Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Revalidate two factor settings prior to allowing any two-factor changes to an account. #529

Merged
merged 57 commits into from
May 11, 2023

Conversation

dd32
Copy link
Member

@dd32 dd32 commented Feb 20, 2023

What?

This PR requires that the user "revalidate" their two-factor details prior to changing their two-factor settings.
The grace-time from last-2fa-validation to changes is 10 minutes (Twice this for the save, so you can start editing at minute 9, and save at 18 minutes).

Why?

It's generally accepted that a user should not be able to change their 2FA settings without validating that the user currently has their 2FA token.
For example, consider an account left logged in on a public computer (or left unattended in an office), a malicious user should not be able to add a new key or create new backup codes.

How?

This works by building off #528 to track when the user last validated their 2FA tokens, and preventing updates unless the session is 2fa'd recently.

Testing Instructions

  1. Login
  2. Validate you can change 2FA settings
  3. Wait 15 minutes (Or change the grace time via two_factor_revalidate_time to a lower time)
  4. Validate you can't change 2FA settings after the grace-time is expired
  5. Revalidate your 2FA, check you can change 2FA settings again.

Screenshots or screencast

Changelog Entry

Added Security - Validate the user has access to their 2FA keys prior to changing 2FA details.

Tickets

Fixes #484.

#527 and #528 have been split out of this, but are included in the git commit history of this branch.

dd32 added 30 commits February 17, 2023 16:26
…rently logged in with, not their primary method.
… these are not fields that need sanitization. Either they match an expected value or they don't.
…returning truthful, this closer matches the expectation from other providers.
…he interim-login parameter is passed through.
Copy link
Member

@iandunn iandunn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great, kudos!

Increasing the test coverage would be nice, but not necessarily a blocker.

class-two-factor-core.php Show resolved Hide resolved
class-two-factor-core.php Outdated Show resolved Hide resolved
providers/class-two-factor-backup-codes.php Show resolved Hide resolved
class-two-factor-core.php Outdated Show resolved Hide resolved
class-two-factor-core.php Show resolved Hide resolved
class-two-factor-core.php Show resolved Hide resolved
class-two-factor-core.php Show resolved Hide resolved
dd32 and others added 7 commits April 27, 2023 14:50
Co-authored-by: Ian Dunn <ian@iandunn.name>
Co-authored-by: Ian Dunn <ian@iandunn.name>
…to avoid needing to revalidate the session immediately.
…actor_options() if the user isn't logged in. This function doesn't check capabilities, but should not return truthful for logged out users.
@dd32
Copy link
Member Author

dd32 commented Apr 27, 2023

Changes in the commits above that are notable since reviews:

  • Disabling revalidation by setting a false/0 time: 6502d24
  • When initially setting 2FA, mark the session as 2FA so that the users current session can continue to edit their 2FA settings. 6721a41 Without this, if you login without 2FA, setup 2FA, and save, the next page load prompted for 2FA revalidation, annoying if you hadn't properly setup your 2FA settings yet.
  • Don't return true for logged out requests to Two_Factor_Core::current_user_can_update_two_factor_options(). d3e024c This should really be used in addition to a current_user_can() check, but better to include a check here.

@jeffpaul jeffpaul modified the milestones: Future Release, 0.9.0 May 8, 2023
@dd32 dd32 merged commit 9032f2d into WordPress:master May 11, 2023
@dd32 dd32 deleted the add/2fa-revalidation-for-changes branch May 11, 2023 06:47
@iandunn iandunn mentioned this pull request Jun 1, 2023
14 tasks
This was referenced Apr 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Reauth 2nd factor to change 2FA settings
5 participants