feat: add mfa verification postgres hook #1314
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hf
reviewed
Nov 20, 2023
hf
reviewed
Nov 24, 2023
…e/gotrue into j0/mfa_verification_counter_hook
J0
changed the title
J0
added a commit
that referenced
this pull request
Nov 28, 2023
## What kind of change does this PR introduce? The mfa tests are hard to read. There's also a lot of redundant code which makes testing for hooks quite a bit harder. This PR aims to remove some of the redundancy so that it's easier to write the tests for #1314 Main changes include - Splitting out `enrollAndVerify` into `enroll` and `verify` - Using suite specific constants - Packaging duplicated setup code --------- Co-authored-by: joel@joellee.org <joel@joellee.org>
hf
reviewed
Nov 29, 2023
Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>
Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>
…e/gotrue into j0/mfa_verification_counter_hook
hf
reviewed
Nov 30, 2023
hf
changed the title
J0
commented
Nov 30, 2023
|
|
||
| } | ||
|
|
||
| func (mf *MFAVerificationAttemptOutput) IsError() bool { |
There was a problem hiding this comment.
WIll refactor this in the FLUP with password verification hooks
|
🎉 This PR is included in version 2.123.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
uxodb
pushed a commit
to uxodb/auth
that referenced
this pull request
Nov 13, 2024
## What kind of change does this PR introduce? The mfa tests are hard to read. There's also a lot of redundant code which makes testing for hooks quite a bit harder. This PR aims to remove some of the redundancy so that it's easier to write the tests for supabase#1314 Main changes include - Splitting out `enrollAndVerify` into `enroll` and `verify` - Using suite specific constants - Packaging duplicated setup code --------- Co-authored-by: joel@joellee.org <joel@joellee.org>
uxodb
pushed a commit
to uxodb/auth
that referenced
this pull request
Nov 13, 2024
## What kind of change does this PR introduce? Proof of concept hook for MFA Verification. With this hook, developers can introduce additional conditions around when to accept/reject an MFA verification (e.g. log a developer out after a certain number of attempts). We distinguish this from the existing Webhooks implementation via introduction of `hooks` package which will contain future Hook related structs, constants, and utility methods. For the most part we leverage existing Postgres capabilities - as far as possible we will return the PostgreSQL error codes for debugging and use Postgres in-built timeouts to ensure hte hook doesn't overrun. ## Testing The MFA Verification Hook test suite does not guarantee accurate status codes - the test setup (to enroll factors and create a challenge after signup) requires some setup. It is reliant on `signUpAndVerify` which gets the dev to AAL2 and takes time to refactor. As such, most of the cases were manually tested in addition to the current loose check of checking for the absence of an access token. Further edits will be made in GMT +8 morning to properly check for the http status codes in the tests. Also, since `supabase_auth_admin` cannot create functions on the `public` schema we create the functions on the `auth` schema for testing. We typically discourage this on the Supabase platform but in theory there should be no issue when dealing with GoTrue (the OSS project). Will spend a short amount of time looking into alternatives tomorrow. ## Additional Notes Response schema checks are left out of this PR as they don't seem to serve as much benefit for this particular extensibility point and will probably bloat the PR a little with the introduction of a new library --------- Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 13, 2024
## What kind of change does this PR introduce? The mfa tests are hard to read. There's also a lot of redundant code which makes testing for hooks quite a bit harder. This PR aims to remove some of the redundancy so that it's easier to write the tests for supabase#1314 Main changes include - Splitting out `enrollAndVerify` into `enroll` and `verify` - Using suite specific constants - Packaging duplicated setup code --------- Co-authored-by: joel@joellee.org <joel@joellee.org>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 13, 2024
## What kind of change does this PR introduce? Proof of concept hook for MFA Verification. With this hook, developers can introduce additional conditions around when to accept/reject an MFA verification (e.g. log a developer out after a certain number of attempts). We distinguish this from the existing Webhooks implementation via introduction of `hooks` package which will contain future Hook related structs, constants, and utility methods. For the most part we leverage existing Postgres capabilities - as far as possible we will return the PostgreSQL error codes for debugging and use Postgres in-built timeouts to ensure hte hook doesn't overrun. ## Testing The MFA Verification Hook test suite does not guarantee accurate status codes - the test setup (to enroll factors and create a challenge after signup) requires some setup. It is reliant on `signUpAndVerify` which gets the dev to AAL2 and takes time to refactor. As such, most of the cases were manually tested in addition to the current loose check of checking for the absence of an access token. Further edits will be made in GMT +8 morning to properly check for the http status codes in the tests. Also, since `supabase_auth_admin` cannot create functions on the `public` schema we create the functions on the `auth` schema for testing. We typically discourage this on the Supabase platform but in theory there should be no issue when dealing with GoTrue (the OSS project). Will spend a short amount of time looking into alternatives tomorrow. ## Additional Notes Response schema checks are left out of this PR as they don't seem to serve as much benefit for this particular extensibility point and will probably bloat the PR a little with the introduction of a new library --------- Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 15, 2024
## What kind of change does this PR introduce? The mfa tests are hard to read. There's also a lot of redundant code which makes testing for hooks quite a bit harder. This PR aims to remove some of the redundancy so that it's easier to write the tests for supabase#1314 Main changes include - Splitting out `enrollAndVerify` into `enroll` and `verify` - Using suite specific constants - Packaging duplicated setup code --------- Co-authored-by: joel@joellee.org <joel@joellee.org>
LashaJini
pushed a commit
to LashaJini/auth
that referenced
this pull request
Nov 15, 2024
## What kind of change does this PR introduce? Proof of concept hook for MFA Verification. With this hook, developers can introduce additional conditions around when to accept/reject an MFA verification (e.g. log a developer out after a certain number of attempts). We distinguish this from the existing Webhooks implementation via introduction of `hooks` package which will contain future Hook related structs, constants, and utility methods. For the most part we leverage existing Postgres capabilities - as far as possible we will return the PostgreSQL error codes for debugging and use Postgres in-built timeouts to ensure hte hook doesn't overrun. ## Testing The MFA Verification Hook test suite does not guarantee accurate status codes - the test setup (to enroll factors and create a challenge after signup) requires some setup. It is reliant on `signUpAndVerify` which gets the dev to AAL2 and takes time to refactor. As such, most of the cases were manually tested in addition to the current loose check of checking for the absence of an access token. Further edits will be made in GMT +8 morning to properly check for the http status codes in the tests. Also, since `supabase_auth_admin` cannot create functions on the `public` schema we create the functions on the `auth` schema for testing. We typically discourage this on the Supabase platform but in theory there should be no issue when dealing with GoTrue (the OSS project). Will spend a short amount of time looking into alternatives tomorrow. ## Additional Notes Response schema checks are left out of this PR as they don't seem to serve as much benefit for this particular extensibility point and will probably bloat the PR a little with the introduction of a new library --------- Co-authored-by: joel@joellee.org <joel@joellee.org> Co-authored-by: Stojan Dimitrovski <sdimitrovski@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
Proof of concept hook for MFA Verification. With this hook, developers can introduce additional conditions around when to accept/reject an MFA verification (e.g. log a developer out after a certain number of attempts).
We distinguish this from the existing Webhooks implementation via introduction of
hookspackage which will contain future Hook related structs, constants, and utility methods.For the most part we leverage existing Postgres capabilities - as far as possible we will return the PostgreSQL error codes for debugging and use Postgres in-built timeouts to ensure hte hook doesn't overrun.
Testing
The MFA Verification Hook test suite does not guarantee accurate status codes - the test setup (to enroll factors and create a challenge after signup) requires some setup. It is reliant on
signUpAndVerifywhich gets the dev to AAL2 and takes time to refactor.As such, most of the cases were manually tested in addition to the current loose check of checking for the absence of an access token. Further edits will be made in GMT +8 morning to properly check for the http status codes in the tests.
Also, since
supabase_auth_admincannot create functions on thepublicschema we create the functions on theauthschema for testing. We typically discourage this on the Supabase platform but in theory there should be no issue when dealing with GoTrue (the OSS project). Will spend a short amount of time looking into alternatives tomorrow.Additional Notes
Response schema checks are left out of this PR as they don't seem to serve as much benefit for this particular extensibility point and will probably bloat the PR a little with the introduction of a new library