claudiodekker / laravel-auth Goto Github PK
View Code? Open in Web Editor NEWRich authentication logic for your Laravel applications.
License: MIT License
Rich authentication logic for your Laravel applications.
License: MIT License
This is a very minor bug, but essentially when you enter a recovery code with a dash separator (as it is displayed during code generation), the code will be 11 characters long instead of 10, while the recovery code input itself only allows 10 characters exactly.
The obvious workaround is to simply enter the code without the separator, but the problem there is that those who store their recovery codes in a password manager, will likely copy-paste the code as-is with the separator, in which case the browser likely truncates the input field, making the code one character too short, causing the code to be considered invalid.
To fix this, we'll want to keep the "min" length as-is, but make the "max" length 11.
Initially, I considered recovery codes to be mandatory:
After talking to @valorin and thinking things over, I've changed my position on this slightly. This issue serves to track as a reminder to myself, as well as a specification as to what I intend to change and to what.
First of all, I will adjust the recovery code flow, so the system will 'skip' the recovery code challenge in the situation that you did not generate recovery codes, similar to what would happen when you did not configure 2FA and try to authenticate. This puts the responsibility as to generate recovery codes with the user.
Secondly, I will add a "account security" indicator class, with the following levels:
No 2FA | With 2FA | |
---|---|---|
No recovery | Weak & at-risk (RED) | At-risk (ORANGE) |
With recovery | Weak (RED) | Strong (GREEN) |
The colors (red, orange, green) serve as the actual levels, and can be checked against in-code. You can feed it the user object, call a check method, and get the level-code back. By default, the goal is to use this in the UI of the adapter packages, as to display a "security alert" on both the dashboard ("home") as well as the account security overview page.
Hey @claudiodekker,
I'd like to help a little bit with the package and thought about how I could contribute the best for now.
So I'd like to propose to use a stricter type system which would mean:
declare(strict_types=1)
at the top of all filesWhy is that change important in my opinion?
A stricter type system would mean catching more unexpected bugs / type conversions. There are a lot of cases were an integer is passed but a string is expected. Because for Authentication Security is an important aspect this should be an explicit instead of an implicit type conversion.
If you want I would work on these things in multiple smaller iterations so that it would be better to review:
declare(strict_types=1)
to all files (maybe 10 - 20 files per iteration) and fix the type conversionsNote
If I am talking about all files I mean currently only internal files and not the stubs
What is your opinion on this?
(I could also work on this in one large PR, but this would make it quite hard to review)
Right now, whenever you register an account using a passkey, the first step is to "claim" the user by creating it in the database. Once the user record exists, the system can use this record to generate the passkey / WebAuthn "creation options" (challenge), which once confirmed essentially gets added to that record in order to "complete" registration.
However, when an user does not confirm this, you end up with an account that does not have a valid authentication method. To solve this, I have come up with two solutions:
laravel-auth
it means adding a new route.The library currently implements (amongst others) per-username rate limiting. While traditionally rate limiting an IP-address would have been mostly sufficient, these days it is fairly trivial for attackers to proxy their requests and to simply switch to 'fresh' IP address once a rate limit / block has been reached. As such, we also want to rate-limit on the username itself, making this 'brute force' attack significantly less effective.
Now, we already do have tests that ensure an username gets rate limited, and we currently also already do make sure that usernames and emails such as [email protected]
, [email protected]
(casing) and fฯฯ@example.com
(transliteration) are treated the same, but we don't specifically have tests that cover these edge-cases.
As such, if an user decides to override and remove/change this functionality, they might expose themselves to risk, and it is for this reason that we want to ensure that two additional tests exist.
Then I would say we leave the stricter type system open for now. (Maybe use larastan on level 0 for now to already find smaller problems and then later on improve incrementally the type system.)
Originally posted by @Jubeki in #25 (comment)
Hi,
I've come across a re-accruing bug I wanted to bring to your attention.
I'll explain the steps below on how to get to it.
When I hit back and refresh, I am logged in.
This has happened to me on Safari and Brave. I'm on a Mac if this helps -- unlikely.
Due to an oversight, it's currently only possible to use recovery codes / account reset links to regain access to the account, but it not to reset your credentials once authenticated (as changing your password at that point requires your current password to be provided)
To solve this, I'll change the way account recovery works. Instead of directly authenticating the user and sending them to the account settings page, I will make it so that the user enters a "confirmed recovery state" (similar to the 2FA challenges) where the user can then (depending on the account type) either register a new passkey, or choose a new password.
Once a new credential has been registered and the recovery mode cleared, the user will be returned to the login page.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.