2FA login prompts can cause application errors
If a user has only TOTP enabled, they can still visit the U2F 2FA prompt path during login (/account/auth/2fa/u2f/prompt). They cannot log in from it since they have no U2F tokens registered, but they should be redirected away from the page instead of being left there.
My current computer borks U2F so I cannot test the other way around (that is, U2F w/o TOTP or recovery codes still lets you visit the TOTP path), but I would expect the same behavior to occur.
If a person who has not logged in goes to the U2F or TOTP paths, it causes problems in the SessionsController because session[:user_id] is nil, so the user is nil too. During 2FA, the user is not fully logged in, but they do have a user ID stored in the session variable. I can check this variable to ensure the user has gotten this far in the login process. However, I also need to check that the user is not already logged in on these paths, since a logged-in user should not be able to revisit the 2FA login paths.
In addition, if a logged-out user goes to the manage TOTP with U2F path (/account/security/2fa/totp/u2f), it also causes errors.
I have gone through the rest of the paths and all behave as expected when a logged out user accesses them.
- Prevent TOTP-only users from accessing U2F prompt during login
- Prevent U2F-only users from accessing TOTP prompt during login
- Ensure U2F users with recovery codes can still use recovery codes
- Prevent logged-out users accessing TOTP and U2F prompt paths from causing errors
- Prevent logged-out users accessing manage TOTP with U2F path
- Prevent logged-in users from accessing 2FA login paths
- Write tests for all this
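The checks described above (pending-login user present, not already fully logged in, user actually has the factor the prompt asks for) form a small decision table. The following is an added example, not code from this project: it models that table as a framework-free Ruby object so every row can be unit-tested without Rails. All names in it are assumptions for illustration, including `TwoFactorGuard`, the `User` struct, the `:pending_user_id` session key standing in for whatever the app stores between the password step and the second factor, the path symbols, and the assumption that recovery codes are entered on the TOTP prompt (which is why a U2F-only user with recovery codes is allowed there). `SAMPLE_USERS` is constructed data.

```ruby
# Added example (not the project's own code): a framework-free model of the
# 2FA path guards the issue asks for. All names are assumptions.

User = Struct.new(:id, :totp_enabled, :u2f_tokens, :recovery_codes, keyword_init: true) do
  def totp?
    totp_enabled
  end

  def u2f?
    !u2f_tokens.empty?
  end

  def recovery_codes?
    !recovery_codes.empty?
  end
end

class TwoFactorGuard
  LOGIN_PROMPTS = %i[u2f_prompt totp_prompt].freeze
  MANAGE_PATHS  = %i[manage_totp_with_u2f].freeze

  # session: a Hash standing in for the Rails session. :user_id is set only
  # once the second factor has been verified; :pending_user_id (assumed key)
  # is set once the password step succeeded.
  # users: Hash of id => User, standing in for User.find_by(id: ...).
  def initialize(session, users)
    @session = session
    @users = users
  end

  # Returns [:allow] or [:redirect, destination] for a request to +path+.
  def check(path)
    if MANAGE_PATHS.include?(path)
      # Settings pages need a fully logged-in user; a nil user here is what
      # raised errors for logged-out visitors in the report.
      return @session[:user_id] ? [:allow] : [:redirect, :login]
    end

    raise ArgumentError, "unknown path #{path}" unless LOGIN_PROMPTS.include?(path)

    # A fully logged-in user must not revisit the 2FA login prompts.
    return [:redirect, :root] if @session[:user_id]

    # Only someone who passed the password step has a pending user id; anyone
    # else goes back to the login form instead of tripping on a nil user.
    user = @users[@session[:pending_user_id]]
    return [:redirect, :login] unless user

    # A user with no second factor at all should never be in the pending
    # state; send them to login rather than bouncing between the two prompts.
    return [:redirect, :login] unless user.totp? || user.u2f? || user.recovery_codes?

    case path
    when :u2f_prompt
      # TOTP-only users cannot complete U2F, so send them to the prompt they can use.
      user.u2f? ? [:allow] : [:redirect, :totp_prompt]
    when :totp_prompt
      # Assumption: recovery codes are entered on the TOTP prompt, so a
      # U2F-only user who still has codes is allowed through.
      (user.totp? || user.recovery_codes?) ? [:allow] : [:redirect, :u2f_prompt]
    end
  end
end

# Constructed sample data covering the cases listed in the issue.
SAMPLE_USERS = {
  1 => User.new(id: 1, totp_enabled: true,  u2f_tokens: [],        recovery_codes: []),
  2 => User.new(id: 2, totp_enabled: false, u2f_tokens: ["key-a"], recovery_codes: []),
  3 => User.new(id: 3, totp_enabled: false, u2f_tokens: ["key-a"], recovery_codes: ["code-1"]),
}.freeze

# Convenience wrapper: decide a single (session, path) pair against SAMPLE_USERS.
def decide(session, path)
  TwoFactorGuard.new(session, SAMPLE_USERS).check(path)
end

if __FILE__ == $PROGRAM_NAME
  [
    [{ pending_user_id: 1 }, :u2f_prompt],
    [{ pending_user_id: 2 }, :totp_prompt],
    [{ pending_user_id: 3 }, :totp_prompt],
    [{}, :totp_prompt],
    [{}, :manage_totp_with_u2f],
    [{ user_id: 1 }, :u2f_prompt],
  ].each { |session, path| puts "#{session.inspect} #{path} => #{decide(session, path).inspect}" }
end
```

In a Rails app the same table would sit behind a `before_action` on the 2FA prompt actions, with the controller performing the `redirect_to` that each `[:redirect, ...]` row names; keeping the decision in a plain object is what makes the "write tests for all this" item cheap to satisfy.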