Merge remote-tracking branch 'parent/main' into upstream-20240503

db/migrate/20231210154528_add_otp_secret_to_user.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddOtpSecretToUser < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :otp_secret, :string
+  end
+end

db/post_migrate/20240307180905_migrate_devise_two_factor_secrets.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class MigrateDeviseTwoFactorSecrets < ActiveRecord::Migration[7.1]
+  disable_ddl_transaction!
+
+  class MigrationUser < ApplicationRecord
+    self.table_name = :users
+
+    devise :two_factor_authenticatable,
+           otp_secret_encryption_key: Rails.configuration.x.otp_secret
+
+    include LegacyOtpSecret # Must be after the above `devise` line in order to override the legacy method
+  end
+
+  def up
+    MigrationUser.reset_column_information
+
+    users_with_otp_enabled.find_each do |user|
+      # Gets the new value on already-updated users
+      # Falls back to legacy value on not-yet-migrated users
+      otp_secret = user.otp_secret
+
+      Rails.logger.debug { "Processing #{user.email}" }
+
+      # This is a no-op for migrated users and updates format for not migrated
+      user.update!(otp_secret: otp_secret)
+    end
+  end
+
+  def down
+    raise ActiveRecord::IrreversibleMigration
+  end
+
+  private
+
+  def users_with_otp_enabled
+    MigrationUser.where(otp_required_for_login: true, otp_secret: nil)
+  end
+end

db/schema.rb

@@ -1559,6 +1559,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_04_26_233435) do
     t.bigint "role_id"
     t.text "settings"
     t.string "time_zone"
+    t.string "otp_secret"
     t.index ["account_id"], name: "index_users_on_account_id"
     t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
     t.index ["created_by_application_id"], name: "index_users_on_created_by_application_id", where: "(created_by_application_id IS NOT NULL)"