 5 +----
 ...two_factor_authentication_methods_controller.rb | 5 +----
 7 files changed, 8 insertions(+), 40 deletions(-)

diff --git a/app/controllers/auth/registrations_controller.rb b/app/controllers/auth/registrations_controller.rb
index aa00c1726e0..0350114280c 100644
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@@ -18,6 +18,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController
 
   skip_before_action :check_self_destruct!, only: [:edit, :update]
   skip_before_action :require_functional!, only: [:edit, :update]
+  skip_before_action :check_mfa_requirement, only: [:edit, :update]
 
   def new
     super(&:build_invite_request)
@@ -144,9 +145,4 @@ class Auth::RegistrationsController < Devise::RegistrationsController
       super
     end
   end
-
-  def skip_mfa_force?
-    # Allow profile editing even when MFA is required
-    %w(edit update).include?(action_name)
-  end
 end
diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb
index b802940ec3d..d101ab252f9 100644
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
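Review bot: The rationale that the removed `skip_mfa_force?` methods carried ("Allow profile editing even when MFA is required") is lost with the new `skip_before_action :check_mfa_requirement, only: [:edit, :update]` line, which now reads as a bare exemption from a security control. A trailing comment on the skip line keeps the intent auditable, e.g. `skip_before_action :check_mfa_requirement, only: [:edit, :update] # profile editing must stay reachable while MFA enrollment is pending`. The same applies to the skips added in sessions_controller.rb (`only: [:destroy]`), setup_controller.rb and the three settings controllers; for the OTP enrollment pages, which by their route names appear to be where `check_mfa_requirement` redirects, the reason is that skipping avoids a redirect loop, and that is worth stating on the line. The class body continues outside this hunk.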
@@ -11,6 +11,7 @@ class Auth::SessionsController < Devise::SessionsController
   skip_before_action :require_no_authentication, only: [:create]
   skip_before_action :require_functional!
   skip_before_action :update_user_sign_in
+  skip_before_action :check_mfa_requirement, only: [:destroy]
 
   prepend_before_action :check_suspicious!, only: [:create]
 
@@ -193,17 +194,8 @@ class Auth::SessionsController < Devise::SessionsController
 
   def respond_to_on_destroy
     respond_to do |format|
-      format.json do
-        render json: {
-          redirect_to: after_sign_out_path_for(resource_name),
-        }, status: 200
-      end
-      format.all { super }
+      format.any(*navigational_formats) { redirect_to after_sign_out_path_for(:user) }
+      format.all { head 204 }
     end
   end
-
-  def skip_mfa_force?
-    # Allow logout to work even when MFA is required
-    action_name == 'destroy'
-  end
 end
diff --git a/app/controllers/auth/setup_controller.rb b/app/controllers/auth/setup_controller.rb
index 0db7fa4f335..519452d9d9b 100644
--- a/app/controllers/auth/setup_controller.rb
+++ b/app/controllers/auth/setup_controller.rb
@@ -8,6 +8,7 @@ class Auth::SetupController < ApplicationController
   before_action :set_user
 
   skip_before_action :require_functional!
+  skip_before_action :check_mfa_requirement
 
   def show; end
 
@@ -37,9 +38,4 @@ class Auth::SetupController < ApplicationController
   def user_params
     params.expect(user: [:email])
   end
-
-  def skip_mfa_force?
-    # Allow auth setup even when MFA is required
-    true
-  end
 end
diff --git a/app/controllers/concerns/mfa_force_concern.rb b/app/controllers/concerns/mfa_force_concern.rb
index 1a94e1fa1c3..ca68d3649c9 100644
--- a/app/controllers/concerns/mfa_force_concern.rb
+++ b/app/controllers/concerns/mfa_force_concern.rb
@@ -12,7 +12,6 @@ module MfaForceConcern
   def check_mfa_requirement
     return unless mfa_force_enabled?
     return if current_user.otp_enabled?
-    return if mfa_force_skipped?
 
     flash[:alert] = I18n.t('require_multi_factor_auth.required_message')
     redirect_to settings_otp_authentication_path
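Review bot: `respond_to_on_destroy` now hard-codes `after_sign_out_path_for(:user)` where the removed branch used `resource_name`, and the JSON response that carried `{ redirect_to: ... }` is replaced by an empty `head 204`, so any client that relied on reading `redirect_to` from the sign-out response body will silently stop following it. This rewrite is also unrelated to the commit's stated purpose (replacing `skip_mfa_force?` with `skip_before_action`), which makes it easy to overlook in review; if it is intentional, a separate commit or a sentence in the description would help. At minimum keep the resource generic: `format.any(*navigational_formats) { redirect_to after_sign_out_path_for(resource_name) }`. The methods before and after this one are outside the hunk.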
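Review bot: With `mfa_force_skipped?` gone, `check_mfa_requirement` still dereferences `current_user` unconditionally on the line `return if current_user.otp_enabled?`, so on an anonymous request it raises NoMethodError unless the callback is registered with a signed-in guard somewhere outside this diff; SessionsController only skips it for `destroy`, so `new`/`create` would be the first place this surfaces. A nil guard keeps the check self-contained: `return if current_user.nil? || current_user.otp_enabled?`. Note that `current_user&.otp_enabled?` would be wrong here, because nil is falsy and would fall through to the redirect. The method's closing `end` is outside the hunk.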
@@ -22,12 +21,6 @@ module MfaForceConcern
     mfa_config[:force_enabled]
   end
 
-  def mfa_force_skipped?
-    # Allow controllers to opt out of MFA force requirement
-    # by defining skip_mfa_force? method
-    respond_to?(:skip_mfa_force?) && skip_mfa_force?
-  end
-
   def mfa_config
     @mfa_config ||= Rails.application.config_for(:mfa)
   end
diff --git a/app/controllers/settings/two_factor_authentication/confirmations_controller.rb b/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
index d0028e9b44b..00b2c68ccaf 100644
--- a/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
@@ -6,6 +6,7 @@ module Settings
       include ChallengableConcern
 
       skip_before_action :require_functional!
+      skip_before_action :check_mfa_requirement
 
       before_action :require_challenge!
       before_action :ensure_otp_secret
@@ -53,10 +54,6 @@ module Settings
       def ensure_otp_secret
         redirect_to settings_otp_authentication_path if session[:new_otp_secret].blank?
       end
-
-      def skip_mfa_force?
-        true
-      end
     end
   end
 end
diff --git a/app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb b/app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb
index 97284fb41ad..9e03fcdd354 100644
--- a/app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb
@@ -6,6 +6,7 @@ module Settings
       include ChallengableConcern
 
       skip_before_action :require_functional!
+      skip_before_action :check_mfa_requirement
 
       before_action :verify_otp_not_enabled, only: [:show]
       before_action :require_challenge!, only: [:create]
@@ -25,10 +26,6 @@ module Settings
       def verify_otp_not_enabled
         redirect_to settings_two_factor_authentication_methods_path if current_user.otp_enabled?
       end
-
-      def skip_mfa_force?
-        true
-      end
     end
   end
 end
diff --git a/app/controllers/settings/two_factor_authentication_methods_controller.rb b/app/controllers/settings/two_factor_authentication_methods_controller.rb
index 4aa00a37b0c..0face326e49 100644
--- a/app/controllers/settings/two_factor_authentication_methods_controller.rb
+++ b/app/controllers/settings/two_factor_authentication_methods_controller.rb
@@ -6,6 +6,7 @@ module Settings
 
     skip_before_action :check_self_destruct!
     skip_before_action :require_functional!
+    skip_before_action :check_mfa_requirement
 
     before_action :require_challenge!, only: :disable
     before_action :require_otp_enabled
@@ -24,9 +25,5 @@ module Settings
     def require_otp_enabled
       redirect_to settings_otp_authentication_path unless current_user.otp_enabled?
     end
-
-    def skip_mfa_force?
-      true
-    end
   end
 end
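Review bot: The blanket `skip_before_action :check_mfa_requirement` in this controller looks redundant rather than necessary: `before_action :require_otp_enabled` already sends every user without OTP to `settings_otp_authentication_path`, and `check_mfa_requirement` returns early for users who have OTP, so the only difference I can see is that the `require_multi_factor_auth.required_message` flash is no longer set on that redirect. If the skip is meant as a defensive guarantee that the OTP management pages can never be locked out by the MFA policy, say so on the line, e.g. `skip_before_action :check_mfa_requirement # redundant with require_otp_enabled; kept so these pages can never loop back to themselves`; otherwise it could be dropped to keep the set of exemptions minimal. The class header is outside the hunk.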