Closed ArtOfCode- closed 1 year ago
If I understand correctly, the "we've added codes" email is effectively sending a password in the clear in email not expected by the recipient. (As opposed to when you make a request and you're monitoring what's coming in.) Could we, instead, give the user a way to look up the code while logged in?
Signing in with a recovery code disables 2FA on the account so the user can reconfigure it with a new app.
If a user considers the security of their account sufficiently important to switch on 2FA, could we avoid disabling it until they explicitly request it? Is it possible to make the reconfiguration with a new app the step that disables the previous 2FA, rather than having a period during which there is no 2FA?
Could we, instead, give the user a way to look up the code while logged in?
I like the idea of this, perhaps combined with the ability to send an email saying "Here is where you can find your recovery codes". The page displaying the recovery codes could perhaps also have a <details> section to avoid displaying them immediately, similar to the recent change to the mobile sign-in QR code page.
Is it possible to make the reconfiguration with a new app the step that disables the previous 2FA, rather than having a period during which there is no 2FA?
Not as easily. It'd be doable, but it's a bit of a pain to carry that state through and ensure the user actually goes through with resetting 2FA - easier to just disable it with a reminder to reconfigure it.
Could we, instead, give the user a way to look up the code while logged in?
Done - I've changed the email to direct the user to where to find it, and added the code to the 2FA settings behind a <details> section.
It also seems that I cannot enter a backup code because it contains letters and the UI wants me to input a number only. We need to remove that restriction (the feature works when I change the 2FA code field to be of type text rather than number).
Should all be fixed.
Fixes #266
Adds recovery codes for 2FA accounts. This instructs the user to save their recovery code before enabling 2FA.
Signing in with a recovery code disables 2FA on the account so the user can reconfigure it with a new app.
Also includes an email and script to set recovery codes on existing 2FA accounts, which can be manually run.
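As an added illustration of the flow the description lays out (this is example code written for this page, not QPixel's code and not part of the PR): the recovery code is generated and handed to the user before 2FA is switched on, login accepts either a six-digit TOTP code or the recovery code, and a recovery-code login consumes the code and disables 2FA so the user can reconfigure it. The class and method names, the 16-character alphanumeric code length and the SHA-256 digest are assumptions made for the example; HOTP/TOTP follow RFC 4226/6238, with the RFC 4226 test secret used in the sample run.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not QPixel code: a minimal 2FA account with a single-use
# recovery code. Class/method names and the 16-character code length are
# assumptions made for this illustration.
class TwoFactorAccount
  TOTP_STEP = 30            # seconds per TOTP window (RFC 6238 default)
  TOTP_DRIFT = 1            # accept one window either side of "now"
  RECOVERY_CODE_LENGTH = 16 # assumed length; letters and digits

  attr_reader :two_factor_enabled

  def initialize
    @two_factor_enabled = false
    @totp_secret = nil
    @recovery_code_digest = nil
  end

  # RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
  # dynamic truncation to `digits` decimal digits.
  def self.hotp(secret, counter, digits: 6)
    hmac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), secret, [counter].pack('Q>')).bytes
    offset = hmac[19] & 0x0f
    code = ((hmac[offset] & 0x7f) << 24) |
           (hmac[offset + 1] << 16) |
           (hmac[offset + 2] << 8) |
           hmac[offset + 3]
    (code % 10**digits).to_s.rjust(digits, '0')
  end

  # RFC 6238 TOTP: HOTP with the counter derived from Unix time.
  def self.totp(secret, now, step: TOTP_STEP)
    hotp(secret, now / step)
  end

  # Step 1 of the PR's flow: the user receives (and is told to save) the
  # recovery code before 2FA is enabled. Only a digest is kept server-side.
  # The code contains letters, which is why the login field cannot be
  # type=number.
  def generate_recovery_code
    code = SecureRandom.alphanumeric(RECOVERY_CODE_LENGTH)
    @recovery_code_digest = digest(code)
    code
  end

  # Step 2: enabling 2FA requires that a recovery code already exists.
  def enable_two_factor(totp_secret)
    raise ArgumentError, 'save a recovery code before enabling 2FA' unless @recovery_code_digest
    @totp_secret = totp_secret
    @two_factor_enabled = true
  end

  # Login check. Returns :ok_totp, :ok_recovery (2FA is now disabled so the
  # user can reconfigure it), :rejected, or :not_enabled.
  def verify(input, now: Time.now.to_i)
    return :not_enabled unless @two_factor_enabled
    code = input.to_s.strip
    if code.match?(/\A\d{6}\z/)
      counter = now / TOTP_STEP
      window = ((counter - TOTP_DRIFT)..(counter + TOTP_DRIFT))
      return :ok_totp if window.any? { |c| secure_compare(self.class.hotp(@totp_secret, c), code) }
      :rejected
    elsif @recovery_code_digest && secure_compare(digest(code), @recovery_code_digest)
      # Single use: consume the code and drop 2FA, as the PR description says.
      @two_factor_enabled = false
      @totp_secret = nil
      @recovery_code_digest = nil
      :ok_recovery
    else
      :rejected
    end
  end

  private

  # SHA-256 keeps the example dependency-free; a real application should store
  # a slow, salted hash (e.g. bcrypt) of the recovery code instead.
  def digest(code)
    OpenSSL::Digest::SHA256.hexdigest(code)
  end

  # Constant-time comparison so timing does not reveal how much of a guess matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  account = TwoFactorAccount.new
  recovery = account.generate_recovery_code
  account.enable_two_factor('12345678901234567890') # RFC 4226 test secret
  puts "recovery code (save this): #{recovery}"
  puts account.verify(TwoFactorAccount.totp('12345678901234567890', Time.now.to_i)) # ok_totp
  puts account.verify(recovery)   # ok_recovery
  puts account.two_factor_enabled # false
end
```

The branch on input shape is the point raised in the thread about the numeric-only field: a six-digit string goes down the TOTP path, anything else is treated as a recovery code, so the input must be accepted as text. The recovery path clears both the digest and the TOTP secret in one step, which is the "disable 2FA with a reminder to reconfigure" behaviour rather than the stateful "keep the old 2FA until the new app is set up" variant discussed above.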