allura-dev mailing list archives

From "Dave Brondsema" <d...@brondsema.net>
Subject [allura:tickets] #8117 Implement core 2FA
Date Wed, 31 Aug 2016 19:06:27 GMT
- **status**: in-progress --> review
- **Comment**:

First pass of this is available in branch `db/8117`.  There is some polish and email notifications
I want to do for sure, and possibly some logic changes.  

* you'll need to run `pip install -r requirements.txt` to get new packages (do this within
docker, if using docker)
* you'll need to run `python setup.py develop` in the Allura dir, for it to know of new TOTP
entry points (again, within docker if using it)

Overall I'm not super happy about using a session variable for `multifactor-username`, but
we need some way to store the current partially-auth'd username and we can't just put it as
a hidden form field or something like that since the client could change it. We could do an
encrypted form field, which would have the benefit of not having to clear out the session
var when you go to other pages (which is there so a partial login doesn't stay partially auth'd).
But it would mean setting up a good encrypt/decrypt logic for the form field. Maybe worth
it?



---

**[tickets:#8117] Implement core 2FA**

**Status:** review
**Milestone:** unreleased
**Labels:** security 
**Created:** Mon Aug 15, 2016 03:54 PM UTC by Dave Brondsema
**Last Updated:** Fri Aug 19, 2016 07:55 PM UTC
**Owner:** Dave Brondsema


This ticket is for the essential functionality for TOTP 2FA, with separate tickets for other aspects.

Some details at http://mail-archives.apache.org/mod_mbox/allura-dev/201608.mbox/%3C28c7a399-86c5-5d75-dde4-2ab54fe7b3e4%40brondsema.net%3E


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.
 Or, if this is a mailing list, you can unsubscribe from the mailing list.
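
An added example, not part of the original message or of Allura's code: one way to carry the partially authenticated username in a hidden form field so that the client cannot change it. It signs the value with HMAC-SHA256 and an issue time instead of encrypting it (a substitution made for this example); the key, the 300-second lifetime and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample key; a real deployment would load a random secret from config.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 300  # seconds a partial login stays valid (assumed value)


def _mac(payload, key):
    # The fixed prefix keeps this MAC from being reused for any other purpose.
    return hmac.new(key, b"multifactor-username:" + payload, hashlib.sha256).digest()


def make_partial_auth_token(username, key=SECRET_KEY, now=None):
    """Return a hidden-form-field value binding username to its issue time."""
    issued = int(time.time() if now is None else now)
    payload = struct.pack(">Q", issued) + username.encode("utf-8")
    return base64.urlsafe_b64encode(_mac(payload, key) + payload).decode("ascii")


def read_partial_auth_token(token, key=SECRET_KEY, now=None, max_age=MAX_AGE):
    """Return the username, or None if the token is forged, altered or expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # covers bad base64 and non-ASCII input
        return None
    if len(raw) < 32 + 8:  # 32-byte tag plus 8-byte timestamp
        return None
    tag, payload = raw[:32], raw[32:]
    # Constant-time comparison; verify before trusting any field in the payload.
    if not hmac.compare_digest(tag, _mac(payload, key)):
        return None
    issued = struct.unpack(">Q", payload[:8])[0]
    current = time.time() if now is None else now
    if not 0 <= current - issued <= max_age:
        return None
    try:
        return payload[8:].decode("utf-8")
    except UnicodeDecodeError:
        return None
```

Because the token is stateless, it stays valid until it expires rather than being cleared when the user navigates away, so the second-factor check still needs its own attempt limiting.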