Fix 1623 #1777
Conversation
What is with this? :P
Fixed some of the issues mentioned above (or not). This should be ready now
What about failed login attempts? Haven't tested yet, but by looking at the code I don't think it works in this case.
I've added the 2fa checks after all login/logout etc checks so it should work normally.
I've renamed the directory. I've also tested the lock/unlock feature and it works as expected. The only thing to decide now is the recovery codes: IMHO it's okay if the same recovery code is generated twice.
Well as long as it is not regenerated twice for the same user I suppose it is not a big deal.
It may happen but it's very very unlikely. And no problem either, that user then simply has only 9 usable codes (both occurrences will be deleted if the code is used).
For the same user the fix is very simple though (so I don't see any reason to not include it), just change the for loop in the generate function to a while loop which checks the element. Also, what if all codes were used someday and the user forgets to visit the page? Shouldn't the generate function be used after
It'd be useless to generate the codes and tell the user that he needs to visit the page where the codes are regenerated. But a normal message should be displayed, yes. Going to implement it later today. About the same code: I can change the loop but IMHO it's so unlikely that the same code will be generated twice for the same user that we don't need to consider the case.
Fixed both
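Recovery-code handling along the lines discussed above (distinct codes per user via a while loop, hashes rather than plaintext at rest, each code consumed on use, the caller told when none remain), written as an added Python example that is not MyBB's code; the alphabet, code length, count of 10 and the use of SHA-256 are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10                                    # assumed; the thread talks of 9 left after a dup
CODE_LENGTH = 10                                   # assumed
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # assumed; drops 0/o/1/i/l to ease typing


def _hash_code(code: str) -> str:
    # SHA-256 keeps the example short; a slow password hash is preferable in production.
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def generate_recovery_codes(count: int = CODE_COUNT, length: int = CODE_LENGTH) -> list:
    """Return `count` distinct plaintext codes, to be shown to the user exactly once."""
    codes = []
    while len(codes) < count:                      # while loop instead of a fixed for loop
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        if code not in codes:                      # the duplicate check from the thread
            codes.append(code)
    return codes


def store_recovery_codes(codes: list) -> set:
    """What gets persisted: only hashes, never the plaintext codes."""
    return {_hash_code(c) for c in codes}


def use_recovery_code(stored_hashes: set, candidate: str) -> tuple:
    """Consume a code. Returns (accepted, remaining).

    A matching hash is removed so the code cannot be replayed. When `remaining`
    reaches 0 the caller should tell the user to regenerate a fresh set.
    """
    digest = _hash_code(candidate.strip().lower())
    match = None
    for stored in stored_hashes:
        # constant-time compare; keep looping so timing does not reveal a hit
        if hmac.compare_digest(stored, digest):
            match = stored
    if match is None:
        return False, len(stored_hashes)
    stored_hashes.discard(match)
    return True, len(stored_hashes)
```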
I tested with Authy and WinAuth and it works well. @JN-Jones I tested the lock out after X guesses for the authentication code but it doesn't work for me.
There isn't any limit on code guesses. It would require more changes as I'd also need to modify parts of the login handling. And tbh I don't think it's necessary.
@JN-Jones I think this change can fix it: https://www.diffchecker.com/w2418f6b
You can log any failing input too. Or send e-mails about it. IMO 2fa and security codes should be treated just as passwords and blocked after X attempts, keep logging of those, and send notifications about it.
@ATofighi you only need to select
@Sama34 emailing when wrong codes are entered is pretty annoying imho and I've never seen a site doing that. Logging would be nice but I need to look how we're logging locked out users, probably it'd break that.
you're right...
I've modified your changes to work correctly. The lock out feature works now:
Some suggestions:
I used Google Authenticator for Android BTW. I'm now going to update my live board to test all the software.
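The lockout discussed in this exchange, as an added Python example rather than code from the PR: a wrong 2FA or recovery code feeds the same failure counter as a wrong password, so the user is locked after X guesses whichever step fails; the threshold of 5 and the 15-minute lockout are assumed values.

```python
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # assumed value for "X guesses"
LOCKOUT_SECONDS = 15 * 60    # assumed lockout duration


@dataclass
class LoginState:
    """Per-user counter shared by the password step and the 2FA step."""
    failed_attempts: int = 0
    locked_until: float = 0.0


def is_locked(state: LoginState, now: float = None) -> bool:
    now = time.time() if now is None else now
    return state.locked_until > now


def record_failure(state: LoginState, now: float = None) -> None:
    """A wrong password and a wrong 2FA/recovery code count the same way."""
    now = time.time() if now is None else now
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.locked_until = now + LOCKOUT_SECONDS
        state.failed_attempts = 0


def record_success(state: LoginState) -> None:
    state.failed_attempts = 0
    state.locked_until = 0.0


def verify_second_factor(state, submitted, code_is_valid, now=None) -> str:
    """Gate the 2FA step on the shared counter.

    `code_is_valid` is a callable(submitted) -> bool, e.g. a TOTP check.
    Returns "locked", "retry" or "ok".
    """
    if is_locked(state, now):
        return "locked"                  # refuse even a correct code while locked
    if code_is_valid(submitted):
        record_success(state)
        return "ok"
    record_failure(state, now)
    return "locked" if is_locked(state, now) else "retry"
```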
Does this ask for 2FA during the upgrade process BTW? I will check this later but it should.
Definitely agreed.
IIRC the upgrade uses (well, not anymore, now only its parts) the front-end session/cookie system and there is no 2FA for front-end - we should still think about including it in 1.8.5.
Didn't know it uses the front-end, interesting choice.
I'm against this. I've only seen two things so far: either they're regenerated on every load or never. I've never seen a manual regenerate button (and tbh I doubt it has any use: who will ever regenerate the recovery codes?). And a browser shouldn't reload a page once it has been loaded completely.
We don't log wrong passwords so we shouldn't log wrong codes.
Which one? Play Store (Android), iOS Store, Windows Store, ...? The user should be smart enough to search in his app store. We can always include links in the docs and link to them. Would also allow us to maintain them easier.
A link to a documentation page should suffice yes.
But how do we differentiate what was the incorrect input? Password/2FA
You sure? I have seen this on quite some sites already, and, "refresh to regenerate" is not user friendly at all.
Do we really need to know that? We could include the info probably in the locked out item but as said: logging wrong codes is useless imho.
Yep, sure. Otherwise all banking (or other things like that) would also screw up.
The whole 2FA thing isn't user friendly imho but it's security related.
Will add it later then.
I've run some tests and this works fine. My only suggestion is on the Recovery Codes page, there should be a 'Print This Page' link.
@PaulBender - I agree with you! Or download into PC (.pdf)
@CU8ER Storing them on the PC is not the best idea in case you have malware on it.
@stefan-st - yeah, you are right :) Anyway you can easily print it (or save it as pdf in the print window). So just add "print this page" and it would be enough
It's also pretty easy to get the file after it has been printed, most printers save them internally. Also I don't think a special link is necessary, you can easily print/save the codes without a special link.
Looks good. If no one else finds any problems I'll merge this later today.
Looks good to me too.
#1623