[Koha-bugs] [Bug 28786] Two-factor authentication for staff client - TOTP
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Thu Sep 9 15:57:46 CEST 2021
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786
Martin Renvoize <martin.renvoize at ptfs-europe.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |martin.renvoize at ptfs-europe
| |.com
Status|Signed Off |Failed QA
--- Comment #27 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
I've finally found a moment to look at this.
Whilst I like Tomas's proposal to normalise the database by having a distinct
table.. I think that can certainly come as a followup later.
I do wonder why you've chosen a super new cpan module for this,
Auth::GoogleAuth. I had considered Authen::OAth myself, because although it's a
little smaller (you'de need something to generate QR codes on top), it's
further up the CPAN river and is written by a trusted author... might even
already have a debian package.
Finally, and what I would consider a QA failure.. the secret is stored in plain
text in the database. I feel this should be stored encrypted using the a
passphrase stored in the config file (we could re-use api_secret_passphrase or
add a new field to the config.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list