Don't set up 2fa without authenticating first#2250
Merged
jgsmith-usds merged 1 commit intomasterfrom Jun 18, 2018
Merged
Conversation
monfresh
reviewed
Jun 15, 2018
Contributor
There was a problem hiding this comment.
Good catch! Can we write these tests please?
- totp_enabled but not phone enabled should not be able to access
phone_setuppage directly after signing in with just email and password - piv_cac_enabled but not phone enabled should not be able to access
phone_setuppage directly after signing in with just email and password - totp_enabled but not phone enabled should not be able to access
phone_setuppage indirectly by visitinglogin/two_factor/smsafter signing in with just email and password - piv_cac_enabled but not phone enabled should not be able to access
phone_setuppage indirectly by visitinglogin/two_factor/smsafter signing in with just email and password - totp_enabled but not phone enabled should not be able to access
phone_setuppage indirectly by visitinglogin/two_factor/voiceafter signing in with just email and password - piv_cac_enabled but not phone enabled should not be able to access
phone_setuppage indirectly by visitinglogin/two_factor/voiceafter signing in with just email and password
monfresh
reviewed
Jun 15, 2018
spec/support/saml_response_doc.rb
Outdated
Contributor
There was a problem hiding this comment.
These match? changes seem to be unrelated Rubocop fixes. Can we do these in a separate PR?
monfresh
reviewed
Jun 15, 2018
app/models/user.rb
Outdated
Contributor
There was a problem hiding this comment.
I know you did this for testing purposes, but flagging it to remove the true.
Contributor
Author
There was a problem hiding this comment.
Yeah - I realized this crept in when I saw some of the failing tests.
jgsmith-usds
force-pushed
the
prevent-adding-phone-during-authentication
branch
2 times, most recently
from
b1d32b5 to
084038f
Compare
jgsmith-usds
added
status - ready for review
and removed
status - do not merge
status - work in progress
labels
monfresh
force-pushed
the
prevent-adding-phone-during-authentication
branch
from
084038f to
03b5c38
Compare
monfresh
force-pushed
the
prevent-adding-phone-during-authentication
branch
from
03b5c38 to
1b2e355
Compare
**Why**: If someone creates an account and adds their piv/cac and then logs out, on subsequent login, they had the option of adding a phone number when prompted for their piv/cac. This allowed someone with the username and password to bypass the piv/cac second factor and set the phone, which would then be used as the second factor. **How**: Only allow phone setup during account creation or after authenticating with a second factor.
jgsmith-usds
force-pushed
the
prevent-adding-phone-during-authentication
branch
from
1d1f42d to
9d7f5f3
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why:
If someone creates an account and adds their piv/cac
and then logs out, on subsequent login, they had the
option of adding a phone number when prompted for
their piv/cac. This allowed someone with the username
and password to bypass the piv/cac second factor and
set the phone, which would then be used as the
second factor.
How:
Only allow phone setup during account creation or after
authenticating with a second factor.
Hi! Before submitting your PR for review, and/or before merging it, please
go through the following checklist:
For DB changes, check for missing indexes, check to see if the changes
affect other apps (such as the dashboard), make sure the DB columns in the
various environments are properly populated, coordinate with devops, plan
migrations in separate steps.
For route changes, make sure GET requests don't change state or result in
destructive behavior. GET requests should only result in information being
read, not written.
For encryption changes, make sure it is compatible with data that was
encrypted with the old code.
For secrets changes, make sure to update the S3 secrets bucket with the
new configs in all environments.
Do not disable Rubocop or Reek offenses unless you are absolutely sure
they are false positives. If you're not sure how to fix the offense, please
ask a teammate.
When reading data, write tests for nil values, empty strings,
and invalid formats.
When calling
redirect_toin a controller, use_url, not_path.When adding user data to the session, use the
user_sessionhelperinstead of the
sessionhelper so the data does not persist beyond the user'ssession.
When adding a new controller that requires the user to be fully
authenticated, make sure to add
before_action :confirm_two_factor_authenticated.