Email OTP should have a period of validity #66
Comments
Good point, but it is only the email method which needs this implementation. Would you like to give it a try, or shall I do it?
Either way is fine, I can have a look during the week!
Sure. Let me know if you need help.
On Mon, 10 Oct 2022, 19:46 Ugo Popée wrote:
Either way is fine, I can have a look during the week!
Hi,
I searched for this functionality in the readme and by exploring the code, and it seems that there is no concept of period of validity involved in the logic of mfa.Email.auth.
Maybe this could be implemented using the request session only for email keys, or a more generic approach could be added directly using User_Keys.expires and a middleware. In both cases, this timeout should be configurable per OTP method and have sensible defaults.
Happy to discuss it further if you think it's worth it!
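A sketch of the session-based option raised in the issue, added here as an example and not the project's own code: the code is stored with its issue time, rejected once a per-method validity period has passed, and consumed on first success. The names `OTP_VALIDITY`, `DEFAULT_VALIDITY`, `SESSION_KEY`, `issue_email_otp` and `verify_email_otp` are hypothetical, and a plain dict stands in for the request session.

```python
import hmac
import secrets
import time

# Hypothetical per-method validity periods in seconds (not real project settings).
DEFAULT_VALIDITY = 300
OTP_VALIDITY = {"Email": 300}

SESSION_KEY = "email_otp"  # hypothetical session key


def issue_email_otp(session, now=None):
    """Generate a 6-digit code and record when it was issued."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    session[SESSION_KEY] = {"code": code, "issued_at": now}
    return code


def verify_email_otp(session, submitted, method="Email", now=None):
    """Return True only for a matching code inside its validity window."""
    now = time.time() if now is None else now
    entry = session.get(SESSION_KEY)
    if entry is None:
        return False
    ttl = OTP_VALIDITY.get(method, DEFAULT_VALIDITY)
    if now - entry["issued_at"] > ttl:
        # Expired: discard it so it can never be accepted later.
        del session[SESSION_KEY]
        return False
    # Constant-time comparison on bytes (also safe for non-ASCII input).
    if not hmac.compare_digest(entry["code"].encode(), str(submitted).encode()):
        return False
    # Single use: a correct code is consumed on first success.
    del session[SESSION_KEY]
    return True


def demo():
    session = {}  # constructed stand-in for the request session
    code = issue_email_otp(session, now=1000.0)
    fresh = verify_email_otp(session, code, now=1060.0)
    replay = verify_email_otp(session, code, now=1061.0)
    code2 = issue_email_otp(session, now=2000.0)
    expired = verify_email_otp(session, code2, now=2301.0)
    return fresh, replay, expired
```

Wall-clock time is used because a session outlives a single process; the `now` parameter exists only so the expiry path can be exercised deterministically.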