Closed dd32 closed 1 year ago
Examples of this PR:
Example | |
---|---|
Just logged in | |
Past 2FA grace period | |
revalidate flow |
The UI is "ugly" in that it's just an alert box that sends you off to a wp-login page, it's not a pretty inline thickbox iframe or anything. This fulfils the basic requirements of the issue, but obviously needs UX, design, and other design work done on it. Before that can start though, I think it needs some technical agreement on the direction.
Based on my testing, provided the page is not refreshed, actions can still be carried out, is that correct?
@StevenDufresne I'm not sure I follow, you'll need to explain it better.
Here's what I did.
wp-admin/profile.php
So if a user leaves their profile page open, a third party could modify data provided they don't reload the page?
So if a user leaves their profile page open, a third party could modify data provided they don't reload the page?
Ahh, gotcha.
I suspect this is that you were still within the grace-period, The notice shows up at $time
but you can save forms for $time * 2
.
* 2
is possibly too long, and maybe it should be simply + MINUTE_IN_SECONDS
, or + 2 * MINUTE_IN_SECONDS
.
https://github.com/WordPress/two-factor/pull/529/files#diff-ee04f1d323104504c6bfa38dd11ef43e78d1dbac2883293af0b5c310d16e9519R1133-R1143
The reasoning for that is that you should be able to view the form at $expiry - 1 second
and save the form. $time * 2
is something that WordPress has in a few places as the grace between generation and save.
I suspect this is that you were still within the grace-period
I tested this a bit and that's what it seems like to me too.
Changes in the commits above that are notable since reviews:
Two_Factor_Core::current_user_can_update_two_factor_options()
. d3e024c This should really be used in addition to a current_user_can()
check, but better to include a check here.
What?
This PR requires that the user "revalidate" their two-factor details prior to changing their two-factor settings. The grace-time from last-2fa-validation to changes is 10 minutes (Twice this for the save, so you can start editing at minute 9, and save at 18 minutes).
Why?
It's generally accepted that a user should not be able to change their 2FA settings without validating that the user currently has their 2FA token. For example, consider an account left logged in on a public computer (or left unattended in an office), a malicious user should not be able to add a new key or create new backup codes.
How?
This works by building off #528 to track when the user last validated their 2FA tokens, and preventing updates unless the session is 2fa'd recently.
Testing Instructions
two_factor_revalidate_time
to a lower time)Screenshots or screencast
Changelog Entry
Added Security - Validate the user has access to their 2FA keys prior to changing 2FA details.
Tickets
Fixes #484.
527 and #528 have been split out of this, but are included in the git commit history of this branch.