Clear / refresh 2FA backup codes · nextcloud/server#9036

(9 comments) (0 reactions) (0 assignees)PHP (34,953 stars) (4,865 forks)batch import

1. to developenhancementfeature: authenticationgood first issuehelp wanted

説明

as already mentioned in https://github.com/nextcloud/twofactor_totp/issues/244, maybe just a question... but shouldn't the Backup-Codes be cleared/deleted after an user disables his 2FA?

in the database they are still present, also for users which were completely deleted ages ago.

i'm not sure if this may even become a security issue, especially if a user enables 2FA again...

技術スタック: なし
領域: securityauthentication
Issue 種別: feature
難度: 3
推定時間: 1-3 hours
活動状況: stale
明確さ: clear
前提条件: PHPNextcloud 2FA conceptDatabase migrations
初心者向け度: 60
調査方針: Look at the twofactor totp app (apps/twofactor totp/) and its database schema. Review issue #244 for prior discussion. Implement cleanup logic to delete backup codes when 2FA is disabled, and also remove codes for deleted users. Check the existing event hooks and migration files.