b876e02c3a
TOTP enrollment previously round-tripped the generated secret through a hidden form field and saved whatever the client submitted, letting an attacker with session access enroll a 2FA device they control by posting their own secret plus a matching code. Stash the secret in the session at GET /totp/new, read it only from the session at POST /totp, and drop the hidden field from the view. Notify the user by email on successful enrollment so unauthorized activations are visible even if a new vector appears later. Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
17 lines
372 B
Plaintext
17 lines
372 B
Plaintext
<p>Hello,</p>
|
|
|
|
<p>
|
|
Two-factor authentication was just enabled on the Clinch account for
|
|
<strong><%= @user.email_address %></strong>.
|
|
</p>
|
|
|
|
<p>
|
|
If you did this, you can ignore this email.
|
|
</p>
|
|
|
|
<p>
|
|
If you did <strong>not</strong> do this, your account may have been
|
|
accessed by someone else. Reset your password immediately and contact
|
|
your administrator.
|
|
</p>
|