Reset webauthn devices in reset 2FA action #6125
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #6125 +/- ##
=======================================
Coverage 97.24% 97.24%
=======================================
Files 476 476
Lines 9785 9787 +2
=======================================
+ Hits 9515 9517 +2
Misses 270 270 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| end | ||
|
|
||
| def disable_user_mfa | ||
| return unless user.no_mfa_devices? |
There was a problem hiding this comment.
For some reason, when calling destroy_all, the webauthn credential still persists in the association so destroying the last credential would not result in disabling mfa.
I called reset_mfa_attributes in the admin action itself, even though it is repetitive, it ensures the action actually correctly removed all MFA methods.
|
Fix for CI: #6126 |
jenshenny
force-pushed
the
reset-webauthn-admin
branch
from
56825c5 to
754a423
Compare
| def handle_record(user) | ||
| user.disable_totp! | ||
| user.disable_totp! if user.totp_enabled? | ||
| user.webauthn_credentials.destroy_all if user.webauthn_enabled? |
There was a problem hiding this comment.
Using destroy_all is going to trigger the disable_user_mfa & send_deletion_email callback for each webauthn device. Considering this is an admin action, should we switch this to be delete_all to skip the callbacks? (I suspect this will also resolve your comment below)
There was a problem hiding this comment.
Should we consider moving the idea of resetting MFA (OTP + WebAuthN) into a User#reset_all_mfa method to better capture everything and test for it?
There was a problem hiding this comment.
Should we also consider wrapping this all in a transaction?
There was a problem hiding this comment.
The avo action is wrapped in a transaction so I think we're fine on that part.
I tried to move everything into reset_all_mfa , have a delete_all, and only send one email instead of one per device. However, the audits are subscribed to active_record.sql events and won't capture the delete_all webauthn cred records in the audit. It's going to take me a bit longer to implement getting these deleted records in the audit so I'm going to ship this as is to unblock the support request and come back to this after.
github-project-automation
bot
moved this from Todo
to Ready
in RubyGems.org Pull Requests
jenshenny
force-pushed
the
reset-webauthn-admin
branch
from
754a423 to
2c6ad2d
Compare
github-project-automation
bot
moved this from Ready
to Merged
in RubyGems.org Pull Requests
2 participants
A support request came in to reset their 2FA. I noticed that the admin action doesn't reset Webauthn devices so if a user has a passkey set up, the action won't completely reset their MFA.