User session identity and 2FA
- Upon login, only the user's ID is now stored in the session. The full user record (and its roles) is fetched from the database on every request, so any change an admin makes to a user's profile (roles, deactivation) takes effect on that user's next request. The previous hack of directly modifying the session files is no longer needed.
- The 2FA code has been overhauled with a more robust implementation.
- To reduce friction, new user registration now completes without 2FA setup.
- After registration the new user is logged in and redirected to the 2FA setup page, but they can navigate away to any other page.
- New users have a grace period of 5 days (configurable) to set up 2FA. A "Setup 2FA" button has been added to the profile page. Once the grace period has expired, any request for a protected page redirects the user to the 2FA setup page.
- The admin users index page now has a column showing each user's 2FA status, plus an action to delete the user record.
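The following is an added example illustrating the session and grace-period behaviour described above; it is not the project's own code. It assumes a dict standing in for the server-side session, a constructed in-memory user table, and assumed route names (`/profile/2fa/setup`, `/login`, `/admin/...`) and a `TWO_FA_GRACE_DAYS` setting. It shows the one trap a reviewer should check for: the 2FA setup page (and logout) must be exempt from the redirect, or an overdue user is sent to the setup page, which redirects them to the setup page again.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed settings and routes (not from the project).
TWO_FA_GRACE_DAYS = 5
OPEN_PATHS = {"/login", "/register", "/logout"}
TWO_FA_SETUP_PATH = "/profile/2fa/setup"


@dataclass
class User:
    id: int
    email: str
    roles: List[str] = field(default_factory=list)
    created_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    totp_secret: Optional[str] = None  # None until 2FA setup completes
    is_active: bool = True

    @property
    def has_2fa(self) -> bool:
        return self.totp_secret is not None


# Constructed sample data standing in for the database table.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
USERS: Dict[int, User] = {
    1: User(1, "admin@example.com", ["admin"], T0, totp_secret="JBSWY3DPEHPK3PXP"),
}


def login(session: dict, user: User) -> None:
    # Only the ID goes into the session; clearing it first also rotates
    # any pre-login state so a fixated session carries nothing across.
    session.clear()
    session["user_id"] = user.id


def current_user(session: dict) -> Optional[User]:
    # Re-read the user (and roles) from the store on every request, so an
    # admin edit or deactivation is visible on the user's very next request
    # without anyone touching the session store.
    uid = session.get("user_id")
    user = USERS.get(uid) if uid is not None else None
    if user is None or not user.is_active:
        session.pop("user_id", None)
        return None
    return user


def register(session: dict, email: str, now: datetime) -> Tuple[int, str]:
    # Registration completes without 2FA; the user is logged in and sent
    # to the setup page but is free to navigate elsewhere for now.
    uid = max(USERS, default=0) + 1
    user = User(uid, email, ["user"], created_at=now)
    USERS[uid] = user
    login(session, user)
    return 302, TWO_FA_SETUP_PATH


def two_fa_overdue(user: User, now: datetime) -> bool:
    grace_ends = user.created_at + timedelta(days=TWO_FA_GRACE_DAYS)
    return not user.has_2fa and now >= grace_ends


def complete_2fa_setup(user: User, secret: str) -> None:
    user.totp_secret = secret


def handle(session: dict, path: str, now: datetime) -> Tuple[int, str]:
    """Dispatch one request; returns (status, body or redirect target)."""
    if path in OPEN_PATHS:
        return 200, path
    user = current_user(session)
    if user is None:
        return 302, "/login"
    # The setup page itself must stay reachable, or this redirect loops.
    if path != TWO_FA_SETUP_PATH and two_fa_overdue(user, now):
        return 302, TWO_FA_SETUP_PATH
    if path.startswith("/admin") and "admin" not in user.roles:
        return 403, "forbidden"
    return 200, path


if __name__ == "__main__":
    s: dict = {}
    print(register(s, "new@example.com", T0))                  # (302, setup page)
    print(handle(s, "/dashboard", T0 + timedelta(days=1)))     # allowed in grace period
    print(handle(s, "/dashboard", T0 + timedelta(days=5)))     # grace over: redirect
    print(handle(s, TWO_FA_SETUP_PATH, T0 + timedelta(days=5)))  # setup page still reachable
```

Because `current_user` reloads the record each time, the admin's "delete user" action (or a deactivation) needs no session cleanup: the next request finds no active user for the stored ID, drops the ID from the session and redirects to the login page.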