refactor: mfa store #3799
Merged
refactor: mfa store #3799
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
heiytor
force-pushed
the
refactor/mfa-store
branch
16 times, most recently
from
11ac31e to
6a7d88d
Compare
heiytor
force-pushed
the
refactor/mfa-store
branch
5 times, most recently
from
8404864 to
b2efd92
Compare
heiytor
force-pushed
the
refactor/mfa-store
branch
2 times, most recently
from
05f2e7b to
c7031f8
Compare
heiytor
force-pushed
the
refactor/mfa-store
branch
6 times, most recently
from
80c5a8d to
a4e1465
Compare
heiytor
force-pushed
the
refactor/mfa-store
branch
from
a4e1465 to
3817471
Compare
heiytor
force-pushed
the
feat/recovery_email
branch
7 times, most recently
from
9e28773 to
8aa0274
Compare
heiytor
force-pushed
the
refactor/mfa-store
branch
5 times, most recently
from
0735886 to
f7507ae
Compare
Currently, when a user attempts to log in with 2FA enabled, the API returns a stateful token along with the user's information. This can lead to two issues: 1. **Information leak:** Since 2FA requires a code in addition to the password for authentication, returning user information without full authentication may pose a security risk. 2. **Violation of RFC 7519:** JWT standards mandate stateless tokens. By adding an `mfa.validate` field to determine token validity, the API contradicts this standard. To address these issues, the login route now returns a `401` status code with an `X-MFA-Token` header, indicating whether the user must authenticate using a 2FA method. As a result, the JWT will no longer include the `mfa` attribute. Authentication for these users will be handled exclusively on the cloud side with the token returned in the header. Additionally, a security issue involving JSON binding in the `User` struct, where the secret and recovery codes for MFA were returned, has been resolved. The gateway will no longer provide the `X-MFA` and `X-Validate-MFA` headers; the protection around the `/mfa/auth` and `/mfa/recovery` endpoints has been removed. Recovery codes will now be stored in a hashed state in the database. To facilitate this, a new migration has been added to hash all recovery codes that are not yet hashed. The attributes was also replaced inside a `mfa` object.
heiytor
force-pushed
the
refactor/mfa-store
branch
from
f7507ae to
1aa5dbc
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, when a user attempts to log in with 2FA enabled, the API returns a stateful token along with the user's information. This can lead to two issues:
Information leak: Since 2FA requires a code in addition to the password for authentication, returning user information without full authentication may pose a security risk.
Violation of RFC 7519: JWT standards mandate stateless tokens. By adding an
mfa.validatefield to determine token validity, the API contradicts this standard.To address these issues, the login route now returns a
401status code with anX-MFA-Tokenheader, indicating whether the user must authenticate using a 2FA method. As a result, the JWT will no longer include themfaattribute. Authentication for these users will be handled exclusively on the cloud side with the token returned in the header.Additionally, a security issue involving JSON binding in the
Userstruct, where the secret and recovery codes for MFA were returned, has been resolved. The gateway will no longer provide theX-MFAandX-Validate-MFAheaders; the protection around the/mfa/authand/mfa/recoveryendpoints has been removed.Recovery codes will now be stored in a hashed state in the database. To facilitate this, a new migration has been added to hash all recovery codes that are not yet hashed. The attributes was also replaced inside a
mfaobject.