Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Harden login nonces #473

Merged
merged 3 commits into from
Oct 24, 2022
Merged

Harden login nonces #473

merged 3 commits into from
Oct 24, 2022

Conversation

iandunn
Copy link
Member

@iandunn iandunn commented Oct 13, 2022
edited
Loading

I noticed a few comments on a closed PR and didn't want them to fall through the cracks:

I'd appreciate some extra eyes on this one to make sure everything with the HMAC is correct.

@iandunn iandunn added Enhancement PHP Pull requests that update Php code labels Oct 13, 2022
@iandunn iandunn self-assigned this Oct 13, 2022
@calvinalkan
Copy link
Contributor

HMAC logic looks good to be, only change would be to fail hard If wp_json_encode returns false.

The return type is string|false.

Tokens not being deleted should be fixed ASAP.

@iandunn
Copy link
Member Author

iandunn commented Oct 14, 2022

Doh, good catch, thanks! Fixed in 87fdce0

@jeffpaul jeffpaul added this to the 0.8.0 milestone Oct 14, 2022
@iandunn iandunn mentioned this pull request Oct 14, 2022
Merged
3 tasks
kasparsd
kasparsd reviewed Oct 17, 2022
View reviewed changes
Copy link
Collaborator

@kasparsd kasparsd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some initial feedback. Looks good overall!

class-two-factor-core.php Outdated Show resolved Hide resolved
class-two-factor-core.php Show resolved Hide resolved
class-two-factor-core.php Outdated Show resolved Hide resolved
@iandunn iandunn requested a review from kasparsd October 19, 2022 20:13
@iandunn
Copy link
Member Author

iandunn commented Oct 24, 2022

I'm gonna go ahead and merge this since it seems like everything has been resolved. We can definitely iterate if anyone has any more thoughts though.

@iandunn
Core: Shorten login nonce expiration to 10 minutes
dab71d4 
This shortens the attack window, but should still be plenty of time for normal use.
@iandunn
Core: Include user ID and expiration in login nonce
75a4095 
This guarantees that the nonce can only be used by the user it was generated for, and that it can only be used within the same expiration window.
@iandunn
Core: Rename nonce verification test for clarity
c129c05 
The test only verifies that failing to verify a nonce will delete the valid nonce. It doesn't test that a valid nonce can't be reused.
@iandunn iandunn merged commit 269a987 into master Oct 24, 2022
@iandunn iandunn deleted the harden-login-nonce branch October 24, 2022 22:46
@iandunn iandunn mentioned this pull request Nov 3, 2022
Closed
15 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@calvinalkan calvinalkan calvinalkan left review comments

@dd32 dd32 Awaiting requested review from dd32

@georgestephanis georgestephanis Awaiting requested review from georgestephanis

@kasparsd kasparsd Awaiting requested review from kasparsd

Assignees

@iandunn iandunn

Labels
Enhancement PHP Pull requests that update Php code
Projects
None yet
Milestone
0.8.0
Development

Successfully merging this pull request may close these issues.
5 participants
@iandunn @calvinalkan @kasparsd @dd32 @jeffpaul