[Koha-bugs] [Bug 28786] Two-factor authentication for staff client - TOTP

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Fri Sep 10 18:05:12 CEST 2021


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786

--- Comment #33 from Martin Renvoize <martin.renvoize at ptfs-europe.com> ---
QA looking here.

So far I'm reasonably happy. I think I would have preferred more isolation of
the verification step myself, but I can follow on with that in a follow-up bug.

So, personally, I would pass around a 'verified' state linked to the session
(as you do I believe). Then, for any get_template_and_user calls I'd have
checked the verification status and redirected to a self-contained verification
controller for the MFA check... rather than folding the check into Auth.pm and
the login pages themselves.  In this way you open up the option to invalidate
the verification without invalidating the session entirely for things like
patron modification for example (when we add this to the opac.. I can see it
being most helpful to not require the verification step at first login but
rather upon taking higher privilege actions).

Anywho.. I'll continue down the QA route but wanted to flag it in case you had
any feedback as to why you took this particular route rather than any others?

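The design sketched in the comment above (a per-session verified flag, a check at page dispatch that redirects to a self-contained verification controller, and the ability to drop the verification without dropping the session so that privileged actions can require a fresh second factor) is illustrated below as an added example. It is not Koha code and not part of the bug's patch: the `Session` class, `dispatch`, `complete_verification`, `invalidate_verification`, the `/mfa/verify` path and the action names in `STEP_UP_ACTIONS` are all hypothetical stand-ins for the Perl controllers the thread discusses. The TOTP routine follows RFC 4226/6238 and uses the RFC 6238 test secret so its output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 6238 Appendix B test secret (SHA-1 variant); used here only so the
# codes below can be checked against the RFC's published vectors.
RFC_SECRET = b"12345678901234567890"

# Hypothetical action names that should demand a *fresh* second factor,
# independently of whether the second factor was checked at login.
STEP_UP_ACTIONS = {"patron_modify", "change_own_password"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def totp_valid(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` neighbours to tolerate clock skew.

    Constant-time comparison avoids leaking how many leading digits matched."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + delta * 30), code):
            return True
    return False


@dataclass
class Session:
    user: str
    # None means: the session is authenticated, but the second factor has not
    # been verified (or the verification was later invalidated).
    mfa_verified_at: Optional[int] = None


def dispatch(session: Session, action: str, now: int,
             require_at_login: bool = True,
             step_up_max_age: int = 300) -> Tuple[str, str]:
    """The check a get_template_and_user-style entry point would perform.

    Returns ("ok", action) or ("redirect", url). `require_at_login=True` models
    the staff client (every page needs a verified session); `False` models the
    OPAC case from the comment, where only STEP_UP_ACTIONS trigger the check."""
    verified = session.mfa_verified_at is not None
    fresh = verified and now - session.mfa_verified_at <= step_up_max_age
    if require_at_login and not verified:
        return ("redirect", f"/mfa/verify?next={action}")
    if action in STEP_UP_ACTIONS and not fresh:
        return ("redirect", f"/mfa/verify?next={action}")
    return ("ok", action)


def complete_verification(session: Session, secret: bytes, code: str, now: int) -> bool:
    """What the self-contained verification controller does on a correct code."""
    if not totp_valid(secret, code, now):
        return False
    session.mfa_verified_at = now
    return True


def invalidate_verification(session: Session) -> None:
    """Drop the second-factor state only; the login session itself survives."""
    session.mfa_verified_at = None


if __name__ == "__main__":
    now = 1111111111  # one of the RFC 6238 vector timestamps
    s = Session(user="koha_admin")  # constructed sample session
    print(dispatch(s, "circulation", now, require_at_login=False))   # ok: no step-up needed
    print(dispatch(s, "patron_modify", now, require_at_login=False))  # redirect to verifier
    print(complete_verification(s, RFC_SECRET, totp(RFC_SECRET, now), now))
    print(dispatch(s, "patron_modify", now))                           # ok: freshly verified
    invalidate_verification(s)
    print(s.user, dispatch(s, "patron_modify", now))                   # still logged in, redirect
```

The two knobs that matter for the thread are `require_at_login` and `step_up_max_age`: with the former set, the staff client behaviour in the patch (verify once at login) falls out of the same code path as the OPAC step-up behaviour the comment anticipates, and `invalidate_verification` is all that is needed to force re-verification without logging the user out.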