
Insert, Send, Query & Delete 2FA Codes

Open mattlockyer opened this issue 5 years ago • 3 comments

  1. Endpoint where server will need to create a code and insert a record into the database - e.g. A user has 2FA enabled, initiates a transaction from the web wallet and requests this endpoint
  2. After the code is created, the server will need to send the appropriate SMS @kcole16 copy
  3. Endpoint to query and verify that the code exists (and it's within a time limit?)
  4. When the user types the code into the web wallet 2FA confirmation screen (TBD link issue from wallet repo) the endpoint in (3) is requested with the code
  5. Upon request with POST body of the correct code in endpoint (3) we will sign and send the transaction to the network

Questions:

  • Is the transaction sent to the server in (1) or (5)?
  • What should the table schema be?
  • Do we have a timeout on the code?

mattlockyer, May 21 '20 03:05

> Is the transaction sent to the server in (1) or (5)?

It has to be sent in (1), otherwise we won't be able to display it in the SMS (which is a crucial step to protect against the wallet web UI being hijacked).

> What should the table schema be?

up to you to

> Do we have a timeout on the code?

We didn't have any issues handling request for at least 10 seconds (nearcore timeout). Twilio / SendGrid should be much faster than that so I wouldn't worry much about timeout.

vgrichina, May 21 '20 03:05

Points make sense. Thanks.

For the timeout, I was asking if we have a time limit to how long we will accept a code. i.e. we create the code, but it's not used for 1h or more, we should probably not accept this code anymore.

Another example would be removing old codes when we issue a new code? This means that all tx initiated by user with 2FA must be accepted sequentially by user entering in correct codes.

mattlockyer, May 21 '20 14:05

> For the timeout, I was asking if we have a time limit to how long we will accept a code. i.e. we create the code, but it's not used for 1h or more, we should probably not accept this code anymore.

Got it now – let's make it about 10 minutes.

> Another example would be removing old codes when we issue a new code? This means that all tx initiated by user with 2FA must be accepted sequentially by user entering in correct codes.

All transactions initiated by the user have to be sent sequentially regardless of 2FA. So it's enough to just keep one code per contact method.

vgrichina, May 22 '20 21:05
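
The flow agreed in this thread (transaction stored with the code in step 1, one code per contact method, codes accepted for about 10 minutes), as an added example that is not part of the issue or of the near-contract-helper code. The in-memory `Map` standing in for the database table, the function names `issueCode` / `verifyCode` and the attempt limit are assumptions.

```javascript
// Added example, not near-contract-helper code. A Map stands in for the DB table.
const crypto = require('node:crypto');

const CODE_TTL_MS = 10 * 60 * 1000; // "about 10 minutes", per the thread
const MAX_ATTEMPTS = 5;             // assumption: not discussed in the thread
const pending = new Map();          // contactMethod -> record (one code per contact method)

// Store only a salted HMAC of the code, so the table never holds it in clear.
const hashCode = (salt, code) =>
  crypto.createHmac('sha256', salt).update(code).digest();

// Step (1): bind the transaction to a fresh code; the return value goes into the SMS.
function issueCode(contactMethod, transaction, now = Date.now()) {
  const code = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  const salt = crypto.randomBytes(16);
  // set() overwrites any earlier record, so an older code stops working.
  pending.set(contactMethod, {
    salt,
    codeHash: hashCode(salt, code),
    transaction,
    expiresAt: now + CODE_TTL_MS,
    attempts: 0,
  });
  return code;
}

// Steps (3)-(5): return the stored transaction to sign, or null if the code is rejected.
function verifyCode(contactMethod, submitted, now = Date.now()) {
  const rec = pending.get(contactMethod);
  if (!rec) return null;
  if (now > rec.expiresAt || rec.attempts >= MAX_ATTEMPTS) {
    pending.delete(contactMethod); // expired or guessed too often: drop the record
    return null;
  }
  rec.attempts += 1;
  const candidate = hashCode(rec.salt, String(submitted));
  if (!crypto.timingSafeEqual(rec.codeHash, candidate)) return null;
  pending.delete(contactMethod); // single use
  return rec.transaction;       // sign what was stored in step (1), not what the client resends
}
```

Because the transaction that gets signed is the one stored at issue time, the details shown in the SMS and the transaction sent to the network cannot diverge.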