feature/require-mfa-by-admin - Using Skip_before_action

2025-09-05 17:31:12 +00:00 · 2025-07-23 18:00:09 +00:00 · 2025-07-23 18:00:09 +00:00 · a8f5e3fa62
commit a8f5e3fa62
parent f5c14b753a
7 changed files with 8 additions and 40 deletions
--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@ -18,6 +18,7 @@ class Auth::RegistrationsController < Devise::RegistrationsController

  skip_before_action :check_self_destruct!, only: [:edit, :update]
  skip_before_action :require_functional!, only: [:edit, :update]
+  skip_before_action :check_mfa_requirement, only: [:edit, :update]

  def new
    super(&:build_invite_request)
@ -144,9 +145,4 @@ class Auth::RegistrationsController < Devise::RegistrationsController
      super
    end
  end
-
-  def skip_mfa_force?
-    # Allow profile editing even when MFA is required
-    %w(edit update).include?(action_name)
-  end
 end
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@ -11,6 +11,7 @@ class Auth::SessionsController < Devise::SessionsController
  skip_before_action :require_no_authentication, only: [:create]
  skip_before_action :require_functional!
  skip_before_action :update_user_sign_in
+  skip_before_action :check_mfa_requirement, only: [:destroy]

  prepend_before_action :check_suspicious!, only: [:create]

@ -193,17 +194,8 @@ class Auth::SessionsController < Devise::SessionsController

  def respond_to_on_destroy
    respond_to do |format|
-      format.json do
-        render json: {
-          redirect_to: after_sign_out_path_for(resource_name),
-        }, status: 200
-      end
-      format.all { super }
+      format.any(*navigational_formats) { redirect_to after_sign_out_path_for(:user) }
+      format.all { head 204 }
    end
  end
-
-  def skip_mfa_force?
-    # Allow logout to work even when MFA is required
-    action_name == 'destroy'
-  end
 end
--- a/app/controllers/auth/setup_controller.rb
+++ b/app/controllers/auth/setup_controller.rb
@ -8,6 +8,7 @@ class Auth::SetupController < ApplicationController
  before_action :set_user

  skip_before_action :require_functional!
+  skip_before_action :check_mfa_requirement

  def show; end

@ -37,9 +38,4 @@ class Auth::SetupController < ApplicationController
  def user_params
    params.expect(user: [:email])
  end
-
-  def skip_mfa_force?
-    # Allow auth setup even when MFA is required
-    true
-  end
 end
--- a/app/controllers/concerns/mfa_force_concern.rb
+++ b/app/controllers/concerns/mfa_force_concern.rb
@ -12,7 +12,6 @@ module MfaForceConcern
  def check_mfa_requirement
    return unless mfa_force_enabled?
    return if current_user.otp_enabled?
-    return if mfa_force_skipped?

    flash[:alert] = I18n.t('require_multi_factor_auth.required_message')
    redirect_to settings_otp_authentication_path
@ -22,12 +21,6 @@ module MfaForceConcern
    mfa_config[:force_enabled]
  end

-  def mfa_force_skipped?
-    # Allow controllers to opt out of MFA force requirement
-    # by defining skip_mfa_force? method
-    respond_to?(:skip_mfa_force?) && skip_mfa_force?
-  end
-
  def mfa_config
    @mfa_config ||= Rails.application.config_for(:mfa)
  end
--- a/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/confirmations_controller.rb
@ -6,6 +6,7 @@ module Settings
      include ChallengableConcern

      skip_before_action :require_functional!
+      skip_before_action :check_mfa_requirement

      before_action :require_challenge!
      before_action :ensure_otp_secret
@ -53,10 +54,6 @@ module Settings
      def ensure_otp_secret
        redirect_to settings_otp_authentication_path if session[:new_otp_secret].blank?
      end
-
-      def skip_mfa_force?
-        true
-      end
    end
  end
 end
--- a/app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/otp_authentication_controller.rb
@ -6,6 +6,7 @@ module Settings
      include ChallengableConcern

      skip_before_action :require_functional!
+      skip_before_action :check_mfa_requirement

      before_action :verify_otp_not_enabled, only: [:show]
      before_action :require_challenge!, only: [:create]
@ -25,10 +26,6 @@ module Settings
      def verify_otp_not_enabled
        redirect_to settings_two_factor_authentication_methods_path if current_user.otp_enabled?
      end
-
-      def skip_mfa_force?
-        true
-      end
    end
  end
 end
--- a/app/controllers/settings/two_factor_authentication_methods_controller.rb
+++ b/app/controllers/settings/two_factor_authentication_methods_controller.rb
@ -6,6 +6,7 @@ module Settings

    skip_before_action :check_self_destruct!
    skip_before_action :require_functional!
+    skip_before_action :check_mfa_requirement

    before_action :require_challenge!, only: :disable
    before_action :require_otp_enabled
@ -24,9 +25,5 @@ module Settings
    def require_otp_enabled
      redirect_to settings_otp_authentication_path unless current_user.otp_enabled?
    end
-
-    def skip_mfa_force?
-      true
-    end
  end
 end