1. Endpoint where server will need to create a code and insert a record into the database - e.g. A user has 2FA enabled, initiates a transaction from the web wallet and requests this endpoint
2. After the code is created, the server will need to send the appropriate SMS @kcole16 copy
3. Endpoint to query and verify that the code exists (and it's within a time limit?)
4. When the user types the code into the web wallet 2FA confirmation screen (TBD link issue from wallet repo) the endpoint in (3) is requested with the code
5. Upon request with POST body of the correct code in endpoint (3) we will sign and send the transaction to the network
Questions:
Is the transaction sent to the server in (1) or (5)?
What should the table schema be?
Do we have a timeout on the code?
> Is the transaction sent to the server in (1) or (5)
It has to be sent in (1), otherwise we won't be able to display it in SMS (which is a crucial step to prevent from wallet web UI being hijacked)
> What should the table schema be?
up to you to
> Do we have a timeout on the code?
We didn't have any issues handling requests for at least 10 seconds (nearcore timeout). Twilio / SendGrid should be much faster than that so I wouldn't worry much about timeout.
For the timeout, I was asking if we have a time limit to how long we will accept a code. i.e. we create the code, but it's not used for 1h or more, we should probably not accept this code anymore.
Another example would be removing old codes when we issue a new code? This means that all tx initiated by user with 2FA must be accepted sequentially by user entering in correct codes.
> For the timeout, I was asking if we have a time limit to how long we will accept a code. i.e. we create the code, but it's not used for 1h or more, we should probably not accept this code anymore.
Got it now – let's make it about 10 minutes.
> Another example would be removing old codes when we issue a new code? This means that all tx initiated by user with 2FA must be accepted sequentially by user entering in correct codes.
All transactions initiated by the user have to be sent sequentially regardless of 2FA. So it's enough to just keep one code per contact method.
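
The flow this thread settles on (transaction sent in step (1), a code valid for about 10 minutes, one code per contact method), sketched as an added example that is not part of the issue or the project's code. The class and field names, the transaction shape, the in-memory map standing in for the table, and the attempt limit are assumptions.

```javascript
// Added example, not project code. Names and shapes below are hypothetical.
const crypto = require('node:crypto');

const CODE_TTL_MS = 10 * 60 * 1000; // "about 10 minutes", per the thread
const MAX_ATTEMPTS = 5;             // assumption: the thread sets no attempt limit

// Hashing yields equal-length buffers, which timingSafeEqual requires.
const hash = (s) => crypto.createHash('sha256').update(s).digest();
// Assumed transaction shape: { receiver, amount }.
const describe = (tx) => `send ${tx.amount} to ${tx.receiver}`;

class PendingCodeStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.byContact = new Map(); // stands in for the database table
  }

  // Step (1): the transaction arrives here so the SMS can display it.
  issue(contact, transaction) {
    const code = String(crypto.randomInt(0, 1_000_000)).padStart(6, '0');
    // Overwriting the entry invalidates any older code for this contact method.
    this.byContact.set(contact, {
      codeHash: hash(code),
      transaction,
      expiresAt: this.now() + CODE_TTL_MS,
      attempts: 0,
    });
    return { code, sms: `Code ${code} confirms: ${describe(transaction)}` };
  }

  // Step (3): returns the stored transaction to sign, or null on any failure.
  // Only the transaction recorded in step (1) is ever returned for signing.
  verify(contact, submitted) {
    const entry = this.byContact.get(contact);
    if (!entry) return null;
    if (this.now() > entry.expiresAt || entry.attempts >= MAX_ATTEMPTS) {
      this.byContact.delete(contact); // expired or guessed too often
      return null;
    }
    entry.attempts += 1;
    if (!crypto.timingSafeEqual(entry.codeHash, hash(String(submitted)))) return null;
    this.byContact.delete(contact); // single use: a replayed code finds no entry
    return entry.transaction;
  }
}
```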