Skip to content

πŸ› Harden two-factor auth secret storage#475

Merged
baealex merged 1 commit into
mainfrom
fix/auth-2fa-secret-hardening
Jun 28, 2026
Merged

πŸ› Harden two-factor auth secret storage#475
baealex merged 1 commit into
mainfrom
fix/auth-2fa-secret-hardening

Conversation

@baealex

@baealex baealex commented Jun 26, 2026

Copy link
Copy Markdown
Owner

🎯 Goal

  • Protect 2FA TOTP secrets and recovery keys stored in the database.
  • Preserve existing users' authenticator app and recovery-key login after migration.

πŸ”§ Core Changes

  • Encrypt TwoFactorAuth.totp_secret at rest and decrypt only for TOTP verification / QR regeneration.
  • Hash TwoFactorAuth.recovery_key and stop returning stored recovery keys after setup.
  • Add an irreversible, idempotent data migration for existing 2FA rows.
  • Generate new recovery keys with secrets and document CIPHER_KEY backup requirements.

πŸ€” Key Decisions

  • TOTP secrets are encrypted, not hashed, because verification and QR regeneration need the original secret.
  • Recovery keys are hashed because the server only needs verification.
  • The migration is irreversible because recovery key hashes cannot be converted back to plaintext and rollback would otherwise shrink protected values.

πŸ§ͺ Verification Guide

How to verify

  1. Run npm run server:check-migrations.
  2. Run npm run server:test -- board.tests.api.test_two_factor_auth board.tests.templates.test_oauth_callback.
  3. Run npm run server:test.

Expected result

  • Migration check reports no changes.
  • Existing TOTP and recovery-key login paths keep working.
  • Stored recovery keys are not returned by the security API after setup.

βœ… Checklist

  • Lint not required (backend-only change)
  • Type-check not required (backend-only change)
  • Tests completed
  • Documentation updated (if needed)

@baealex baealex merged commit bf6bd79 into main Jun 28, 2026
2 checks passed
@baealex baealex deleted the fix/auth-2fa-secret-hardening branch June 28, 2026 05:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant