b876e02c3a
TOTP enrollment previously round-tripped the generated secret through a hidden form field and saved whatever the client submitted, letting an attacker with session access enroll a 2FA device they control by posting their own secret plus a matching code. Stash the secret in the session at GET /totp/new, read it only from the session at POST /totp, and drop the hidden field from the view. Notify the user by email on successful enrollment so unauthorized activations are visible even if a new vector appears later. Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
8 lines
187 B
Ruby
8 lines
187 B
Ruby
class TotpMailer < ApplicationMailer
|
|
def enabled(user)
|
|
@user = user
|
|
mail subject: "Two-factor authentication enabled on your account",
|
|
to: user.email_address
|
|
end
|
|
end
|