Add a variant which sets up 2FA with devise

.github/workflows/ci.yml

@@ -84,6 +84,9 @@ jobs:
           - name: devise
             config_path: "ci/configs/devise.yml"
             skips: --skip-javascript
+          - name: devise_mfa
+            config_path: "ci/configs/devise_mfa.yml"
+            skips: --skip-javascript
           - name: basic_with_skips
             config_path: "ci/configs/basic.yml"
             skips: --skip-spring --skip-javascript

ackama_rails_template.config.yml

@@ -17,6 +17,7 @@ use_typescript: true
 # Use these flags to enable features in the rails app created by this template.
 apply_variant_react: false
 apply_variant_devise: false
+apply_variant_devise_mfa: false
 apply_variant_sidekiq: false
 apply_variant_bootstrap: false
 

ci/configs/all-typescript.yml

@@ -6,6 +6,7 @@ use_typescript: true
 apply_variant_github_actions_ci: true
 apply_variant_react: true
 apply_variant_devise: true
+apply_variant_devise_mfa: true
 apply_variant_sidekiq: true
 apply_variant_bootstrap: true
 apply_variant_deploy_with_capistrano: true

ci/configs/all.yml

@@ -6,6 +6,7 @@ use_typescript: false
 apply_variant_github_actions_ci: true
 apply_variant_react: true
 apply_variant_devise: true
+apply_variant_devise_mfa: true
 apply_variant_sidekiq: true
 apply_variant_bootstrap: true
 apply_variant_deploy_with_capistrano: true

ci/configs/basic-typescript.yml

@@ -6,6 +6,7 @@ use_typescript: true
 apply_variant_github_actions_ci: false
 apply_variant_react: false
 apply_variant_devise: false
+apply_variant_devise_mfa: true
 apply_variant_sidekiq: false
 apply_variant_bootstrap: false
 apply_variant_deploy_with_capistrano: false

ci/configs/basic.yml

@@ -6,6 +6,7 @@ use_typescript: false
 apply_variant_github_actions_ci: false
 apply_variant_react: false
 apply_variant_devise: false
+apply_variant_devise_mfa: false
 apply_variant_sidekiq: false
 apply_variant_bootstrap: false
 apply_variant_deploy_with_capistrano: false

ci/configs/bootstrap-typescript.yml

@@ -6,6 +6,7 @@ use_typescript: true
 apply_variant_github_actions_ci: false
 apply_variant_react: false
 apply_variant_devise: false
+apply_variant_devise_mfa: true
 apply_variant_sidekiq: false
 apply_variant_bootstrap: true
 apply_variant_deploy_with_capistrano: false

ci/configs/bootstrap.yml

@@ -6,6 +6,7 @@ use_typescript: false
 apply_variant_github_actions_ci: false
 apply_variant_react: false
 apply_variant_devise: false
+apply_variant_devise_mfa: true
 apply_variant_sidekiq: false
 apply_variant_bootstrap: true
 apply_variant_deploy_with_capistrano: false

ci/configs/deploy_with_ackama_ec2_capistrano.yml

@@ -5,6 +5,7 @@ git_repo_url: ""
 use_typescript: false
 apply_variant_react: false
 apply_variant_devise: false
+apply_variant_devise_mfa: true
 apply_variant_github_actions_ci: false
 apply_variant_sidekiq: false
 apply_variant_typescript: false

ci/configs/deploy_with_capistrano.yml

@@ -6,6 +6,7 @@ use_typescript: false
 apply_variant_github_actions_ci: false
 apply_variant_react: false
 apply_variant_devise: false
+apply_variant_devise_mfa: true
 apply_variant_sidekiq: false
 apply_variant_bootstrap: false
 apply_variant_deploy_with_capistrano: true

ci/configs/devise.yml

@@ -6,6 +6,7 @@ apply_variant_github_actions_ci: false
 use_typescript: false
 apply_variant_react: false
 apply_variant_devise: true
+apply_variant_devise_mfa: true
 apply_variant_sidekiq: false
 apply_variant_bootstrap: false
 apply_variant_deploy_with_capistrano: false

ci/configs/devise_mfa.yml

@@ -0,0 +1,13 @@
+---
+staging_hostname: "staging.example.com"
+production_hostname: "www.example.com"
+git_repo_url: ""
+apply_variant_github_actions_ci: false
+use_typescript: false
+apply_variant_react: false
+apply_variant_devise: true
+apply_variant_devise_mfa: true
+apply_variant_sidekiq: false
+apply_variant_bootstrap: false
+apply_variant_deploy_with_capistrano: false
+apply_variant_deploy_with_ackama_ec2_capistrano: false

ci/configs/github_actions.yml

@@ -6,6 +6,7 @@ use_typescript: false
 apply_variant_github_actions_ci: true
 apply_variant_react: false
 apply_variant_devise: false
+apply_variant_devise_mfa: true
 apply_variant_sidekiq: false
 apply_variant_bootstrap: false
 apply_variant_deploy_with_capistrano: false

ci/configs/react-typescript.yml

@@ -6,6 +6,7 @@ use_typescript: true
 apply_variant_github_actions_ci: false
 apply_variant_react: true
 apply_variant_devise: false
+apply_variant_devise_mfa: true
 apply_variant_sidekiq: false
 apply_variant_bootstrap: false
 apply_variant_deploy_with_capistrano: false

ci/configs/react.yml

@@ -6,6 +6,7 @@ use_typescript: false
 apply_variant_github_actions_ci: false
 apply_variant_react: true
 apply_variant_devise: false
+apply_variant_devise_mfa: false
 apply_variant_sidekiq: false
 apply_variant_bootstrap: false
 apply_variant_deploy_with_capistrano: false

ci/configs/sidekiq.yml

@@ -6,6 +6,7 @@ use_typescript: false
 apply_variant_github_actions_ci: false
 apply_variant_react: false
 apply_variant_devise: false
+apply_variant_devise_mfa: false
 apply_variant_sidekiq: true
 apply_variant_bootstrap: false
 apply_variant_deploy_with_capistrano: false

template.rb

@@ -45,6 +45,10 @@ def apply_variant_devise?
     @yaml_config.fetch("apply_variant_devise")
   end
 
+  def apply_variant_devise_mfa?
+    @yaml_config.fetch("apply_variant_devise")
+  end
+
   def apply_variant_sidekiq?
     @yaml_config.fetch("apply_variant_sidekiq")
   end
@@ -180,7 +184,10 @@ def apply_template! # rubocop:disable Metrics/MethodLength, Metrics/AbcSize, Met
 
     # we deliberately place this after the initial git commit because it
     # contains a lot of changes and adds its own git commit
-    apply "variants/devise/template.rb" if TEMPLATE_CONFIG.apply_variant_devise?
+    if TEMPLATE_CONFIG.apply_variant_devise?
+      apply "variants/devise/template.rb"
+      apply "variants/devise-mfa/template.rb" if TEMPLATE_CONFIG.apply_variant_devise_mfa?
+    end
 
     # We apply code annotation **after** all the other variants which might
     # generate routes and models

variants/devise-mfa/app/controllers/dashboards_controller.rb

@@ -0,0 +1,11 @@
+##
+# This is an example controller which you should remove from your application.
+# It demonstrates how to create a controller which requires users to be
+# authenticated before running any of its actions.
+#
+class DashboardsController < ApplicationController
+  # Only authenticated users can see the dashboard
+  def show
+    authorize :dashboard
+  end
+end

variants/devise-mfa/app/controllers/users/devise_controller.rb

@@ -0,0 +1,14 @@
+module Users
+  class DeviseController < ApplicationController
+    # class DeviseController < Devise::DeviseController
+    # TODO: this doesn't really need to inherit from Application controller anymore
+    # Is it more or less surprising to
+    before_action :configure_permitted_parameters, if: :devise_controller?
+
+    protected
+
+    def configure_permitted_parameters
+      devise_parameter_sanitizer.permit(:sign_in, keys: [:otp_attempt])
+    end
+  end
+end

variants/devise-mfa/app/controllers/users/multi_factor_authentications_controller.rb

@@ -0,0 +1,86 @@
+##
+# This controller allows users to manage their MFA credential(s). This
+# controller is not involved in signing in or out.
+#
+# Conceptually each user has one MFA resource which they can
+# manage because devise-two-factor only supports one mfa code per user
+#
+module Users
+  class MultiFactorAuthenticationsController < ApplicationController
+    before_action { authorize :mfa }
+
+    # Add the environment name to the two-factor authentication string so that
+    # you can more easily tell the MFA codes for different environments
+    # apart in your MFA app.
+    #
+    # Keep this name short. Some TOTP management applications (e.g. Google
+    # Authenticator) do not let users edit this name and do not show many
+    # characters on screen.
+    #
+    ISSUER = if Rails.env.production?
+               I18n.t("application.name").freeze
+             else
+               "#{I18n.t("application.name")} #{Rails.env}".freeze
+             end
+
+    # Allow the template to access issuer
+    helper_method :issuer
+
+    ##
+    # #show is the entry point for a user managing their two-factor
+    # authentication. It displays a summary of the current state of their
+    # two-factor authentication setup and buttons/links to take actions on
+    # it.
+    #
+    def show
+    end
+
+    ##
+    # #new starts the process of setting up two-factor authentication for
+    # the user
+    #
+    def new
+      @otp_secret = User.generate_otp_secret
+    end
+
+    ##
+    # #create accepts the form submission from #new and checks that the TOTP
+    # code supplied by the user is valid. If the user gives us a valid TOTP code
+    # then we can we be confident they have correctly setup OTP so we can
+    # require it at next sign in.
+    def create
+      if current_user.validate_and_consume_otp!(otp_param, otp_secret: otp_secret_param)
+        current_user.update!(otp_secret: otp_secret_param, otp_required_for_login: true)
+        redirect_to users_multi_factor_authentication_path, notice: t(".success")
+      else
+        @otp_secret = otp_secret_param
+        flash.now[:alert] = t(".invalid_code")
+        render :new
+      end
+    end
+
+    def create_backup_codes
+      @backup_codes = current_user.generate_otp_backup_codes!
+      current_user.save!
+    end
+
+    def destroy_backup_codes
+      current_user.update!(otp_backup_codes: nil)
+      redirect_to users_multi_factor_authentication_path, notice: t(".success")
+    end
+
+    private
+
+    def otp_param
+      params.require(:otp_attempt).gsub(/\A[^\d+]\z/, "")
+    end
+
+    def otp_secret_param
+      params.require(:otp_secret)
+    end
+
+    def issuer
+      ISSUER
+    end
+  end
+end