# File 'app/controllers/rails/auth/sessions_controller.rb', line 9
# Password login, with an optional one-time-password second step.
#
# Looks the user up by the submitted email, then:
#   * a locked account is refused before the password is checked
#     (HTML: redirect to new_session_path with an alert; JSON: 423 Locked);
#   * on a correct password the failed-attempt counter is reset; if OTP is
#     enabled the user id is parked in session[:otp_user_id] and the client is
#     sent to OTP verification (JSON: 202 with mfa_required), otherwise
#     sign_in is called and a JWT plus an id/email/role summary is returned;
#   * on a wrong password, or an email that matches no record, the attempt is
#     counted and logged on the user (when one exists) and the form is
#     re-rendered with 422 (JSON: 401).
#
# NOTE(review): the response currently depends on whether the email exists —
# the locked branch runs before the password is verified, and the failure
# branch says "Account locked. Check your email." only for an existing,
# locked account — so messages and status codes reveal which emails are
# registered. Unknown emails also skip the authenticate call, so the two
# failure paths presumably differ in timing as well. If that is not an
# accepted trade-off, return one message/status for every failure and keep
# the work done on the unknown-email path comparable.
# NOTE(review): session[:otp_user_id] is written into the existing session;
# whether the session is rotated before this (or inside sign_in) is not
# visible here — confirm fixation is handled.
def create
  user = Rails::Auth.user_class.find_by(email: params[:email])
  # Locked accounts are refused regardless of the submitted password.
  if user&.access_locked?
    respond_to do |format|
      format.html { redirect_to new_session_path, alert: "Your account is locked. Please check your email for unlock instructions." }
      format.json { render json: { error: "Account locked" }, status: :locked }
    end
    return
  end
  # authenticate is only attempted when the email matched a record.
  if user&.authenticate(params[:password])
    # A correct password clears the lockout counter even when the OTP step
    # below has not been completed yet. `update` (not `update!`) returns
    # false on a validation failure and that result is ignored — confirm
    # this is intended.
    user.update(failed_attempts: 0)
    if user.otp_enabled?
      # Park the pending user id for the OTP step; sign_in is not called
      # until that step succeeds.
      session[:otp_user_id] = user.id
      respond_to do |format|
        format.html { redirect_to new_otp_verification_path }
        format.json { render json: { mfa_required: true }, status: :accepted }
      end
    else
      sign_in(user)
      respond_to do |format|
        format.html { redirect_to main_app.root_path, notice: "Signed in successfully." }
        format.json { render json: { token: Rails::Auth.encode_jwt(user_id: user.id), user: user.as_json(only: [ :id, :email, :role ]) } }
      end
    end
  else
    if user
      # Known email, wrong password: count and log the attempt, then report
      # whether the account is locked after this attempt.
      user.increment_failed_attempts!
      user.log_security_event!(:login_failed, request)
      message = user.access_locked? ? "Account locked. Check your email." : "Invalid email or password."
    else
      # No matching record: nothing is counted or logged for this email.
      message = "Invalid email or password."
    end
    respond_to do |format|
      format.html do
        # flash.now: the message is for this render only, not the next request.
        flash.now[:alert] = message
        render :new, status: :unprocessable_entity
      end
      format.json { render json: { error: message }, status: :unauthorized }
    end
  end
end