Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add option to disable two factor auth in admin accounts panel. #2584

Merged
merged 2 commits into from
May 2, 2017
Merged

Add option to disable two factor auth in admin accounts panel. #2584

merged 2 commits into from
May 2, 2017

Conversation

cattebune
Copy link

Closes #2578, adds an option to disable 2FA in the accounts panel. UI change displayed below.

This will require updated translations, if anyone can help translate that would be awesome.

UI Change

wxcafe
wxcafe approved these changes Apr 28, 2017
View reviewed changes
Copy link
Contributor

@wxcafe wxcafe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@thurloat
Copy link
Contributor

should the otp_backup_codes not be emptied out as well?

Once a user gets to log in without their 2FA code, I think we should completely invalidate existing 2FA data for that user, since it's no longer a valid form of identification.

@wxcafe
Copy link
Contributor

wxcafe commented Apr 28, 2017

we could, but I don't think it matters too much? how could these codes be used if 2fa is disabled?

@thurloat
Copy link
Contributor

thurloat commented Apr 28, 2017
edited
Loading

yeah I suppose that's right. they'll get regenerated again when the user re-enables 2FA on their account.

and aren't really useful for authentication at all if the account already has 2FA disabled.

the auditor inside of me still thinks it should be purged, for the sake of a clean DB.

@cattebune
Copy link
Author

To be honest, it totally slipped my mind to purge those. Probably should clear the backup codes, just in case. I'll go ahead and update the pr after lunch 😄

@cattebune
Copy link
Author

Updated, now runs @account.user.otp_backup_codes.clear before saving.
Functionality is still fine on my end, passes tests apart from the one failure brought in by 01c2063

mjankowski
mjankowski previously requested changes Apr 28, 2017
View reviewed changes
app/controllers/admin/two_factor_authentications_controller.rb Outdated
before_action :set_account

def destroy
@account.user.otp_required_for_login = false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you do at least some and maybe all of:

  • Roll all of this up into a method like User#disable_two_factor! or something (which would set required to false, clear the backups, and attempt save!)
  • Add spec coverage for this controller action which shows that it does what it says
  • Add model coverage for that method on User, if you create one like that

app/controllers/admin/two_factor_authentications_controller.rb Outdated
private

def set_account
@account = Account.find(params[:account_id])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could probably hit an admin/users/:id/two_factor_authentication#destroy route, since it's only doing things to the user record and not the account record.

@cattebune
Copy link
Author

cattebune commented Apr 28, 2017
edited
Loading

I think that's correct now, @mjankowski can you take another look for us and let me know if I should update anything?

Add @mjankowski's suggestions.
1dc3e75 
* Moves destroy actions behind User#disable_two_factor!
* Adds spec coverage for Admin:TwoFactorAuthenticationsController and User#disable_two_factor!
@Gargron Gargron merged commit 7880671 into mastodon:master May 2, 2017
@cattebune cattebune deleted the issue-2578 branch May 2, 2017 20:47
treby added a commit to treby/mastodon that referenced this pull request May 16, 2017
@treby
feat(ja): add missing ja translation.
f939590 
ref: mastodon#2584
@treby treby mentioned this pull request May 16, 2017
Merged
Gargron pushed a commit that referenced this pull request May 16, 2017
@treby @Gargron
feat(ja): add missing ja translation. (#3083)
9bddb94 
ref: #2584
ClearlyClaire added a commit to ClearlyClaire/mastodon that referenced this pull request Jan 26, 2024
@ClearlyClaire
Merge pull request mastodon#2584 from ClearlyClaire/glitch-soc/merge-…
108fb33 
…upstream

Merge upstream changes up to 7a1f087
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gargron Gargron Gargron approved these changes

@wxcafe wxcafe wxcafe approved these changes

@mjankowski mjankowski mjankowski left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@cattebune @thurloat @wxcafe @mjankowski @Gargron