Project

General

Profile

Actions

Defect #34234

closed

Use Setting.host_name instead of Setting.app_title as TOTP issuer to avoid name collision with other instances or apps

Added by Go MAEDA about 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Accounts / authentication
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Currently, Redmine's two-factor authentication uses Setting.app_title for TOTP issuer. However, it causes problems under certain conditions.

Suppose that you use Microsoft Authenticator and have access to the following two Redmine instances:

  • Redmine-1: host_name = "redmine.example.com", app_title = "Redmine", login = "jsmith"
  • Redmine-2: host_name = "redmine.example.org", app_title = "Redmine", login = "jsmith"

Enabling two-factor authentication for Redmine-1 is no problem.

However, a serious problem occurs when you have enabled two-factor authentication for the Redmine-2. Surprisingly, Microsoft Authenticator overwrites the existing account information for Redmine-1 in order to add the account information for Redmine-2. This is because the exactly same TOTP issuer ("Redmine") and account ("jsmith") is used in two Redmine instances. These two values may play a role in the primary key in Microsoft Authenticator.

I don't think the possibility of such an accident occurs is low in the real world because there are many instances that uses default app_title "Redmine". Or if the Redmine's app_title is set to "GitHub", GitHub's account in the Microsofut Authenticator will be overwritten with Redmine's account!

In order to reduce the probability of such accidents, I suggest using Setting.host_name instead of Setting.app_title for TOTP issuer string. Most admins set the appropriate value for Setting.host_name to make links in email notifications correct. And this value does not usually overlap with other Redmine instances. GitLab also uses host name for TOTP issuer string.

diff --git a/lib/redmine/twofa/totp.rb b/lib/redmine/twofa/totp.rb
index e304208a2..b714c78c7 100644
--- a/lib/redmine/twofa/totp.rb
+++ b/lib/redmine/twofa/totp.rb
@@ -63,7 +63,7 @@ module Redmine
       private

       def totp
-        @totp ||= ROTP::TOTP.new(@user.twofa_totp_key, issuer: Setting.app_title)
+        @totp ||= ROTP::TOTP.new(@user.twofa_totp_key, issuer: Setting.host_name)
       end
     end
   end

Related issues

Related to Redmine - Feature #1237: Add support for two-factor authenticationClosedGo MAEDA2008-05-14

Actions
Actions

Also available in: Atom PDF