Improved user management #438
- Implemented translations for 2FA in English, German, French.
- Created migration to add `two_factor_enabled` and `two_factor_backup_codes` fields to users table.
- Developed tests for enabling, disabling, and verifying 2FA.
- Added integration tests for 2FA login flow in the auth controller.
- Created controller tests for 2FA setup, enable, disable, challenge, and verification processes.
…eactivate user functionalities; enhance two-factor authentication handling; and update translations.
- Updated account edit template to improve styling and accessibility for subscription and credits sections.
- Enhanced two-factor authentication challenge template to conditionally display verification methods based on user settings.
- Refactored two-factor setup template to provide clearer options for email-based 2FA and WebAuthn security keys.
- Improved user admin edit template to display and manage security keys and email 2FA status.
- Added WebAuthn credentials array to users table in the database.
- Introduced JavaScript functions for registering and authenticating with WebAuthn security keys.
- Updated translation files to include new strings related to WebAuthn and email 2FA.
- Added necessary dependencies for WebAuthn functionality in mix.exs.

- Implement comprehensive tests for WebAuthn registration and authentication flows in `auth_webauthn_test.exs`.
- Enhance `two_factor_controller_test.exs` to include WebAuthn options in 2FA challenges.
- Create `webauthn_controller_test.exs` to validate WebAuthn controller actions.
- Add integration tests in `webauthn_integration_test.exs` for complete WebAuthn registration and authentication scenarios.
- Introduce `webauthn_router_test.exs` to ensure proper routing and accessibility for WebAuthn endpoints.
- Validate error handling for malformed requests and database errors in WebAuthn flows.
Video walkthrough of changes: 0620.1.mp4
Hey there, thank you for this PR! Like with the other PR, I'd ask you to break it into smaller bits. I think the most straightforward part is improving the admin page and allowing the root user to change a user's email, name, and resend the activation email. Not entirely sure if it makes sense to allow manually changing the status - when would you want to do that? I can't accept the 2FA changes right now because I'll have to read up on best practices for 2FA first and this will take some time. Just some thoughts: The main method I'd want to support is TOTP, so if we add 2FA, that must be supported. Then there is usually some sort of fallback code.
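The two requirements in the comment above (TOTP as the primary method, plus single-use fallback codes kept in a field like `two_factor_backup_codes`) as an added example in Python; this is not code from this PR or the project (which is Elixir), and it assumes a plain dict user record, RFC 6238 TOTP over HMAC-SHA1 as authenticator apps generate it, and a hypothetical `totp_secret` field.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing Unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", at // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (clock drift)."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + drift * STEP).encode(), code.encode())
        for drift in range(-window, window + 1)
    )


def hash_backup_code(code: str) -> str:
    # Constructed example uses SHA-256; a slow password hash is preferable in production.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def generate_backup_codes(count: int = 8):
    """Return (plaintext codes shown once, hashes stored in two_factor_backup_codes)."""
    plain = [secrets.token_hex(5) for _ in range(count)]
    return plain, [hash_backup_code(c) for c in plain]


def verify_second_factor(user: dict, code: str, now: int):
    """Return (accepted, updated_user). TOTP first; otherwise consume one backup code."""
    if not user["two_factor_enabled"]:
        return True, user
    if verify_totp(user["totp_secret"], code, now):
        return True, user
    presented = hash_backup_code(code)
    stored = user["two_factor_backup_codes"]
    remaining = [h for h in stored if not hmac.compare_digest(h, presented)]
    if len(remaining) == len(stored):
        return False, user  # neither a valid TOTP nor an unused backup code
    return True, {**user, "two_factor_backup_codes": remaining}  # code is now spent
```

The caller must persist the returned user record, otherwise a spent backup code stays valid.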
I realize it's a bit of a big PR - TOTP can be easily added, but with WebAuthn, I feel that TOTP is deprecated nowadays. I mainly use it to be able to create users without an actual email behind the scenes. You could for example create users like It was particularly useful during development. But it seems that the root user should be able to override activation status, in case of support requests, for example. Perhaps they are not receiving the email, the SMTP server is down, or whatever other reason. It's only something the root user can do. Also I do not have a valid SMTP server to use for the system mailer and would rather not expose one, so it was a workaround to be able to confirm users. (see #436)
This adds many things:
It has been mostly written with the help of Claude Sonnet 4, but under supervision. I have tested it manually as well and things seem to work just fine.