[Bug 30843] New: TOTP expiration delay should be configurable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Bug ID: 30843 Summary: TOTP expiration delay should be configurable Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: koha-bugs@lists.koha-community.org Reporter: jonathan.druart+koha@gmail.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Depends on: 30842 It's valid 60 seconds, it could be a configuration option. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 [Bug 30842] Two-factor authentication code should be valid longer -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #1 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Jonathan Druart from comment #0)
It's valid 60 seconds, it could be a configuration option.
The interval is default 30 seconds in GoogleAuth. 30842 adds 1 older token. Note that GoogleAuth does not take the interval in the new method, but allows you to pass interval both to ->code as well as ->verify. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Bug 30843 depends on bug 30842, which changed state. Bug 30842 Summary: Two-factor authentication code should be valid longer https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #2 from David Cook <dcook@prosentient.com.au> --- I'm getting reports that 60 seconds isn't long enough for some users. As I noted on https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28787#c12 it seems that other systems support up to 5 minutes. I reckon we should be using a different "range" for emailed tokens versus app tokens, but it looks like we'd need some extra session state to be able to know what method to expect. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #3 from David Cook <dcook@prosentient.com.au> --- Sorry I meant "interval" not "range". -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|koha-bugs@lists.koha-commun |dcook@prosentient.com.au |ity.org | -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #4 from David Cook <dcook@prosentient.com.au> --- Created attachment 155253 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155253&action=edit Bug 30843: Add mfa_range configuration option for TOTP This change adds a mfa_range configuration option for TOTP to koha-conf.xml Test plan: 0. Apply the patch 1. koha-plack --restart kohadev 2. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication 3. Change the syspref to "Enable" 4. Go to http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51 5. Click "More" and "Manage two-factor authentication" 6. Register using an app 7. In an Incognito window, go to http://localhost:8081/cgi-bin/koha/mainpage.pl 8. Sign in with the "koha" user 9. Note down a code from your Authenticator app 10. Wait until after 60 seconds and try it 11. Note it says "Invalid two-factor code" 12. Try a new code from the app 13. Note that it works 14. Add <mfa_range>10</mfa_range> to /etc/koha/sites/kohadev/koha-conf.xml 15. Clear memcached and koha-plack --restart kohadev 16. Sign in with the "koha" user 17. Note down a code from your Authenticator app 18. Wait 4 minutes and then try it 19. Note that it works -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #5 from David Cook <dcook@prosentient.com.au> --- Note this change affects both app-based and emailed passwords. It would be way too much work to just do it for emailed passwords. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #6 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- Why don't you set it in Koha/Auth/TwoFactorAuth.pm to also affect the call from Koha/REST/V1/TwoFactorAuth.pm (used for the registration)? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #7 from David Cook <dcook@prosentient.com.au> --- (In reply to Jonathan Druart from comment #6)
Why don't you set it in Koha/Auth/TwoFactorAuth.pm to also affect the call from Koha/REST/V1/TwoFactorAuth.pm (used for the registration)?
Funny you mention it... I did write a version where I overrode verify() but then I thought maybe we wouldn't want to embed C4::Context in Koha/Auth/TwoFactorAuth.pm, so I opted for this version instead. Both options seemed to have their pros and cons, and I was fine with both really. Happy to do the override version instead if folk prefer that. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #8 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- (In reply to David Cook from comment #7)
(In reply to Jonathan Druart from comment #6)
Why don't you set it in Koha/Auth/TwoFactorAuth.pm to also affect the call from Koha/REST/V1/TwoFactorAuth.pm (used for the registration)?
Funny you mention it... I did write a version where I overrode verify() but then I thought maybe we wouldn't want to embed C4::Context in Koha/Auth/TwoFactorAuth.pm, so I opted for this version instead.
That's not a problem. % git grep -l 'use C4::Context' Koha|wc -l 93 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |ASSIGNED -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #155253|0 |1 is obsolete| | --- Comment #9 from David Cook <dcook@prosentient.com.au> --- Created attachment 155348 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155348&action=edit Bug 30843: [alternate] Add mfa_range configuration option for TOTP This change adds a mfa_range configuration option for TOTP to koha-conf.xml, and overrides the "verify" method from Auth::GoogleAuth in order to provide a new default for "range" Test plan: 0. Apply the patch 1. koha-plack --restart kohadev 2. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication 3. Change the syspref to "Enable" 4. Go to http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51 5. Click "More" and "Manage two-factor authentication" 6. Register using an app 7. In an Incognito window, go to http://localhost:8081/cgi-bin/koha/mainpage.pl 8. Sign in with the "koha" user 9. Note down a code from your Authenticator app 10. Wait until after 60 seconds and try it 11. Note it says "Invalid two-factor code" 12. Try a new code from the app 13. Note that it works 14. Add <mfa_range>10</mfa_range> to /etc/koha/sites/kohadev/koha-conf.xml 15. Clear memcached and koha-plack --restart kohadev 16. Sign in with the "koha" user 17. Note down a code from your Authenticator app 18. Wait 4 minutes and then try it 19. Note that it works 20. Disable your two-factor authentication and click to re-enable it 21. Use a code older than 60 seconds when registering for the two factor authentication 22. Note that the code works -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #10 from David Cook <dcook@prosentient.com.au> --- Created attachment 155349 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155349&action=edit Bug 30843: Add unit test for Koha::Auth::TwoFactorAuth::verify This change adds a unit test to test Koha::Auth::TwoFactorAuth::verify -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #11 from David Cook <dcook@prosentient.com.au> --- (In reply to Jonathan Druart from comment #6)
Why don't you set it in Koha/Auth/TwoFactorAuth.pm to also affect the call from Koha/REST/V1/TwoFactorAuth.pm (used for the registration)?
Done 👍 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #155348|0 |1 is obsolete| | --- Comment #12 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 155354 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155354&action=edit Bug 30843: [alternate] Add mfa_range configuration option for TOTP This change adds a mfa_range configuration option for TOTP to koha-conf.xml, and overrides the "verify" method from Auth::GoogleAuth in order to provide a new default for "range" Test plan: 0. Apply the patch 1. koha-plack --restart kohadev 2. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication 3. Change the syspref to "Enable" 4. Go to http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51 5. Click "More" and "Manage two-factor authentication" 6. Register using an app 7. In an Incognito window, go to http://localhost:8081/cgi-bin/koha/mainpage.pl 8. Sign in with the "koha" user 9. Note down a code from your Authenticator app 10. Wait until after 60 seconds and try it 11. Note it says "Invalid two-factor code" 12. Try a new code from the app 13. Note that it works 14. Add <mfa_range>10</mfa_range> to /etc/koha/sites/kohadev/koha-conf.xml 15. Clear memcached and koha-plack --restart kohadev 16. Sign in with the "koha" user 17. Note down a code from your Authenticator app 18. Wait 4 minutes and then try it 19. Note that it works 20. Disable your two-factor authentication and click to re-enable it 21. Use a code older than 60 seconds when registering for the two factor authentication 22. Note that the code works Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #155349|0 |1 is obsolete| | --- Comment #13 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 155355 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155355&action=edit Bug 30843: Add unit test for Koha::Auth::TwoFactorAuth::verify This change adds a unit test to test Koha::Auth::TwoFactorAuth::verify Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com QA Contact|testopia@bugs.koha-communit |martin.renvoize@ptfs-europe |y.org |.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #14 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 155356 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155356&action=edit Bug 30843: Add mfa_range configuration option for TOTP This change adds a mfa_range configuration option for TOTP to koha-conf.xml, and overrides the "verify" method from Auth::GoogleAuth in order to provide a new default for "range" Test plan: 0. Apply the patch 1. koha-plack --restart kohadev 2. Go to http://localhost:8081/cgi-bin/koha/admin/preferences.pl?op=search&searchfield=TwoFactorAuthentication 3. Change the syspref to "Enable" 4. Go to http://localhost:8081/cgi-bin/koha/members/moremember.pl?borrowernumber=51 5. Click "More" and "Manage two-factor authentication" 6. Register using an app 7. In an Incognito window, go to http://localhost:8081/cgi-bin/koha/mainpage.pl 8. Sign in with the "koha" user 9. Note down a code from your Authenticator app 10. Wait until after 60 seconds and try it 11. Note it says "Invalid two-factor code" 12. Try a new code from the app 13. Note that it works 14. Add <mfa_range>10</mfa_range> to /etc/koha/sites/kohadev/koha-conf.xml 15. Clear memcached and koha-plack --restart kohadev 16. Sign in with the "koha" user 17. Note down a code from your Authenticator app 18. Wait 4 minutes and then try it 19. Note that it works 20. Disable your two-factor authentication and click to re-enable it 21. Use a code older than 60 seconds when registering for the two factor authentication 22. Note that the code works Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #155355|0 |1 is obsolete| | --- Comment #15 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Created attachment 155357 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=155357&action=edit Bug 30843: Add unit test for Koha::Auth::TwoFactorAuth::verify This change adds a unit test to test Koha::Auth::TwoFactorAuth::verify Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #155354|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA --- Comment #16 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- This is a solid improvement, works well and is unit tested.. no regressions and qa scripts are happy. Passing QA -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #17 from Martin Renvoize <martin.renvoize@ptfs-europe.com> --- Though strictly and enhancement, I'd be tempted to treat this as a bugfix and have it backported a few versions personally. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |rel_22_11_candidate, | |rel_23_05_candidate -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)| |23.11.00 released in| | Status|Passed QA |Pushed to master -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #18 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Pushed to master for 23.11. Nice work everyone, thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fridolin.somers@biblibre.co | |m --- Comment #19 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- ping Fridolin -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Fridolin Somers <fridolin.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|23.11.00 |23.11.00,23.05.05 released in| | Status|Pushed to master |Pushed to stable --- Comment #20 from Fridolin Somers <fridolin.somers@biblibre.com> --- Pushed to 23.05.x for 23.05.05 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|23.11.00,23.05.05 |23.11.00,23.05.05,22.11.11 released in| | Status|Pushed to stable |Pushed to oldstable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 --- Comment #21 from Matt Blenkinsop <matt.blenkinsop@ptfs-europe.com> --- Nice work everyone! Pushed to oldstable for 22.11.x -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |The mfa_range element in release notes| |the koha-conf.xml file can | |now be used to change the | |default "range". Keywords|rel_22_11_candidate, |release-notes-needed |rel_23_05_candidate | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 Lisette Scheer <lisette@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|release-notes-needed | -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org