https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786
Marcel de Rooy <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|BLOCKED                     |Failed QA

--- Comment #56 from Marcel de Rooy <[email protected]> ---

There are several issues. Some are blockers, some could be dealt with on follow-up reports, as is already the case for storing the secret.

[1] This code pattern looks wrong:

    my $secret = Koha::AuthUtils::generate_salt( 'weak', 16 );
    my $auth = Koha::Auth::TwoFactorAuth->new(
        { patron => $logged_in_user, secret => $secret } );
    my $secret32 = $auth->generate_secret32;

What you do with generate_secret32 is effectively wasting your own secret. Note that Auth::GoogleAuth uses 16 random numbers 0-31 to create a new secret. If you pass a secret, GoogleAuth will convert it to base32 internally. The synopsis in the module is wrong too.
This is a blocker. But simple to correct.

[2] The randomizer (which we should not use) depends on Math::Random::MT. This module says: "This algorithm has a very uniform distribution and is good for modelling purposes but do not use it for cryptography."
As long as we pass our own stronger secrets, no worries. See [1].

[3] Martin refers earlier to Authen::OATH. I follow him there, but no blocker.

[4] The argument used before, "Also, it can generate QR codes out-of-the-box", is currently actually an issue. It creates a link like https://chart.googleapis.com/chart?&cht=qr with the secret as a URL GET parameter. That's obviously unsafe! Furthermore, this Google API has been deprecated for some years already. https://developers.google.com/chart/infographics/docs/qr_codes
We could use the $return_otpauth parameter to create the QR code ourselves.
Personally, I would not use this in its current form. But I would propose to solve this issue on a follow-up report.

[5] This one I did not yet fully tackle. But I have the impression that we have an issue in C4/Auth now. A few times already I had to login twice.
This MIGHT be a blocker. Still needs investigation.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
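Added illustration of points [1], [2] and [4] above (not Koha or Auth::GoogleAuth code, and in Python rather than Koha's Perl): the server generates the secret from a CSPRNG once, base32-encodes that same secret into an otpauth:// URI for a locally rendered QR code instead of handing it to a third-party chart service, and verifies RFC 6238 TOTP codes against it. Account and issuer names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote, urlencode


def generate_secret(nbytes: int = 16) -> bytes:
    # CSPRNG bytes; a Mersenne Twister PRNG is not suitable for this.
    return secrets.token_bytes(nbytes)


def secret_to_base32(secret: bytes) -> str:
    # otpauth URIs carry the raw secret base32-encoded, without '=' padding.
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def otpauth_uri(secret: bytes, account: str, issuer: str, digits: int = 6, period: int = 30) -> str:
    # This string is what the QR code encodes. Render it server-side; it must
    # never be sent as a GET parameter to an external QR/chart service.
    params = urlencode({"secret": secret_to_base32(secret), "issuer": issuer,
                        "algorithm": "SHA1", "digits": digits, "period": period})
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?{params}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, digits: int = 6, period: int = 30) -> str:
    # RFC 6238: the counter is the number of whole periods since the Unix epoch.
    return hotp(secret, for_time // period, digits)


def verify_totp(secret: bytes, code: str, for_time: int, window: int = 1, period: int = 30) -> bool:
    # Accept +/- `window` steps of clock skew; compare in constant time.
    step = for_time // period
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    secret = generate_secret()            # keep this one; do not regenerate it
    print(otpauth_uri(secret, "librarian", "Koha"))
    now = int(time.time())
    print(totp(secret, now), verify_totp(secret, totp(secret, now), now))
```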
