Password confirmation when changing second factor configuration #5986

Open
6 of 20 tasks
bedhub opened this issue Oct 13, 2023 · 1 comment · May be fixed by #7933
Comments

bedhub commented Oct 13, 2023

As a user I want to make sure that I cannot be locked out of my account or lose second-factor protection by someone who has access to my logged-in account.

AC

  • Before configuring a second factor, the user is presented with a password challenge
  • When deleting a second factor, the user is also presented with a password challenge
  • The server enforces the password validity for 2FA changes
  • Old clients still allow the changes without the password confirmation
  • For admin users changing second factors of other admin users, the password of the active admin is verified instead of the user's password
  • For admins changing second factors of regular (non-admin) users, there is no password check

Notes

Ask for the password before starting the 2FA flow

Tasks

  • Write down the design for the token system
  • Add a service for requesting account token/admin token
  • Handle admin users changing 2FA for other users (admin and non-admin)
  • Add password request form upon changing second factors
  • Implement a check for the token validity (deactivated for now)
  • Handle expired tokens on the client (an error message)

Estimated time: 24h
Time taken: 25.75h

Test Notes

  • With current version
    • be able to add 2FA
    • be able to delete 2FA
    • take a long time, request is denied
      • steps: enter password, keep the 2FA setup dialog open for longer than 30 min, try to finish setup; the request should be denied
    • enter wrong password, request is denied
      • when adding
      • when deleting
    • managing users
      • when adding/removing 2FA from a non-admin user, there is no prompt for a password
      • when adding/removing 2FA from another admin user, there is a prompt for a password
      • try to add/remove 2FA from a deactivated user; a pop-up saying that the user is deactivated appears
  • With older version
    • be able to add 2FA
    • be able to delete 2FA
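Added example, not code from this issue or the project: a server-side sketch of the rules in the acceptance criteria and test notes above. `requires_password_check` encodes who must re-enter a password (self-service, admin editing admin) and who does not (admin editing a regular user); `SecondFactorTokenService` is a hypothetical design for the "account token/admin token" task, an HMAC-signed token issued only after the password was verified and rejected after the 30-minute window from the test notes; `authorize_change` is the gate the 2FA add/delete endpoint would call. The password check itself is assumed to happen elsewhere (`password_verified`), the caller supplies `now` as unix seconds, and the old-client exemption is deliberately not modelled, so the token is always enforced here.

```python
import hashlib
import hmac
from dataclasses import dataclass
TOKEN_TTL_SECONDS = 30 * 60  # the 30-minute window from the test notes

@dataclass(frozen=True)
class User:
    user_id: str
    is_admin: bool
    deactivated: bool = False

def requires_password_check(actor: User, target: User) -> bool:
    """Must the acting user re-enter a password before changing target's second factors?"""
    if actor.user_id == target.user_id:
        return True  # changing your own second factors: always challenged
    if not actor.is_admin:
        raise PermissionError("only admins may change another user's second factors")
    # admin editing another admin: the acting admin's own password is checked; editing a regular user: no check
    return target.is_admin

class SecondFactorTokenService:
    """Short-lived HMAC-signed tokens handed out after a password check (hypothetical design)."""
    def __init__(self, secret: bytes):
        self._secret = secret  # constructed server-side key, never sent to the client

    def _mac(self, body: str) -> str:
        return hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, actor: User, password_verified: bool, now: int) -> str:
        if not password_verified:
            raise PermissionError("wrong password")  # no token without the correct password
        body = f"{actor.user_id}:{now}"  # now = unix seconds supplied by the caller
        return f"{body}:{self._mac(body)}"

    def verify(self, token: str, actor: User, now: int) -> bool:
        body, _, mac = token.rpartition(":")
        user_id, _, issued_at = body.rpartition(":")
        if not hmac.compare_digest(mac.encode(), self._mac(body).encode()):
            return False  # forged, tampered or malformed token
        if user_id != actor.user_id:
            return False  # token was issued to a different user
        return 0 <= now - int(issued_at) <= TOKEN_TTL_SECONDS  # expired tokens are denied

def authorize_change(actor: User, target: User, token: str, service: SecondFactorTokenService, now: int) -> bool:
    """Server-side gate for adding or deleting a second factor on target."""
    if target.deactivated:
        raise ValueError("user is deactivated")
    if not requires_password_check(actor, target):
        return True
    return service.verify(token, actor, now)
```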
@wrdhub wrdhub assigned wrdhub and BijinDev and unassigned BijinDev Nov 6, 2024
charlag commented Nov 20, 2024

Might be a good idea to merge it after labels and not put it into the same release.

@wrdhub wrdhub added this to the Next client release milestone Nov 28, 2024