Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revalidate two factor settings prior to allowing any two-factor changes to an account. #529

Merged
merged 57 commits into from
May 11, 2023
Merged

Revalidate two factor settings prior to allowing any two-factor changes to an account. #529

merged 57 commits into from
May 11, 2023

Conversation

dd32
Copy link
Member

@dd32 dd32 commented Feb 20, 2023
edited
Loading

What?

This PR requires that the user "revalidate" their two-factor details prior to changing their two-factor settings.
The grace-time from last-2fa-validation to changes is 10 minutes (Twice this for the save, so you can start editing at minute 9, and save at 18 minutes).

Why?

It's generally accepted that a user should not be able to change their 2FA settings without validating that the user currently has their 2FA token.
For example, consider an account left logged in on a public computer (or left unattended in an office), a malicious user should not be able to add a new key or create new backup codes.

How?

This works by building off #528 to track when the user last validated their 2FA tokens, and preventing updates unless the session is 2fa'd recently.

Testing Instructions

  1. Login
  2. Validate you can change 2FA settings
  3. Wait 15 minutes (Or change the grace time via two_factor_revalidate_time to a lower time)
  4. Validate you can't change 2FA settings after the grace-time is expired
  5. Revalidate your 2FA, check you can change 2FA settings again.

Screenshots or screencast

Changelog Entry

Added Security - Validate the user has access to their 2FA keys prior to changing 2FA details.

Tickets

Fixes #484.

#527 and #528 have been split out of this, but are included in the git commit history of this branch.

dd32 added 30 commits February 17, 2023 16:26
@dd32
Store the two factor login timestamp and provider in the user session.
9b59073
@dd32
Create the user session directly attaching data to it, rather than us…
0749b4a 
…ing filters.
@dd32
DEBUG: Add a notice to profile.php which shows the current users logi…
67da4ae 
…n session & 2FA times.
@dd32
Remove the need for the backup_2fa route, it appears to work without it.
f3e2299
@dd32
Add a route that prompts for 2FA details for a logged in user.
aa5e716
@dd32
Tests: Fix tests after removing the backup_2fa method.
1cf3606
@dd32
Move Provider validation out of the main form handler and into a seco…
9c9b467 
…ndary method for re-use.
@dd32
Use the users primary provider when revalidating the 2FA.
96edeec
@dd32
When revalidating 2FA, prompt with the provider which the user is cur…
e7edaa7 
…rently logged in with, not their primary method.
@dd32
Validate and update the session with the newly verified two-factor de…
5f53d9e 
…tails.
@dd32
Add a note as to why $_POST is checked for.
1b7da24
@dd32
Remove filter_input() in preference for $_REQUEST for future testab…
6258cba 
…ility.
@dd32
Move the pre_process_authentication out of process_provider.
318418d
@dd32
Only show the last-login-failure alert on login, not on revalidation.
60624c8
@dd32
Remove sanitize_key() and sanitize_text_field() from input variables,…
851f333 
… these are not fields that need sanitization. Either they match an expected value or they don't.
@dd32
Move login_form_revalidate_2fa() to be closer to login_form_validate_…
8d86049 
…2fa().
@dd32
Dummy Two Factor: Require that the form is actually submitted before …
f6f5dfd 
…returning truthful, this closer matches the expectation from other providers.
@dd32
Move pre_process_authentication() back inside process_provider().
0cf4670
@dd32
Simplify the 'backup' methods links when re-validating, ensure that t…
5f846c8 
…he interim-login parameter is passed through.
@dd32
Add a method to determine if the current login session is two factored.
4b856c6
@dd32
DEBUG: Only show the current user session is 2fa notice when editing …
6229fe3 
…the current user.
@dd32
Only process the provider if there's POST data to process.
cd5dd5e
@dd32
Add a getter for the revalidate url.
c378bc1
@dd32
Sanitize the URL for the revalidate flow.
a098362
@dd32
Make is_current_user_session_two_factor() more readable.
6ed2293
@dd32
Add a function that can be used to check if the current session can u…
11e33c9 
…pdate 2FA options.
@dd32
Check the user can alter the two factor settings upon alterations.
803c160
@dd32
Disable the entire two factor options section with a <fieldset disabl…
bdf4032 
…ed=disabled> when appropriate
@dd32
TOTP: Switch the reset TOTP button from an <a> to a <button> so that …
aa2f578 
…it disables with :disabled
@dd32
DEBUG: include more information in the admin alert
0b63439
iandunn
iandunn approved these changes Apr 21, 2023
View reviewed changes
Copy link
Member

@iandunn iandunn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great, kudos!

Increasing the test coverage would be nice, but not necessarily a blocker.

class-two-factor-core.php Show resolved Hide resolved
class-two-factor-core.php Outdated Show resolved Hide resolved
providers/class-two-factor-backup-codes.php Show resolved Hide resolved
class-two-factor-core.php Outdated Show resolved Hide resolved
class-two-factor-core.php Show resolved Hide resolved
class-two-factor-core.php Show resolved Hide resolved
class-two-factor-core.php Show resolved Hide resolved
dd32 and others added 7 commits April 27, 2023 14:50
@dd32
Copy link
Member Author

dd32 commented Apr 27, 2023
edited
Loading

Changes in the commits above that are notable since reviews:

  • Disabling revalidation by setting a false/0 time: 6502d24
  • When initially setting 2FA, mark the session as 2FA so that the users current session can continue to edit their 2FA settings. 6721a41 Without this, if you login without 2FA, setup 2FA, and save, the next page load prompted for 2FA revalidation, annoying if you hadn't properly setup your 2FA settings yet.
  • Don't return true for logged out requests to Two_Factor_Core::current_user_can_update_two_factor_options(). d3e024c This should really be used in addition to a current_user_can() check, but better to include a check here.

@StevenDufresne StevenDufresne mentioned this pull request May 2, 2023
Closed
@dd32 dd32 mentioned this pull request May 4, 2023
Merged
2 tasks
@jeffpaul jeffpaul modified the milestones: Future Release, 0.9.0 May 8, 2023
@dd32 dd32 merged commit 9032f2d into WordPress:master May 11, 2023
@dd32 dd32 deleted the add/2fa-revalidation-for-changes branch May 11, 2023 06:47
This was referenced May 12, 2023
Closed
Closed
@dd32 dd32 mentioned this pull request May 25, 2023
Open
@iandunn iandunn mentioned this pull request Jun 1, 2023
Closed
14 tasks
This was referenced Apr 23, 2024
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iandunn iandunn iandunn approved these changes

@ravinderk ravinderk ravinderk approved these changes

Assignees

@dd32 dd32

Labels
None yet
Projects
None yet
Milestone
0.9.0
Development

Successfully merging this pull request may close these issues.

Reauth 2nd factor to change 2FA settings
5 participants
@dd32 @StevenDufresne @iandunn @ravinderk @jeffpaul