Email OTP should have a period of validity #66
Comments
|
Good point, but it is only the email method which needs this implementation. Do you like to give it a try or shall i do it? |
|
Either way is fine, I can have a look during the week ! |
|
Sure. Let me know if you need help.
…On Mon, 10 Oct 2022, 19:46 Ugo Popée, ***@***.***> wrote:
Either way is fine, I can have a look during the week !
—
Reply to this email directly, view it on GitHub
<#66 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACPOPRG4YEM24YTHTGHKWRDWCRJBBANCNFSM6AAAAAARBQRNFU>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I searched for this functionnality in the readme and by exploring the code and it seems that there is no concept of period of validity involved in the logic of
mfa.Email.authMaybe this could be implemented using the request session only for email keys, or a more generic approach could be added directly using
User_Keys.expiresand a middleware.In both case, this timeout should be configurable per OTP method and have sensible defaults.
Happy to discuss it further if you think it's worth it !
The text was updated successfully, but these errors were encountered: