enable 2FA for manager

when trying to access manager, if superadmin did'nt enable otp, he/she is redirected to a page to enable 2FA. When superadmin is enabling 2FA, he has to to scan a qrcode with the 2FA application client. And afterwards, the superadmin has to log in with email, password and OTP code.

app/controllers/administrations/sessions_controller.rb

@@ -1,12 +1,2 @@
-class Administrations::SessionsController < ApplicationController
-  def new
-  end
-
-  def destroy
-    if administration_signed_in?
-      sign_out :administration
-    end
-
-    redirect_to root_path
-  end
+class Administrations::SessionsController < Devise::SessionsController
 end

app/controllers/administrations_controller.rb

@@ -0,0 +1,28 @@
+class AdministrationsController < ApplicationController
+  before_action :authenticate_administration!
+
+  def edit_otp
+  end
+
+  def enable_otp
+    current_administration.enable_otp!
+    @qrcode = generate_qr_code
+    sign_out :administration
+  end
+
+  protected
+
+  def authenticate_administration!
+    if !administration_signed_in?
+      redirect_to root_path
+    end
+  end
+
+  private
+
+  def generate_qr_code
+    issuer = 'DSManager'
+    label = "#{issuer}:#{current_administration.email}"
+    RQRCode::QRCode.new(current_administration.otp_provisioning_uri(label, issuer: issuer))
+  end
+end

app/controllers/application_controller.rb

@@ -13,6 +13,7 @@ class ApplicationController < ActionController::Base
   before_action :set_raven_context
   before_action :redirect_if_untrusted
   before_action :reject, if: -> { feature_enabled?(:maintenance_mode) }
+  before_action :configure_permitted_parameters, if: :devise_controller?
 
   before_action :staging_authenticate
   before_action :set_active_storage_host
@@ -105,6 +106,10 @@ class ApplicationController < ActionController::Base
     stored_location_for(:user) || super
   end
 
+  def configure_permitted_parameters
+    devise_parameter_sanitizer.permit(:sign_in, keys: [:otp_attempt])
+  end
+
   private
 
   def set_current_roles

app/controllers/manager/application_controller.rb

@@ -13,8 +13,10 @@ module Manager
     protected
 
     def authenticate_administration!
-      if administration_signed_in?
+      if administration_signed_in? && current_administration.otp_required_for_login?
         super
+      elsif administration_signed_in?
+        redirect_to edit_administration_otp_path
       else
         redirect_to manager_sign_in_path
       end