Require verified email before allowing user to enable 2FA #5866
Labels
documentation
feature request
help needed
We'd love volunteers to advise on or help fix/implement this.
Milestone
Comments
brainwane
added
documentation
help needed
This was referenced May 16, 2019
|
Working on this now. |
woodruffw
added a commit
to trail-of-forks/warehouse
that referenced
this issue
May 20, 2019
|
Opened #5889 for this. |
di
pushed a commit
that referenced
this issue
May 30, 2019
* [WIP] warehouse: Require a verified email for 2FA Closes #5866. * warehouse: Fix import order * warehouse: Simplify services check The method within the User model does the work here. * fix account factory * warehouse: Update docstring * tests: Fix tests * tests: Coverage for two_factor_allowed * warehouse: two_factor_allowed -> two_factor_provisioning_allowed We should never disable 2FA for authentication just because a user's primary email has changed to unverified. * tests: Update tests * warehouse: Nice warning flashes * tests: Update tests * tests, warehouse: Remove two_factor_prohibited * warehouse: Remove unused migrations
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What's the problem this feature will solve?
Sometimes people enable two-factor auth and then run into some kind of problem like losing access to their provisioned TOTP-generating app. We want to make it easier for PyPI admins to check the legitimacy of users' requests for account recovery in such circumstances.
Describe the solution you'd like
Prohibit users from enabling any 2FA until the user has verified at least one email address on their account.
Additional context
(followup to #5661, filed on @di's behalf)
The text was updated successfully, but these errors were encountered: