Closed dgiangrave closed 4 years ago
Thanks for opening this issue.
That does seem like a problem. I'll investigate this as soon as I can.
Hi @dgiangrave, I've investigated this and I'm not sure we have a bug here.
If you follow your description and press back from the verification screen then authy-devise does not have a problem showing the phone number entry again. It is gated by having an `authy_id` and `authy_enabled` being `true`. It might appear that a user is enabled because there is a flash message saying so on the verification page.
It turns out that the enabled message was incorrectly placed (reported as #131) and will be removed as of #136. A user isn't using Authy until `authy_enabled` is set to `true` after a successful verification.
Hi @philnash, thank you for looking into this for me. I believe you're right, there is no bug.
In our project, we had attempted to use `authy_enabled` to enforce the user to enroll in 2FA; however, based on your post, it is apparent that `authy_enabled` is used by the gem to gate the verification process. I made changes to do enforcement by manually routing to the enable page if `authy_enabled` is `false`. Thank you again for looking into this so quickly, I appreciate the help!
Great, glad we're in agreement and you have a solution for your app too. Cheers!
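As an added illustration of the gating discussed above (not code from authy-devise or from either participant), here is a plain-Ruby model of the enrollment states: a phone number yields an `authy_id` but the user is not enabled until a token verifies, and an app that wants to enforce 2FA routes on `authy_enabled`. Only the two field names come from the gem; `register_phone`, `verify_token`, `post_login_route` and `show_phone_entry?` are stand-ins, and the generated id is a constructed value rather than an Authy API call.

```ruby
# Added example, not authy-devise's own code. Field names authy_id and
# authy_enabled match the gem; the helper names below are assumptions.
require 'securerandom'

User = Struct.new(:authy_id, :authy_enabled, keyword_init: true)

# Step 1: the phone number is submitted. Authy returns an id, but the
# user is NOT enabled yet (no verification has happened).
# The id here is a constructed placeholder, not a real API response.
def register_phone(user, _phone)
  user.authy_id = "authy-#{SecureRandom.hex(4)}"
  user.authy_enabled = false
  user
end

# Step 2: only a successful token verification flips authy_enabled.
# A typo'd number never receives a token, so this never runs for it.
def verify_token(user, token_ok)
  user.authy_enabled = true if user.authy_id && token_ok
  user
end

# The gem's own rule as described in the thread: phone entry is skipped
# only when BOTH an authy_id exists and authy_enabled is true. A user
# who pressed back after entering a wrong number still sees the form.
def show_phone_entry?(user)
  !(user.authy_id && user.authy_enabled)
end

# An app enforcing enrollment (the reporter's fix): while authy_enabled
# is false, send the user to the enable page instead of treating them
# as authenticated; once enabled, require the token on each login.
def post_login_route(user)
  user.authy_enabled ? :require_token : :enable_authy
end
```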
Description
After a user has entered their phone number on the enable authy page, they are redirected to the installation verification screen. Devise considers a user at this point to be authorized and authy has accepted the entered number as a valid account, even though no verification was entered.
Example User Issue
A user enters their phone number with a typo during enrollment. While waiting for the SMS for the verification screen, they never receive a message. Thinking they entered it incorrectly, they navigate back in the browser. authy-devise recognizes the `authy_id` generated for the wrong number, and redirects the user to the home page after logging in. At the next log in attempt the user is prompted for the SMS token, finding themselves locked out due to never verifying the wrong number.
Suggested Fix
It seems that there should be an extra field added to the user called `authy_verified`. Devise should consider a user with `authy_enabled = true` and `authy_verified = false` to not be authenticated into the system. Rather, it should redirect to the verify installation screen if the user has an `authy_id` but `authy_verified` is false. Additionally, it should allow a user on the verify installation screen to change their entered phone number in the event it was incorrectly entered.