fix(auth): hash MFA backup codes (#1629)

* fix(auth): hash MFA backup codes

* fix(auth): lock and filter backup code verification

* test(auth): assert consumed backup code digest

* fix(auth): strengthen backup code handling

* fix(auth): require otp secret before mfa enable

* test(auth): assert backup code digest consumption

* fix(auth): rehash legacy MFA backup codes

* fix(auth): narrow legacy backup code migration
This commit is contained in:
ghost
2026-05-04 17:20:57 -06:00
committed by GitHub
parent 1ec8bd90b7
commit d0883f9018
7 changed files with 230 additions and 29 deletions


@@ -11,8 +11,7 @@ class MfaController < ApplicationController
def create
if Current.user.verify_otp?(params[:code])
Current.user.enable_mfa!
@backup_codes = Current.user.otp_backup_codes
@backup_codes = Current.user.enable_mfa!
render :backup_codes
else
Current.user.disable_mfa!
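Review bot: the swap from `@backup_codes = Current.user.otp_backup_codes` to `@backup_codes = Current.user.enable_mfa!` makes the return value of `enable_mfa!` the only copy of the plaintext codes the view will ever see, so that contract (returns the freshly generated plaintext codes; persists only their digests; never exposes them again) needs to be stated in the model method's documentation and pinned by a test, since nothing in this hunk shows it. Worth confirming while here that `render :backup_codes` is the single place the plaintext is emitted and that the `else` branch's `disable_mfa!` on a failed `verify_otp?` is still the intended behaviour for a user who has not yet enabled MFA.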