nextcloud/server

Clear / refresh 2FA backup codes

Open

#9,036 opened on Mar 30, 2018

View on GitHub
 (9 comments) (0 reactions) (0 assignees)PHP (34,953 stars) (4,865 forks)batch import
1. to developenhancementfeature: authenticationgood first issuehelp wanted

Description

as already mentioned in https://github.com/nextcloud/twofactor_totp/issues/244, maybe just a question... but shouldn't the Backup-Codes be cleared/deleted after an user disables his 2FA?

in the database they are still present, also for users which were completely deleted ages ago.

i'm not sure if this may even become a security issue, especially if a user enables 2FA again...

Contributor guide

Tech stack
None
Domain
securityauthentication
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
PHPNextcloud 2FA conceptDatabase migrations
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
Look at the twofactor totp app (apps/twofactor totp/) and its database schema. Review issue #244 for prior discussion. Implement cleanup logic to delete backup codes when 2FA is disabled, and also remove codes for deleted users. Check the existing event hooks and migration files.