
Disable MFA without TOTP

Open mtrezza opened this issue 8 months ago • 1 comment

New Issue Checklist

Issue Description

Originally posted by @SteffenKeller:

A logged-in user can disable MFA for their account without entering a valid verification code by simply calling the unlink function or saving null for the MFA auth data.

The TOTP auth adapter prevents setting a new secret without a valid code (AuthenticationAdapters.spec.js line 2413), but it does not prevent clearing the secret first and then setting a new one.

This may not be critical, but since the TOTP auth adapter was designed to require a valid code to disable MFA, I thought it was worth mentioning.

Steps to reproduce

JS SDK:

await user._unlinkFrom('mfa');

or

await user.save(
    { authData: { mfa: null } },
    { sessionToken: user.getSessionToken() }
);

Environment

Server

  • Parse Server version: FILL_THIS_OUT

mtrezza commented Mar 02 '25 03:03

Thanks for opening this issue!

  • ❌ Please fill out all fields with a placeholder FILL_THIS_OUT, otherwise your issue will be closed. If a field does not apply to the issue, fill in n/a.