Merge ~roadmr/canonical-identity-provider:2fa-update-last-nag-paper-only into canonical-identity-provider:master
Status: | Merged |
---|---|
Approved by: | Daniel Manrique |
Approved revision: | 10fc368079e608c655182efc725719d831aa5529 |
Merge reported by: | Otto Co-Pilot |
Merged at revision: | not available |
Proposed branch: | ~roadmr/canonical-identity-provider:2fa-update-last-nag-paper-only |
Merge into: | canonical-identity-provider:master |
Diff against target: |
96 lines (+53/-3) 3 files modified
src/identityprovider/models/twofactor.py (+5/-0) src/webui/tests/test_views_ui.py (+48/-1) src/webui/views/ui.py (+0/-2) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Maximiliano Bertacchini | Approve | ||
Review via email: mp+386053@code.launchpad.net |
Commit message
Update last_nag only for codes from paper device.
This is described in the spec as the desired behavior, but was incorrectly implemented, updating last_nag for *any* valid 2fa authentication.
With this we'll keep nagging the user on every 2fa request until they do effectively enter a code from a backup device, which resets the counter to 6 weeks from now for the next nag.
Description of the change
How to QA:
- set the account's last_nag to either None or a date 8 weeks in the past.
- Ensure account has a real device and no paper devices.
- Log in, there should be no nag on the 2fa screen, enter a real code.
- (Maybe ensure the account last_nag was not updated at this point)
- Add a paper device
- Log out
- Log in
- a nag should appear in the 2fa screen
- Enter a code from the real device
- Log out
- Log in
- The nag should again appear (since user has never used their backup device as far as we know)
- Enter code from backup device
- log out
- log in
- nag is now gone
- account last_nag should now be 6 weeks in the future for the next nag.
LGTM, thanks!