Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(users): add support to verify 2FA using recovery code #4737

Merged
merged 12 commits into from
May 23, 2024
Merged

feat(users): add support to verify 2FA using recovery code #4737

merged 12 commits into from
May 23, 2024

Conversation

apoorvdixit88
Copy link
Contributor

@apoorvdixit88 apoorvdixit88 commented May 22, 2024
edited
Loading

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

The PR adds support to verify 2FA using recovery code, in case TOTP is lost

Additional Changes

  • This PR modifies the API contract
  • This PR modifies the database schema
  • This PR modifies application configuration/environment variables

Motivation and Context

Closes #4736

How did you test it?

First Sign in for user for which 2FA is already set.
Then to verify 2FA:

Use the below curl to test it

curl --location 'http://localhost:8080/user/recovery_code/verify' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer SPT' \
--header 'Cookie: Cookie_1=value' \
--data '{
    "recovery_code": "j4Az-W7Fk"
}'

If the recovery code is correct then response will be 200 ok.
Else proper error would be thrown

{
    "error": {
        "type": "invalid_request",
        "message": "Invalid Recovery Code",
        "code": "UR_39"
    }
}

Checklist

  • I formatted the code cargo +nightly fmt --all
  • I addressed lints thrown by cargo clippy
  • I reviewed the submitted code
  • I added unit tests for my changes where possible

@apoorvdixit88 apoorvdixit88 added C-feature Category: Feature request or enhancement S-waiting-on-review Status: This PR has been implemented and needs to be reviewed M-api-contract-changes Metadata: This PR involves API contract changes A-users Area: Users labels May 22, 2024
@apoorvdixit88 apoorvdixit88 self-assigned this May 22, 2024
@apoorvdixit88 apoorvdixit88 requested review from a team as code owners May 22, 2024 19:54
apoorvdixit88
apoorvdixit88 commented May 22, 2024
View reviewed changes
crates/router/src/routes/app.rs Outdated
Comment on lines 1215 to 1218
.service(web::resource("/recovery_codes/verify").route(web::post().to(recovery_code_verify)))
.service(
web::resource("/recovery_codes/generate")
.route(web::get().to(generate_recovery_codes)),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#recovery_code or recovery_codes ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@racnan

ThisIsMani
ThisIsMani reviewed May 23, 2024
View reviewed changes
config/config.example.toml Show resolved Hide resolved
crates/api_models/src/user.rs Outdated
@@ -258,6 +258,11 @@ pub struct VerifyTotpRequest {
pub totp: Option<Secret<String>>,
}

#[derive(Debug, serde::Deserialize, serde::Serialize)]
pub struct VerifyAccessCodeRequest {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rename to recovery code.

crates/router/src/routes/lock_utils.rs Outdated
@@ -215,6 +215,7 @@ impl From<Flow> for ApiIdentifier {
| Flow::UpdateUserAccountDetails
| Flow::TotpBegin
| Flow::TotpVerify
| Flow::AccessCodeVerify
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rename

crates/router/src/utils/user/password.rs Outdated
Comment on lines 47 to 52
Ok(recovery_codes
.into_iter()
.map(|recovery_code| is_correct_password(candidate.clone(), recovery_code))
.collect::<Result<Vec<_>, _>>()?
.into_iter()
.position(|x| x))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Ok(recovery_codes
.into_iter()
.map(|recovery_code| is_correct_password(candidate.clone(), recovery_code))
.collect::<Result<Vec<_>, _>>()?
.into_iter()
.position(|x| x))
for (index, recovery_code) in recovery_codes.enumerate() {
let is_match = is_correct_password(candidate, recovery_code)?;
if is_match {
return Ok(Some(index));
}
}
return Ok(None)

crates/router/src/core/user.rs Outdated
Comment on lines 1793 to 1798
let matching_index =
password::get_index_for_correct_recovery_code(req.recovery_code, recovery_codes.clone())?;

if matching_index.is_none() {
return Err(UserErrors::InvalidRecoveryCode.into());
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
let matching_index =
password::get_index_for_correct_recovery_code(req.recovery_code, recovery_codes.clone())?;
if matching_index.is_none() {
return Err(UserErrors::InvalidRecoveryCode.into());
}
let matching_index =
password::get_index_for_correct_recovery_code(req.recovery_code, recovery_codes.clone())?
.ok_or(UserErrors::InvalidRecoveryCode.into())?;

crates/router/src/core/user.rs Outdated
return Err(UserErrors::TotpNotSetup.into());
}

let recovery_codes = user_from_db
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make this mut directly.

ThisIsMani
ThisIsMani previously approved these changes May 23, 2024
View reviewed changes
racnan
racnan approved these changes May 23, 2024
View reviewed changes
config/config.example.toml
@@ -351,7 +351,8 @@ email_role_arn = "" # The amazon resource name ( arn ) of the role which
sts_role_session_name = "" # An identifier for the assumed role session, used to uniquely identify a session.

[user]
password_validity_in_days = 90 # Number of days after which password should be updated
password_validity_in_days = 90 # Number of days after which password should be updated
two_factor_auth_expiry_in_secs = 300 # Number of seconds after which 2FA should be done again if doing update/change from inside
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

imo, if we've two different keys in redis for totp and recovery codes then the expiry for them should be different.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can consider this when will be adding other 2FA methods, for now anyways value for all of them will be same

@likhinbopanna likhinbopanna added this pull request to the merge queue May 23, 2024
Merged via the queue into main with commit f04c6ac May 23, 2024
13 checks passed
@likhinbopanna likhinbopanna deleted the verify-access-code branch May 23, 2024 13:56
@SanchithHegde SanchithHegde removed the S-waiting-on-review Status: This PR has been implemented and needs to be reviewed label May 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ThisIsMani ThisIsMani ThisIsMani approved these changes

@racnan racnan racnan approved these changes

Assignees

@apoorvdixit88 apoorvdixit88

Labels
A-users Area: Users C-feature Category: Feature request or enhancement M-api-contract-changes Metadata: This PR involves API contract changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat: add support to verify using recovery code
5 participants
@apoorvdixit88 @racnan @ThisIsMani @SanchithHegde @likhinbopanna