
Add challenge to 2FA settings, e-mail notifications #11878

Merged: 1 commit merged into master from feature-challenge on Sep 18, 2019

Conversation

Gargron (Member) commented Sep 17, 2019

Fix #3961

Adds a "challenge" page which asks for current password if the user has a password. If the challenge is passed, that is remembered for the next hour so the user is not asked again.

This is added on top of:

  1. Enabling 2FA
  2. The 2FA recovery codes re-generation

[image]

There are a few other places that ask for confirmation using different UX, most notably account settings (e-mail/password) and account deletion, but it probably makes sense to keep those as they are now.

Changes "Generate recovery codes" link from looking like a text link to looking like a button to make it clearer that it's an action rather than just a page to be viewed.

[image]

Adds e-mail notifications about changes to 2FA settings and recovery code re-generation.

[image]
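The mechanism the PR describes (ask for the current password before a sensitive 2FA action, skip the challenge for users without a password, remember a passed challenge for an hour, and send an e-mail notification when the action completes) can be modelled in a few dozen lines. The code below is an added example and not Mastodon's own implementation: the class and method names, the in-memory session hash, the notification outbox, and the salted SHA-256 stand-in for Mastodon's bcrypt password hashing are all assumptions made for the example.

```ruby
require 'digest'
require 'securerandom'

# Added example, not Mastodon's code: a minimal model of the behaviour the PR
# describes. A sensitive settings action asks for the current password when the
# user has one; a passed challenge is remembered for an hour; completing the
# action queues an e-mail notification. All names here are assumptions.
CHALLENGE_TTL = 60 * 60 # one hour, as stated in the PR description

# Stand-in for a real password hasher (assumption; a production app would use
# bcrypt or similar). Salted SHA-256 keeps this example dependency-free.
def hash_password(password, salt = SecureRandom.hex(8))
  [salt, Digest::SHA256.hexdigest(salt + password)]
end

# Constant-time comparison so the position of a mismatch is not leaked via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class Account
  attr_reader :email, :notifications

  # password: nil models a user who signs in without a password (the case the
  # PR exempts from the challenge).
  def initialize(email, password: nil)
    @email = email
    @password_salt, @password_digest = hash_password(password) if password
    @notifications = [] # constructed outbox standing in for sent e-mails
  end

  def password?
    !@password_digest.nil?
  end

  def password_valid?(candidate)
    return false unless password?
    _, digest = hash_password(candidate, @password_salt)
    secure_equal?(digest, @password_digest)
  end
end

class ChallengeSession
  # clock is injectable so the one-hour expiry can be exercised deterministically.
  def initialize(account, clock: -> { Time.now })
    @account = account
    @session = {} # stands in for the per-browser web session store
    @clock = clock
  end

  # The challenge is satisfied when the user has no password to check against,
  # or when it was passed less than CHALLENGE_TTL seconds ago.
  def challenge_passed?
    return true unless @account.password?
    at = @session[:challenge_passed_at]
    !at.nil? && (@clock.call - at) < CHALLENGE_TTL
  end

  # Handles the challenge form: on success, record the time so the user is not
  # asked again for the next hour.
  def submit_challenge(password)
    return false unless @account.password_valid?(password)
    @session[:challenge_passed_at] = @clock.call
    true
  end

  # A protected action: regenerating 2FA recovery codes. Refuses until the
  # challenge has been passed, and notifies the account owner afterwards.
  def regenerate_recovery_codes
    return { status: :challenge_required } unless challenge_passed?
    codes = Array.new(10) { SecureRandom.hex(8) }
    @account.notifications << "Your two-factor recovery codes were regenerated"
    { status: :ok, codes: codes }
  end
end
```

The notification is appended after the action succeeds, which is what makes it useful as a detection signal: an owner who did not perform the action learns that their session or password was used by someone else.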

Timeline:

  - Gargron added the "security" label (Security issues and fixes, vulnerabilities) on Sep 17, 2019
  - Gargron added the "work in progress" label (Not to be merged, currently being worked on) on Sep 17, 2019
  - Gargron force-pushed the feature-challenge branch 3 times, most recently from be3d7ad to 9e5d2ee, on September 17, 2019 21:52
  - Gargron re-added and removed the "work in progress" label on Sep 17, 2019
  - Gargron force-pushed the feature-challenge branch 2 times, most recently from 7034101 to e1282bf, on September 18, 2019 00:43
  - Gargron removed the "work in progress" label on Sep 18, 2019
  - Gargron changed the title from "Add (password) challenge before 2FA recovery codes re-generation" to "Add challenge to 2FA settings, e-mail notifications" on Sep 18, 2019
  - Gargron force-pushed the feature-challenge branch 2 times, most recently from ddae2db to c2857dc, on September 18, 2019 13:44
  - Gargron merged commit e1066cd into master on Sep 18, 2019
  - Gargron deleted the feature-challenge branch on September 18, 2019 14:37
  - hiyuki2578 pushed a commit to ProjectMyosotis/mastodon that referenced this pull request on Oct 2, 2019
Labels: security (Security issues and fixes, vulnerabilities)
Projects: None yet
Successfully merging this pull request may close these issues: "2FA recovery codes shouldn't be regenerable" (#3961)
2 participants