Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

And i also found another issue with insert two_factor_auth to database #1173

Closed
greenape opened this issue Aug 19, 2019 · 3 comments · Fixed by #1229
Closed

And i also found another issue with insert two_factor_auth to database #1173

greenape opened this issue Aug 19, 2019 · 3 comments · Fixed by #1229
Labels
bug Something isn't working FlowAuth Issues related to FlowAuth

Comments

@greenape
Copy link
Member

And i also found another issue with insert two_factor_auth to database

This code block in user_setting.py

    auth = TwoFactorAuth(user=current_user)
    auth.secret_key = secret

    auth.validate(code)
    auth.enabled = True
    db.session.add(auth)

and validate() function declared:

      def validate(code: str) -> bool:
        if is_valid:
            if (
                self.last_used_two_factor_code == code
            ):  # Reject if the code is being reused
                raise Unauthorized("Code not valid.")
            else:
                self.last_used_two_factor_code = code
            db.session.add(self)
            db.session.commit()
            return True
        else:
            raise Unauthorized("Code not valid.")

So when execute. At beginning when user try to confirm two_factor, there is a database insertion conflict.
auth object already inserted to database during validate. Then after that when we try to update auth enabled attribute and insert again:

 auth.validate(code)
 auth.enabled = True
 db.session.add(auth)

That will throw error. because auth object already gone

Originally posted by @hprobotic in #1170 (comment)
@greenape greenape added bug Something isn't working FlowAuth Issues related to FlowAuth labels Aug 19, 2019
@greenape
Copy link
Member Author

Hi @hprobotic, thanks for the report!

I think I see what you mean - bad place for that logic to be really. I haven't encountered this actually raising an error though. But, we aren't testing against MySQL, so possible it causes an issue there.

Have you got a minimal example which causes an error by any chance?

@greenape
Copy link
Member Author

Gave this a bit more thought. I think the right solution here is to bump the last used code portion out of the database, and use dogpilecache or similar to handle tracking the last used codes. That should allow us to avoid the scenario described here, and also allow for a ttl on the last used codes, without causing us issues because of our use of uwsgi.

@hprobotic
Copy link

hprobotic commented Aug 21, 2019
edited
Loading

Yeah, but i think will be better if we can add auth 1 time only. Inside validate function or in user_settings.py instead of duplicating it

Another thing is i found auth object being delete and recreating when ever user authenticate with TOTP code.

@greenape greenape mentioned this issue Sep 2, 2019
Merged
8 tasks
@mergify mergify bot closed this as completed in #1229 Jan 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working FlowAuth Issues related to FlowAuth
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Dogpile cache Flowminder/FlowKit
2 participants
@greenape @hprobotic