View on GitHub



RubyGems GSoC Progress report on Jun 3rd

This is a weekly report on a project adding two factor authentication to RubyGems tool and, a site for hosting RubyGems. This week my work focus on controllers and pages for the UI part. In my last post, I mocked up the UI of four occasions concerned with this feature. Now it’s time to implement them.


Since we have discussed occasions in the mock-ups, it’s natural to have five actions:

Just in config/routes.rb UI part:

resource :two_factor_auth, only: %i[new create destroy]

So we can use /two_factor_auth/new to access the 2fa settings page.


Every time we generate different random 2fa seeds and recovery codes when user try to set up 2fa. We store them in session, so we can have it when user confirms to enable 2fa while user cannot change these secrets by themselves.

seed, @recovery = User.generate_mfa
session[:mfa_seed] = seed
session[:mfa_recovery] = @recovery

And when the site receives POST request from user to enable 2fa, the sessions will be cleared.

seed = session[:mfa_seed]
recovery = session[:mfa_recovery]
session[:mfa_seed] = session[:mfa_recovery] = nil
totp =, issuer: '')

For the disabling process, user just inputs current OTP to send DELETE request to disable it.

def destroy
  if current_user.otp_verified?(params[:otp])
    flash[:success] = t('.disable_success')
    flash[:error] = t('profiles.mfa_enable.otp_auth_failed')
  redirect_to edit_profile_url

We should ensure that when a user tries to enable 2fa, he/she should have not enabled it yet. And vice versa.

before_action :require_no_auth, only: %i[new create]
before_action :require_auth_set, only: :destroy

These means we can turn on/off 2fa settings now. See my commit.

More issues

These should be further discussed with my mentor. Next Sunday (Jun 10th) is around GSoC 2018’s mid-term evalution time. I expect to finish site part (2fa of UI & API) before that deadline. Since my code base currently does not have any tests on it, it cannot be merged into main code base. But I still plan to open a pull request (labelled with WIP:) to show the progress.