
stages/authenticator_validate: remember #2828

Merged (12 commits) May 10, 2022

Conversation

BeryJu
Member

@BeryJu BeryJu commented May 8, 2022

Add option to only validate MFA when the device has not been used in x time

BeryJu added 2 commits May 8, 2022 22:08
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
@codecov

codecov bot commented May 8, 2022

Codecov Report

Merging #2828 (d7f5b8d) into master (4d755dc) will increase coverage by 0.06%.
The diff coverage is 99.53%.

@@            Coverage Diff             @@
##           master    #2828      +/-   ##
==========================================
+ Coverage   91.76%   91.81%   +0.06%     
==========================================
  Files         455      459       +4     
  Lines       20040    20196     +156     
==========================================
+ Hits        18387    18541     +154     
- Misses       1653     1655       +2     
Impacted Files Coverage Δ
authentik/flows/tests/test_executor.py 100.00% <ø> (ø)
authentik/policies/password/tests/test_flows.py 100.00% <ø> (ø)
authentik/stages/authenticator_validate/api.py 100.00% <ø> (ø)
authentik/stages/deny/tests.py 100.00% <ø> (ø)
authentik/stages/identification/tests.py 100.00% <ø> (ø)
authentik/stages/invitation/tests.py 100.00% <ø> (ø)
authentik/stages/password/tests.py 100.00% <ø> (ø)
authentik/stages/user_delete/tests.py 100.00% <ø> (ø)
authentik/stages/user_login/tests.py 100.00% <ø> (ø)
authentik/stages/user_write/tests.py 100.00% <ø> (ø)
... and 19 more


BeryJu added 8 commits May 9, 2022 11:54
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
@netlify

netlify bot commented May 10, 2022

Deploy Preview for authentik ready!

Name Link
🔨 Latest commit d7f5b8d
🔍 Latest deploy log https://app.netlify.com/sites/authentik/deploys/627ab0baed7155000860f669
😎 Deploy Preview https://deploy-preview-2828--authentik.netlify.app

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
@BeryJu BeryJu merged commit fd1d38f into master May 10, 2022
@BeryJu BeryJu deleted the stages/validate/2fa-remember branch May 10, 2022 19:05
BeryJu added a commit that referenced this pull request May 23, 2022
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
BeryJu added a commit that referenced this pull request May 23, 2022
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
@Matchlighter

Matchlighter commented May 27, 2022

@BeryJu It looks like the last 2FA verification timestamp is being stored in the DB (as the last_t column)? It should be stored in the/a cookie so that it is scoped to a single client/browser. Otherwise it creates a security implication that if the true user logs in and completes MFA, a malicious device has an opportunity to login as that user without being impeded by 2FA. Am I seeing things right or did I miss something?

@BeryJu
Member Author

BeryJu commented May 27, 2022

@Matchlighter you raise a good point, it would have to be stored in a separate, signed/encrypted cookie that lasts longer than the session (maybe no expiry at all?), but yes, the way you've described it is what would currently happen. I'll add a note to the docs to make this clear to people configuring it, since the above solution is not an easy fix.

@BeryJu
Member Author

BeryJu commented May 27, 2022

Actually we could set a cookie with an expiry of the configured threshold in the stage, save which device the user used to authenticate that session and then simply check for its existence (and check the device belongs to the current user and the current stage, etc.), but that should be pretty simple.

@Matchlighter

T'would need to have the expiration baked into the signed part of the cookie (and not just rely on a browser mechanism that could be circumvented if the cookie was stolen) (which could all be a given with Django - it's been a while for me).

@BeryJu
Member Author

BeryJu commented May 27, 2022

Yeah, true, the expiration would also be saved in the cookie, or alternatively the timestamp of when the verification was done, which would make changing of the threshold easier.
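As an added illustration of the design the thread converges on (not code from this PR or from authentik): a per-browser "remember MFA" cookie that is HMAC-signed, carries the verification timestamp, user, device and stage inside the signed payload, and is validated against the stage threshold on the server, so a stolen or browser-retained cookie cannot outlive the threshold and a cookie issued for one user or device cannot satisfy another. The secret, the field names and the `lookup_device_owner` callback are assumptions; in Django the secret would come from the project's settings.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed example secret; a real deployment signs with the server's secret key.
SECRET_KEY = b"constructed-example-secret-do-not-use"


def _sign(body: str) -> str:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue_remember_cookie(user_pk: int, device_pk: int, stage_pk: str,
                          verified_at: Optional[float] = None) -> str:
    """Build a signed cookie value recording that `device_pk` completed MFA for
    `user_pk` in `stage_pk` at `verified_at` (defaults to now)."""
    payload = {"user": user_pk, "device": device_pk, "stage": stage_pk,
               "verified_at": verified_at if verified_at is not None else time.time()}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode().rstrip("=")
    return f"{body}.{_sign(body)}"


def mfa_still_valid(cookie: Optional[str], user_pk: int, stage_pk: str,
                    threshold_seconds: int, lookup_device_owner: Callable[[int], Optional[int]],
                    now: Optional[float] = None) -> bool:
    """True only if the cookie is authentic, bound to this user and stage, names a
    device that still belongs to this user, and its embedded timestamp is within
    the threshold. Browser-side expiry is never trusted."""
    if not cookie or "." not in cookie:
        return False
    body, sig = cookie.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(body)):
        return False  # tampered payload or forged signature
    try:
        data = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, TypeError):
        return False
    if data.get("user") != user_pk or data.get("stage") != stage_pk:
        return False  # cookie issued for another user or another stage
    if lookup_device_owner(data.get("device")) != user_pk:
        return False  # device deleted or re-assigned since the cookie was issued
    verified_at = data.get("verified_at")
    if not isinstance(verified_at, (int, float)):
        return False
    age = (now if now is not None else time.time()) - verified_at
    return 0 <= age <= threshold_seconds  # threshold is enforced here, not by the browser
```

Because the cookie stores the verification time rather than an expiry, lowering the stage threshold later immediately shortens the validity of already-issued cookies.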
