Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix unable to see the first set of backup codes after enabling the 2FA #217

Merged
merged 2 commits into from
Jun 22, 2023
Merged

Fix unable to see the first set of backup codes after enabling the 2FA #217

merged 2 commits into from
Jun 22, 2023

Conversation

renintw
Copy link
Contributor

@renintw renintw commented Jun 8, 2023
edited
Loading

Fixes #216, and the behavior of #190 is changed.

This PR adds isSetupFinished to record.
It could fix the issue - Unable to see the first set of backup codes after enabling the 2FA,
and also somewhat change the problem raised in #190, as the flow after the fix here is something like

  • If users don't click the All finish button and go back to account screen -> the backup code button status is updated as enabled and clickable (This wasn't fixed by this PR, and actually this is related to the issue of this PR - the root cause for "as soon as the codes are generated, the screen gets directed to Manage screen" is that the backupCodesEnabled here has already been set to true, and this makes the issue in Handle the case that If "I have printed or saved these codes" in backupCodes is not clicked #190 go away. i.e., the backup code button status is updated as enabled and clickable)
    However, even though the issue from Handle the case that If "I have printed or saved these codes" in backupCodes is not clicked #190 is resolved, another similar problem has popped up. The status on the account-status screen should not be set to enabled. This is because, after the fix implemented in this PR, there might be some confusion. For instance, (1) if users don't click All finish and directly navigate back to the account screen, they would see that the backup codes are enabled. This could be misleading. Similarly, (2) if users have already activated their backup codes once, they might out of curiosity or by accident click the generate new codes button. At this point, since they don't really intend to generate new codes, they might just click Back to leave the screen, or even log out, thinking they could still use the backup codes that they activated earlier - which they couldn't. Therefore, the status shouldn't be set to enabled, but at the same time, it shouldn't prevent users from clicking it as well. We could handle this in another PR.

  • If users click the All finish button and go back to account screen -> the status is correctly updated (enabled and clickable)

For more details about flow please see the screencast below.

This workaround may not seem ideal, but other methods like adding state or using the apiFetch middleware don't really handle all the cases quite well. Once the upstream PR is fixed, this can be removed. At that point, we will have the ability to decide when backupCodesEnabled should be enabled and control the state.

Screencast

Screen.Capture.on.2023-06-09.at.05-50-48.mp4

Testing Step

  1. Set up 2FA while sandboxed.
  2. When 2FA is successfully activated, see if it redirects to backup codes screen and stays there, if so, this issue is fixed.

@renintw renintw requested review from iandunn and adamwoodnz June 8, 2023 22:53
@renintw renintw self-assigned this Jun 8, 2023
@renintw renintw added the bug Something isn't working label Jun 8, 2023
renintw
renintw commented Jun 8, 2023
View reviewed changes
settings/src/components/backup-codes.js
} );
userRecord.record.isSetupFinished = true;
// The codes have already been saved to usermeta, see `generateCodes()` above.
await refreshRecord( userRecord ); // This has the intended side-effect of redirecting to the Manage screen.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not so sure about the meaning of the comment in this line, does it make sense to remove it now?

@renintw renintw force-pushed the fix/Unable-to-see-the-first-set-of-backup-codes branch from c66c577 to 9abb760 Compare June 8, 2023 23:03
@renintw renintw mentioned this pull request Jun 8, 2023
Closed
@renintw renintw force-pushed the fix/Unable-to-see-the-first-set-of-backup-codes branch from 9abb760 to 2ed2b4e Compare June 9, 2023 15:04
@StevenDufresne
Copy link
Contributor

accident click the generate new codes button

Accidentally clicking a button, provided it's a standard button, isn't something to worry about. I think anytime that button is clicked, it's fair and expected that new codes are created. I don't think we need to complicate things by having extra confirmations provided we have recourse for unblocking locked accounts (which we do).

I would argue that we can always show the backup codes on the code view (we have them saved right?). I'm not quite sure why we treat them as temporary and never show them again?

@renintw
Copy link
Contributor Author

renintw commented Jun 21, 2023
edited
Loading

I would argue that we can always show the backup codes on the code view (we have them saved right?). I'm not quite sure why we treat them as temporary and never show them again?

I'm not so sure about how it was decided as is in the first place, and I couldn't easily find a best practice for this argument. So I asked chatGPT about it, and here's what it said, it seems to make sense:

Two-factor authentication (2FA) backup codes are typically shown to the user only once, at the time they are generated. The idea is that the user should make a copy of these codes and keep them in a safe place, separate from their primary device. This is a security measure to prevent unauthorized access to the backup codes.

If the backup codes were always visible in the user interface, then anyone who managed to gain access to your account could also see and use these backup codes. This would defeat the purpose of having a second factor of authentication.

Therefore, it's standard practice to treat backup codes as temporary and only show them once. If the user loses their backup codes, they should have an option to generate a new set, which will invalidate the old ones. This way, if the old codes were discovered by someone else, they could not be used to access the account.

That being said, I can see that Google always shows the backup codes like you mentioned and put the re-generate button on the same page. But I also can remember there are some services hiding the codes right away after users leave the page.

image

Accidentally clicking a button, provided it's a standard button, isn't something to worry about. I think anytime that button is clicked, it's fair and expected that new codes are created. I don't think we need to complicate things by having extra confirmations provided we have recourse for unblocking locked accounts (which we do).

This was brought up here, and it was confirmed as an edge case. If we're not changing to always show the backup codes on the code view, I assume it's still a good-to-have feature, but with low priority, though.

@renintw
Copy link
Contributor Author

renintw commented Jun 21, 2023
edited
Loading

Any further concerns about not merging this PR? If not, I'll squash merge it first and we can come back to revert it anytime we'd like to. Changes here are rather simple, only isSetupFinished is added, and there's a clear TODO comment about it.

@StevenDufresne
Copy link
Contributor

If the backup codes were always visible in the user interface, then anyone who managed to gain access to your account could also see and use these backup codes. This would defeat the purpose of having a second factor of authentication

I think this is mostly incorrect, if a bad actor can access the backup codes, they can also access the regenerate button which kills the backup codes and gives them new ones and since we don't have logging you wouldn't know. That is a bigger topic thought.

Also, Github also shows them provided you re-auth.

At any rate, I'm okay with this to merge in the meantime.

@renintw renintw force-pushed the fix/Unable-to-see-the-first-set-of-backup-codes branch from 2ed2b4e to f016d99 Compare June 22, 2023 17:02
@renintw renintw merged commit 0cbad52 into trunk Jun 22, 2023
@renintw renintw deleted the fix/Unable-to-see-the-first-set-of-backup-codes branch June 22, 2023 17:05
@renintw renintw restored the fix/Unable-to-see-the-first-set-of-backup-codes branch June 22, 2023 17:57
@renintw renintw deleted the fix/Unable-to-see-the-first-set-of-backup-codes branch June 22, 2023 18:11
renintw added a commit that referenced this pull request Jun 22, 2023
@renintw
Revert "Fix unable to see the first set of backup codes after enablin…
8bd33aa 
…g the 2FA (#217)"

This reverts commit 0cbad52.
@renintw renintw mentioned this pull request Jun 22, 2023
Merged
@iandunn
Copy link
Member

iandunn commented Jun 22, 2023

In our case at least, it's not possible to show the backup codes after the initial generation, because they're hashed before being stored in the database, similar to passwords.

renintw added a commit that referenced this pull request Jun 26, 2023
@renintw
Fix unable to see the first set of backup code - using localStroage (#…
5cd6e01 
…221)

* Revert "Fix unable to see the first set of backup codes after enabling the 2FA (#217)"

This reverts commit 0cbad52.

* add hasSetupCompleted

* Add {browser: true} to fix eslint error
@iandunn iandunn mentioned this pull request Sep 14, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iandunn iandunn Awaiting requested review from iandunn

@adamwoodnz adamwoodnz Awaiting requested review from adamwoodnz

Assignees

@renintw renintw

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Unable to see the first set of backup codes after completing the 2FA application
3 participants
@renintw @StevenDufresne @iandunn