
refactor: mfa store

Open heiytor opened this issue 1 year ago • 0 comments

Currently, when a user attempts to log in with 2FA enabled, the API returns a stateful token along with the user's information. This can lead to two issues:

  1. Information leak: Since 2FA requires a code in addition to the password for authentication, returning user information without full authentication may pose a security risk.

  2. Violation of RFC 7519: JWT standards mandate stateless tokens. By adding an mfa.validate field to determine token validity, the API contradicts this standard.

To address these issues, the login route now returns a 401 status code with an X-MFA-Token header, indicating whether the user must authenticate using a 2FA method. As a result, the JWT will no longer include the mfa attribute. Authentication for these users will be handled exclusively on the cloud side with the token returned in the header.

Additionally, a security issue involving JSON binding in the User struct, where the secret and recovery codes for MFA were returned, has been resolved. The gateway will no longer provide the X-MFA and X-Validate-MFA headers; the protection around the /mfa/auth and /mfa/recovery endpoints has been removed.

heiytor, May 03 '24 16:05
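The pattern the issue describes, as an added example rather than ShellHub's own code: the login handler answers 401 with an opaque, server-side (stateful) X-MFA-Token and an empty body when the user still owes a second factor, so no user data and no `mfa.validate` claim leave the server before full authentication, while the `json:"-"` tags make it impossible for JSON binding to emit the MFA secret or recovery codes. The `User` struct, the `/api/login` route, the pending-challenge map, and the sample users are all assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// User is a hypothetical user record for this example (not ShellHub's).
// PasswordHash, MFASecret and RecoveryCodes carry `json:"-"`, so binding the
// struct to a JSON response can never emit them (the leak the issue reports).
type User struct {
	ID            string   `json:"id"`
	Username      string   `json:"username"`
	MFAEnabled    bool     `json:"mfa_enabled"`
	PasswordHash  [32]byte `json:"-"`
	MFASecret     string   `json:"-"`
	RecoveryCodes []string `json:"-"`
}

// UserJSON renders the public view of a user; only untagged-out fields appear.
func UserJSON(u User) string {
	b, _ := json.Marshal(u)
	return string(b)
}

// Server holds the constructed user store and the pending MFA challenges.
// The challenges are deliberately stateful and server-side: the opaque
// X-MFA-Token refers to one of them, so the JWT stays stateless.
type Server struct {
	users   map[string]User
	pending map[string]string // X-MFA-Token -> user ID
	newTok  func() string     // injectable so tests can use a fixed token
}

func NewServer(users map[string]User, newTok func() string) *Server {
	return &Server{users: users, pending: map[string]string{}, newTok: newTok}
}

func randomToken() string {
	var b [16]byte
	_, _ = rand.Read(b[:])
	return hex.EncodeToString(b[:])
}

func hashPassword(p string) [32]byte { return sha256.Sum256([]byte(p)) }

// Login checks the password and either answers 401 + X-MFA-Token with an empty
// body (user must complete 2FA; nothing about the user is disclosed), or 200
// with the user's public JSON when no second factor is required.
func (s *Server) Login(w http.ResponseWriter, r *http.Request) {
	var creds struct{ Username, Password string }
	if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	u, ok := s.users[creds.Username]
	h := hashPassword(creds.Password)
	if !ok || subtle.ConstantTimeCompare(h[:], u.PasswordHash[:]) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if u.MFAEnabled {
		tok := s.newTok()
		s.pending[tok] = u.ID
		w.Header().Set("X-MFA-Token", tok)
		w.WriteHeader(http.StatusUnauthorized) // no body: nothing leaks pre-2FA
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte(UserJSON(u)))
}

// LoginResult drives Login through httptest and returns what a client sees.
func (s *Server) LoginResult(username, password string) (status int, mfaToken string, body string) {
	reqBody := fmt.Sprintf(`{"Username":%q,"Password":%q}`, username, password)
	req := httptest.NewRequest(http.MethodPost, "/api/login", strings.NewReader(reqBody))
	rec := httptest.NewRecorder()
	s.Login(rec, req)
	return rec.Code, rec.Header().Get("X-MFA-Token"), strings.TrimSpace(rec.Body.String())
}

// PendingUser resolves an X-MFA-Token to the user who still owes a 2FA code;
// the second step (TOTP or recovery code) would consume it.
func (s *Server) PendingUser(tok string) (string, bool) {
	id, ok := s.pending[tok]
	return id, ok
}

// SampleUsers is a constructed fixture: alice has 2FA enabled, bob does not.
func SampleUsers() map[string]User {
	return map[string]User{
		"alice": {ID: "u1", Username: "alice", MFAEnabled: true, PasswordHash: hashPassword("alice-pw"),
			MFASecret: "JBSWY3DPEHPK3PXP", RecoveryCodes: []string{"r1", "r2"}},
		"bob": {ID: "u2", Username: "bob", MFAEnabled: false, PasswordHash: hashPassword("bob-pw")},
	}
}

func main() {
	s := NewServer(SampleUsers(), randomToken)
	fmt.Println(s.LoginResult("alice", "alice-pw")) // 401, <token>, ""
	fmt.Println(s.LoginResult("bob", "bob-pw"))     // 200, "", public JSON
}
```

The check worth keeping from this: marshal the user struct in a test and compare it against the exact public shape, so a later field added without `json:"-"` fails the build rather than ships a secret.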