
feat: clean up expired factors #1371

Merged (6 commits), Mar 13, 2024

Conversation

@J0 (Contributor) commented Jan 9, 2024

What kind of change does this PR introduce?

Currently, unverified MFA factors can build up in the database quickly. Supabase developers can toggle Maximum unverified factors (`Maximum number of per-user MFA factors`) via the dashboard but developers will have to look for the toggle. Developers can also call `unenroll` but it requires an additional step.

This PR proposes periodic cleanup of stale factors on each request. A stale factor is:

  • Unverified
  • Has no associated Challenges
  • Older than five minutes

Why five minutes?

  • Most enrolment or verification flows should be completed within the five minute window

Factors which are unverified but have associated challenges will be cleaned up [after the developer makes a successful verification](https://github.com/supabase/gotrue/blob/master/internal/api/mfa.go#L314).

Alternatives considered:

  • Return the same factor and QR code if the same user calls `/enroll` twice. We unfortunately can't reuse the QR code as it poses a security risk.
  • Increase the initial number of default unverified factors (currently 10)
  • Drop the unverified factor check. I think this was initially introduced to prevent a malicious user from creating excessive entries in the database

Addresses #979.
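The cleanup policy described above, as an added illustration that is not part of the PR's own code: a hypothetical in-memory `Factor` model (the real one lives in `internal/models/factor.go`) with the three staleness criteria, the per-request cleanup, and the default limit of 10 unverified factors from the description.

```go
package main

import (
	"errors"
	"time"
)

// Factor is a hypothetical in-memory stand-in for the model in internal/models/factor.go.
type Factor struct {
	ID         int
	Verified   bool
	Challenges int // challenges issued against this factor
	CreatedAt  time.Time
}

const staleAfter = 5 * time.Minute // window from the PR description
const maxUnverifiedFactors = 10    // default limit from the PR description

var errTooManyUnverified = errors.New("too many unverified factors")
// isStale applies the PR's three criteria: unverified, no challenges, older than five minutes.
func isStale(f Factor, now time.Time) bool {
	return !f.Verified && f.Challenges == 0 && now.Sub(f.CreatedAt) > staleAfter
}

// cleanupStale drops stale factors and reports how many were removed.
func cleanupStale(factors []Factor, now time.Time) ([]Factor, int) {
	kept := make([]Factor, 0, len(factors))
	for _, f := range factors {
		if !isStale(f, now) {
			kept = append(kept, f)
		}
	}
	return kept, len(factors) - len(kept)
}

// enroll runs the cleanup first (on each request, as the PR proposes), then enforces
// the unverified-factor limit before adding a new unverified factor.
func enroll(factors []Factor, now time.Time, id int) ([]Factor, error) {
	factors, _ = cleanupStale(factors, now)
	unverified := 0
	for _, f := range factors {
		if !f.Verified {
			unverified++
		}
	}
	if unverified >= maxUnverifiedFactors {
		return factors, errTooManyUnverified
	}
	return append(factors, Factor{ID: id, CreatedAt: now}), nil
}
```

Ten abandoned enrolments hit the limit immediately, but a retry after the five-minute window succeeds because the abandoned factors are swept first; a factor that has a challenge survives the sweep.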

@J0 J0 changed the title feat: clean up stale factors feat: clean up expired factors Jan 16, 2024
@J0 (Contributor, Author) commented Jan 22, 2024

Probably add a test for this and then send for review

@J0 J0 marked this pull request as ready for review February 1, 2024 08:33
@J0 J0 requested a review from a team as a code owner February 1, 2024 08:33
@J0 (Contributor, Author) commented Feb 1, 2024

Let me write a test

@J0 J0 marked this pull request as draft February 1, 2024 08:38
@J0 J0 force-pushed the j0/cleanup_stale_factors branch 3 times, most recently from 5521d51 to edd4540 Compare February 1, 2024 09:17
@J0 J0 marked this pull request as ready for review February 1, 2024 09:18
Review threads (outdated, resolved): internal/models/factor.go, internal/api/mfa.go, internal/models/factor.go
@J0 J0 requested a review from hf February 2, 2024 10:17
Review thread (outdated, resolved): internal/models/factor.go
@J0 (Contributor, Author) commented Mar 13, 2024

Tests need to be modified so that there's a valid AAL1 token when enroll is called - will make some adjustments in a bit.

@J0 J0 force-pushed the j0/cleanup_stale_factors branch from 22c8505 to 22519c1 Compare March 13, 2024 02:57
@J0 J0 merged commit 5c94207 into master Mar 13, 2024
2 checks passed
@J0 J0 deleted the j0/cleanup_stale_factors branch March 13, 2024 03:07
J0 pushed a commit that referenced this pull request Mar 26, 2024
🤖 I have created a release *beep* *boop*
---

## [2.145.0](v2.144.0...v2.145.0) (2024-03-26)

### Features

* add error codes ([#1377](#1377)) ([e4beea1](e4beea1))
* add kakao OIDC ([#1381](#1381)) ([b5566e7](b5566e7))
* clean up expired factors ([#1371](#1371)) ([5c94207](5c94207))
* configurable NameID format for SAML provider ([#1481](#1481)) ([ef405d8](ef405d8))
* HTTP Hook - Add custom envconfig decoding for HTTP Hook Secrets ([#1467](#1467)) ([5b24c4e](5b24c4e))
* refactor PKCE FlowState to reduce duplicate code ([#1446](#1446)) ([b8d0337](b8d0337))

### Bug Fixes

* add http support for https hooks on localhost ([#1484](#1484)) ([5c04104](5c04104))
* cleanup panics due to bad inactivity timeout code ([#1471](#1471)) ([548edf8](548edf8))
* **docs:** remove bracket on file name for broken link ([#1493](#1493)) ([96f7a68](96f7a68))
* impose expiry on auth code instead of magic link ([#1440](#1440)) ([35aeaf1](35aeaf1))
* invalidate email, phone OTPs on password change ([#1489](#1489)) ([960a4f9](960a4f9))
* move creation of flow state into function ([#1470](#1470)) ([4392a08](4392a08))
* prevent user email side-channel leak on verify ([#1472](#1472)) ([311cde8](311cde8))
* refactor email sending functions ([#1495](#1495)) ([285c290](285c290))
* refactor factor_test to centralize setup ([#1473](#1473)) ([c86007e](c86007e))
* refactor mfa challenge and tests ([#1469](#1469)) ([6c76f21](6c76f21))
* Resend SMS when duplicate SMS sign ups are made ([#1490](#1490)) ([73240a0](73240a0))
* unlink identity bugs ([#1475](#1475)) ([73e8d87](73e8d87))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@kangmingtay kangmingtay mentioned this pull request Apr 2, 2024