🚀 Feature: TOTP (two-factor) Authentication #55
Conversation
Note: The tests were failing before. I checked out the commit before I touched anything and the tests were still failing.
Thanks again for your awesome work!
I agree, I think TOTP is probably sufficient. Maybe in the future, if U2F is a requested feature, we can add it, but TOTP should be enough for most people. Also, I personally think the TOTP attributes should be part of the user table. It is ALWAYS a 1:1 relationship and I don't think there's enough data for it to be its own table. Maybe if we supported U2F/other 2FA methods, having a dedicated 2FA table would keep the user model clean, but I don't think it's necessary in its current form.
Everything looks fine for me!
Thank you very much 😍👍🏻
This pull request adds a new feature: Two-factor authentication supporting TOTP, and closes #28
What Changed (Technical)

New model:
- LoginToken (used for TOTP procedure)

User model, new fields:
- loginTokens (link to all the user's login tokens)
- totpEnabled (if the user has started enabling TOTP)
- totpVerified (if the user has fully enabled TOTP and should be used for login)
- totpSecret (16 base64 encoded random bytes used to generate the 6-digit TOTP code)

How Enabling TOTP Works
- /auth/totp/enable
- /auth/totp/verify
If the TOTP code matches, TOTP is enabled; otherwise, an error is returned to the user.

How Disabling TOTP Works
- /auth/totp/disable

New Login Procedure
- /auth/signIn
- /auth/signIn/totp
Technical Notes
Why do all the TOTP related routes/functions require the user's password?
In order to securely store the user's TOTP secret, we can't hash it because we need to be able to get it back when it is time to check the user's password. Instead of using a global encryption key (which can be stolen in the case of a server breach), we encrypt the user's secret using the user's password, as it is never stored anywhere (in plain text). The only downside to this is that users must enter their password before performing any TOTP related activities (but we can just say it's a "security feature" 😅)
Refresh page after TOTP is enabled/disabled
Once the user finishes enabling/disabling their TOTP authenticator, the page refreshes. I would like the form to change from the enable form to the disable form, but I couldn't get it to change without the refresh. I tried to get the user service to update the user object (which should store the new status of TOTP), but I couldn't get it to work.