[Bug 30842] New: Two-factor authentication code should be valid longer
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Bug ID: 30842 Summary: Two-factor authentication code should be valid longer Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: ASSIGNED Severity: normal Priority: P5 - low Component: Authentication Assignee: jonathan.druart+koha@gmail.com Reporter: jonathan.druart+koha@gmail.com QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Depends on: 28787 So far it's valid only 30 second, it should be extended. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28787 [Bug 28787] Send a notice with the TOTP token -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=28787 Depends on|28787 |28786 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786 [Bug 28786] Two-factor authentication for staff client - TOTP https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28787 [Bug 28787] Send a notice with the TOTP token -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 --- Comment #1 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- Created attachment 135333 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=135333&action=edit Bug 30842: 2FA - Allow at least one old TOTP We allow one old token when we are setting the two-factor auth, we should reuse the same settings when validation the authentication itself. Test plan: Setup 2FA for your logged-in user Logout/Login Have a look at the code and wait for 30 sec before using it (< 1min however) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |30843 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30843 [Bug 30843] TOTP expiration delay should be configurable -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #135333|0 |1 is obsolete| | --- Comment #2 from David Nind <david@davidnind.com> --- Created attachment 135414 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=135414&action=edit Bug 30842: 2FA - Allow at least one old TOTP We allow one old token when we are setting the two-factor auth, we should reuse the same settings when validation the authentication itself. Test plan: Setup 2FA for your logged-in user Logout/Login Have a look at the code and wait for 30 sec before using it (< 1min however) Signed-off-by: David Nind <david@davidnind.com> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david@davidnind.com --- Comment #3 from David Nind <david@davidnind.com> --- Testing notes (koha-testing-docker). Enabling two-factor authentication (from test plan for Bug 28786): 1. Enable two faction authentication: TwoFactorAuthentication system preference. 2. Go to your account, click 'More' > 'Manage Two-Factor authentication'. 3. Click Enable, scan the QR code with the app, insert the pin code and register. 4. Your account now requires 2FA to login! Notes: - Used andOTP to test. - Waited for code to change, then entered old code: success! - Waited for code to change twice, and then entered old code: fail (as expected). - Entered code before it changed: success (as expected)! - Disabled 2FA and setup again: worked as expected.
From my experience with 2FA, I've never had any problems with the short period of time (for other services, not Koha).
-- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Failed QA --- Comment #4 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- I dont think that this oneliner patch should go on its own. It is just hardcoding a 1 in the verify call in Auth. This 1 should be a parameter from koha-conf (imo). We should merge this with 30843 and add a parameter too for the interval that GoogleAuth gets from us in ->code and ->verify. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 --- Comment #5 from Jonathan Druart <jonathan.druart+koha@gmail.com> --- It's fixing a bug, an inconsistency. Bug 30843 is an enhancement. IMO it makes sense to have it pushed now and backported. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 --- Comment #6 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- (In reply to Jonathan Druart from comment #5)
It's fixing a bug, an inconsistency. Bug 30843 is an enhancement. IMO it makes sense to have it pushed now and backported.
The backport argument wins. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 --- Comment #7 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- The title of this report could be more specific btw. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Failed QA |Passed QA Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #135414|0 |1 is obsolete| | --- Comment #8 from Marcel de Rooy <m.de.rooy@rijksmuseum.nl> --- Created attachment 135417 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=135417&action=edit Bug 30842: 2FA - Allow at least one old TOTP We allow one old token when we are setting the two-factor auth, we should reuse the same settings when validation the authentication itself. Test plan: Setup 2FA for your logged-in user Logout/Login Have a look at the code and wait for 30 sec before using it (< 1min however) Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- QA Contact|testopia@bugs.koha-communit |m.de.rooy@rijksmuseum.nl |y.org | -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com Version(s)| |22.11.00 released in| | Status|Passed QA |Pushed to master --- Comment #9 from Tomás Cohen Arazi <tomascohen@gmail.com> --- Pushed to master for 22.11. Nice work everyone, thanks! -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Lucas Gass <lucas@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Version(s)|22.11.00 |22.11.00, 22.05.01 released in| | CC| |lucas@bywatersolutions.com Status|Pushed to master |Pushed to stable --- Comment #10 from Lucas Gass <lucas@bywatersolutions.com> --- Pushed to 22.05.x for 22.05.01 -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 Arthur Suzuki <arthur.suzuki@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |arthur.suzuki@biblibre.com Status|Pushed to stable |RESOLVED Resolution|--- |FIXED --- Comment #11 from Arthur Suzuki <arthur.suzuki@biblibre.com> --- depends on 28786 which is an enhancement. not backporting to 21.11. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30842 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Text to go in the| |This extends the time a release notes| |two-factor authentication | |code is valid for, in case | |it is not entered quickly | |enough. (Example: wait for | |the code to change, then | |enter the previous code - | |this should still work, but | |will not work when the code | |changes again.) -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org