Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent deleting last passwordless device with no password #47592

Merged
merged 1 commit into from
Oct 16, 2024
Merged

Prevent deleting last passwordless device with no password #47592

merged 1 commit into from
Oct 16, 2024

Conversation

Joerger
Copy link
Contributor

@Joerger Joerger commented Oct 15, 2024
edited
Loading

Prevent users from deleting their last passwordless device if they have no other means of logging in, even if passwordless is currently disabled. This way, if passwordless is re-enabled, the user will be able to log in.

I found this small logic edge case while creating #47426 and figured it may as well be covered.

Honestly, after giving this more thought and seeing the change on its merit, this may be a distinction without a difference. In practice the user will probably need to be reset anyways, except for the hard to imagine edge case:

  1. admin temporarily disabled passwordless login
  2. the user has an active login session
  3. the user deletes their passkey in, due to confusion or otherwise
  4. admin re-enables passworldess, user is now locked out, which could have been avoided

Changelog: Update logic around deleting last passkey to prevent edge case lockouts.

codingllama
codingllama approved these changes Oct 16, 2024
View reviewed changes
Copy link
Contributor

@codingllama codingllama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the small, focused PR.

lib/auth/auth.go
@@ -3880,11 +3880,11 @@ func (a *Server) deleteMFADeviceSafely(ctx context.Context, user, deviceName str
// Check whether the device to delete is the last passwordless device,
// and whether deleting it would lockout the user from login.
//
// TODO(Joerger): the user may already be locked out from login if a password
// Note: the user may already be locked out from login if a password
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As you said, it's a pretty weird edge case, but I think I'm OK with the if essentially saying "is last passkey && has no password".

@codingllama
Copy link
Contributor

Note: depends on #47426. Please wait for the base PR to be merged before merging this one (naturally).

Base automatically changed from joerger/use-second-factors to master October 16, 2024 19:40
@Joerger Joerger force-pushed the joerger/prevent-transitory-passwordless-lockout branch from 3c36234 to 4baf9f6 Compare October 16, 2024 21:54
@Joerger Joerger enabled auto-merge October 16, 2024 21:54
@Joerger Joerger added this pull request to the merge queue Oct 16, 2024
Merged via the queue into master with commit 98c11b6 Oct 16, 2024
39 checks passed
@Joerger Joerger deleted the joerger/prevent-transitory-passwordless-lockout branch October 16, 2024 22:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smallinsky smallinsky smallinsky approved these changes

@codingllama codingllama codingllama approved these changes

Assignees
No one assigned
Labels
size/sm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Joerger @codingllama @smallinsky