two_factor_authentication 1.1.3 → 2.2.0

data/README.md

@@ -1,14 +1,20 @@
 # Two factor authentication for Devise
 
+[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/Houdini/two_factor_authentication?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+
 [![Build Status](https://travis-ci.org/Houdini/two_factor_authentication.svg?branch=master)](https://travis-ci.org/Houdini/two_factor_authentication)
-[![Code Climate](https://codeclimate.com/github/Houdini/two_factor_authentication.png)](https://codeclimate.com/github/Houdini/two_factor_authentication)
+[![Code Climate](https://codeclimate.com/github/Houdini/two_factor_authentication.svg)](https://codeclimate.com/github/Houdini/two_factor_authentication)
 
 ## Features
 
-* control sms code pattern
-* configure max login attempts
-* per user level control if he really need two factor authentication
-* your own sms logic
+* Support for 2 types of OTP codes
+ 1. Codes delivered directly to the user
+ 2. TOTP (Google Authenticator) codes based on a shared secret (HMAC)
+* Configurable OTP code digit length
+* Configurable max login attempts
+* Customizable logic to determine if a user needs two factor authentication
+* Configurable period where users won't be asked for 2FA again
+* Option to encrypt the TOTP secret in the database, with iv and salt
 
 ## Configuration
 
@@ -22,71 +28,95 @@ Once that's done, run:
 
     bundle install
 
-### Automatic installation
+Note that Ruby 2.1 or greater is required.
 
-In order to add two factor authorisation to a model, run the command:
+### Installation
 
-    bundle exec rails g two_factor_authentication MODEL
+#### Automatic initial setup
 
-Where MODEL is your model name (e.g. User or Admin). This generator will add `:two_factor_authenticatable` to your model
-and create a migration in `db/migrate/`, which will add `:otp_secret_key` and `:second_factor_attempts_count` to your table.
-Finally, run the migration with:
+To set up the model and database migration file automatically, run the
+following command:
 
-    bundle exec rake db:migrate
+    bundle exec rails g two_factor_authentication MODEL
 
-Add the following line to your model to fully enable two-factor auth:
+Where MODEL is your model name (e.g. User or Admin). This generator will add
+`:two_factor_authenticatable` to your model's Devise options and create a
+migration in `db/migrate/`, which will add the following columns to your table:
+
+- `:second_factor_attempts_count`
+- `:encrypted_otp_secret_key`
+- `:encrypted_otp_secret_key_iv`
+- `:encrypted_otp_secret_key_salt`
+- `:direct_otp`
+- `:direct_otp_sent_at`
+- `:totp_timestamp`
 
-    has_one_time_password
+#### Manual initial setup
 
-Set config values, if desired, for maximum second factor attempts count, allowed time drift, and OTP length.
+If you prefer to set up the model and migration manually, add the
+`:two_factor_authenticatable` option to your existing devise options, such as:
 
 ```ruby
-config.max_login_attempts = 3
-config.allowed_otp_drift_seconds = 30
-config.otp_length = 6
+devise :database_authenticatable, :registerable, :recoverable, :rememberable,
+       :trackable, :validatable, :two_factor_authenticatable
 ```
 
-Override the method to send one-time passwords in your model, this is automatically called when a user logs in:
+Then create your migration file using the Rails generator, such as:
 
-```ruby
-def send_two_factor_authentication_code
-  # use Model#otp_code and send via SMS, etc.
-end
+```
+rails g migration AddTwoFactorFieldsToUsers second_factor_attempts_count:integer encrypted_otp_secret_key:string:index encrypted_otp_secret_key_iv:string encrypted_otp_secret_key_salt:string direct_otp:string direct_otp_sent_at:datetime totp_timestamp:timestamp
 ```
 
-### Manual installation
-
-To manually enable two factor authentication for the User model, you should add two_factor_authentication to your devise line, like:
+Open your migration file (it will be in the `db/migrate` directory and will be
+named something like `20151230163930_add_two_factor_fields_to_users.rb`), and
+add `unique: true` to the `add_index` line so that it looks like this:
 
 ```ruby
-devise :database_authenticatable, :registerable,
-       :recoverable, :rememberable, :trackable, :validatable, :two_factor_authenticatable
+add_index :users, :encrypted_otp_secret_key, unique: true
 ```
+Save the file.
+
+#### Complete the setup
+
+Run the migration with:
+
+    bundle exec rake db:migrate
 
 Add the following line to your model to fully enable two-factor auth:
 
-    has_one_time_password
+    has_one_time_password(encrypted: true)
 
-Set config values, if desired, for maximum second factor attempts count, allowed time drift, and OTP length.
+Set config values in `config/initializers/devise.rb`:
 
 ```ruby
-config.max_login_attempts = 3
-config.allowed_otp_drift_seconds = 30
-config.otp_length = 6
+config.max_login_attempts = 3  # Maximum second factor attempts count.
+config.allowed_otp_drift_seconds = 30  # Allowed TOTP time drift between client and server.
+config.otp_length = 6  # TOTP code length
+config.direct_otp_valid_for = 5.minutes  # Time before direct OTP becomes invalid
+config.direct_otp_length = 6  # Direct OTP code length
+config.remember_otp_session_for_seconds = 30.days  # Time before browser has to perform 2fA again. Default is 0.
+config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
+config.second_factor_resource_id = 'id' # Field or method name used to set value for 2fA remember cookie
+config.delete_cookie_on_logout = false # Delete cookie when user signs out, to force 2fA again on login
 ```
+The `otp_secret_encryption_key` must be a random key that is not stored in the
+DB, and is not checked in to your repo. It is recommended to store it in an
+environment variable, and you can generate it with `bundle exec rake secret`.
 
-Override the method to send one-time passwords in your model, this is automatically called when a user logs in:
+Override the method in your model in order to send direct OTP codes. This is
+automatically called when a user logs in unless they have TOTP enabled (see
+below):
 
 ```ruby
-def send_two_factor_authentication_code
-  # use Model#otp_code and send via SMS, etc.
+def send_two_factor_authentication_code(code)
+  # Send code via SMS, etc.
 end
 ```
 
-
 ### Customisation and Usage
 
-By default second factor authentication enabled for each user, you can change it with this method in your User model:
+By default, second factor authentication is required for each user. You can
+change that by overriding the following method in your model:
 
 ```ruby
 def need_two_factor_authentication?(request)
@@ -94,19 +124,34 @@ def need_two_factor_authentication?(request)
 end
 ```
 
-this will disable two factor authentication for local users
+In the example above, two factor authentication will not be required for local
+users.
 
-This gem is compatible with Google Authenticator (https://support.google.com/accounts/answer/1066447?hl=en).  You can generate provisioning uris by invoking the following method on your model:
+This gem is compatible with [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en).
+To enable this a shared secret must be generated by invoking the following
+method on your model:
 
-    user.provisioning_uri #This assumes a user model with an email attributes
+```ruby
+user.generate_totp_secret
+```
 
-This provisioning uri can then be turned in to a QR code if desired so that users may add the app to Google Authenticator easily.  Once this is done they may retrieve a one-time password directly from the Google Authenticator app as well as through whatever method you define in `send_two_factor_authentication_code`
+This must then be shared via a provisioning uri:
+
+```ruby
+user.provisioning_uri # This assumes a user model with an email attribute
+```
+
+This provisioning uri can then be turned in to a QR code if desired so that
+users may add the app to Google Authenticator easily.  Once this is done, they
+may retrieve a one-time password directly from the Google Authenticator app.
 
 #### Overriding the view
 
-The default view that shows the form can be overridden by first adding a folder named: "two_factor_authentication" inside "app/views/devise", in here you want to create a "show.html.erb" view.
+The default view that shows the form can be overridden by adding a
+file named `show.html.erb` (or `show.html.haml` if you prefer HAML)
+inside `app/views/devise/two_factor_authentication/` and customizing it.
+Below is an example using ERB:
 
-The full path should be "app/views/devise/two_factor_authentication/show.html.erb"
 
 ```html
 <h2>Hi, you received a code by email, please enter it below, thanks!</h2>
@@ -117,27 +162,244 @@ The full path should be "app/views/devise/two_factor_authentication/show.html.er
 <% end %>
 
 <%= link_to "Sign out", destroy_user_session_path, :method => :delete %>
-
 ```
 
-#### Updating existing users with OTP secret key
+#### Upgrading from version 1.X to 2.X
+
+The following database fields are new in version 2.
 
-If you have existing users that needs to be provided with a OTP secret key, so they can take benefit of the two factor authentication, create a rake. It could look like this one below:
+- `direct_otp`
+- `direct_otp_sent_at`
+- `totp_timestamp`
+
+To add them, generate a migration such as:
+
+    $ rails g migration AddTwoFactorFieldsToUsers direct_otp:string direct_otp_sent_at:datetime totp_timestamp:timestamp
+
+The `otp_secret_key` is only required for users who use TOTP (Google Authenticator) codes,
+so unless it has been shared with the user it should be set to `nil`.  The
+following pseudo-code is an example of how this might be done:
 
 ```ruby
-desc "rake task to update users with otp secret key"
-task :update_users_with_otp_secret_key  => :environment do
-	users = User.all
-
-	users.each do |user|
-		key = ROTP::Base32.random_base32
-		user.update_attributes(:otp_secret_key => key)
-		user.save
-		puts "Rake[:update_users_with_otp_secret_key] => User '#{user.email}' OTP secret key set to '#{key}'"
-	end
+User.find_each do |user| do
+  if !uses_authenticator_app(user)
+    user.otp_secret_key = nil
+    user.save!
+  end
 end
 ```
 
-### Example
+#### Adding the TOTP encryption option to an existing app
+
+If you've already been using this gem, and want to start encrypting the OTP
+secret key in the database (recommended), you'll need to perform the following
+steps:
+
+1. Generate a migration to add the necessary columns to your model's table:
+
+   ```
+   rails g migration AddEncryptionFieldsToUsers encrypted_otp_secret_key:string:index encrypted_otp_secret_key_iv:string encrypted_otp_secret_key_salt:string
+   ```
+
+   Open your migration file (it will be in the `db/migrate` directory and will be
+   named something like `20151230163930_add_encryption_fields_to_users.rb`), and
+   add `unique: true` to the `add_index` line so that it looks like this:
+
+   ```ruby
+   add_index :users, :encrypted_otp_secret_key, unique: true
+   ```
+   Save the file.
+
+2. Run the migration: `bundle exec rake db:migrate`
+
+2. Update the gem: `bundle update two_factor_authentication`
+
+3. Add `encrypted: true` to `has_one_time_password` in your model.
+   For example: `has_one_time_password(encrypted: true)`
+
+4. Generate a migration to populate the new encryption fields:
+   ```
+   rails g migration PopulateEncryptedOtpFields
+   ```
+
+   Open the generated file, and replace its contents with the following:
+   ```ruby
+   class PopulateEncryptedOtpFields < ActiveRecord::Migration
+     def up
+       User.reset_column_information
+
+       User.find_each do |user|
+         user.otp_secret_key = user.read_attribute('otp_secret_key')
+         user.save!
+       end
+     end
+
+     def down
+       User.reset_column_information
+
+       User.find_each do |user|
+         user.otp_secret_key = ROTP::Base32.random_base32
+         user.save!
+       end
+     end
+   end
+   ```
+
+5. Generate a migration to remove the `:otp_secret_key` column:
+   ```
+   rails g migration RemoveOtpSecretKeyFromUsers otp_secret_key:string
+   ```
+
+6. Run the migrations: `bundle exec rake db:migrate`
+
+If, for some reason, you want to switch back to the old non-encrypted version,
+use these steps:
+
+1. Remove `(encrypted: true)` from `has_one_time_password`
+
+2. Roll back the last 3 migrations (assuming you haven't added any new ones
+after them):
+   ```
+   bundle exec rake db:rollback STEP=3
+   ```
+
+#### Critical Security Note! Add before_action to your user registration controllers
+
+You should have a file registrations_controller.rb in your controllers folder
+to overwrite/customize user registrations. It should include the lines below, for 2FA protection of user model updates, meaning that users can only access the users/edit page after confirming 2FA fully, not simply by logging in. Otherwise the entire 2FA system can be bypassed!
+
+   ```ruby
+   class RegistrationsController < Devise::RegistrationsController
+     before_action :confirm_two_factor_authenticated, except: [:new, :create, :cancel]
+   
+     protected
+   
+     def confirm_two_factor_authenticated
+       return if is_fully_authenticated?
+
+       flash[:error] = t('devise.errors.messages.user_not_authenticated')
+       redirect_to user_two_factor_authentication_url
+     end
+   end
+   ```
+
+#### Critical Security Note! Add 2FA validation to your custom user actions
+
+Make sure you are passing the 2FA secret codes securely and checking for them upon critical user actions, such as API key updates, user email or pgp pubkey updates, or any other changess to private/secure account-related details. Validate the secret during the initial 2FA key/secret verification by the user also, of course.
+
+ For example, a simple account_controller.rb may look something like this:
+
+   ```
+   require 'json'
+
+   class AccountController < ApplicationController
+     before_action :require_signed_in!
+     before_action :authenticate_user!
+     respond_to :html, :json
+     
+     def account_API
+       resp = {}
+       begin       
+         if(account_params["twoFAKey"] && account_params["twoFASecret"])
+           current_user.otp_secret_key = account_params["twoFAKey"]
+           if(current_user.authenticate_totp(account_params["twoFASecret"]))
+             # user has validated their temporary 2FA code, save it to their account, enable 2FA on this account
+             current_user.save!
+             resp['success'] = "passed 2FA validation!"
+           else
+             resp['error'] = "failed 2FA validation!"
+           end
+         elsif(param[:userAccountStuff] && param[:userAccountWidget])
+           #before updating important user account stuff and widgets,
+           #check to see that the 2FA secret has also been passed in, and verify it...
+           if(account_params["twoFASecret"] && current_user.totp_enabled? && current_user.authenticate_totp(account_params["twoFASecret"]))
+             # user has passed 2FA checks, do cool user account stuff here
+             ...
+           else 
+             # user failed 2FA check! No cool user stuff happens!             
+              resp[error] = 'You failed 2FA validation!'
+           end
+           
+             ...
+           end
+         else
+           resp['error'] = 'unknown format error, not saved!'  
+         end
+       rescue Exception => e
+         puts "WARNING: account api threw error : '#{e}' for user #{current_user.username}"
+         #print "error trace: #{e.backtrace}\n"
+         resp['error'] = "unanticipated server response"
+       end
+       render json: resp.to_json
+     end
+   
+     def account_params
+       params.require(:twoFA).permit(:userAccountStuff, :userAcountWidget, :twoFAKey, :twoFASecret)
+     end
+   end   
+   ```
+
+
+### Example App
 
 [TwoFactorAuthenticationExample](https://github.com/Houdini/TwoFactorAuthenticationExample)
+
+
+### Example user actions
+
+to use an ENV VAR for the 2FA encryption key:
+
+config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
+
+to set up TOTP for Google Authenticator for user:
+
+   ```
+   current_user.otp_secret_key =  current_user.generate_totp_secret
+   current_user.save!
+   ```
+   
+( encrypted db fields are set upon user model save action,
+rails c access relies on setting env var: OTP_SECRET_ENCRYPTION_KEY )
+
+to check if user has input the correct code (from the QR display page)
+before saving the user model:
+
+   ```
+   current_user.authenticate_totp('123456')
+   ```
+
+additional note:
+ 
+   ```
+   current_user.otp_secret_key
+   ```
+   
+This returns the OTP secret key in plaintext for the user (if you have set the env var) in the console
+the string used for generating the QR given to the user for their Google Auth is something like:
+
+otpauth://totp/LABEL?secret=p6wwetjnkjnrcmpd    (example secret used here)
+
+where LABEL should be something like "example.com (Username)", which shows up in their GA app to remind them the code is for example.com
+
+this returns true or false with an allowed_otp_drift_seconds 'grace period'
+
+to set TOTP to DISABLED for a user account:
+
+   ```
+   current_user.second_factor_attempts_count=nil
+   current_user.encrypted_otp_secret_key=nil
+   current_user.encrypted_otp_secret_key_iv=nil
+   current_user.encrypted_otp_secret_key_salt=nil
+   current_user.direct_otp=nil
+   current_user.direct_otp_sent_at=nil
+   current_user.totp_timestamp=nil
+   current_user.direct_otp=nil
+   current_user.otp_secret_key=nil
+   current_user.otp_confirmed=nil
+   current_user.save! (if in ruby code instead of console)
+   current_user.direct_otp? => false
+   current_user.totp_enabled? => false
+   ```
+   
+
+

data/app/controllers/devise/two_factor_authentication_controller.rb

@@ -1,6 +1,8 @@
+require 'devise/version'
+
 class Devise::TwoFactorAuthenticationController < DeviseController
-  prepend_before_filter :authenticate_scope!
-  before_filter :prepare_and_validate, :handle_two_factor_authentication
+  prepend_before_action :authenticate_scope!
+  before_action :prepare_and_validate, :handle_two_factor_authentication
 
   def show
   end
@@ -9,36 +11,74 @@ class Devise::TwoFactorAuthenticationController < DeviseController
     render :show and return if params[:code].nil?
 
     if resource.authenticate_otp(params[:code])
-      warden.session(resource_name)[TwoFactorAuthentication::NEED_AUTHENTICATION] = false
-      sign_in resource_name, resource, :bypass => true
-      set_flash_message :notice, :success
-      redirect_to stored_location_for(resource_name) || :root
-      resource.update_attribute(:second_factor_attempts_count, 0)
+      after_two_factor_success_for(resource)
     else
-      resource.second_factor_attempts_count += 1
-      resource.save
-      flash.now[:error] = find_message(:attempt_failed)
-      if resource.max_login_attempts?
-        sign_out(resource)
-        render :max_login_attempts_reached
-      else
-        render :show
-      end
+      after_two_factor_fail_for(resource)
     end
   end
 
+  def resend_code
+    resource.send_new_otp
+    redirect_to send("#{resource_name}_two_factor_authentication_path"), notice: I18n.t('devise.two_factor_authentication.code_has_been_sent')
+  end
+
   private
 
-    def authenticate_scope!
-      self.resource = send("current_#{resource_name}")
+  def after_two_factor_success_for(resource)
+    set_remember_two_factor_cookie(resource)
+
+    warden.session(resource_name)[TwoFactorAuthentication::NEED_AUTHENTICATION] = false
+    # For compatability with devise versions below v4.2.0
+    # https://github.com/plataformatec/devise/commit/2044fffa25d781fcbaf090e7728b48b65c854ccb
+    if respond_to?(:bypass_sign_in)
+      bypass_sign_in(resource, scope: resource_name)
+    else
+      sign_in(resource_name, resource, bypass: true)
     end
+    set_flash_message :notice, :success
+    resource.update_attribute(:second_factor_attempts_count, 0)
 
-    def prepare_and_validate
-      redirect_to :root and return if resource.nil?
-      @limit = resource.max_login_attempts
-      if resource.max_login_attempts?
-        sign_out(resource)
-        render :max_login_attempts_reached and return
-      end
+    redirect_to after_two_factor_success_path_for(resource)
+  end
+
+  def set_remember_two_factor_cookie(resource)
+    expires_seconds = resource.class.remember_otp_session_for_seconds
+
+    if expires_seconds && expires_seconds > 0
+      cookies.signed[TwoFactorAuthentication::REMEMBER_TFA_COOKIE_NAME] = {
+          value: "#{resource.class}-#{resource.public_send(Devise.second_factor_resource_id)}",
+          expires: expires_seconds.seconds.from_now
+      }
     end
+  end
+
+  def after_two_factor_success_path_for(resource)
+    stored_location_for(resource_name) || :root
+  end
+
+  def after_two_factor_fail_for(resource)
+    resource.second_factor_attempts_count += 1
+    resource.save
+    set_flash_message :alert, :attempt_failed, now: true
+
+    if resource.max_login_attempts?
+      sign_out(resource)
+      render :max_login_attempts_reached
+    else
+      render :show
+    end
+  end
+
+  def authenticate_scope!
+    self.resource = send("current_#{resource_name}")
+  end
+
+  def prepare_and_validate
+    redirect_to :root and return if resource.nil?
+    @limit = resource.max_login_attempts
+    if resource.max_login_attempts?
+      sign_out(resource)
+      render :max_login_attempts_reached and return
+    end
+  end
 end

data/app/views/devise/two_factor_authentication/show.html.erb

@@ -1,4 +1,8 @@
-<h2>Enter your personal code</h2>
+<% if resource.direct_otp %>
+<h2>Enter the code that was sent to you</h2>
+<% else %>
+<h2>Enter the code from your authenticator app</h2>
+<% end %>
 
 <p><%= flash[:notice] %></p>
 
@@ -7,4 +11,9 @@
   <%= submit_tag "Submit" %>
 <% end %>
 
-<%= link_to "Sign out", destroy_user_session_path, :method => :delete %>
+<% if resource.direct_otp %>
+  <%= link_to "Resend Code", send("resend_code_#{resource_name}_two_factor_authentication_path"), action: :get %>
+<% else %>
+<%= link_to "Send me a code instead", send("resend_code_#{resource_name}_two_factor_authentication_path"), action: :get %>
+<% end %>
+<%= link_to "Sign out", send("destroy_#{resource_name}_session_path"), :method => :delete %>

data/config/locales/en.yml

@@ -5,3 +5,4 @@ en:
       attempt_failed: "Attempt failed."
       max_login_attempts_reached: "Access completely denied as you have reached your attempts limit"
       contact_administrator: "Please contact your system administrator."
+      code_has_been_sent: "Your authentication code has been sent."

data/config/locales/es.yml

@@ -0,0 +1,8 @@
+es:
+  devise:
+    two_factor_authentication:
+      success: "Autenticación multi-factor realizada exitosamente."
+      attempt_failed: "La autenticación ha fallado."
+      max_login_attempts_reached: "Has llegado al límite de intentos fallidos, acceso denegado."
+      contact_administrator: "Contacte a su administrador de sistema."
+      code_has_been_sent: "El código de autenticación ha sido enviado."

data/config/locales/fr.yml

@@ -0,0 +1,8 @@
+fr:
+  devise:
+    two_factor_authentication:
+      success: "Validation en deux étapes effectuée avec succès."
+      attempt_failed: "La connexion a échoué."
+      max_login_attempts_reached: "Limite de tentatives atteinte, accès refusé."
+      contact_administrator: "Merci de contacter votre administrateur système."
+      code_has_been_sent: "Votre code de validation envoyé."

data/config/locales/ru.yml

@@ -5,3 +5,4 @@ ru:
       attempt_failed: "Неверный код."
       max_login_attempts_reached: "Доступ заблокирован. Превышено число попыток авторизации"
       contact_administrator: "Пожалуйста, свяжитесь с системным администратором."
+      code_has_been_sent: "Ваш персональный код был отправлен."

data/lib/generators/active_record/templates/migration.rb

@@ -1,15 +1,13 @@
 class TwoFactorAuthenticationAddTo<%= table_name.camelize %> < ActiveRecord::Migration
-  def up
-    change_table :<%= table_name %> do |t|
-      t.string   :otp_secret_key
-      t.integer  :second_factor_attempts_count, :default => 0
-    end
+  def change
+    add_column :<%= table_name %>, :second_factor_attempts_count, :integer, default: 0
+    add_column :<%= table_name %>, :encrypted_otp_secret_key, :string
+    add_column :<%= table_name %>, :encrypted_otp_secret_key_iv, :string
+    add_column :<%= table_name %>, :encrypted_otp_secret_key_salt, :string
+    add_column :<%= table_name %>, :direct_otp, :string
+    add_column :<%= table_name %>, :direct_otp_sent_at, :datetime
+    add_column :<%= table_name %>, :totp_timestamp, :timestamp
 
-    add_index :<%= table_name %>, :otp_secret_key, :unique => true
-  end
-
-  def down
-    remove_column :<%= table_name %>, :otp_secret_key
-    remove_column :<%= table_name %>, :second_factor_attempts_count
+    add_index :<%= table_name %>, :encrypted_otp_secret_key, unique: true
   end
 end

data/lib/two_factor_authentication/controllers/helpers.rb

@@ -4,7 +4,7 @@ module TwoFactorAuthentication
       extend ActiveSupport::Concern
 
       included do
-        before_filter :handle_two_factor_authentication
+        before_action :handle_two_factor_authentication
       end
 
       private
@@ -21,10 +21,10 @@ module TwoFactorAuthentication
 
       def handle_failed_second_factor(scope)
         if request.format.present? and request.format.html?
-          session["#{scope}_return_to"] = "#{request.path}?#{request.query_string}" if request.get?
+          session["#{scope}_return_to"] = request.original_fullpath if request.get?
           redirect_to two_factor_authentication_path_for(scope)
         else
-          render nothing: true, status: :unauthorized
+          head :unauthorized
         end
       end