Class: Devise::CookieCryptController

Inherits:
DeviseController
  • Object
Defined in:
app/controllers/devise/cookie_crypt_controller.rb


Instance Method Details

#show ⇒ Object



# File 'app/controllers/devise/cookie_crypt_controller.rb', line 9

# GET step of the cookie-crypt second factor. Primary (password) authentication
# has already completed when this runs (the flash text below says as much).
#
# Outcomes, in order of evaluation:
#   * browser presents a matching encrypted cookie AND the agent is already
#     known for this resource -> authentication_success
#   * matching cookie but the agent is NOT known -> treated as a stolen-cookie
#     attempt: logged, attempt counter raised, resource signed out, redirect to :root
#   * no matching cookie -> render the security-question form
#     (devise/cookie_crypt/show) so the user can answer the second factor
#
# Helpers such as has_matching_encrypted_cookie?, using_an_agent_that_is_already_being_used?,
# log_hack_attempt and authentication_success are defined elsewhere in the project.
def show
  if has_matching_encrypted_cookie?
    if !using_an_agent_that_is_already_being_used?
      #An attacker has successfully obtained a user's cookie and login credentials and is trying to pass themselves off as the target
      #This is an attacker because the agent data does not match the agent data from when a cookie is generated for this user's machine.
      #A machine that "suddenly" has a cookie despite not being auth'd is an attacker.
      # NOTE(review): the "agent" data compared here originates from the client request, so a
      # mismatch is a useful signal rather than proof on its own. The branch fails closed
      # (sign out + lock), which is the safe default for that uncertainty.

      log_hack_attempt

      # NOTE(review): the next line appears truncated in the rendered source
      # (`resource.class.` with no method name). As written, Ruby continues the chain onto the
      # following line and parses it as `resource.class.resource.save`. Confirm the intended
      # class-level value (presumably the max-attempts setting) against the repository.
      resource.cookie_crypt_attempts_count = resource.class.
      resource.save #prevents attacker from deleting cookie and trying to login "normally" by inputting the user's two_fac answers

      # Drop the session so the presented cookie cannot be reused in this request cycle.
      sign_out(resource)
      redirect_to :root and return
    else
      authentication_success
    end
  else
    flash[:notice] = "Signed In Successfully, now going through two factor authentication."
    @user = resource
    # Path without its query string; presumably used by the template as the form target -- confirm.
    @request_path = request.fullpath.split('?').first
    render template: "devise/cookie_crypt/show"
  end
end

#update ⇒ Object



# File 'app/controllers/devise/cookie_crypt_controller.rb', line 34

# Form-submission step of the cookie-crypt second factor. Three cases:
#   * first login (stored hash empty): enrol the submitted questions/answers
#   * old install with fewer stored questions than cookie_crypt_minimum_questions:
#     append the newly submitted questions/answers to the stored set
#   * normal login: verify the submitted answers; on success optionally set the
#     device cookie and record the agent, on failure bump the attempt counter
#
# Storage format: questions are kept as sanitized plain text, answers as
# SHA-512 hex digests, the whole Hash serialised with Hash#to_s and parsed
# back with Hash.class_eval. Helpers (matching_answers?, generate_cookie,
# update_resource_cycle, log_agent_to_resource, authentication_success) live elsewhere.
def update
  # NOTE(review): Hash.class_eval evaluates the stored string as Ruby code, i.e. it is a
  # code-execution sink. This is only safe while security_hash is written exclusively by this
  # controller (via h.to_s below) and never from user-controlled input. A format with no eval
  # step (e.g. JSON) would remove the risk but changes the stored representation, so flagged only.
  h = Hash.class_eval(resource.security_hash)
  if h.empty? # initial case (first login)

    # NOTE(review): params[:security] is assumed present; a request without it raises
    # NoMethodError on `.keys`. Confirm it is guaranteed by the form or a before_action.
    # The `/2` assumes each question contributes exactly two params (question_n, answer_n).
    (1..(params[:security].keys.count/2)).each do |n|
      h["security_question_#{n}"] = sanitize(params[:security]["security_question_#{n}".to_sym])
      # NOTE(review): unsalted SHA-512 of the answer text. Low-entropy answers are cheap to
      # test offline if the stored digests ever leak; a salted, slow KDF would be stronger.
      # Changing it would invalidate existing stored answers, so flagged rather than changed.
      h["security_answer_#{n}"] = Digest::SHA512.hexdigest(sanitize(params[:security]["security_answer_#{n}".to_sym]))
    end

    resource.security_hash = h.to_s

    resource.save

    authentication_success
  elsif (h.keys.count/2) < resource.class.cookie_crypt_minimum_questions # Need to update hash from an old install

    # Number the new questions after the existing ones so stored keys stay unique.
    ((h.keys.count/2)+1..(params[:security].keys.count/2)+((h.keys.count/2))).each do |n|
      h["security_question_#{n}"] = sanitize(params[:security]["security_question_#{n}".to_sym])
      h["security_answer_#{n}"] = Digest::SHA512.hexdigest(sanitize(params[:security]["security_answer_#{n}".to_sym]))
    end
    resource.security_hash = h.to_s

    resource.save

    authentication_success
  else #normal login attempts
    # NOTE(review): debug output. This writes the full security hash (question text and answer
    # digests) plus the attempt counter to stdout / the server log on every login attempt.
    # It should be removed before this ships; it is left in place here because this edit
    # only adds comments.
    puts "TESTING::#{ h }\n#{ resource.cookie_crypt_attempts_count }"
    
    if matching_answers?(h)
      # Device cookie is set unless the user opted out via the do_not_save_cookie param.
      generate_cookie unless params[:do_not_save_cookie]
      update_resource_cycle(h)
      log_agent_to_resource
      authentication_success
    else
      # Counter is persisted before the flash so a lockout survives even if rendering fails.
      resource.cookie_crypt_attempts_count += 1
      resource.save
      set_flash_message :error, :attempt_failed
      # NOTE(review): the next line appears truncated in the rendered source (`if resource.` with
      # no method name). As written, Ruby continues the chain and parses it as
      # `resource.update_resource_cycle(h)`. Confirm the intended predicate (presumably the
      # max-attempts check) against the repository.
      if resource.
        update_resource_cycle(h)
        sign_out(resource)
        render template: 'devise/cookie_crypt/max_login_attempts_reached' and return
      else
        # Wrong answers, attempts remaining: show the question form again.
        render :show
      end
    end
  end
end