stages/authenticator_validate: remember #2828
Conversation
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Codecov Report (coverage diff, master vs. #2828):

              master    #2828      +/-
  Coverage    91.76%   91.81%   +0.06%
  Files          455      459       +4
  Lines        20040    20196     +156
  Hits         18387    18541     +154
  Misses        1653     1655       +2
@BeryJu It looks like the last 2FA verification timestamp is being stored in the DB (as the
@Matchlighter you raise a good point, it would have to be stored in a separate, signed/encrypted cookie that lasts longer than the session (maybe no expiry at all?), but yes, the way you've described it is what would currently happen. I'll add a note to the docs to make this clear to people configuring it, since the above solution is not an easy fix.
Actually we could set a cookie with an expiry of the configured threshold in the stage, save which device the user used to authenticate that session and then simply check for its existence (and check the device belongs to the current user and the current stage, etc), but that should be pretty simple.
T'would need to have the expiration baked in to the signed part of the cookie (and not just rely on a browser mechanism that could be circumvented if the cookie was stolen) (which could all be a given with Django - it's been a while for me).
Yeah true, the expiration would also be saved in the cookie, or alternatively the timestamp of when the verification was done, which would make changing of the threshold easier.
Add option to only validate MFA when device has not been used in x time
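The cookie design discussed in the thread above, written out as an added example that is not authentik's code: the value is an HMAC-signed payload carrying the user, the device, the stage and the timestamp of the last successful MFA verification, and the server enforces the threshold from that signed timestamp rather than from the browser's cookie expiry. Every name here (REMEMBER_SECRET, mint_remember_cookie, check_remember_cookie, forge_timestamp) is a hypothetical helper for illustration; only the Python standard library is used, so it runs without Django.

```python
"""Added example (not authentik's own code): a "remember this device" cookie
for an MFA validation stage, using only the standard library.

The cookie payload is signed with HMAC-SHA256 and contains
    u: user pk, d: device pk, s: stage pk, t: verification timestamp.
Expiry is enforced on the server from the signed `t` against the stage's
currently configured threshold, so a stolen cookie cannot be kept alive by
editing its Max-Age, and changing the threshold needs no re-issued cookies.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical server-side secret. A real deployment would derive this from
# the application's secret key; it must never be sent to the client.
REMEMBER_SECRET = b"constructed-example-secret-do-not-use"


def _sign(payload: bytes) -> bytes:
    return hmac.new(REMEMBER_SECRET, payload, hashlib.sha256).digest()


def _b64encode(raw: bytes) -> str:
    # URL-safe, unpadded, so the value is safe in a Set-Cookie header.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_payload(data: dict) -> bytes:
    # Canonical JSON so the same fields always sign to the same bytes.
    return json.dumps(data, separators=(",", ":"), sort_keys=True).encode()


def mint_remember_cookie(user_pk, device_pk, stage_pk, verified_at=None) -> str:
    """Build the cookie value after a successful MFA verification."""
    t = int(time.time() if verified_at is None else verified_at)
    payload = _encode_payload({"u": user_pk, "d": device_pk, "s": stage_pk, "t": t})
    return _b64encode(payload) + "." + _b64encode(_sign(payload))


def check_remember_cookie(cookie, *, user_pk, user_device_pks, stage_pk,
                          threshold_seconds, now=None) -> bool:
    """Return True only if MFA can be skipped on the strength of this cookie.

    Checks, in order: signature, user, stage, that the named device still
    belongs to the user, and that the signed timestamp is within the
    threshold (and not in the future, which would indicate tampering or skew).
    """
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = _b64decode(payload_b64)
        sig = _b64decode(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return False
    # Constant-time comparison; verify before parsing anything from the payload.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    try:
        data = json.loads(payload)
    except ValueError:
        return False
    if data.get("u") != user_pk or data.get("s") != stage_pk:
        return False
    if data.get("d") not in user_device_pks:  # device deleted or re-assigned
        return False
    t = data.get("t")
    if not isinstance(t, int):
        return False
    age = now - t
    return 0 <= age <= threshold_seconds


def forge_timestamp(cookie: str, new_t: int) -> str:
    """What an attacker holding a stolen cookie would try: rewrite the
    timestamp but keep the original signature. Used here only to show the
    check rejecting it."""
    payload_b64, sig_b64 = cookie.split(".", 1)
    data = json.loads(_b64decode(payload_b64))
    data["t"] = new_t
    return _b64encode(_encode_payload(data)) + "." + sig_b64


if __name__ == "__main__":
    # Constructed sample: user 7 verified with device 42 on stage "totp-validate".
    c = mint_remember_cookie(7, 42, "totp-validate", verified_at=1_000_000)
    print(check_remember_cookie(c, user_pk=7, user_device_pks={42, 43},
                                stage_pk="totp-validate", threshold_seconds=3600,
                                now=1_000_100))
```

When setting the cookie, giving it a Max-Age equal to the stage threshold is a convenience for the browser; the server-side check on the signed timestamp is what actually limits its lifetime. Because the threshold is passed in at check time, an administrator can shorten it and every outstanding cookie is immediately judged against the new value.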