Clear / refresh 2FA backup codes · nextcloud/server#9036

(9 评论) (0 反应) (0 负责人)PHP (34,953 star) (4,865 fork)batch import

1. to developenhancementfeature: authenticationgood first issuehelp wanted

描述

as already mentioned in https://github.com/nextcloud/twofactor_totp/issues/244, maybe just a question... but shouldn't the Backup-Codes be cleared/deleted after an user disables his 2FA?

in the database they are still present, also for users which were completely deleted ages ago.

i'm not sure if this may even become a security issue, especially if a user enables 2FA again...

技术栈: 无
领域: securityauthentication
议题类型: feature
难度: 3
预计时间: 1-3 hours
活动状态: stale
清晰度: clear
前置要求: PHPNextcloud 2FA conceptDatabase migrations
新手友好度: 60
研究方向: Look at the twofactor totp app (apps/twofactor totp/) and its database schema. Review issue #244 for prior discussion. Implement cleanup logic to delete backup codes when 2FA is disabled, and also remove codes for deleted users. Check the existing event hooks and migration files.