-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TOTP login support #56
Conversation
This reverts commit d96e516.
@@ -198,6 +199,7 @@ class AccountsStore extends ChangeNotifier { | |||
final response = await lemmy.run(Login( | |||
usernameOrEmail: usernameOrEmail, | |||
password: password, | |||
totp2faToken: totp2faToken, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if totp isn't enabled and the user doesnt have a token to enter?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If they don't enter a token, right now what happens is the add_account_page sends either an empty String or a null value (I'm not entirely sure how that's treated in this language) to the lemmy_api_client and that ultimately sends out an HTTP post with key value pairs for username_or_email, password, and totp_2fa_token (whose value is either a null or an empty string value depending on how that's treated in this language).
This appears to be similar to how Jerboa is doing it.
And I think lemmy-ui is doing the same thing.
From what I can tell, those two clients don't appear to be bothering to check whether the token is blank or not and adjusting their HTTP post command, they just include a blank/null value for totp_2fa_token regardless. Without tearing into the lemmy server code, my guess is that on versions < v0.18.x the server will just ignore a key value pair it doesn't recognize, whether its value is blank/null or not, and versions v0.18.x and above appear to disregard the key value pair entirely if TOTP is disabled on an account. On v0.18.x and up, if TOTP is enabled on the account and the token value is missing, the server responds with a "missing_totp_token" error and if the token value is incorrect, it responds with a "incorrect_totp_token" error.
So based on all of the above, I think it is okay to send a null/blank value for the TOTP token in the HTTP post. From what I can tell, the lemmy server handles it appropriately.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 🪂
Fixes #33