feat: trusted devices and 'remember me' #1982

Merged
merged 5 commits into from
Nov 29, 2024

@bjoern-m bjoern-m commented Nov 25, 2024

Description

This PR implements functionality for prompting users to trust their device during login, as well as handling persistent and temporary session management based on the user's preference.

  1. Prompt for Device Trust
     • Users are prompted to trust their device before completing the login flow with MFA.
  2. Trusting the Device
     • Skip MFA for Trusted Devices: Trusted devices bypass Multi-Factor Authentication (MFA) on subsequent logins.
  3. Device Trust:
     • A unique, randomized device_token is generated and stored in the database upon trust confirmation.
     • The device_token is shared with the client via a cookie.
     • On subsequent logins, the backend validates the device_token by matching it in the database.
     • Trust persists until it explicitly expires.
     • The expiration period is not extended by subsequent logins.
  4. "Remember Me" Functionality
     • Users can opt to "Remember me" / "Stay signed in" during the registration or login process.

Implementation

  1. Backend Changes:
     • Added API support for prompting and processing the device trust option.
     • Implemented trust_device cookie generation and validation.
     • Database schema extended to store device_token with expiration timestamps.
  2. Frontend Changes:
     • Updated UI to prompt for device trust.
     • Added a "Remember me" checkbox and corresponding logic for session persistence.

Future Enhancements

  • Enable trust revocation from the user’s account settings.
  • Retain the checked state of the "Remember Me" or "Stay Signed In" checkbox and store the previously used login identifier.

@bjoern-m bjoern-m marked this pull request as ready for review November 26, 2024 12:22
@lfleischmann lfleischmann self-requested a review November 28, 2024 19:57
@bjoern-m bjoern-m merged commit f32f48e into main Nov 29, 2024
8 checks passed
@bjoern-m bjoern-m deleted the feat-trust-device branch November 29, 2024 10:06
@FlxMgdnz FlxMgdnz mentioned this pull request Dec 4, 2024
2 tasks
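
The device-trust check from the PR description, sketched in Go as an added example; it is not code from this pull request or the project. The `TrustStore` type, its method names, the in-memory map standing in for the database, binding each token to a user ID, and storing a SHA-256 digest rather than the raw token are all assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"time"
)

// trustRecord is a hypothetical row: who trusted the device, and until when.
type trustRecord struct {
	userID    string
	expiresAt time.Time
}

// TrustStore stands in for the database table. Keys are SHA-256 digests of
// device tokens (an assumption of this sketch), so a read of the table alone
// does not yield usable cookie values.
type TrustStore map[[32]byte]trustRecord

// Trust creates a random device token for userID with a fixed lifetime and
// returns the value to set in the cookie.
func (s TrustStore) Trust(userID string, now time.Time, ttl time.Duration) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s[sha256.Sum256([]byte(token))] = trustRecord{userID: userID, expiresAt: now.Add(ttl)}
	return token, nil
}

// MFARequired reports whether this login must still complete MFA. It only
// reads the store, so a login on a trusted device never extends the expiry.
func (s TrustStore) MFARequired(userID, cookieToken string, now time.Time) bool {
	rec, ok := s[sha256.Sum256([]byte(cookieToken))]
	if !ok || rec.userID != userID { // unknown token, or trusted by another account
		return true
	}
	return !now.Before(rec.expiresAt) // expired trust falls back to MFA
}

func main() {
	store := TrustStore{}
	t0 := time.Date(2024, 11, 29, 10, 0, 0, 0, time.UTC) // constructed timestamp
	tok, _ := store.Trust("user-a", t0, 30*24*time.Hour)
	fmt.Println(store.MFARequired("user-a", tok, t0.Add(24*time.Hour)))
}
```

The cookie that carries the token would normally be set with `HttpOnly`, `Secure` and a `SameSite` attribute, and its lifetime should match the stored expiry.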