mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-18 12:52:42 +01:00
17709bc167
Summary: Ref T4398. This is still pretty rough and isn't exposed in the UI yet, but basically works. Some missing features / areas for improvement: - Rate limiting attempts (see TODO). - Marking tokens used after they're used once (see TODO), maybe. I can't think of ways an attacker could capture a token without also capturing a session, offhand. - Actually turning this on (see TODO). - This workflow is pretty wordy. It would be nice to calm it down a bit. - But also add more help/context to help users figure out what's going on here, I think it's not very obvious if you don't already know what "TOTP" is. - Add admin tool to strip auth factors off an account ("Help, I lost my phone and can't log in!"). - Add admin tool to show users who don't have multi-factor auth? (so you can pester them) - Generate QR codes to make the transfer process easier (they're fairly complicated). - Make the "entering hi-sec" workflow actually check for auth factors and use them correctly. - Turn this on so users can use it. - Adding SMS as an option would be nice eventually. - Adding "password" as an option, maybe? TOTP feels fairly good to me. I'll post a couple of screens... Test Plan: - Added TOTP token with Google Authenticator. - Added TOTP token with Authy. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T4398 Differential Revision: https://secure.phabricator.com/D8875
13 lines
586 B
SQL
13 lines
586 B
SQL
CREATE TABLE {$NAMESPACE}_auth.auth_factorconfig (
|
|
id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
|
|
phid VARCHAR(64) NOT NULL COLLATE utf8_bin,
|
|
userPHID VARCHAR(64) NOT NULL COLLATE utf8_bin,
|
|
factorKey VARCHAR(64) NOT NULL COLLATE utf8_bin,
|
|
factorName LONGTEXT NOT NULL COLLATE utf8_general_ci,
|
|
factorSecret LONGTEXT NOT NULL COLLATE utf8_bin,
|
|
properties LONGTEXT NOT NULL COLLATE utf8_bin,
|
|
dateCreated INT UNSIGNED NOT NULL,
|
|
dateModified INT UNSIGNED NOT NULL,
|
|
KEY `key_user` (userPHID),
|
|
UNIQUE KEY `key_phid` (phid)
|
|
) ENGINE=InnoDB, COLLATE utf8_general_ci;
|