Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

do not allow multiple uses of the same key #61

Closed
wants to merge 2 commits into from
Closed

do not allow multiple uses of the same key #61

wants to merge 2 commits into from

Conversation

karakayasemi
Copy link
Contributor

resolves #59 .
I tested it in my local. I would like to add unit test for Totp service, but, IMHO it needs some bigger refactoring. There is an object that is violating dependency injection.

@karakayasemi karakayasemi self-assigned this Sep 13, 2018
@individual-it
Copy link
Member

will this only store the last token or multiple of the past?

@patrickjahns
Copy link
Contributor

Once this is merged - we need to setup a prior version ( before mandatory confirmation of otp secret ) and play upgrades to ensure the migrations work correctly and do not lock out users

@individual-it
Copy link
Member

tested. this fixes the issue, by saving the last token, still its possible to use the pre-last token to login again (obviously within the time limits)
Is that a problem?

@karakayasemi
Copy link
Contributor Author

karakayasemi commented Sep 14, 2018
edited
Loading

Hmm, we are also validating before and next token. https://github.com/owncloud/twofactor_totp/blob/master/lib/Service/Totp.php#L115 I thought only last used token is enough. Actually, since we are implementing this for the case of violation of user-server communication privacy, preventing consecutive usage of the same token is enough. IMHO, it is not a problem.

@individual-it
Copy link
Member

@PVince81 @DeepDiver1975 if you have a minute during the conference you maybe could have a look here

PVince81
PVince81 reviewed Sep 24, 2018
View reviewed changes
Copy link

@PVince81 PVince81 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any unit tests to update or write ?

lib/Db/TotpSecret.php
@@ -39,6 +42,9 @@ class TotpSecret extends Entity {
/** @var string */
protected $secret;

/** @var string */
protected $lastValidatedKey;
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

indent

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the file was indented with 4 spaces instead of tab. I opened an issue for php-cs-fixer #62

lib/Service/Totp.php
$secret = $this->crypto->decrypt($dbSecret->getSecret());
$otp = new Otp();

if ($otp->checkTotp(Base32::decode($secret), $key, 3) === true) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add some PHPDoc comment, it is not clear what and why we are doing this

@PVince81
Copy link

I tested it in my local. I would like to add unit test for Totp service

if really not possible, please make a technical debt ticket and explain what needs to be refactored

is this at least covered by acceptance tests ? @individual-it

@patrickjahns
Copy link
Contributor

@PVince81
No - there are no acceptance tests for this app - this app has always been tested manually

@PVince81
Copy link

so we have at least four options:

  1. wait for @karakayasemi to refactor and add unit tests
  2. refactor and add unit tests ourselves
  3. add acceptance tests
  4. ignore automated tests and merge as is and rely on manual testing to validate (with tech debt ticket)

@PVince81
Copy link

  1. release the current app without this PR, so we get the important fix and @karakayasemi has more time to do this properly

thoughts ?

@karakayasemi
Copy link
Contributor Author

@PVince81 let me refactor it, I will make it today, after work hours.

@karakayasemi karakayasemi force-pushed the prevent-second-usage branch 2 times, most recently from 8e950a9 to b20b8a3 Compare September 25, 2018 16:31
@karakayasemi karakayasemi mentioned this pull request Sep 25, 2018
Merged
@karakayasemi
Copy link
Contributor Author

I converted spaces to tabs in the files to follow ownCloud code style, now it became difficult to review. I am closing this PR, and creating new PR with the app's code style. We can fix cs mistakes by introducing php-cs-fixer later. Let's continue in here: #63

@karakayasemi karakayasemi deleted the prevent-second-usage branch September 26, 2018 17:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PVince81 PVince81 PVince81 left review comments

@individual-it individual-it Awaiting requested review from individual-it

@DeepDiver1975 DeepDiver1975 Awaiting requested review from DeepDiver1975

Assignees

@karakayasemi karakayasemi

Labels
3 - To review bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

token can be used several times
4 participants
@karakayasemi @individual-it @patrickjahns @PVince81