Remove usage of alreadyAcceptedCode()/storeAccepedCode() in the TOTP,HOTP, Recovery Code plugins.

Open on Drupal.org →

Created on 22 November 2023, over 1 year ago

Updated 29 May 2025, 30 days ago

Remove usage of alreadyAcceptedCode()/storeAccepedCode() in the TOTP,HOTP, Recovery Code plugins.

Problem/Motivation

TOTP, and HOTP plugins are able to validate a token based on an increasing counter
The Recovery Code plugin removes accepted codes from its configuration once accepted.

Not all configured TOTP tokens will have yet reached this configuration state as it was just added to 8.x-1.3. While initial thoughts would be that we could make an assumption that the users last login time is the latest code used we can’t actually guarantee that as the service_tfa pl ugin may have consumed tokens without updating the user login time. What we can assume is that now() + timeSkew have been used. We could use a mass update hook to use this upper bound.

Site owners would be encouraged to run >=8.x-1.3 for some time with their user base to allow as many accounts as possible to obtain the timeSlice, however if sites use a short time skew (such as the default of 2 which is ~1minute in the future) they may determine on their own that the blackout window is small enough to not be of concern.

Steps to reproduce

N/A

Proposed resolution

Remove usage of alreadyAcceptedCode()/storeAccepedCode() but leave the methods in the base plugin.

Remaining tasks

Patch

User interface changes

None

API changes

None

Data model changes

Internal only.

📌 Task

Status

Active

Version

2.0

Component

Code

Created by

🇺🇸United States cmlara

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Merge Requests

!139Remove usage of alreadyAcceptedCode()/storeAccepedCode() in the TOTP,HOTP, Recovery Code plugins.
Merged
🇺🇸United States cmlara
updated 16 days ago

Comments & Activities

Issue created by @cmlara
Merge request !139Issue #3403462 by cmlara: Remove usage of alreadyAcceptedCode()/storeAccepedCode() in the TOTP,HOTP, Recovery Code plugins → (Merged) created by cmlara
Comment 30 days ago →
🇺🇸United States cmlara
Since 8.x-1.3 has been out for over a year we likely do not need to be as worried about the token window field being present.

Should have a CR for site owners to understand the impact of this change.
Comment 29 days ago →
🇺🇸United States cmlara
CR created https://www.drupal.org/node/3527375 →

A functional test of the update hook is in the branch.
Comment 18 days ago →
🇺🇸United States cmlara
Failed to consdier the tfa_service module and older versions mentioned in the IS, as such yes this should still fall back and add a timestamp when one is missing to add immediate protection.
Comment 17 days ago →
🇺🇸United States cmlara
Comment 16 days ago →
🇺🇸United States cmlara
Committed to Dev on 2.x, no backport due to changing the plugins architecture (generally all internal however API not well defined in 8.x-1.x)

Comment 16 days ago →

cmlara → committed dae64df3 on 2.x

Issue #3403462 by cmlara: Remove usage of alreadyAcceptedCode()/...

Comment 2 days ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024