WIP: Initial feature for OTP / authenticator passwords#5306

flovilmart · 2019-01-20T22:23:20Z

No description provided.

codecov · 2019-01-20T22:37:02Z

Codecov Report

Merging #5306 into master will increase coverage by 0.01%.
The diff coverage is 90%.

@@            Coverage Diff             @@
##           master    #5306      +/-   ##
==========================================
+ Coverage   93.88%   93.89%   +0.01%     
==========================================
  Files         123      123              
  Lines        8972     9007      +35     
==========================================
+ Hits         8423     8457      +34     
- Misses        549      550       +1

Impacted Files	Coverage Δ
...dapters/Storage/Postgres/PostgresStorageAdapter.js	`97.08% <100%> (ø)`	⬆️
src/Controllers/DatabaseController.js	`94.94% <100%> (ø)`	⬆️
src/Adapters/Storage/Mongo/MongoTransform.js	`88.18% <80%> (-0.07%)`	⬇️
src/Routers/UsersRouter.js	`92.69% <90%> (-0.77%)`	⬇️
src/Adapters/Auth/httpsRequest.js	`95.23% <0%> (-4.77%)`	⬇️
src/RestWrite.js	`93.06% <0%> (+0.18%)`	⬆️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js	`92.21% <0%> (+0.72%)`	⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 3851641...b395f15. Read the comment docs.

awgeorge · 2019-02-02T10:15:15Z

Implementing #2FA apps how do you store the TOTP secret so it is safe in case of a data leak? The server needs the secret in plain text to compare the token. What's your strategy?

Tokens should be secured at rest, check out 7.5 of the specification: https://www.ietf.org/rfc/rfc4226.txt. If the master key isn't already in the database, this could be used as the encryption key (not sure how often people change this key).

Depending on how you want the 2FA to be used, IE (only at login) you could use composite keys (Section 8), the user's password/pin is used to generate the token, meaning the database effectively only stores a seed.

flovilmart · 2019-02-02T14:49:41Z

Ok, we could introduce a runtime encryption key for the tokens, different from the master key. Or just use the master key. What do you think?

_{Sent with GitHawk}

awgeorge · 2019-02-02T17:24:20Z

Probably best to use a different key, as if you somehow gained access to a master key, you also gain the power to query the token. —

…

Sent from my iPhone

On 2 Feb 2019, at 14:49, Florent Vilmart ***@***.***> wrote: Ok, we could introduce a runtime encryption key for the tokens, different from the master key. Or just use the master key. What do you think? Sent with GitHawk — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

flovilmart · 2019-02-02T18:29:19Z

Makes sense, we can add the option. I also will likely add an OTP adapter, so users will be able to transmit the OTP password by email or phone if they want to.

_{Sent with GitHawk}

awgeorge · 2019-02-02T22:31:45Z

Good idea - I'm looking for an email based solution - (although I want a single auth, email only, passwordless solution)

flovilmart · 2019-04-06T15:17:25Z

@acinader @dplewis closing this one as I don’t intend to work on it anymore

_{Sent with GitHawk}

acinader · 2019-04-06T16:28:37Z

@awgeorge any interest in getting this across the finish line? If you can pick up where @flovilmart left off, I can get up to speed so I can review it with you.

awgeorge · 2019-04-06T18:57:09Z

This is something I’m interested in - I’ll take a look and see what’s left to get this implantation merged. —

…

Sent from my iPhone

On 6 Apr 2019, at 17:28, Arthur Cinader ***@***.***> wrote: @awgeorge any interest in getting this across the finish line? I can review and get up to speed if it is still something you'd like to see in the product? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

brianmwadime · 2019-11-21T09:26:07Z

This is something I’m interested in - I’ll take a look and see what’s left to get this implantation merged. —
Hey @awgeorge, were you able to get this to the finish line?

awgeorge · 2019-11-21T09:31:21Z

Not at this time, feel free to take it on. Thanks.

brianmwadime · 2019-11-21T09:53:33Z

Alright @awgeorge. Thanks for the update.

tehsunnliu · 2021-03-24T07:02:22Z

Hey guys! is it finished yet? If anyone is interested we can do it together.

Initial feature for totp

8d7cb6d

Remove usage of expectAsync

b395f15

flovilmart force-pushed the feature/totp branch from 3c16166 to b395f15 Compare January 20, 2019 22:49

flovilmart closed this Apr 6, 2019

dplewis mentioned this pull request Oct 23, 2019

Passwordless authentication #6152

Closed

thobhanifreddy mentioned this pull request Nov 1, 2019

Authenticate user with OTP without password #6169

Closed

dblythy mentioned this pull request Oct 27, 2020

Two Factor Authentication #6977

Closed

mtrezza deleted the feature/totp branch October 24, 2021 10:34

Uh oh!

Comments

Conversation

flovilmart commented Jan 20, 2019

Uh oh!

codecov bot commented Jan 20, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

awgeorge commented Feb 2, 2019

Uh oh!

flovilmart commented Feb 2, 2019

Uh oh!

awgeorge commented Feb 2, 2019 via email

Uh oh!

flovilmart commented Feb 2, 2019

Uh oh!

awgeorge commented Feb 2, 2019

Uh oh!

flovilmart commented Apr 6, 2019

Uh oh!

acinader commented Apr 6, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

awgeorge commented Apr 6, 2019 via email

Uh oh!

brianmwadime commented Nov 21, 2019

Uh oh!

awgeorge commented Nov 21, 2019

Uh oh!

brianmwadime commented Nov 21, 2019

Uh oh!

tehsunnliu commented Mar 24, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

codecov bot commented Jan 20, 2019 •

edited

Loading

acinader commented Apr 6, 2019 •

edited

Loading