Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Track if backup codes have been verified #257

Merged
merged 2 commits into from
Sep 25, 2023
Merged

Track if backup codes have been verified #257

merged 2 commits into from
Sep 25, 2023

Conversation

iandunn
Copy link
Member

@iandunn iandunn commented Sep 21, 2023
edited
Loading

One of the commits from #245 was reverted in 03ab804. This achieves the same goal as that commit, but in a way that doesn't have the side-effects that it did.

It takes a similar conceptual approach to #221, where it keeps track of whether or not the codes have been verified. That can't be done in BackupCodes, though, because the state would get lost when clicking Back. It also can't do it in local storage, since that wouldn't persist across browsers.

This approach keeps the state in Main so that it won't get lost, but it ultimately relies on the database as the canonical source of truth. The user record is refreshed after saving the codes so that the system knows the user has them, but it also has the state of whether or not they've verified them. The combination of those two lets us achieve the original goal but without the side effects.

I also added some defensive code to the Password component. That's not necessary for the main fix here, it's just related because the need for it was exposed by the previous bug.

Testing

  1. Start without backup codes saved for the user
  2. Visit the Backup Codes screen. Codes will automatically be generated and saved for the user.
  3. Click Back. The Backup Codes status will show that it's active
  4. Click on Backup Codes, and you'll see the Manage screen. Before the fix, you would have seen the Setup screen and new codes would have been saved

Also test that flow but with clicking Finished, and do some general tests to make sure there aren't any side-effects.

@iandunn
Password: Return early on invalid input
ac93c1a
@iandunn
Backup Codes: Track if codes are verified to show Setup/Manage correctly
f1e7bde 
Without this, generating codes for the first time, then clicking `Back`, then visiting the Backup Codes screen would generate another set of codes. It should instead render the `Manage` component, since the first setup saved the codes to the database.
@iandunn iandunn added this to the Iteration 1 milestone Sep 21, 2023
@iandunn iandunn self-assigned this Sep 21, 2023
@iandunn iandunn marked this pull request as ready for review September 21, 2023 18:36
@iandunn iandunn mentioned this pull request Sep 21, 2023
Merged
@iandunn iandunn changed the title Track codes verified Track if backup codes have been verified Sep 21, 2023
StevenDufresne
StevenDufresne approved these changes Sep 22, 2023
View reviewed changes
Copy link
Contributor

@StevenDufresne StevenDufresne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a better solution that doesn't appear to impact the user experience 👍 .

renintw
renintw approved these changes Sep 24, 2023
View reviewed changes
Copy link
Contributor

@renintw renintw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍 Thanks for the fix!

settings/src/script.js
@@ -61,6 +61,7 @@ function Main( { userId } ) {
} = user;
const [ globalNotice, setGlobalNotice ] = useState( '' );
const [ error, setError ] = useState( '' );
const [ backupCodesVerified, setBackupCodesVerified ] = useState( true );
Copy link
Contributor

@renintw renintw Sep 24, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just add some notes about my testing process for the logic here for future reference.

Initially, I thought of setting this value to false during testing.
And setting this part to true only when the Back button on the backup-codes screen is pressed.

However, there are two issues with this approach:

  1. Currently, within ScreenLink, we can't determine which screen the Back button is pressed from.
  2. Even if we could determine that, since the value is set to true only when the Back button on the backup-codes screen is pressed, this condition with ! backupCodesVerified would be true again when the user exits the account screen (when Main is unmounted) and returns to the account screen, leading to another unexpected re-generation of backup-codes.

So, the current logic is that every time the ScreenLink component is pressed, it will execute setBackupCodesVerified( true );. I believe this is an acceptable compromise, especially since this workaround was put in place primarily due to the side-effects of two-factor/#507.

@iandunn iandunn merged commit bedf3d6 into trunk Sep 25, 2023
@iandunn iandunn deleted the track-codes-verified branch September 25, 2023 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@StevenDufresne StevenDufresne StevenDufresne approved these changes

@renintw renintw renintw approved these changes

Assignees

@iandunn iandunn

Labels
None yet
Projects
None yet
Milestone
Iteration 1
Development

Successfully merging this pull request may close these issues.
3 participants
@iandunn @StevenDufresne @renintw