Remember device for 30 days option #14194
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
miketheman
reviewed
Jul 24, 2023
ristomcgehee
force-pushed
the
remember-device
branch
from
eb0d81d to
557ef2d
Compare
miketheman
added
feature request
security
miketheman
approved these changes
Jul 25, 2023
There was a problem hiding this comment.
I'm pretty good with this, but would appreciate a second review from @di as well.
Comment on lines
+247
to
+249
| "REMEMBER_DEVICE_DAYS", | ||
| coercer=int, | ||
| default=30, |
There was a problem hiding this comment.
praise: I like this even more, since then we don't even need to set a value unless we want to override the default of 30 days.
|
random |
ristomcgehee
force-pushed
the
remember-device
branch
from
fa103c1 to
d7db58d
Compare
|
@di It looks like this PR is waiting for your review. Btw, if you re-run the failed checks, they should pass (temporary github issue). |
di
approved these changes
Aug 23, 2023
- Also cleaned up tests - Also changed cookie to strict
ristomcgehee
force-pushed
the
remember-device
branch
from
d7db58d to
c84da1e
Compare
|
Thanks, all! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This gives the user the option to not have to provide 2nd factor authentication on a device for 30 days. A new cookie
remember_devicewill contain a signed token that allows the user to skip two-factor authentication (assuming the token is valid). To minimize data being sent by the browser, this cookie is only sent for requests with the pathaccounts/login.This is how the 2FA page looks:
With authenticator app and webauthn
With only webauthn
By default "Remember this device for 30 days" will not be checked.
I originally created a different PR for this issue (#13166) but since we decided to take a substantially different approach, I figured this merited a new, clean PR.
This change requires adding a
TOKEN_REMEMBER_DEVICE_SECRETenvironment variable to the production configuration.Closes #5867
I'll create a new issue for how these tokens can be revoked. One approach could be to invalidate the tokens when the user changes their password.