-
Notifications
You must be signed in to change notification settings - Fork 384
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: clean up expired factors #1371
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Probably add a test for this and then send for review |
Let me write a test |
J0
force-pushed
the
j0/cleanup_stale_factors
branch
3 times, most recently
from
February 1, 2024 09:17
5521d51
to
edd4540
Compare
J0
commented
Feb 1, 2024
hf
reviewed
Feb 2, 2024
J0
commented
Feb 2, 2024
hf
approved these changes
Mar 13, 2024
J0
commented
Mar 13, 2024
Tests needs to be modified so that there's a valid AAL1 token when |
J0
force-pushed
the
j0/cleanup_stale_factors
branch
from
March 13, 2024 02:57
22c8505
to
22519c1
Compare
J0
pushed a commit
that referenced
this pull request
Mar 26, 2024
🤖 I have created a release *beep* *boop* --- ## [2.145.0](v2.144.0...v2.145.0) (2024-03-26) ### Features * add error codes ([#1377](#1377)) ([e4beea1](e4beea1)) * add kakao OIDC ([#1381](#1381)) ([b5566e7](b5566e7)) * clean up expired factors ([#1371](#1371)) ([5c94207](5c94207)) * configurable NameID format for SAML provider ([#1481](#1481)) ([ef405d8](ef405d8)) * HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets ([#1467](#1467)) ([5b24c4e](5b24c4e)) * refactor PKCE FlowState to reduce duplicate code ([#1446](#1446)) ([b8d0337](b8d0337)) ### Bug Fixes * add http support for https hooks on localhost ([#1484](#1484)) ([5c04104](5c04104)) * cleanup panics due to bad inactivity timeout code ([#1471](#1471)) ([548edf8](548edf8)) * **docs:** remove bracket on file name for broken link ([#1493](#1493)) ([96f7a68](96f7a68)) * impose expiry on auth code instead of magic link ([#1440](#1440)) ([35aeaf1](35aeaf1)) * invalidate email, phone OTPs on password change ([#1489](#1489)) ([960a4f9](960a4f9)) * move creation of flow state into function ([#1470](#1470)) ([4392a08](4392a08)) * prevent user email side-channel leak on verify ([#1472](#1472)) ([311cde8](311cde8)) * refactor email sending functions ([#1495](#1495)) ([285c290](285c290)) * refactor factor_test to centralize setup ([#1473](#1473)) ([c86007e](c86007e)) * refactor mfa challenge and tests ([#1469](#1469)) ([6c76f21](6c76f21)) * Resend SMS when duplicate SMS sign ups are made ([#1490](#1490)) ([73240a0](73240a0)) * unlink identity bugs ([#1475](#1475)) ([73e8d87](73e8d87)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Closed
uxodb
pushed a commit
to uxodb/auth
that referenced
this pull request
Nov 13, 2024
## What kind of change does this PR introduce? Currently, unverified MFA factors can build up in the database quickly. Supabase developers can toggle Maximum unverified factors ( `Maximum number of per-user MFA factors`) via the dashboard but developers will have to look for the toggle. Developers can also call `unenroll` but it requires an additional step. This PR proposes periodic cleanup of stale factors on each request. A stale factor is: - Unverified - Has no associated Challenges - Older than five minutes Why five minutes? - Most enrolment or verification flow should be completed within the five minute window Factors which are unverified but have associated challenges will be cleaned up [after the developer makes successful verification](https://github.com/supabase/gotrue/blob/master/internal/api/mfa.go#L314) Alternatives considered: - Return the same factor and QR code if the same user calls `/enroll` twice. We unfortunately can't reuse the QR code as it poses a security risk. - Increase the initial number of default unverified factors (currently 10) - Drop the unverified factor check. I think this was initially introduced to prevent a malicious user from creating excessive entries in the database Address supabase#979. --------- Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: joel <joel@joels-MacBook-Pro.local>
uxodb
pushed a commit
to uxodb/auth
that referenced
this pull request
Nov 13, 2024
🤖 I have created a release *beep* *boop* --- ## [2.145.0](supabase/auth@v2.144.0...v2.145.0) (2024-03-26) ### Features * add error codes ([supabase#1377](supabase#1377)) ([e4beea1](supabase@e4beea1)) * add kakao OIDC ([supabase#1381](supabase#1381)) ([b5566e7](supabase@b5566e7)) * clean up expired factors ([supabase#1371](supabase#1371)) ([5c94207](supabase@5c94207)) * configurable NameID format for SAML provider ([supabase#1481](supabase#1481)) ([ef405d8](supabase@ef405d8)) * HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets ([supabase#1467](supabase#1467)) ([5b24c4e](supabase@5b24c4e)) * refactor PKCE FlowState to reduce duplicate code ([supabase#1446](supabase#1446)) ([b8d0337](supabase@b8d0337)) ### Bug Fixes * add http support for https hooks on localhost ([supabase#1484](supabase#1484)) ([5c04104](supabase@5c04104)) * cleanup panics due to bad inactivity timeout code ([supabase#1471](supabase#1471)) ([548edf8](supabase@548edf8)) * **docs:** remove bracket on file name for broken link ([supabase#1493](supabase#1493)) ([96f7a68](supabase@96f7a68)) * impose expiry on auth code instead of magic link ([supabase#1440](supabase#1440)) ([35aeaf1](supabase@35aeaf1)) * invalidate email, phone OTPs on password change ([supabase#1489](supabase#1489)) ([960a4f9](supabase@960a4f9)) * move creation of flow state into function ([supabase#1470](supabase#1470)) ([4392a08](supabase@4392a08)) * prevent user email side-channel leak on verify ([supabase#1472](supabase#1472)) ([311cde8](supabase@311cde8)) * refactor email sending functions ([supabase#1495](supabase#1495)) ([285c290](supabase@285c290)) * refactor factor_test to centralize setup ([supabase#1473](supabase#1473)) ([c86007e](supabase@c86007e)) * refactor mfa challenge and tests ([supabase#1469](supabase#1469)) ([6c76f21](supabase@6c76f21)) * Resend SMS when duplicate SMS sign ups are made ([supabase#1490](supabase#1490)) ([73240a0](supabase@73240a0)) * unlink identity bugs ([supabase#1475](supabase#1475)) ([73e8d87](supabase@73e8d87)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 13, 2024
## What kind of change does this PR introduce? Currently, unverified MFA factors can build up in the database quickly. Supabase developers can toggle Maximum unverified factors ( `Maximum number of per-user MFA factors`) via the dashboard but developers will have to look for the toggle. Developers can also call `unenroll` but it requires an additional step. This PR proposes periodic cleanup of stale factors on each request. A stale factor is: - Unverified - Has no associated Challenges - Older than five minutes Why five minutes? - Most enrolment or verification flow should be completed within the five minute window Factors which are unverified but have associated challenges will be cleaned up [after the developer makes successful verification](https://github.com/supabase/gotrue/blob/master/internal/api/mfa.go#L314) Alternatives considered: - Return the same factor and QR code if the same user calls `/enroll` twice. We unfortunately can't reuse the QR code as it poses a security risk. - Increase the initial number of default unverified factors (currently 10) - Drop the unverified factor check. I think this was initially introduced to prevent a malicious user from creating excessive entries in the database Address supabase#979. --------- Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: joel <joel@joels-MacBook-Pro.local>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 13, 2024
🤖 I have created a release *beep* *boop* --- ## [2.145.0](supabase/auth@v2.144.0...v2.145.0) (2024-03-26) ### Features * add error codes ([supabase#1377](supabase#1377)) ([e4beea1](supabase@e4beea1)) * add kakao OIDC ([supabase#1381](supabase#1381)) ([b5566e7](supabase@b5566e7)) * clean up expired factors ([supabase#1371](supabase#1371)) ([5c94207](supabase@5c94207)) * configurable NameID format for SAML provider ([supabase#1481](supabase#1481)) ([ef405d8](supabase@ef405d8)) * HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets ([supabase#1467](supabase#1467)) ([5b24c4e](supabase@5b24c4e)) * refactor PKCE FlowState to reduce duplicate code ([supabase#1446](supabase#1446)) ([b8d0337](supabase@b8d0337)) ### Bug Fixes * add http support for https hooks on localhost ([supabase#1484](supabase#1484)) ([5c04104](supabase@5c04104)) * cleanup panics due to bad inactivity timeout code ([supabase#1471](supabase#1471)) ([548edf8](supabase@548edf8)) * **docs:** remove bracket on file name for broken link ([supabase#1493](supabase#1493)) ([96f7a68](supabase@96f7a68)) * impose expiry on auth code instead of magic link ([supabase#1440](supabase#1440)) ([35aeaf1](supabase@35aeaf1)) * invalidate email, phone OTPs on password change ([supabase#1489](supabase#1489)) ([960a4f9](supabase@960a4f9)) * move creation of flow state into function ([supabase#1470](supabase#1470)) ([4392a08](supabase@4392a08)) * prevent user email side-channel leak on verify ([supabase#1472](supabase#1472)) ([311cde8](supabase@311cde8)) * refactor email sending functions ([supabase#1495](supabase#1495)) ([285c290](supabase@285c290)) * refactor factor_test to centralize setup ([supabase#1473](supabase#1473)) ([c86007e](supabase@c86007e)) * refactor mfa challenge and tests ([supabase#1469](supabase#1469)) ([6c76f21](supabase@6c76f21)) * Resend SMS when duplicate SMS sign ups are made ([supabase#1490](supabase#1490)) ([73240a0](supabase@73240a0)) * unlink identity bugs ([supabase#1475](supabase#1475)) ([73e8d87](supabase@73e8d87)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 15, 2024
## What kind of change does this PR introduce? Currently, unverified MFA factors can build up in the database quickly. Supabase developers can toggle Maximum unverified factors ( `Maximum number of per-user MFA factors`) via the dashboard but developers will have to look for the toggle. Developers can also call `unenroll` but it requires an additional step. This PR proposes periodic cleanup of stale factors on each request. A stale factor is: - Unverified - Has no associated Challenges - Older than five minutes Why five minutes? - Most enrolment or verification flow should be completed within the five minute window Factors which are unverified but have associated challenges will be cleaned up [after the developer makes successful verification](https://github.com/supabase/gotrue/blob/master/internal/api/mfa.go#L314) Alternatives considered: - Return the same factor and QR code if the same user calls `/enroll` twice. We unfortunately can't reuse the QR code as it poses a security risk. - Increase the initial number of default unverified factors (currently 10) - Drop the unverified factor check. I think this was initially introduced to prevent a malicious user from creating excessive entries in the database Address supabase#979. --------- Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: joel <joel@joels-MacBook-Pro.local>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 15, 2024
🤖 I have created a release *beep* *boop* --- ## [2.145.0](supabase/auth@v2.144.0...v2.145.0) (2024-03-26) ### Features * add error codes ([supabase#1377](supabase#1377)) ([e4beea1](supabase@e4beea1)) * add kakao OIDC ([supabase#1381](supabase#1381)) ([b5566e7](supabase@b5566e7)) * clean up expired factors ([supabase#1371](supabase#1371)) ([5c94207](supabase@5c94207)) * configurable NameID format for SAML provider ([supabase#1481](supabase#1481)) ([ef405d8](supabase@ef405d8)) * HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets ([supabase#1467](supabase#1467)) ([5b24c4e](supabase@5b24c4e)) * refactor PKCE FlowState to reduce duplicate code ([supabase#1446](supabase#1446)) ([b8d0337](supabase@b8d0337)) ### Bug Fixes * add http support for https hooks on localhost ([supabase#1484](supabase#1484)) ([5c04104](supabase@5c04104)) * cleanup panics due to bad inactivity timeout code ([supabase#1471](supabase#1471)) ([548edf8](supabase@548edf8)) * **docs:** remove bracket on file name for broken link ([supabase#1493](supabase#1493)) ([96f7a68](supabase@96f7a68)) * impose expiry on auth code instead of magic link ([supabase#1440](supabase#1440)) ([35aeaf1](supabase@35aeaf1)) * invalidate email, phone OTPs on password change ([supabase#1489](supabase#1489)) ([960a4f9](supabase@960a4f9)) * move creation of flow state into function ([supabase#1470](supabase#1470)) ([4392a08](supabase@4392a08)) * prevent user email side-channel leak on verify ([supabase#1472](supabase#1472)) ([311cde8](supabase@311cde8)) * refactor email sending functions ([supabase#1495](supabase#1495)) ([285c290](supabase@285c290)) * refactor factor_test to centralize setup ([supabase#1473](supabase#1473)) ([c86007e](supabase@c86007e)) * refactor mfa challenge and tests ([supabase#1469](supabase#1469)) ([6c76f21](supabase@6c76f21)) * Resend SMS when duplicate SMS sign ups are made ([supabase#1490](supabase#1490)) ([73240a0](supabase@73240a0)) * unlink identity bugs ([supabase#1475](supabase#1475)) ([73e8d87](supabase@73e8d87)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Currently, unverified MFA factors can build up in the database quickly. Supabase developers can toggle Maximum unverified factors (
Maximum number of per-user MFA factors
) via the dashboard but developers will have to look for the toggle. Developers can also callunenroll
but it requires an additional step.This PR proposes periodic cleanup of stale factors on each request. A stale factor is:
Why five minutes?
Factors which are unverified but have associated challenges will be cleaned up after the developer makes successful verification
Alternatives considered:
/enroll
twice. We unfortunately can't reuse the QR code as it poses a security risk.Address #979.