Class: Devise::CookieCryptController

Inherits:
DeviseController
Defined in:
app/controllers/devise/cookie_crypt_controller.rb


Instance Method Details

#show ⇒ Object



# File 'app/controllers/devise/cookie_crypt_controller.rb', line 8

# GET handler for the cookie-crypt second factor.
#
# Three outcomes, decided by the helpers called below (all of them, plus
# +resource+, are defined outside this listing):
#   * no matching encrypted cookie          -> render the two-factor question form
#   * matching cookie, already-seen agent   -> authentication_success
#   * matching cookie, unknown agent        -> treated as a stolen cookie: log it,
#     pin the attempt counter, sign the session out and redirect to root
def show
  if has_matching_encrypted_cookie?
    if !using_an_agent_that_is_already_being_used?
      #An attacker has successfully obtained a user's cookie and login credentials and is trying to pass themselves off as the target
      #This is an attacker because the agent data does not match the agent data from when a cookie is generated for this user's machine.
      #A machine that "suddenly" has a cookie despite not being auth'd is an attacker.

      log_hack_attempt

      # NOTE(review): the right-hand side is cut off in this rendering -- "resource.class."
      # ends the line (file line 17), so as rendered it chains onto the next statement and
      # parses as `resource.class.resource.save`. Confirm against the source file that the
      # intended expression is the configured attempt limit, so that later attempts are
      # rejected rather than counted from zero.
      resource.cookie_crypt_attempts_count = resource.class.
      resource.save #prevents attacker from deleting cookie and trying to login "normally" by inputting the user's two_fac answers

      # Drop the session entirely; the redirect is the only response on this path.
      sign_out(resource)
      redirect_to :root and return
    else
      authentication_success
    end
  else
    # No cookie yet: first factor passed, ask the second-factor questions.
    flash[:notice] = "Signed In Successfully, now going through two factor authentication."
    @user = resource
    render template: "devise/cookie_crypt/show"
  end
end

#update ⇒ Object



# File 'app/controllers/devise/cookie_crypt_controller.rb', line 32

# PUT/PATCH handler for the two-factor question form.
#
# First login (no security question stored yet): stores the submitted
# questions and the SHA-512 digests of the answers, then completes
# authentication. Later logins: on matching answers issues the cookie,
# records the agent and completes authentication; otherwise increments
# cookie_crypt_attempts_count, flashes :attempt_failed, and either signs the
# user out (limit reached) or re-renders :show.
#
# Helpers used but not shown here: resource, sanitize, matching_answers?,
# generate_cookie, log_agent_to_resource, authentication_success,
# set_flash_message.
def update
  if resource.security_question_one.blank? # initial case (first login)

    # NOTE(review): this branch accepts whatever is submitted as the questions
    # and answers, with no check beyond sanitize; confirm at the source that
    # reaching this action already implies a verified first factor.
    resource.security_question_one = sanitize(params[:security_question_one])
    resource.security_question_two = sanitize(params[:security_question_two])
    # NOTE(review): answers are stored as plain SHA-512 digests -- no salt or
    # work factor is visible here. Confirm this matches the project's threat
    # model for low-entropy secrets such as security answers.
    resource.security_answer_one   = Digest::SHA512.hexdigest(sanitize(params[:security_answer_one]))
    resource.security_answer_two   = Digest::SHA512.hexdigest(sanitize(params[:security_answer_two]))
    resource.save

    authentication_success
  else
    
    if matching_answers?
      generate_cookie
      log_agent_to_resource
      authentication_success
    else
      # Failed answer: count it before deciding whether the limit is reached.
      resource.cookie_crypt_attempts_count += 1
      resource.save
      set_flash_message :error, :attempt_failed
      # NOTE(review): the condition is truncated in this rendering -- "resource."
      # ends the line (file line 52), so as rendered it chains onto the next
      # statement and parses as `resource.sign_out(resource)`. Confirm against
      # the source file that it compares the attempt counter with the
      # configured limit.
      if resource.
        sign_out(resource)
        render template: 'devise/cookie_crypt/max_login_attempts_reached' and return
      else
        # NOTE(review): #show assigns @user before rendering this template but
        # this path does not -- verify the template does not depend on it.
        render :show
      end
    end
  end
end