aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Block enabled 2fa in the UI without cookie consent #2035

Closed HaoK closed 5 years ago

HaoK commented 5 years ago

Fix for https://github.com/aspnet/Identity/issues/2034

HaoK commented 5 years ago

I tried out the code via scaffolding the fix into a 2.1 app and it seems fine:

This broke a bunch of functional tests, so we actually do have coverage. The tests now have some minimal coverage for enabling 2fa behavior with and without cookie consent.

@Eilon @blowdart @ajcvickers

blowdart commented 5 years ago

What happens if the dev removed all the consent code?

HaoK commented 5 years ago

They would need to remove this as well I assume? Or does CanTrack cover that case?

blowdart commented 5 years ago

I don't know, that's what I'm asking. I would have hoped the check defaulted to true if there was no consent feature, but ...

HaoK commented 5 years ago

Are you telling me CanTrack returns false by default? @Tratcher any insight into the behavior?

HaoK commented 5 years ago

Updated to assume if no consent feature is there, that means we are good to go (and to allow 2fa)