Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[PM-15614] Allow Users to opt out of new device verification #5176

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

ike-kottlowski
Copy link
Contributor

@ike-kottlowski ike-kottlowski commented Dec 21, 2024

🎟️ Tracking

PM-15614

📔 Objective

Some users would like to be able to turn off the new device verification feature. This PR is to enable that decision.

However, turning this off will reduce overall security of your account if you do not already have 2FA enabled.

📸 Screenshots

User is able to login when dbo.User.VerifyDevices is set to false (0)

PRRh7o4c8a.mp4

Transcript

User tries to login and is met with New Device Verification prompt. dbo.User.VerifyDevices is changed to false (0); user attempts to login again and are allowed to authenticate this time. dbo.User.VerifyDevices is set back to true (1); User tries to authenticate again and is successful again because the device has been saved as a knowndevice.

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

…r has opted out of device verification.

Added endpoint to AccountsController.cs to allow editing of new User.VerifyDevices property.
…t. Removed Anon attribute from the POST account/verify-devices endpoint.
…fyDevices.

Added update to verify email to the new device verification flow.
Copy link
Contributor

github-actions bot commented Dec 21, 2024

Logo
Checkmarx One – Scan Summary & Details2a78ead1-aa43-429f-acf4-dfd9cada32d3

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 967 Attack Vector
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 975 Attack Vector
LOW Log_Forging /src/Api/Auth/Controllers/AccountsController.cs: 967 Attack Vector

Fixed Issues

Severity Issue Source File / Package
MEDIUM CSRF /src/Api/Auth/Controllers/AccountsController.cs: 967
MEDIUM CSRF /src/Api/NotificationCenter/Controllers/NotificationsController.cs: 67
MEDIUM CSRF /src/Api/NotificationCenter/Controllers/NotificationsController.cs: 61
LOW Log_Forging /src/Api/Auth/Controllers/AccountsController.cs: 967

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant