Add a 2FA Validity Window #401
Conversation
|
I will look at the content closely - but many of the changes were due to formatting - that shouldn't be since it always passes 'black' - so somehow there must be some configuration difference. Could you try to figure out why? otherwise when I get it - it will reformat again... That will reduce the PR by a bunch..... |
|
I'm currently changing a couple of things. I didn't realize some of the tests could potentially fail if two functions were called within the same second. I don't know what the issue is. I am currently using version |
|
Odd - I just use pre-commit and it picks up 'stable' which is 20.8b1... The most strange thing is that is is removing a space after """? Do you have something else in your precommit file? |
|
I think it has something to do with the way that black is formatting docstrings, via psf/black#1053. There are several issues complaining about the way it handles docstrings since the first 20 version. Even now, I see that it failed the black check, even though they pass locally and in the Travis ci that's built in my fork. Here is my fork's Travis build before I changed the branch. https://travis-ci.com/github/baurt/flask-security-1/builds Even here is shows that the latest master commit fails,which shouldn't be possible, so I think it has to be something with black. |
|
Odd - but why are we getting different versions? There hasn't been a black release since august - and you can see in the travis logs that I have built master etc many times since then... Ok - I removed my black cache and changed my pre-commit file to specify 20.8b1 and now I see it re-formatting. So possibly this has something to do with pre-commit caching its environment - more digging required. |
|
What I don't really understand is that it's not even returning the same number of modified files. The most recent build only would have changed 8 files, but I initially changed around 25. I wonder if it's using some sort of cached version? I know that pre-commit builds an environment for each hook and runs the hook from that environment. |
|
It is definitely caching things - black has a cache and so does pre-commit. |
|
I'll keep an eye out for that and then rebase this pr on the new version. |
TillerBurr
force-pushed
the
tf_validity
branch
from
9f3e9f6 to
0841103
Compare
…fter a successful validation
TillerBurr
changed the title
|
I am going to be traveling for the next week - so review comments will likely be delayed.. Thanks for doing this. |
|
No worries. Should be easier to view now, since I rebased and squashed some commits. Safe travels! |
There was a problem hiding this comment.
unified_signin also calls tf_login - so it needs the same new logic...
- I made a few comments about the remember token/cookie w.r.t. JSON. Should we support non-form/JSON front ends to be able to save the token (i.e. return the token on successfull login) and they can return it on next login attempt? or say that this feature relies on cookies?
Not sure myself which way to go.
I haven't looked carefully at the default cookie options - but this one should be http-only, probably secure, and maybe same-site?
|
Good point on the cookie options. I'll make those configurable. I can definitely see it being a pain for development if secure was always on. I can work on creating a way to pass the token via json. I'd have to think how to implement that first. |
I'll have to take a look at the unified signin. I haven't looked much into it, so I may need a little help with tests. I can create the logic, but the tests might evade me. |
…Remove signal for emitting token value. If the tokens dont match, the verification wouldnt work
|
I think I got everything. I figured out the unified signin stuff. That is impressive work. |
There was a problem hiding this comment.
This is looking really good - thanks for all the work.
As I noted - I think the cookie should default to httponly - since there is no reason for scripts to be able to see it.
Second - and hopefully last - please update the openapi.yml to document the new JSON return token. There are basic instructions for how to do that in CONTRIBUTING.rst.
Thanks!
|
I'm not sure if I updated the openapi.yaml correctly. Let me know if I need to change anything. |
|
Thanks for all the hard work! |
|
My pleasure. Thank you for maintaining this package. |
It is sometimes preferable to have two factor authentication with a grace period where one does not have to revalidate the second factor. This pull request adds such a functionality by setting a cookie with a signed token confirming that the user has been authenticated within a given time frame and does not need to go through the process again. This is an OWASP recommendation for improving the overall UX (see https://cheatsheetseries.owasp.org/cheatsheets/Multifactor_Authentication_Cheat_Sheet.html)
Added 3 configuration options
SECURITY_TWO_FACTOR_ALWAYS_VALIDATE,SECURITY_TWO_FACTOR_VALIDITY_SALTandSECURITY_TWO_FACTOR_LOGIN_VALIDITY. In the event of a compromise, the cookies can be invalidated by resetting a user'sfs_uniquifier.Also, tests were failing due to Black reformatting them so all files were ran through Black as well.