Fix paranoid-mode being ignored (#138)

* Fix paranoid-mode being ignored Devise's paranoid-mode is meant to hide when a record with an e-mail exists in the system, by always showing the invalid error message instead of conditionally revealing when a record is not found. This gem ignores the setting and reveals existing accounts during an enumeration attack.
devise-two-factor · Jan 7, 2019 · 5549aba · 5549aba
1 parent f3e40dc
commit 5549aba
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/lib/devise_two_factor/strategies/two_factor_authenticatable.rb b/lib/devise_two_factor/strategies/two_factor_authenticatable.rb
@@ -12,7 +12,7 @@ def authenticate!
           super
         end
 
-        fail(:not_found_in_database) unless resource
+        fail(Devise.paranoid ? :invalid : :not_found_in_database) unless resource
 
         # We want to cascade to the next strategy if this one fails,
         # but database authenticatable automatically halts on a bad password

diff --git a/lib/devise_two_factor/strategies/two_factor_backupable.rb b/lib/devise_two_factor/strategies/two_factor_backupable.rb
@@ -12,7 +12,7 @@ def authenticate!
           super
         end
 
-        fail(:not_found_in_database) unless resource
+        fail(Devise.paranoid ? :invalid : :not_found_in_database) unless resource
 
         # We want to cascade to the next strategy if this one fails,
         # but database authenticatable automatically halts on a bad password