Skip to content

Email verification for new devices #1931

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 1, 2022
Merged

Email verification for new devices #1931

merged 3 commits into from
Apr 1, 2022

Conversation

@fedemkr
Copy link
Member

@fedemkr fedemkr commented Mar 30, 2022
edited
Loading

Type of change

  • Bug fix
  • New feature development
  • Tech debt (refactoring, code cleanup, dependency upgrades, etc)
  • Build/deploy pipeline (DevOps)
  • Other

Objective

Given: a user does not have 2FA set up AND the user is not logging in with SSO
When: the user logs in on a new device AND this is not the first device the user has logged in on
Then: required Email 2FA

Code changes

  • User.cs: Added method to clear 2FA
  • BaseRequestValidator: Added logic to require and send email 2FA when there is a login on a new device that is not SSO and has no 2FA configured.
  • NewDeviceLoginTwoFactorEmail.text.hbs: Added text template for the new email
  • NewDeviceLoginTwoFactorEmail.html.hbs: Added html template for the new email
  • HandlebarsMailService: Added method to send the new email with the email 2FA for new device's login
  • UserService: Added logic to send the correct 2FA email depending on if that is because of a new device's login or of a configured email 2FA
  • UserServiceTests: Added unit tests for the new logic on SendTwoFactorEmailAsync

Testing requirements

Test that on users that don't have SSO and don't have any 2FA set up, when login in new devices a 2FA is required and an email is received with the 2FA token and explaining why they are receiving that.
This shouldn't happen if the user has any 2FA set up or if they are login in with SSO.

Additional notes

Maybe it'd be a good idea to refactor the TwoFactorProvider set up to be done in some other object like a factory or a static method (or extension method) that builds the provider given the type and some additional arguments. On what I did I just copied the Email KeyValuePair<TwoFactorProviderType, TwoFactorProvider> as I saw it was done on other parts just not to refactor the other parts and tackle that all at once with some planning beforehand given that it may break core stuff.

Before you submit

  • I have checked for formatting errors (dotnet tool run dotnet-format --check) (required)
  • If making database changes - I have also updated Entity Framework queries and/or migrations
  • I have added unit tests where it makes sense to do so (encouraged but not required)
  • This change requires a documentation update (notify the documentation team)
  • This change has particular deployment requirements (notify the DevOps team)

fedemkr added 2 commits March 29, 2022 21:17
@fedemkr
PS-56 Added Email 2FA on login with new devices that don't have any 2…
a1186f1 
…FA enabled
@fedemkr
Merge branch 'master' into require-email-2fa
f42bfc9 
* master:
  Update SETUP.md (#1924)
  add some european takeaway domains to global domains (#1915)
  Fix swapped launch settings default (#1925)
@fedemkr fedemkr requested a review from a team March 30, 2022 01:21
@fedemkr fedemkr changed the title Require Email 2FA on new devices that don't have any 2FA enabled Email verification for new devices Mar 30, 2022
@micahblut
Copy link
Member

micahblut commented Mar 30, 2022

Additional testing notes:
A user who has SSO but does not use would go through the email flow for a new device.
Also, users who do not have email verified are excluded.

@kspearrin
Copy link
Member

kspearrin commented Mar 30, 2022

Also, users who do not have email verified are excluded.

I suspect this is a pretty low percentage of users. Not sure we will have much effect with this requirement.

@fedemkr fedemkr merged commit 6f60d24 into master Apr 1, 2022
@fedemkr fedemkr deleted the PS-56-require-email-2fa branch April 1, 2022 20:08
eliykat added a commit that referenced this pull request Apr 12, 2022
@eliykat
Revert "Email verification for new devices (#1931)"
d620402 
This reverts commit 6f60d24.
@fedemkr fedemkr mentioned this pull request Apr 28, 2022
Merged
10 tasks
@fedemkr fedemkr mentioned this pull request Jan 19, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jlf0dev jlf0dev jlf0dev approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@fedemkr @micahblut @kspearrin @jlf0dev