Firstly thanks for this gem, it has, for the most part, been excellent to use.
Issue
Calling the helper is_fully_authenticated? when the resource is not called user always returns true.
Background
We have been refactoring a few of our authentication processes, and I have discovered that is_fully_authenticated? will return true if your user model is not called user.
Example
One of our user models is called admin. In one of our exposed devise controllers, we are calling the following to ensure two_factor is required:
warden.session(resource_name)[TwoFactorAuthentication::NEED_AUTHENTICATION] = true if warden.authenticated? resource_name
The session is now:
{
"session_id" => "e506f931c02b42d17b398af55e95387a",
"_csrf_token" => "esijVCN7Yf/y3/vExmc5Ci1t3ydcZe72EQ0HhpEF8lE=",
"warden.user.admin.key" => [[1], "$2a$11$g84JZdWomFd6O6h9Ym6E2e"],
"warden.user.admin.session" => {"need_two_factor_authentication"=>true}
}
But now, is_fully_authenticated? returns true because it runs this check:
!session["warden.user.user.session"].try(:[], TwoFactorAuthentication::NEED_AUTHENTICATION)
It should be returning false. Note the warden.user.user instead of the warden.user.admin.
Proposed fix
The helper should be:
!session["warden.user.admin.session"].try(:[], TwoFactorAuthentication::NEED_AUTHENTICATION)
In theory, this could be achieved with
!session["warden.user.#{resource_name}.session"].try(:[], TwoFactorAuthentication::NEED_AUTHENTICATION)
If I am correct, please let me know and I will attempt to make a PR for you. Otherwise, any suggestions on my implementation are welcome.
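The behaviour described in this issue, as an added stand-alone example (not the gem's code and not part of the original post): a stand-in for the helper with the session key hard-coded to the "user" scope next to the resource-scoped version proposed above. The session hash is constructed to match the one pasted in the issue, ActiveSupport's `try` is replaced with the standard-library `Hash#dig` (which also returns nil when the outer key is absent), and `complete_two_factor!` is an assumed helper standing in for whatever the gem does to clear the flag after a successful second-factor check.

```ruby
# Added example, not the gem's code: a stand-in for the helper quoted in the
# issue, showing why a session key hard-coded to the "user" scope passes an
# "admin" session that still needs its second factor, and what the
# resource-scoped key does instead. ActiveSupport's `try` is replaced with the
# standard-library `Hash#dig`, which returns nil when the outer key is absent.

NEED_AUTHENTICATION = "need_two_factor_authentication"

# Builds a session shaped like the one pasted in the issue for an arbitrary
# Warden scope (constructed test data; the ids and hash are placeholders).
def session_needing_two_factor(scope)
  {
    "session_id"  => "e506f931c02b42d17b398af55e95387a",
    "_csrf_token" => "esijVCN7Yf/y3/vExmc5Ci1t3ydcZe72EQ0HhpEF8lE=",
    "warden.user.#{scope}.key"     => [[1], "$2a$11$g84JZdWomFd6O6h9Ym6E2e"],
    "warden.user.#{scope}.session" => { NEED_AUTHENTICATION => true },
  }
end

# The check as the issue quotes it: the scope is fixed to "user", so any other
# scope's session is never looked at and the result is always true.
def fully_authenticated_hardcoded?(session)
  !session.dig("warden.user.user.session", NEED_AUTHENTICATION)
end

# The proposed fix: derive the Warden session key from the resource name
# (Devise's resource_name, e.g. :admin), so each scope is checked on its own.
def fully_authenticated_scoped?(session, resource_name)
  !session.dig("warden.user.#{resource_name}.session", NEED_AUTHENTICATION)
end

# Assumed helper (how the gem itself clears the flag is not shown in the issue):
# remove the flag from the scope's session once the second factor is verified,
# after which the scoped helper should report fully authenticated.
def complete_two_factor!(session, resource_name)
  session.fetch("warden.user.#{resource_name}.session").delete(NEED_AUTHENTICATION)
  session
end

if __FILE__ == $PROGRAM_NAME
  admin = session_needing_two_factor(:admin)
  puts "hard-coded check, admin scope: #{fully_authenticated_hardcoded?(admin)}"    # true (the bug)
  puts "scoped check, admin scope:     #{fully_authenticated_scoped?(admin, :admin)}" # false
  complete_two_factor!(admin, :admin)
  puts "scoped check after 2FA:        #{fully_authenticated_scoped?(admin, :admin)}" # true
end
```

The hard-coded helper only misbehaves for scopes other than user, which is why an app whose single model is User never notices it; with the scoped key, a session that has not yet passed its second factor is reported as not fully authenticated regardless of the model name.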