DEV: Do not require session confirmation for new users (#24799)

When making sensitive changes to an account (adding 2FA or passkeys), we
require users to confirm their password. This is to prevent an attacker
from adding 2FA to an account they have access to.

However, on newly created accounts, we should not require this: it's an
extra step, and it doesn't provide extra security (since the account was
just created). This commit makes it so that we don't require session
confirmation for accounts created less than 5 minutes ago.
Penar Musaraj
2024-02-15 12:29:16 -05:00
committed by GitHub
parent 292685d3de
commit 974b3a2a6f
4 changed files with 40 additions and 4 deletions


@@ -9,6 +9,9 @@ describe "User preferences | Security", type: :system do
before do
user.activate
# testing the enforced 2FA flow requires a user that was created > 5 minutes ago
user.created_at = 6.minutes.ago
user.save!
sign_in(user)
# system specs run on their own host + port
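Review bot: the `user.created_at = 6.minutes.ago` line in this `before` block hard-codes the 5-minute window that the commit message describes as the implementation's threshold, so if that window is later widened the spec will silently stop exercising the enforced-2FA path while continuing to pass. Prefer deriving the value from whatever constant the implementation uses for the window (for example `user.created_at = (NEW_ACCOUNT_WINDOW + 1.minute).ago`, where `NEW_ACCOUNT_WINDOW` is a hypothetical name for that constant), or, if no constant exists, note in the comment that this literal must be kept in sync with the cutoff in the session-confirmation check.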