Add expiration time to user otp_secrets

Brian Williams requested to merge bwill/add-otp-secret-ttl into master

What does this MR do and why?

As a corrective action for the issues observed in gitlab-com/gl-infra/production#6818 (closed) and gitlab-com/gl-infra/production#6728 (closed), this MR adds a time-based expiration for OTP secrets instead of regenerating them on every page load. This will allow multiple requests to be made to the two-factor auth page without regenerating the OTP secret in the background. This should make it much less likely to have a background request regenerate the OTP secret and break the two-factor onboarding.

💾 Database Migrations

Up

./bin/rails db:migrate:up VERSION=20220412171810
== 20220412171810 AddOtpSecretExpiresAt: migrating ============================
-- add_column(:users, :otp_secret_expires_at, :datetime_with_timezone)
   -> 0.0027s
== 20220412171810 AddOtpSecretExpiresAt: migrated (0.0028s) ===================

Down

./bin/rails db:migrate:down VERSION=20220412171810
== 20220412171810 AddOtpSecretExpiresAt: reverting ============================
-- remove_column(:users, :otp_secret_expires_at, :datetime_with_timezone)
   -> 0.0029s
== 20220412171810 AddOtpSecretExpiresAt: reverted (0.0046s) ===================

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
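A minimal model of the before/after behaviour this MR describes, written here as an added example rather than GitLab's own code: the User struct, the TTL value, and the helper names are assumptions; the only thing taken from the MR is the new otp_secret_expires_at column.

```ruby
require 'securerandom'
require 'time'

# Hypothetical in-memory stand-in for a users row (not the real ActiveRecord model).
# otp_secret_expires_at mirrors the column added by the migration in this MR.
User = Struct.new(:otp_secret, :otp_secret_expires_at)

OTP_SECRET_TTL = 2 * 60 * 60 # seconds; assumed value, not taken from the MR

# Mints a fresh Base32 secret (constructed here as a stand-in for the app's generator).
def generate_otp_secret
  alphabet = ('A'..'Z').to_a + ('2'..'7').to_a
  Array.new(32) { alphabet[SecureRandom.random_number(alphabet.size)] }.join
end

# "Before": every request to the 2FA setup page mints a new secret, so a
# background request that fires while the user is enrolling their authenticator
# silently invalidates the secret the app was just provisioned with.
def otp_secret_regenerate_each_load!(user)
  user.otp_secret = generate_otp_secret
end

# "After": reuse the stored secret until otp_secret_expires_at has passed.
# Concurrent page loads inside the TTL all observe the same secret, so the
# code the user types still verifies against what the server stored.
def otp_secret_with_ttl!(user, now: Time.now)
  expired = user.otp_secret.nil? ||
            user.otp_secret_expires_at.nil? ||
            user.otp_secret_expires_at <= now
  if expired
    user.otp_secret = generate_otp_secret
    user.otp_secret_expires_at = now + OTP_SECRET_TTL
  end
  user.otp_secret
end

# Simulates a page load followed one second later by a background request and
# reports whether the secret the user enrolled with survived both.
def secret_stable_across_requests?(user, strategy, now: Time.now)
  fetch = lambda do |t|
    strategy == :ttl ? otp_secret_with_ttl!(user, now: t) : otp_secret_regenerate_each_load!(user)
  end
  fetch.call(now) == fetch.call(now + 1)
end
```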

Edited by Brian Williams