Closed KevinMulhern closed 2 months ago
Note, this can only be tested locally, we can't send emails from review apps.
QA:
Setting up 2FA: go to /admin_v2 and sign in with admin@odin.com / password123.
Using 2FA
Left some feedback above, otherwise LGTM
Thanks for the feedback @Asartea, really good suggestions.
Currently, I can reset the 2FA of any number of admin accounts without relogging. Both resetting 2FA and other sensitive actions (anything that modifies the state of another admin account; currently this also includes (re/de)activating an account) should IMO be locked behind a full relogin for the admin account, to ensure this isn't a session left open somewhere.
Just to clarify this one, do you mean the admin account that is performing these actions should require a login challenge before performing them? Or the other admin account that the actions are being performed against should be logged out?
Just to clarify this one, do you mean the admin account that is performing these actions should require a login challenge before performing them
This one
I can see what you mean. I'll have a think about password challenges. But we have a fairly aggressive 30 minute session timeout that should mitigate most issues with sessions being left open.
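The two controls discussed in this exchange, an idle-session timeout and a fresh-login ("password challenge") requirement for actions that modify another admin's account, can be modelled in a few lines. The following is an added example in plain Ruby, not code from this PR or from The Odin Project; the 30-minute idle timeout comes from the comment above, while the 5-minute re-authentication window, the `AdminSessionGuard` class and the action names are assumptions for illustration. In a Rails app the `check` call would live in a `before_action` on the admin controllers.

```ruby
# Added example (not the PR's code): a guard that enforces an idle-session
# timeout and requires a recent password challenge before sensitive actions.
class AdminSessionGuard
  IDLE_TIMEOUT  = 30 * 60 # 30-minute session timeout mentioned in the thread
  REAUTH_WINDOW = 5 * 60  # assumed: a fresh login is one made in the last 5 minutes

  # Assumed action names: anything that changes another admin's account state.
  SENSITIVE_ACTIONS = %i[reset_two_factor activate deactivate].freeze

  class SessionExpired < StandardError; end
  class ReauthenticationRequired < StandardError; end

  attr_reader :authenticated_at, :last_seen_at

  # authenticated_at: time of the last successful password challenge
  # last_seen_at:     time of the last request on this session
  def initialize(authenticated_at:, last_seen_at: authenticated_at)
    @authenticated_at = authenticated_at
    @last_seen_at = last_seen_at
  end

  # Record a successful password challenge (the "full relogin").
  def reauthenticate!(now)
    @authenticated_at = now
    @last_seen_at = now
    self
  end

  # The session is dead once it has been idle for longer than IDLE_TIMEOUT.
  def session_expired?(now)
    now - last_seen_at > IDLE_TIMEOUT
  end

  # The login is "fresh" if the password challenge happened within REAUTH_WINDOW.
  def fresh?(now)
    now - authenticated_at <= REAUTH_WINDOW
  end

  # Returns :ok, :expired or :reauth_required. Only :ok touches last_seen_at,
  # so a refused request cannot keep a stale session alive.
  def check(action, now)
    return :expired if session_expired?(now)
    return :reauth_required if SENSITIVE_ACTIONS.include?(action) && !fresh?(now)

    @last_seen_at = now
    :ok
  end

  # Raising variant for use as a request filter.
  def authorize!(action, now)
    case check(action, now)
    when :expired
      raise SessionExpired, "session idle for more than #{IDLE_TIMEOUT / 60} minutes"
    when :reauth_required
      raise ReauthenticationRequired, "#{action} requires a fresh login"
    end
    true
  end
end

if $PROGRAM_NAME == __FILE__
  login = Time.utc(2024, 1, 1, 12, 0, 0) # constructed timestamp
  guard = AdminSessionGuard.new(authenticated_at: login)
  puts guard.check(:reset_two_factor, login + 2 * 60)  # :ok (fresh login)
  puts guard.check(:reset_two_factor, login + 20 * 60) # :reauth_required
  puts guard.check(:view_dashboard, login + 60 * 60)   # :expired (idle > 30 min)
end
```

Note that a refused sensitive action does not refresh `last_seen_at`: if it did, an attacker with a left-open session could keep it alive indefinitely just by retrying the blocked action.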
Got these done, thanks again for the feedback @Asartea!
While trying to test this locally I ran into trouble with not having key_derivation_salt and primary_key set. There should either be a step in the installation guide to add these, or they should just get set in development.rb, given that leaking development keys isn't dangerous as there is no private info stored in them.
✅
Is it possible to make the default "account name" for 2FA slightly shorter? With Authy I ended up with a monstrosity of The Odin Project: The Odin Project_admin@odin.com, which is long enough that in the grid mode I can't see which account is which.
✅
The "please enable two-factor authentication" alert is currently green: is it possible to change this to red to accurately represent the fact that it's an error, not a confirmation of success?
✅