Hold TOTP enrollment secret server-side and email user on activation
TOTP enrollment previously round-tripped the generated secret through a hidden form field and saved whatever the client submitted, letting an attacker with session access enroll a 2FA device they control by posting their own secret plus a matching code. Stash the secret in the session at GET /totp/new, read it only from the session at POST /totp, and drop the hidden field from the view. Notify the user by email on successful enrollment so unauthorized activations are visible even if a new vector appears later. Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
This commit is contained in:
Dan Milne
19
test/mailers/totp_mailer_test.rb
Normal file
19
test/mailers/totp_mailer_test.rb
Normal file
@@ -0,0 +1,19 @@
|
||||
require "test_helper"
|
||||
|
||||
class TotpMailerTest < ActionMailer::TestCase
|
||||
test "enabled email addresses the user and names the event" do
|
||||
user = User.create!(email_address: "totp_mailer_test@example.com", password: "password123")
|
||||
|
||||
email = TotpMailer.enabled(user)
|
||||
|
||||
assert_equal ["totp_mailer_test@example.com"], email.to
|
||||
assert_equal "Two-factor authentication enabled on your account", email.subject
|
||||
text_body = email.text_part.body.to_s
|
||||
html_body = email.html_part.body.to_s
|
||||
assert_match "totp_mailer_test@example.com", text_body
|
||||
assert_match "totp_mailer_test@example.com", html_body
|
||||
assert_match(/Reset your password/i, text_body)
|
||||
|
||||
user.destroy
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user