Closed nicolas-besnard closed 4 years ago
Thank you for the report. I'm not sure exactly how AJAX bypasses this, but I think I see the issue, which is that the remember cookie is created when the user has logged in via password, but not yet two-factor authenticated. This means, even if we put AJAX aside, we still have the following vulnerability: the `after_load_memory` hook makes the session two-factor authenticated.

The AJAX probably triggers a similar behaviour. We should definitely remove this from the default `RodauthApp` configuration, and I want to remove the auto-remembering as well.
I would like to add a guide at some point showing people how they can auto-authenticate 2FA when remembering (like GitHub does). I believe in this case we just need to call `#remember_login` only after 2FA (instead of after login):

```ruby
after_two_factor_authentication { remember_login }
```
Do you see any issues with that?
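The sequence discussed above, as an added illustration that is not part of this thread and not Rodauth's code: a toy model of the session state in which `remember_login` is either fired after the password step (the configuration the report describes) or only after TOTP (the fix proposed above), combined with an `after_load_memory` hook that marks the session as TOTP-authenticated whenever TOTP is merely set up. The hook and predicate names are borrowed from the thread; `AuthModel`, its constructor options and the three `*_flow` helpers are invented for the demo and do not model how Rodauth actually stores `authenticated_by`.

```ruby
# Added demo, not Rodauth code. Models only the ordering problem from the thread:
# a remember cookie written after password-only login, plus an after_load_memory
# hook that grants TOTP status because TOTP is *configured*, not because a code
# was entered. Names mirror the thread; the class itself is hypothetical.
class AuthModel
  attr_reader :session, :cookies

  def initialize(totp_setup: true, remember_after: :login, auto_auth_on_load_memory: true)
    @totp_setup = totp_setup
    @remember_after = remember_after                  # :login (vulnerable) or :two_factor (fix)
    @auto_auth_on_load_memory = auto_auth_on_load_memory
    @session = {}                                     # server-side session, cleared per "browser"
    @cookies = {}                                     # persistent cookies, survive new sessions
  end

  # Predicates named after the ones quoted in the report.
  def two_factor_authentication_setup?; @totp_setup; end
  def two_factor_authenticated?; Array(@session[:authenticated_by]).include?("totp"); end
  def logged_in?; @session.key?(:account_id); end

  # Step 1: password login. In the vulnerable configuration remember_login fires here,
  # before any TOTP code has been checked.
  def login_with_password(account_id)
    @session[:account_id] = account_id
    @session[:authenticated_by] = ["password"]
    remember_login if @remember_after == :login
  end

  # Step 2: real TOTP verification. The fixed configuration remembers only here,
  # so a remember cookie can only exist for a session that completed 2FA.
  def complete_totp
    raise "not logged in" unless logged_in?
    two_factor_update_session("totp")
    remember_login if @remember_after == :two_factor
  end

  def two_factor_update_session(type)
    @session[:authenticated_by] = (Array(@session[:authenticated_by]) + [type]).uniq
  end

  def remember_login
    @cookies[:remember] = @session[:account_id]
  end

  # A fresh request with an empty session but the remember cookie still present
  # (a new browser session, or the AJAX call from the report). load_memory
  # restores the account and then runs after_load_memory.
  def new_request_from_remember_cookie
    @session = {}
    return unless @cookies[:remember]
    @session[:account_id] = @cookies[:remember]
    @session[:authenticated_by] = ["remember"]
    after_load_memory
  end

  # The line uncommented in the report: TOTP status is granted because TOTP is
  # set up for the account, not because a TOTP code was ever entered.
  def after_load_memory
    two_factor_update_session("totp") if @auto_auth_on_load_memory && two_factor_authentication_setup?
  end
end

# Vulnerable ordering: remembered after password only, auto-authenticated on load_memory.
def vulnerable_flow
  auth = AuthModel.new(remember_after: :login, auto_auth_on_load_memory: true)
  auth.login_with_password(1)            # password step only, TOTP never entered
  auth.new_request_from_remember_cookie  # the remember cookie alone restores the session
  auth.two_factor_authenticated?         # true: 2FA was bypassed
end

# Proposed fix: remember only after 2FA. Without TOTP there is no cookie to restore from.
def fixed_flow_without_totp
  auth = AuthModel.new(remember_after: :two_factor, auto_auth_on_load_memory: true)
  auth.login_with_password(1)
  auth.new_request_from_remember_cookie  # no remember cookie yet, session stays empty
  [auth.logged_in?, auth.two_factor_authenticated?]
end

# Same fix, happy path: a remembered session is one that genuinely passed TOTP.
def fixed_flow_with_totp
  auth = AuthModel.new(remember_after: :two_factor, auto_auth_on_load_memory: true)
  auth.login_with_password(1)
  auth.complete_totp
  auth.new_request_from_remember_cookie
  [auth.logged_in?, auth.two_factor_authenticated?]
end
```

The point the model makes is that `after_load_memory` is only safe to treat as "already did 2FA" if the remember cookie can never be written before 2FA, which is exactly what moving `remember_login` into `after_two_factor_authentication` guarantees.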
After uncommenting this line (`after_load_memory { two_factor_update_session("totp") if two_factor_authentication_setup? }`), I realised that I can access a protected resource via AJAX even though I never entered the TOTP code. Trying to manually go to a protected page (by changing the URL) will redirect me to `/otp-auth`.

After looking at the code, `two_factor_authentication_setup?` will return `true` if TOTP is configured, thus we will update the `authenticated_by` content even though we never really performed it.

To reproduce it, you just need to add a lit
I might have misconfigured something though
My `rodauth_app.rb`: