This ticket is for the essential functionality for TOTP 2FA, separate tickets for other aspects
Some details at http://mail-archives.apache.org/mod_mbox/allura-dev/201608.mbox/%3C28c7a399-86c5-5d75-dde4-2ab54fe7b3e4%40brondsema.net%3E
Some nuances to consider:
Bitbucket requires 2FA resubmission to view/update settings, not just password reconfirmation.
Reconfiguration vs (re)adding a phone with the same key as before.
Many sites will show you the text form of the key, so you can enter it manually. Not sure if this is really needed for anyone? Phones/apps without camera support?
First pass of this is available in branch db/8117. There is some polish and email notifications I want to do for sure, and possibly some logic changes.
pip install -r requirements.txt
python setup.py develop
Overall I'm not super happy about using a session variable for multifactor-username, but we need some way to store the current partially-auth'd username and we can't just put it as a hidden form field or something like that since the client could change it. We could do an encrypted form field, which would have the benefit of not having to clear out the session var when you go to other pages (which is there so a partial login doesn't stay partially auth'd). But it would mean setting up a good encrypt/decrypt logic for the form field. Maybe worth it?
As a first rev, this is looking solid in my view.
I have pushed several more commits just now that include email notifications, and visual cleanup. That covers everything I was planning on for this ticket.
Visual polish, notifications, test coverage, and general improvements all look good. Clear to merge IMO.
Log in to post a comment.