Opened 2 months ago

Last modified 5 days ago

#2097 new task

Implement support for device verification

Reported by: nicklas Owned by: everyone
Priority: major Milestone: BASE 3.12
Component: core Version:
Keywords: Cc:

Description

This is inspired by similar functionality in for example, Facebook and Google were a verification code is sent by email (or SMS) to a user the first time that user is trying to login from a new device. Since we already have email support in BASE it should not be too difficult to implement the other part.

Since we need some GUI for entering the verification code it must be possible to enabled/disable this feature per client application. For example, the FTP server extension can't use this due to lack of support in the FTP protocol.

Since we don't require users to register their email address, it should be possible to enable/disable per user account (disabled by default). The email address must be validated before it is possible to enabled this feature.

When this feature is enabled and a user is trying to login from a new device, the login procedure should verify the username/password as normal. Once that has been done, a verification code (6 digits?) will be sent by email to the user. The login procedure will then throw a special exception to indicate that a verification code is needed. The client is responsible for displaying a GUI for entering this code. On the server side, the verification code is kept in memory and is not stored in the database.

The client application then submits the verification code back to the server which checks it. If the code is incorrect, the login procedure should be restarted from the beginning. If the code is correct, the servers sends back a token to the client. The client should store this token on the computer (for example in localStorage). The token is also stored in the database together with some other useful information (eg. User-agent, etc.).

The next time the user is trying to login the client should also send the stored token together with the username and password. The server can then check this token against what has been stored in the database and allow the user to login without a new verification code.

Some other useful stuff:

  • The 'Session' object should have a link to the 'device'.
  • A user should be able to list devices it has used and be able to remove a device from the list of known devices.
  • It might be a good idea to add a checkbox 'Remember this device' on the page were the verification code is entered. It would make it easier to, for example, temporarily login from a public computer without storing it as a trusted device.

Note! A 'device' in this context is a specific browser on a specific computer. Using a different browser on the same computer is considered to be a different device.

Note! If a single computer/browser is used by multiple users each user need to verify the device. However, since it may be difficult for the browser to store more than one token the server must accept that the same token is used for multiple users.

Change History (11)

comment:1 Changed 2 months ago by nicklas

(In [7403]) References #2097: Implement support for device verification

Added a flag to the Client class to enable/disable support device verification. The update script will set it to false for all clients except the web client.

comment:2 Changed 2 months ago by nicklas

(In [7404]) References #2097: Implement support for device verification

Added a flag to the User class to enable/disable support device verification. It is set to false for all existing users.

For now, it can only be enabled by an administrator.

comment:3 Changed 2 months ago by nicklas

(In [7405]) References #2097: Implement support for device verification

Added UserDeviceData class for storing information about a verified device. Links are created to/from user, client and session.

comment:4 Changed 2 months ago by nicklas

(In [7406]) References #2097: Implement support for device verification

Added UserDevice class to the core layer API.

A permission key for roles is created by the install script.

Added the device column to the sessions list and view page.

Added NameableData to the device since it will be a lot easier to use in listings, etc.

comment:5 Changed 2 months ago by nicklas

(In [7407]) References #2097: Implement support for device verification

Added list/view/edit pages to the web client for devices.

comment:6 Changed 2 months ago by nicklas

(In [7409]) References #2097: Implement support for device verification

An email message with the verification code is now sent to the user. The messge text is currently hardcoded into the code. This should maybe be configurable by the server admin?

comment:7 Changed 2 months ago by nicklas

(In [7410]) References #2097: Implement support for device verification

Added support for verifying email addresses. The "BASE->Contact information" dialog now has a "2-factor login" checkbox. If this checkbox is checked or if the email address is changed an email is sent to the user with a verification code. At the same time, the browser displays a new form asking the user to enter the verfication code. The 2-factor login is only enabled if the correct verification code is entered.

The email message template is currently hard-coded but it should may be configurable?

comment:8 Changed 2 months ago by nicklas

(In [7411]) References #2097: Implement support for device verification

Added a "User-Agent" analyzer library (https://github.com/nielsbasjes/yauaa). It is used to automatically generate the name of new devices. For example: Firefox 55 on Windows 10.0 (Desktop)

Added UserDeviceData.lastRemoteId property to store the ip address of the device the last time it was used.

comment:9 Changed 2 months ago by nicklas

(In [7412]) References #2097: Implement support for device verification

Updated documentation with some information about 2-factor login.

comment:10 Changed 6 weeks ago by nicklas

(In [7418]) References #2097: Implement support for device verification

Throwing LoginException instead of IllegalStateException gives a nicer error message to the user instead of an ugly stacktrace.

comment:11 Changed 5 days ago by nicklas

(In [7431]) References #2097: Implement support for device verification

Tests complain that "dev" is already taken as an alias for another item (DATACUBEEXTRAVALUE).

Note: See TracTickets for help on using tickets.