justinmayer / kagi

WebAuthn security keys and TOTP multi-factor authentication for Django
BSD 2-Clause "Simplified" License
91 stars, 10 forks

feat: Prevent secret submission from the client when adding TOTP devices #72

Closed MarkusH closed 1 year ago

MarkusH commented 1 year ago

Previously, a client could submit the secret for a TOTP device when adding it, through a hidden base32_key form field. With this commit, the secret is kept in a user session to remove a client's control over the secret.

Let's leave the PR open until we've issued a new version.
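The two flows the PR description contrasts, as an added illustration that is not code from this project: a device-enrolment handler that trusts a hidden `base32_key` field posted back by the client, beside one that generates the secret server-side, keeps it in the session, and ignores anything the client submits for it. Django itself is not imported; a plain dict stands in for `request.session`, the session key name `totp_setup_secret` is made up, the TOTP routine is a standard-library RFC 6238 implementation rather than the project's, and the "attacker-chosen" seed in the demo is the RFC 6238 test key, used here only as a constructed input.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# Hypothetical session key name; the session object is a plain dict
# standing in for Django's request.session.
SESSION_KEY = "totp_setup_secret"


def totp(secret_b32: str, timestamp: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for a base32 secret."""
    key = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if timestamp is None else timestamp
    msg = struct.pack(">Q", now // step)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def new_secret() -> str:
    """160-bit random TOTP seed, base32 encoded (what a QR code would carry)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def _code_ok(secret: str, post: dict, timestamp: Optional[int]) -> bool:
    # Constant-time compare on bytes so non-ASCII input cannot raise TypeError.
    expected = totp(secret, timestamp).encode()
    submitted = str(post.get("code", "")).encode()
    return hmac.compare_digest(expected, submitted)


# --- Pattern the PR removes: the secret round-trips through the client. ---

def start_setup_vulnerable() -> dict:
    """Template context; base32_key was rendered as a hidden form input."""
    return {"base32_key": new_secret()}


def finish_setup_vulnerable(post: dict, timestamp: Optional[int] = None) -> Optional[str]:
    """Trusts whatever base32_key the client posts back, so the client
    (or anything able to tamper with the form) chooses the device secret."""
    secret = post.get("base32_key", "")
    if _code_ok(secret, post, timestamp):
        return secret  # would be persisted as the new device's secret
    return None


# --- Pattern the PR introduces: the secret lives only in the server session. ---

def start_setup(session: dict) -> dict:
    """Generate the secret server-side and park it in the session. The
    context exposes it only for QR/manual entry, never as a form field."""
    secret = new_secret()
    session[SESSION_KEY] = secret
    return {"provisioning_secret": secret}


def finish_setup(session: dict, post: dict, timestamp: Optional[int] = None) -> Optional[str]:
    """Verify the code against the session's secret; any base32_key in the
    POST body is ignored. Returns the confirmed secret, or None on failure."""
    secret = session.get(SESSION_KEY)
    if secret is None:
        return None  # setup never started, or the session expired
    if not _code_ok(secret, post, timestamp):
        return None
    del session[SESSION_KEY]  # one-shot: a confirmed secret leaves the session
    return secret


if __name__ == "__main__":
    # Constructed attacker-chosen seed: the RFC 6238 test key "12345678901234567890".
    known = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    forged = {"base32_key": known, "code": totp(known, 59)}
    print("vulnerable flow stores:", finish_setup_vulnerable(forged, 59))
    sess = {}
    start_setup(sess)
    print("hardened flow stores:", finish_setup(sess, forged, 59))
```

In the vulnerable flow a valid code for a client-supplied seed is enough to enrol a device whose secret the server never chose; in the hardened flow the same POST body either fails verification or, on the negligible chance the code happens to match, confirms the server-generated secret, so the client-supplied value never reaches the database. Binding the secret to the session also makes it single-use: once the device is confirmed, the value is removed and a replayed form cannot re-enrol it.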

apollo13 commented 1 year ago

Given that this is somewhat security sensitive, any objections to put this into the next release as opposed to the one with all the new webauthn library?

MarkusH commented 1 year ago

> Given that this is somewhat security sensitive, any objections to put this into the next release as opposed to the one with all the new webauthn library?

I'd be fine having that in the next release.