Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix 2FA challenge and password challenge for non-database users #11831

Merged
merged 2 commits into from
Sep 15, 2019
Merged

Fix 2FA challenge and password challenge for non-database users #11831

merged 2 commits into from
Sep 15, 2019

Conversation

Gargron
Copy link
Member

@Gargron Gargron commented Sep 13, 2019
edited
Loading

Fix #11685

Previous code (inspired by GitLab) handled 2FA before Devise performed its own authentication, duplicating the work, and, in case of non-database users (LDAP, PAM), doing the wrong kind of work. Now authentication is delegated to Devise/Warden, then once we have the user, we check the 2FA requirement, and handle OTP/recovery token.

Fix #11691

It is not possible to re-authenticate non-database users just from password input when confirming account deletion. So, for those users, use a simple username repetition challenge instead of confirming password.

@Gargron Gargron added the bug Something isn't working label Sep 13, 2019
@Gargron
Copy link
Member Author

Gargron commented Sep 13, 2019

How did this break PAM authentication...

@Gargron Gargron added the security Security issues and fixes, vulnerabilities label Sep 14, 2019
@Gargron Gargron changed the title Fix 2FA challenge not appearing for non-database users Fix 2FA challenge and password challenge for non-database users Sep 14, 2019
@Gargron Gargron merged commit c707ef4 into master Sep 15, 2019
@Gargron Gargron deleted the fix-2fa branch September 15, 2019 19:08
@Gargron Gargron mentioned this pull request Sep 24, 2019
Merged
Gargron added a commit that referenced this pull request Sep 24, 2019
@Gargron
Fix authentication before 2FA challenge
9d2bf12 
Regression from #11831
Gargron added a commit that referenced this pull request Sep 24, 2019
@Gargron
Fix authentication before 2FA challenge (#11943)
a1f04c1 
Regression from #11831
hiyuki2578 pushed a commit to ProjectMyosotis/mastodon that referenced this pull request Oct 2, 2019
@Gargron @hiyuki2578
Fix 2FA challenge and password challenge for non-database users (mast…
b561a7a 
…odon#11831)

* Fix 2FA challenge not appearing for non-database users

Fix mastodon#11685

* Fix account deletion not working when using external login

Fix mastodon#11691
hiyuki2578 pushed a commit to ProjectMyosotis/mastodon that referenced this pull request Oct 2, 2019
@Gargron @hiyuki2578
Fix authentication before 2FA challenge (mastodon#11943)
6eed19b 
Regression from mastodon#11831
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ClearlyClaire ClearlyClaire ClearlyClaire approved these changes

Assignees
No one assigned
Labels
bug Something isn't working security Security issues and fixes, vulnerabilities
Projects
None yet
Milestone
No milestone
2 participants
@Gargron @ClearlyClaire