Compare commits

...

1 Commits

Author SHA1 Message Date
James Edington
21fe97fa16 Saner TOTP provisioning
A user's e-mail address may be fluid, and the site "instance name"
may be strange or change regularly. There's no reason to use these
over the user's stable ID and the site's stable hostname for TOTP
parameters. Even if the system is built to TOLERATE changes (as it
is -- I tested it), it seems much more elegant to have these para-
meters as stable identifiers.
2022-03-15 12:56:27 -05:00
2 changed files with 2 additions and 2 deletions

View File

@ -34,7 +34,7 @@ defmodule Pleroma.MFA.TOTP do
defp default_digits, do: Config.get(@config_ns ++ [:digits])
defp default_issuer,
do: Config.get(@config_ns ++ [:issuer], Config.get([:instance, :name]))
do: Config.get(@config_ns ++ [:issuer], Config.get([:instance, :host]))
@doc "Creates a random Base 32 encoded string"
def generate_secret do

View File

@ -41,7 +41,7 @@ defmodule Pleroma.Web.PleromaAPI.TwoFactorAuthenticationController do
def setup(%{assigns: %{user: user}} = conn, %{"method" => "totp"} = _params) do
with {:ok, user} <- MFA.setup_totp(user),
%{secret: secret} = _ <- user.multi_factor_authentication_settings.totp do
provisioning_uri = TOTP.provisioning_uri(secret, "#{user.email}")
provisioning_uri = TOTP.provisioning_uri(secret, "#{user.ap_id}")
json(conn, %{provisioning_uri: provisioning_uri, key: secret})
else