Merge lp:~maxiberta/canonical-identity-provider/2fa-readonly into lp:canonical-identity-provider/release
| Status: | Merged |
|---|---|
| Approved by: | Maximiliano Bertacchini |
| Approved revision: | no longer in the source branch. |
| Merge reported by: | Otto Co-Pilot |
| Merged at revision: | not available |
| Proposed branch: | lp:~maxiberta/canonical-identity-provider/2fa-readonly |
| Merge into: | lp:canonical-identity-provider/release |
| Prerequisite: | lp:~maxiberta/canonical-identity-provider/readonly-improvements |
| Diff against target: | 292 lines (+129/-17), 8 files modified: src/identityprovider/forms.py (+6/-2), src/identityprovider/models/twofactor.py (+7/-7), src/identityprovider/tests/test_forms.py (+8/-2), src/identityprovider/tests/test_models_twofactor.py (+70/-1), src/webui/templates/registration/twofactor.html (+4/-0), src/webui/tests/test_views_registration.py (+23/-0), src/webui/tests/test_views_ui.py (+9/-4), src/webui/views/registration.py (+2/-1) |
| To merge this branch: | bzr merge lp:~maxiberta/canonical-identity-provider/2fa-readonly |
| Related bugs: | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Daniel Manrique (community) | Approve | | |

Review via email: mp+374530@code.launchpad.net
Commit message
Read-only mode 2FA: allow TOTP devices only, disable sync.
Description of the change
2FA is currently bypassed in readonly mode, lowering the security requirements of accounts with 2FA devices. This branch should improve the situation by allowing TOTP devices in readonly mode, while counter-based devices (HOTP and text codes) are not allowed to authenticate. A warning message is shown next to the 2FA input when in readonly mode, and non-TOTPs will just be rejected as invalid.
Counter-based device sync is disabled in readonly mode, as well.
Screenshots:
Readwrite (unchanged): https:/
Read-only: https:/
Note this depends on a prerequisite branch with general readonly improvements.
LGTM!
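The distinction the description draws between clock-based and counter-based devices, as an added Python example that is not the branch's or the project's code: TOTP verification needs no persisted state, so it can run against a read-only database, whereas HOTP verification (and counter sync) must advance the stored counter to prevent replay, so in readonly mode the former is checked and the latter is rejected as invalid. The `Device` class, its `kind` and `counter` fields, the `readonly` flag and the `resync` helper are assumptions made for illustration; the secret used in the demo is the RFC 4226/6238 test vector.

```python
"""Readonly-mode 2FA decision logic (illustrative, not the project's code)."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional


class ReadOnlyError(Exception):
    """Raised when an operation would need to write state in readonly mode."""


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time // step), digits)


@dataclass
class Device:
    kind: str          # hypothetical: "totp" (clock-based) or "hotp" (counter-based)
    secret: bytes
    counter: int = 0   # persisted state, meaningful for counter-based devices only


def authenticate(device: Device, code: str, readonly: bool,
                 now: Optional[float] = None, drift: int = 1, lookahead: int = 10) -> bool:
    """Return True if `code` is valid for `device` under the given database mode."""
    if device.kind == "totp":
        at_time = time.time() if now is None else now
        step = int(at_time // 30)
        # No persisted state is needed, so this is safe with a read-only database.
        # Caveat: without recording the last accepted step, a code stays replayable
        # until its window expires; that bookkeeping would itself be a write.
        return any(hmac.compare_digest(hotp(device.secret, step + d), code)
                   for d in range(-drift, drift + 1))
    if device.kind == "hotp":
        if readonly:
            # Accepting would require advancing the counter to stop replay; that
            # cannot be persisted, so the code is treated as plain invalid input.
            return False
        for c in range(device.counter, device.counter + lookahead):
            if hmac.compare_digest(hotp(device.secret, c), code):
                device.counter = c + 1   # the write that readonly mode cannot make
                return True
        return False
    return False


def resync(device: Device, first: str, second: str, readonly: bool, search: int = 100) -> int:
    """Re-align a counter-based device from two consecutive codes; returns the new counter."""
    if device.kind != "hotp":
        raise ValueError("only counter-based devices need resync")
    if readonly:
        # Sync is nothing but a counter write, so it is refused outright.
        raise ReadOnlyError("counter sync disabled in readonly mode")
    for c in range(device.counter, device.counter + search):
        if (hmac.compare_digest(hotp(device.secret, c), first)
                and hmac.compare_digest(hotp(device.secret, c + 1), second)):
            device.counter = c + 2
            return device.counter
    raise ValueError("codes do not match any counter in the search window")


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 / RFC 6238 test secret
    clock = Device("totp", secret)
    counter_dev = Device("hotp", secret)
    print("TOTP in readonly:", authenticate(clock, totp(secret, 59), readonly=True, now=59))
    print("HOTP in readonly:", authenticate(counter_dev, hotp(secret, 1), readonly=True))
    print("HOTP in readwrite:", authenticate(counter_dev, hotp(secret, 1), readonly=False),
          "counter now", counter_dev.counter)
```

The read-write branch shows why the rejection is the safe choice: a successful HOTP check is only sound when the counter is advanced in the same step, and a readonly database cannot guarantee that, so accepting the code would open a replay window for as long as the mode lasts.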