Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: require verified primary email before adding 2fa #81982

Merged
merged 1 commit into from
Dec 12, 2024
Merged

fix: require verified primary email before adding 2fa #81982

merged 1 commit into from
Dec 12, 2024

Conversation

mdtro
Copy link
Member

@mdtro mdtro commented Dec 11, 2024

A user could add 2FA with a verified secondary email address, but not a verified primary address. This leads to some confusing edge cases with security impact.

This PR adds a new decorator primary_email_verification_required that specifically ensures the account's primary email is verified for the particular endpoint it is wrapping. The endpoint used to enroll new 2FA interfaces has been switched over to this new decorator.

@mdtro mdtro requested a review from a team as a code owner December 11, 2024 20:25
@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Dec 11, 2024
@mdtro mdtro changed the title fix: require primary email before adding 2fa fix: require verified primary email before adding 2fa Dec 11, 2024
@codecov Codecov
Copy link

codecov bot commented Dec 11, 2024

Codecov Report

Attention: Patch coverage is 95.00000% with 1 line in your changes missing coverage. Please review.

✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
src/sentry/users/models/user.py 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #81982      +/-   ##
==========================================
- Coverage   80.35%   80.35%   -0.01%     
==========================================
  Files        7274     7275       +1     
  Lines      321295   321337      +42     
  Branches    20955    20955              
==========================================
+ Hits       258180   258209      +29     
- Misses      62701    62714      +13     
  Partials      414      414

@mdtro mdtro requested a review from a team December 12, 2024 15:52
geoffg-sentry
geoffg-sentry approved these changes Dec 12, 2024
View reviewed changes
Copy link

@geoffg-sentry geoffg-sentry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So decorative, lgtm

@mdtro mdtro merged commit 4c6c849 into master Dec 12, 2024
51 checks passed
@mdtro mdtro deleted the mdtro/verified-primary-to-add-2fa branch December 12, 2024 20:02
evanh pushed a commit that referenced this pull request Dec 17, 2024
@mdtro @evanh
fix: require verified primary email before adding 2fa (#81982)
0f64a6c 
A user could add 2FA with a verified secondary email address, but not a
verified primary address. This leads to some confusing edge cases with
security impact.

This PR adds a new decorator `primary_email_verification_required` that
specifically ensures the account's primary email is verified for the
particular endpoint it is wrapping. The endpoint used to enroll new 2FA
interfaces has been switched over to this new decorator.
@github-actions github-actions bot locked and limited conversation to collaborators Dec 28, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@geoffg-sentry geoffg-sentry geoffg-sentry approved these changes

Assignees
No one assigned
Labels
Scope: Backend Automatically applied to PRs that change backend components
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mdtro @geoffg-sentry