Draft: Replace devise-two-factor auth with custom code
What does this MR do and why?
devise-two-factor is a blocker to the Rails 7 upgrade. It relies on the attr_encrypted gem, which is not actively maintained and is not compatible with Rails 7's newly introduced native encryption. Avoiding the devise-two-factor gem dependency lets us be more flexible and, for example, use a fork of attr_encrypted that supports Rails 7 (or create our own).
It makes sense to gradually replace the gem with custom code that simply uses the rotp gem. We don't need much more code for the custom implementation.
This current merge request replaces devise :two_factor_authenticatable with devise :database_authenticatable and modifies our own Devise strategy to use ROTP for verifying OTP codes.
If we accept the approach this merge request is taking, then a follow-up to this issue will be replacing devise :two_factor_backupable with something like https://github.com/tinfoil/devise-two-factor/blob/main/lib/devise_two_factor/models/two_factor_backupable.rb. After that the gem can be removed (replaced with the rotp gem, which is currently used as a nested dependency).
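
An added sketch, not code from this merge request, of the checks a hand-written OTP verifier has to keep once the gem no longer provides them: a bounded drift window, a non-short-circuiting comparison, and single use of each timestep. It implements RFC 6238 with Ruby's standard library instead of calling rotp so that it runs without gems; `OtpUser`, `verify_and_consume_otp` and the `consumed_timestep` field are hypothetical names.

```ruby
require "openssl"

# RFC 6238 TOTP: HMAC-SHA1 over the big-endian 64-bit timestep, dynamic truncation.
def totp_at(key, timestep, digits: 6)
  mac = OpenSSL::HMAC.digest("SHA1", key, [timestep].pack("Q>"))
  offset = mac.getbyte(19) & 0x0f
  value = mac.byteslice(offset, 4).unpack1("N") & 0x7fffffff
  (value % 10**digits).to_s.rjust(digits, "0")
end

# Compare without returning early at the first differing byte.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical stand-in for the user record; consumed_timestep would be a persisted column.
OtpUser = Struct.new(:key, :consumed_timestep)

# Accepts a code from the current step or +/- drift_steps, at most once per step.
def verify_and_consume_otp(user, code, now: Time.now.to_i, step: 30, drift_steps: 1)
  return false unless code.is_a?(String) && code.match?(/\A\d{6}\z/)
  current = now / step
  ((current - drift_steps)..(current + drift_steps)).each do |ts|
    next if user.consumed_timestep && ts <= user.consumed_timestep # replayed or older code
    next unless secure_eq(totp_at(user.key, ts), code)
    user.consumed_timestep = ts
    return true
  end
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the RFC 6238 SHA-1 test key at t = 59 s.
  user = OtpUser.new("12345678901234567890")
  p verify_and_consume_otp(user, "287082", now: 59) # first use
  p verify_and_consume_otp(user, "287082", now: 59) # same code replayed
end
```

In a real model the `consumed_timestep` update has to be persisted in the same transaction as the login decision, otherwise two concurrent requests can both pass the replay check.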