jaredonline / google-authenticator

Ruby gem to implement Google's MFA authenticator

More direction in readme in regards to the token

larron opened this issue · comments

Hey Jared

So I'm having a hard time understanding what needs to be done in regards to the google_lookup_token. Not sure if I should be adding this field to my table and setting it myself, etc...

I was able to get the secret created and show the QR with no problems.
After attempting to create the session, however, I get hit with: GoogleAuthenticatorRails::Session::Persistence::TokenNotFound

So I guess what I'm trying to figure out is what actually needs to be configured in regards to the token if anything? Seems like I or the documentation missed a step?

Thanks Jared

Hey there,

The google_lookup_token has to be an instance method on the class you're using.

For example:

# app/models/user.rb
class User < ActiveRecord::Base
  # :lookup_token names the instance method the gem calls to find the user;
  # it defaults to :persistence_token, so this option is shown for clarity.
  acts_as_google_authenticated :lookup_token => :persistence_token
end

# app/models/user_mfa_session.rb
class UserMfaSession < GoogleAuthenticatorRails::Session::Base
end

# app/controllers/mfa_session_controller.rb
class MfaSessionController < ApplicationController
  def create
    # `user` is whatever your authentication layer returns for the
    # currently logged-in user (e.g. current_user).
    UserMfaSession.create(user)
  end
end

The call to UserMfaSession::create will fail for one of three reasons:

  1. user is nil
  2. user doesn't respond to :persistence_token
  3. user.persistence_token is blank

Specifically, to answer your question: you don't need to specify a lookup_token if you don't want to; it will default to :persistence_token, but your model needs to respond to the method persistence_token (either because there's a column in the database with that name or because you've defined that method yourself).

You mention setting that field yourself... this gem is written under the assumption that you're using some sort of authentication library (e.g. Devise or Authlogic) and that it's managing a persistence token for looking up the currently logged-in user. Usually those frameworks handle setting that token; if you're not using one, you'd have to set it yourself.

Hope that helps!

Ok, starting to make more sense. My authentication is custom, which explains why I'm out of the loop :) What would you suggest as a best practice for this scenario?

My opinion for best practices would be to let someone else handle the complications of secure authentication, but if you must use the custom scheme, I'd generate a random token for your user and store it in a column in the DB (which will allow google-authenticator-rails to work).

If you don't have a column named persistence_token you could add one there and use it.
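As an added example (not code from the gem or from anyone in this thread), here is a plain-Ruby sketch of the suggestion above for a custom auth scheme: a User that stores a random persistence_token, and a lookup check that fails for exactly the three reasons listed earlier. TokenNotFound and lookup_token_for are hypothetical stand-ins for the gem's internals, and the token-rotation method goes slightly beyond what the thread discusses.

```ruby
require "securerandom"

# Hypothetical stand-in for the gem's TokenNotFound exception.
class TokenNotFound < StandardError; end

# Minimal stand-in for a custom-auth User model; in ActiveRecord the
# token would live in a persistence_token column.
class User
  attr_accessor :persistence_token

  def initialize(persistence_token: nil)
    @persistence_token = persistence_token
  end

  # What a before_create callback would do: store a random, URL-safe
  # token so the gem has something to look the user up by.
  def self.with_fresh_token
    new(persistence_token: SecureRandom.urlsafe_base64(32))
  end

  # Rotate the token (e.g. on logout or password change) so a stale
  # lookup token no longer resolves to this user.
  def reset_persistence_token!
    @persistence_token = SecureRandom.urlsafe_base64(32)
  end
end

# Reproduces the three failure conditions from the answer above: nil user,
# a user that does not respond to the lookup method, and a blank token.
# Returns the token value the MFA session would be keyed on.
def lookup_token_for(user, lookup_token: :persistence_token)
  raise TokenNotFound, "user is nil" if user.nil?
  unless user.respond_to?(lookup_token)
    raise TokenNotFound, "#{user.class} does not respond to #{lookup_token}"
  end
  token = user.public_send(lookup_token)
  raise TokenNotFound, "#{lookup_token} is blank" if token.nil? || token.to_s.strip.empty?
  token
end

if __FILE__ == $PROGRAM_NAME
  user = User.with_fresh_token
  puts "session keyed on #{lookup_token_for(user)}"
  begin
    lookup_token_for(User.new)
  rescue TokenNotFound => e
    puts "rejected: #{e.message}"
  end
end
```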

Awesome! Thanks for the help Jared.

My pleasure! I'll make some updates to the README to make it more clear (or you could submit a pull request if you have the time).