Open michielbdejong opened 1 year ago
I'm now trying to rebuild a dev env starting from an older version of this repo -> https://github.com/pondersource/dev-stock/issues/50
I'll try this out using:
```
docker exec -it sunet-ssp-mdb mysql -u root -pr00tp@ssw0rd
use saml;
select * from users;
```
I think I reproduced the issue! After clicking "log out", I'm not actually logged out and it still shows MFA verified:
However, if I open a new session in a private browsing tab, then I do correctly see the MFA Zones as inaccessible:
So based on that observation, I think we're safe!
@mickenordin and [Richard Freitag (?)] what do you think?
OK, that is a good observation, I can reproduce the behaviour. How come the MFA provisioning is not triggered though, so I can give a second factor?
Expected: The folder should not be accessible

Actual: The folder is accessible
I'm setting up our dev environment to reproduce this; it would be good to try whether it also happens when using a private browsing tab, and to see what the values of the session variables are (maybe install MFA Checker for this in the dev setup).