New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User Validation on MFA Level #3905
Conversation
Codecov Report
@@ Coverage Diff @@
## master #3905 +/- ##
=======================================
Coverage 98.79% 98.79%
=======================================
Files 217 217
Lines 5406 5414 +8
=======================================
+ Hits 5341 5349 +8
Misses 65 65
|
@ericherscovich I did some initial checks.
User.where.not(mfa_level: 'disabled').each_with_object(0) {|u,m| m=m+1 if u.webauthn_credentials.none?}
#=> 0 # yes, I was lazy to write JOIN logic in here
User.where(mfa_level: 'disabled').joins(:webauthn_credentials).count
#=> 0 |
Thank you! Could you do a more generic check that would check for TOTP as well? You should be able to check something along the lines of
|
@ericherscovich like this?
User.where.not(mfa_level: 'disabled').each_with_object(0) {|u,m| m=m+1 if u.no_mfa_devices?}
=> 0
User.where(mfa_level: 'disabled').each_with_object(0) {|u,m| m=m+1 if !u.no_mfa_devices?}
=> 0 |
Yes that looks like what I was looking for! Thank you for doing this check :D |
|
240db75
to
38e97d9
Compare
Remove comments Fix tests Fix test
c255e8b
to
3486573
Compare
Contributes to #3800
What problem are you solving?
MFA Level could be set without having any MFA device, such as not having a
mfa_seed
(->totp_seed
) set, nor webauthn credentials. Users could also have MFA disabled while still having devices. This could lead to data inconsistencies.What approach did you choose and why?
Adds a validation on a user to ensure that
mfa_level
can only be set if there is a MFA device present and can only be disabled if there is no MFA device.What should reviewers focus on?
The approach to validating that MFA level is set in the correct scenarios.
Testing
Can attempt to set MFA impromperly, for example by doing
create(:user, mfa_level: :ui_and_api)
and observing it fails validation.We should validate if this is somehow present in production. Specifically, we should check if there exists any user that has
mfa_level
somehow set while not having any MFA devices. We should also check that there isn't any user that hasmfa_level
set to disabled, but has an MFA device present. It's possible that merging this would cause some funky behaviour for users if they somehow got into a weird state like this. I don't have the ability to check production in this way, so will have to defer to other maintainers to validate this before merging.