Closed MarkusH closed 1 year ago
Given that this is somewhat security sensitive, any objections to putting this into the next release as opposed to the one with all the new webauthn library?
I'd be fine having that in the next release.
Previously, a client could submit the secret for a TOTP device when adding it, through a hidden base32_key form field. With this commit, the secret is kept in a user session to remove a client's control over the secret.

Let's leave the PR open until we've issued a new version.