From 2b182ab28da5943cf898c499c4edfde9b63ade46 Mon Sep 17 00:00:00 2001
From: Glenn Rice
Date: Sat, 16 Mar 2024 16:09:57 -0500
Subject: [PATCH] Make the skip two factor authentication time period configurable.

The setting in defaults.config which can be overidden in localOverrides.conf is $twoFA{skip_verification_code_interval}. The default value is set to one year.
---
 conf/defaults.config | 12 +++++++++++-
 conf/localOverrides.conf.dist | 14 ++++++++++++--
 lib/WeBWorK/Authen.pm | 4 ++--
 3 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/conf/defaults.config b/conf/defaults.config
index 7648ba58eb..6936fc6a04 100644
--- a/conf/defaults.config
+++ b/conf/defaults.config
@@ -975,7 +975,7 @@ $twoFA{enabled} = 1;
 # the user, or can be directly displayed in the browser on the next page that is
 # shown after password verification succeeds.
 #
-# If $twoFA{email_sender} is set, then the email approach will be used. In this
+# If $twoFA{email_sender} is set, then the email approach will be used. In this
 # case, after a user signs in and the password is verified, the user will be
 # sent an email containing a QR code and instructions on how to set up a OTP
 # generator app. This is probably a more secure way to set up two factor
@@ -995,6 +995,16 @@ $twoFA{enabled} = 1; # better to find a valid email address to use for this. $twoFA{email_sender} = ''; +# When a user signs in and enters the two factor authentication code, the user +# has the option to skip two factor verification on a given device for +# subsequent logins. That will only last for the amount of time set as the +# skip_verification_code_interval. By default this is set to one year. However, +# good security practices most likely recommend a shorter time interval for +# this. So change this value if you want to require a shorter and thus more +# secure time interval before users will need to enter the two factor +# authentication code again. +$twoFA{skip_verification_code_interval} = 3600 * 24 * 365; + ################################################################################ # WeBWorK Caliper ################################################################################ diff --git a/conf/localOverrides.conf.dist b/conf/localOverrides.conf.dist index d0a5d8ba54..d3e2e5c529 100644 --- a/conf/localOverrides.conf.dist +++ b/conf/localOverrides.conf.dist @@ -605,7 +605,7 @@ $mail{feedbackRecipients} = [ # the user, or can be directly displayed in the browser on the next page that is # shown after password verification succeeds. # -# If $twoFA{email_sender} is set, then the email approach will be used. In this +# If $twoFA{email_sender} is set, then the email approach will be used. In this # case, after a user signs in and the password is verified, the user will be # sent an email containing a QR code and instructions on how to set up a OTP # generator app. This is probably a more secure way to set up two factor 
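Review bot: The new comment block above `$twoFA{skip_verification_code_interval} = 3600 * 24 * 365;` never states the unit, so an administrator overriding the value has to infer from the arithmetic that it is a number of seconds; the same wording is duplicated in the conf/localOverrides.conf.dist hunk below. I would add `# The value is a number of seconds and must be a positive integer.` directly before the assignment, since the Authen.pm hunk in this patch passes it straight through as the cookie max_age and expiry offset. The sentence "good security practices most likely recommend a shorter time interval" is hedged advice in a place where administrators look for a recommendation; either name a concrete shorter value or state plainly that the one-year default favours convenience over security. It would also help to say that lowering the value only affects cookies issued after the change, which is what the Authen.pm hunk implies.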
@@ -625,8 +625,18 @@ $mail{feedbackRecipients} = [ # better to find a valid email address to use for this. #$twoFA{email_sender} = 'noreply@your.school.edu'; +# When a user signs in and enters the two factor authentication code, the user +# has the option to skip two factor verification on a given device for +# subsequent logins. That will only last for the amount of time set as the +# skip_verification_code_interval. By default this is set to one year. However, +# good security practices most likely recommend a shorter time interval for +# this. So change this value if you want to require a shorter and thus more +# secure time interval before users will need to enter the two factor +# authentication code again. +#$twoFA{skip_verification_code_interval} = 3600 * 24 * 7; + # By default all users with the role of "student" or higher are required to use -# two factor authentication when signing in with a username and password. If +# two factor authentication when signing in with a username and password. If # you want to disable two factor authentication for students, but require it for # instructors then set the permission level below to "login_proctor" (or # higher). diff --git a/lib/WeBWorK/Authen.pm b/lib/WeBWorK/Authen.pm index e3781b6af0..6581bd5c69 100644 --- a/lib/WeBWorK/Authen.pm +++ b/lib/WeBWorK/Authen.pm @@ -497,8 +497,8 @@ sub verify_normal_user { $c->signed_cookie( 'WeBWorK.2FA.' . $c->ce->{courseName} => b64_encode($user_id) =~ s/\n//gr, { - max_age => 3600 * 24 * 365, # This cookie is valid for one year. - expires => time + 3600 * 24 * 365, + max_age => $c->ce->{twoFA}{skip_verification_code_interval}, + expires => time + $c->ce->{twoFA}{skip_verification_code_interval}, path => $c->ce->{webworkURLRoot}, samesite => $c->ce->{CookieSameSite}, secure => $c->ce->{CookieSecure},
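Review bot: The configuration value is used unchecked for both `max_age` and `expires` in the signed_cookie call, so if a localOverrides.conf sets $twoFA{skip_verification_code_interval} to undef, an empty string or a non-numeric string, `time + ...` silently evaluates to roughly the current time (with an uninitialized-value warning at most) and a skip cookie is issued that is already expired, which is hard to diagnose from the user's side. I would read the value once and fail loudly on a bad setting, e.g. `my $interval = $c->ce->{twoFA}{skip_verification_code_interval};` followed by `die 'twoFA skip_verification_code_interval must be a positive integer' unless defined $interval && $interval =~ /\A[1-9]\d*\z/;`, then use `$interval` for both keys. Because max_age and expires are fixed when the cookie is issued, reducing the interval later does not shorten cookies already in circulation unless the path that honours this cookie also compares its age against the current setting, which this hunk does not show; the config comment should say so. The enclosing sub verify_normal_user starts and ends outside the hunk.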