UX: Challenge changes on validation error when creating TOTP key
xi opened this issue
When creating a TOTP key, a new challenge is generated on every request. So when I have a typo in the code I cannot simply fix the typo. Instead I have to delete the secret from my authenticator and start from scratch. This is both annoying and non-obvious.
The same issue theoretically also exists for all other form views. However, the challenge on TOTP auth is constant (`None`) and for the two FIDO2 views there is not really a way to have validation errors.
The big downside to keeping the challenge across requests is that this would be yet another case of state management with potential for security-related bugs.
This might not be so bad after all:
- There can already be zombie state in the session if a user does a GET request, but no POST request. Expanding this to "no successful POST request" is not that bad.
- Half of the challenge (`state`) is already stored in the session. Also storing the other half (`data`) is not that bad.
- The important bit is to always generate a new challenge on GET, and only keep the challenge on unsuccessful POST.
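As an added illustration of the lifecycle the comment above describes (example code written for this page, not code from the issue or from the project), a minimal Python sketch of a TOTP enrolment view: every GET mints a fresh secret into the session, a POST with a wrong code keeps that secret so the user can fix a typo, and only a successful POST clears it. The `session` dict stands in for a framework session, `totp_create_view` is a hypothetical name, and the TOTP computation is a stdlib RFC 6238 implementation rather than the project's own.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Name of the session slot that holds the pending enrolment challenge (constructed).
SESSION_KEY = "mfa_totp_create_challenge"


def generate_totp_secret():
    """Fresh 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(os.urandom(20)).decode()


def totp_code(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for the given Unix time."""
    key = base64.b32decode(secret_b32)
    counter = int(for_time // step)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret_b32, code, now, window=1):
    """Accept the code for the current step and +/- `window` neighbouring steps."""
    return any(
        hmac.compare_digest(totp_code(secret_b32, now + i * 30), code)
        for i in range(-window, window + 1)
    )


def totp_create_view(method, session, submitted_code=None, now=None, secret=None):
    """Returns (status, secret).

    GET  -> always generate a new challenge and store it in the session,
            replacing whatever zombie challenge an earlier GET left behind.
    POST -> verify against the stored challenge; keep it on failure so the
            user can correct a typo, delete it only on success.
    `secret` lets callers inject a known secret (used for deterministic tests).
    """
    now = time.time() if now is None else now
    if method == "GET":
        secret = secret or generate_totp_secret()
        session[SESSION_KEY] = {"secret": secret}
        return "form", secret
    if method == "POST":
        challenge = session.get(SESSION_KEY)
        if challenge is None:
            # No GET happened (or the session expired): nothing to verify against.
            return "error", None
        if verify_totp(challenge["secret"], submitted_code or "", now):
            del session[SESSION_KEY]
            return "created", challenge["secret"]
        # Unsuccessful POST: the challenge survives, the form is re-rendered.
        return "invalid", challenge["secret"]
    raise ValueError(f"unsupported method {method!r}")


if __name__ == "__main__":
    s = {}
    _, secret = totp_create_view("GET", s)
    print("enrol with secret:", secret)
    print(totp_create_view("POST", s, "12345", now=time.time()))  # typo, challenge kept
    print(totp_create_view("POST", s, totp_code(secret, time.time()), now=time.time()))
```

The test vector used below (ASCII secret `12345678901234567890`, time 59, code 287082) is the one from RFC 6238 Appendix B; the "typo" is a five-digit code, which can never match a six-digit one.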
Fixed by d3cbbdd