feat: intercept DatabaseAuthenticatable and PasswordsController for 2FA

Modify DatabaseAuthenticatable strategy to detect 2FA-enabled users
after password validation and redirect to the default 2FA method's
challenge page instead of signing in.

Update PasswordsController to require 2FA verification after password
reset when sign_in_after_reset_password is enabled.

Author: santiagorodriguez96

app/controllers/devise/passwords_controller.rb

@@ -37,6 +37,14 @@ def update
     if resource.errors.empty?
       resource.unlock_access! if unlockable?(resource)
       if sign_in_after_reset_password?
+        if resource.respond_to?(:two_factor_enabled?) && resource.two_factor_enabled?
+          session[:devise_two_factor_resource_id] = resource.id
+          default_method = resource.enabled_two_factors.first
+          set_flash_message!(:notice, :updated_two_factor_required)
+          respond_with resource, location: new_two_factor_challenge_path(resource_name, default_method)
+          return
+        end
+
         flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
         set_flash_message!(:notice, flash_message)
         resource.after_database_authentication

config/locales/en.yml

@@ -38,6 +38,7 @@ en:
       send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
       updated: "Your password has been changed successfully. You are now signed in."
       updated_not_active: "Your password has been changed successfully."
+      updated_two_factor_required: "Your password has been changed successfully. Please complete two-factor authentication."
     registrations:
       destroyed: "Bye! Your account has been successfully cancelled. We hope to see you again soon."
       signed_up: "Welcome! You have signed up successfully."

lib/devise/strategies/database_authenticatable.rb

@@ -11,9 +11,13 @@ def authenticate!
         hashed = false
 
         if validate(resource){ hashed = true; resource.valid_password?(password) }
-          remember_me(resource)
-          resource.after_database_authentication
-          success!(resource)
+          if resource.respond_to?(:two_factor_enabled?) && resource.two_factor_enabled?
+            initiate_two_factor_authentication!(resource)
+          else
+            remember_me(resource)
+            resource.after_database_authentication
+            success!(resource)
+          end
         end
 
         # In paranoid mode, hash the password even when a resource doesn't exist for the given authentication key.
@@ -24,6 +28,20 @@ def authenticate!
           Devise.paranoid ? fail(:invalid) : fail(:not_found_in_database)
         end
       end
+
+      private
+
+      def initiate_two_factor_authentication!(resource)
+        session[:devise_two_factor_resource_id] = resource.id
+        session[:devise_two_factor_remember_me] = remember_me?
+        default_method = resource.enabled_two_factors.first
+        redirect!(new_two_factor_challenge_path(scope, default_method))
+      end
+
+      def new_two_factor_challenge_path(scope, method)
+        Rails.application.routes.url_helpers
+          .send(:"#{scope}_new_two_factor_#{method}_path")
+      end
     end
   end
 end