[Koha-bugs] [Bug 28786] Two-factor authentication for staff client - TOTP

[bugzilla-daemon at bugs.koha-community.org]

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786

Martin Renvoize <martin.renvoize at ptfs-europe.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |martin.renvoize at ptfs-europe
                   |                            |.com
             Status|Signed Off                  |Failed QA

--- Comment #27 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
I've finally found a moment to look at this.

Whilst I like Tomas's proposal to normalise the database by having a distinct
table.. I think that can certainly come as a followup later.

I do wonder why you've chosen a super new cpan module for this,
Auth::GoogleAuth. I had considered Authen::OAth myself, because although it's a
little smaller (you'de need something to generate QR codes on top), it's
further up the CPAN river and is written by a trusted author... might even
already have a debian package.

Finally, and what I would consider a QA failure.. the secret is stored in plain
text in the database. I feel this should be stored encrypted using the a
passphrase stored in the config file (we could re-use api_secret_passphrase or
add a new field to the config.

-- 
You are receiving this mail because:
You are watching all bug changes.