Make the skip two factor authentication time period configurable.

The setting in defaults.config which can be overidden in localOverrides.conf is $twoFA{skip_verification_code_interval}. The default value is set to one year.
openwebwork · Mar 17, 2024 · 3d27aaa · 3d27aaa
1 parent a878478
commit 3d27aaa
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 9 deletions.
diff --git a/conf/defaults.config b/conf/defaults.config
@@ -975,7 +975,7 @@ $twoFA{enabled} = 1;
 # the user, or can be directly displayed in the browser on the next page that is
 # shown after password verification succeeds.
 #
-# If $twoFA{email_sender} is set, then the email approach will be used.  In this
+# If $twoFA{email_sender} is set, then the email approach will be used. In this
 # case, after a user signs in and the password is verified, the user will be
 # sent an email containing a QR code and instructions on how to set up a OTP
 # generator app. This is probably a more secure way to set up two factor
@@ -995,6 +995,16 @@ $twoFA{enabled} = 1;
 # better to find a valid email address to use for this.
 $twoFA{email_sender} = '';
 
+# When a user signs in and enters the two factor authentication code, the user
+# has the option to skip two factor verification on a given device for
+# subsequent logins. That will only last for the amount of time set as the
+# skip_verification_code_interval. By default this is set to one year. However,
+# good security practices most likely recommend a shorter time interval for
+# this. So change this value if you want to require a shorter and thus more
+# secure time interval before users will need to enter the two factor
+# authentication code again.
+$twoFA{skip_verification_code_interval} = 3600 * 24 * 365;
+
 ################################################################################
 # WeBWorK Caliper
 ################################################################################

diff --git a/conf/localOverrides.conf.dist b/conf/localOverrides.conf.dist
@@ -605,7 +605,7 @@ $mail{feedbackRecipients}    = [
 # the user, or can be directly displayed in the browser on the next page that is
 # shown after password verification succeeds.
 #
-# If $twoFA{email_sender} is set, then the email approach will be used.  In this
+# If $twoFA{email_sender} is set, then the email approach will be used. In this
 # case, after a user signs in and the password is verified, the user will be
 # sent an email containing a QR code and instructions on how to set up a OTP
 # generator app. This is probably a more secure way to set up two factor
@@ -625,8 +625,18 @@ $mail{feedbackRecipients}    = [
 # better to find a valid email address to use for this.
 #$twoFA{email_sender} = '[email protected]';
 
+# When a user signs in and enters the two factor authentication code, the user
+# has the option to skip two factor verification on a given device for
+# subsequent logins. That will only last for the amount of time set as the
+# skip_verification_code_interval. By default this is set to one year. However,
+# good security practices most likely recommend a shorter time interval for
+# this. So change this value if you want to require a shorter and thus more
+# secure time interval before users will need to enter the two factor
+# authentication code again.
+#$twoFA{skip_verification_code_interval} = 3600 * 24 * 7;
+
 # By default all users with the role of "student" or higher are required to use
-# two factor authentication when signing in with a username and password.  If
+# two factor authentication when signing in with a username and password. If
 # you want to disable two factor authentication for students, but require it for
 # instructors then set the permission level below to "login_proctor" (or
 # higher).

diff --git a/lib/WeBWorK/Authen.pm b/lib/WeBWorK/Authen.pm
@@ -325,7 +325,6 @@ sub get_credentials {
 	}
 
 	my ($cookieUser, $cookieKey, $cookieTimeStamp) = $self->fetchCookie;
-	$c->log->info('"' . $cookieUser . '"') if $cookieUser;
 
 	if (defined $cookieUser && defined $c->param('user')) {
 		$self->maybe_kill_cookie if $cookieUser ne $c->param('user');
@@ -497,8 +496,8 @@ sub verify_normal_user {
 					$c->signed_cookie(
 						'WeBWorK.2FA.' . $c->ce->{courseName} => b64_encode($user_id) =~ s/\n//gr,
 						{
-							max_age  => 3600 * 24 * 365,            # This cookie is valid for one year.
-							expires  => time + 3600 * 24 * 365,
+							max_age  => $c->ce->{twoFA}{skip_verification_code_interval},
+							expires  => time + $c->ce->{twoFA}{skip_verification_code_interval},
 							path     => $c->ce->{webworkURLRoot},
 							samesite => $c->ce->{CookieSameSite},
 							secure   => $c->ce->{CookieSecure},

diff --git a/templates/ContentGenerator/TwoFactorAuthentication.html.ep b/templates/ContentGenerator/TwoFactorAuthentication.html.ep
@@ -47,9 +47,9 @@
 			<%= label_for skip_2fa => maketext('Skip two factor verification on this device.') =%>
 		</div>
 		<div class="alert alert-warning mb-2">
-			<%= maketext('If you check the box above, then two factor verification will be skipped from now on when '
-				. 'signing in with this browser. This feature is not safe for public workstations, untrusted machines, '
-				. 'and machines over which you do not have direct control.') =%>
+			<%= maketext('If you check the box above, then two factor verification will be skipped for a limited '
+				. 'time when signing in with this browser. This feature is not safe for public workstations, '
+				. 'untrusted machines, and machines over which you do not have direct control.') =%>
 		</div>
 		% if ($authen_error) {
 			<div class="alert alert-danger" tabindex="0"><%= $authen_error =%></div>