two_factor_authentication
Skip validations when setting direct_otp
If there is a validation error on the user model, it can lead to some unpredictable 2FA behavior. For example, the send_new_otp method will send a new OTP code to the user even if it failed to update the direct_otp column in the database. When this happens, the new code does not work for the user.
Looking at other Devise modules, they tend to skip validations when saving data as well:
- https://github.com/plataformatec/devise/blob/master/lib/devise/models/trackable.rb#L40
- https://github.com/plataformatec/devise/blob/master/lib/devise/models/rememberable.rb#L53
- https://github.com/plataformatec/devise/blob/master/lib/devise/models/rememberable.rb#L62
- https://github.com/plataformatec/devise/blob/master/lib/devise/models/recoverable.rb#L94
- https://github.com/plataformatec/devise/blob/master/lib/devise/models/lockable.rb#L48
- https://github.com/plataformatec/devise/blob/master/lib/devise/models/lockable.rb#L57
- https://github.com/plataformatec/devise/blob/master/lib/devise/models/lockable.rb#L69
- https://github.com/plataformatec/devise/blob/master/lib/devise/models/lockable.rb#L108
- https://github.com/plataformatec/devise/blob/master/lib/devise/models/confirmable.rb#L258
It seems like generating the direct_otp token is similar to a lot of these other cases where validation is skipped.
This should also fix #170
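
The failure mode described in this pull request, reproduced as an added example (not code from the gem or from this PR). `FakeUser`, its email validation and `otp_round_trip` are hypothetical stand-ins for an ActiveRecord model, and the `validate:` argument on `send_new_otp` exists only here to show both behaviours side by side.

```ruby
require 'securerandom'

# Plain-Ruby stand-in for an ActiveRecord user (hypothetical; no Rails needed).
# Like ActiveRecord, save returns false and persists nothing when validations
# fail, unless it is called with validate: false.
class FakeUser
  attr_accessor :email, :direct_otp
  attr_reader :stored_otp, :delivered

  def initialize(email)
    @email = email
    @delivered = [] # codes "sent" to the user
  end

  def valid?
    !email.to_s.empty? # constructed validation: email must be present
  end

  def save(validate: true)
    return false if validate && !valid?
    @stored_otp = direct_otp # stands in for the direct_otp column
    true
  end

  # validate: true  -> behaviour the PR describes (save result ignored)
  # validate: false -> behaviour the PR proposes
  def send_new_otp(validate:)
    self.direct_otp = format('%06d', SecureRandom.random_number(10**6))
    save(validate: validate)
    @delivered << direct_otp
  end

  # The next request only sees what was persisted.
  def otp_accepted?(code)
    !stored_otp.nil? && stored_otp == code
  end
end

# Sends a code, then checks whether the delivered code would be accepted.
def otp_round_trip(user, validate:)
  user.send_new_otp(validate: validate)
  user.otp_accepted?(user.delivered.last)
end

invalid_user = FakeUser.new('') # fails the constructed validation
puts otp_round_trip(invalid_user, validate: true)
puts otp_round_trip(FakeUser.new(''), validate: false)
```

With validations running, the invalid record receives a code that was never stored, so it can never be accepted; skipping validations keeps the delivered and stored codes in step.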