Add notification email on invalid second authenticator (#28822)

This commit is contained in:
Claire 2024-01-22 14:55:43 +01:00 committed by GitHub
parent 18004bf227
commit e2d9635074
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 102 additions and 3 deletions

View file

@ -181,6 +181,11 @@ class Auth::SessionsController < Devise::SessionsController
ip: request.remote_ip,
user_agent: request.user_agent
)
# Only send a notification email every hour at most
return if redis.set("2fa_failure_notification:#{user.id}", '1', ex: 1.hour, get: true).present?
UserMailer.failed_2fa(user, request.remote_ip, request.user_agent, Time.now.utc).deliver_later!
end
def second_factor_attempts_key(user)

View file

@ -191,6 +191,18 @@ class UserMailer < Devise::Mailer
end
end
def failed_2fa(user, remote_ip, user_agent, timestamp)
@resource = user
@remote_ip = remote_ip
@user_agent = user_agent
@detection = Browser.new(user_agent)
@timestamp = timestamp.to_time.utc
I18n.with_locale(locale) do
mail subject: default_i18n_subject
end
end
private
def default_devise_subject

View file

@ -0,0 +1,24 @@
= content_for :heading do
= render 'application/mailer/heading', heading_title: t('user_mailer.failed_2fa.title'), heading_subtitle: t('user_mailer.failed_2fa.explanation'), heading_image_url: frontend_asset_url('images/mailer-new/heading/login.png')
%table.email-w-full{ cellspacing: 0, cellpadding: 0, border: 0, role: 'presentation' }
%tr
%td.email-body-padding-td
%table.email-inner-card-table{ cellspacing: 0, cellpadding: 0, border: 0, role: 'presentation' }
%tr
%td.email-inner-card-td.email-prose
%p= t 'user_mailer.failed_2fa.details'
%p
%strong #{t('sessions.ip')}:
= @remote_ip
%br/
%strong #{t('sessions.browser')}:
%span{ title: @user_agent }
= t 'sessions.description',
browser: t("sessions.browsers.#{@detection.id}", default: @detection.id.to_s),
platform: t("sessions.platforms.#{@detection.platform.id}", default: @detection.platform.id.to_s)
%br/
%strong #{t('sessions.date')}:
= l(@timestamp.in_time_zone(@resource.time_zone.presence), format: :with_time_zone)
= render 'application/mailer/button', text: t('settings.account_settings'), url: edit_user_registration_url
%p= t 'user_mailer.failed_2fa.further_actions_html',
action: link_to(t('user_mailer.suspicious_sign_in.change_password'), edit_user_registration_url)

View file

@ -0,0 +1,15 @@
<%= t 'user_mailer.failed_2fa.title' %>
===
<%= t 'user_mailer.failed_2fa.explanation' %>
<%= t 'user_mailer.failed_2fa.details' %>
<%= t('sessions.ip') %>: <%= @remote_ip %>
<%= t('sessions.browser') %>: <%= t('sessions.description', browser: t("sessions.browsers.#{@detection.id}", default: "#{@detection.id}"), platform: t("sessions.platforms.#{@detection.platform.id}", default: "#{@detection.platform.id}")) %>
<%= l(@timestamp.in_time_zone(@resource.time_zone.presence), format: :with_time_zone) %>
<%= t 'user_mailer.failed_2fa.further_actions_html', action: t('user_mailer.suspicious_sign_in.change_password') %>
=> <%= edit_user_registration_url %>

View file

@ -1791,6 +1791,12 @@ en:
extra: It's now ready for download!
subject: Your archive is ready for download
title: Archive takeout
failed_2fa:
details: 'Here are details of the sign-in attempt:'
explanation: Someone has tried to sign in to your account but provided an invalid second authentication factor.
further_actions_html: If this wasn't you, we recommend that you %{action} immediately as it may be compromised.
subject: Second factor authentication failure
title: Failed second factor authentication
suspicious_sign_in:
change_password: change your password
details: 'Here are details of the sign-in:'

View file

@ -265,21 +265,35 @@ RSpec.describe Auth::SessionsController do
context 'when repeatedly using an invalid TOTP code before using a valid code' do
before do
stub_const('Auth::SessionsController::MAX_2FA_ATTEMPTS_PER_HOUR', 2)
# Travel to the beginning of an hour to avoid crossing rate-limit buckets
travel_to '2023-12-20T10:00:00Z'
end
it 'does not log the user in' do
# Travel to the beginning of an hour to avoid crossing rate-limit buckets
travel_to '2023-12-20T10:00:00Z'
Auth::SessionsController::MAX_2FA_ATTEMPTS_PER_HOUR.times do
post :create, params: { user: { otp_attempt: '1234' } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
expect(controller.current_user).to be_nil
end
post :create, params: { user: { otp_attempt: user.current_otp } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
expect(controller.current_user).to be_nil
expect(flash[:alert]).to match I18n.t('users.rate_limited')
end
it 'sends a suspicious sign-in mail', :sidekiq_inline do
Auth::SessionsController::MAX_2FA_ATTEMPTS_PER_HOUR.times do
post :create, params: { user: { otp_attempt: '1234' } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
expect(controller.current_user).to be_nil
end
post :create, params: { user: { otp_attempt: user.current_otp } }, session: { attempt_user_id: user.id, attempt_user_updated_at: user.updated_at.to_s }
expect(UserMailer.deliveries.size).to eq(1)
expect(UserMailer.deliveries.first.to.first).to eq(user.email)
expect(UserMailer.deliveries.first.subject).to eq(I18n.t('user_mailer.failed_2fa.subject'))
end
end
context 'when using a valid OTP' do

View file

@ -93,4 +93,9 @@ class UserMailerPreview < ActionMailer::Preview
def suspicious_sign_in
UserMailer.suspicious_sign_in(User.first, '127.0.0.1', 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0', Time.now.utc)
end
# Preview this email at http://localhost:3000/rails/mailers/user_mailer/failed_2fa
def failed_2fa
UserMailer.failed_2fa(User.first, '127.0.0.1', 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0', Time.now.utc)
end
end

View file

@ -135,6 +135,24 @@ describe UserMailer do
'user_mailer.suspicious_sign_in.subject'
end
describe '#failed_2fa' do
let(:ip) { '192.168.0.1' }
let(:agent) { 'NCSA_Mosaic/2.0 (Windows 3.1)' }
let(:timestamp) { Time.now.utc }
let(:mail) { described_class.failed_2fa(receiver, ip, agent, timestamp) }
it 'renders failed 2FA notification' do
receiver.update!(locale: nil)
expect(mail)
.to be_present
.and(have_body_text(I18n.t('user_mailer.failed_2fa.explanation')))
end
include_examples 'localized subject',
'user_mailer.failed_2fa.subject'
end
describe '#appeal_approved' do
let(:appeal) { Fabricate(:appeal, account: receiver.account, approved_at: Time.now.utc) }
let(:mail) { described_class.appeal_approved(receiver, appeal) }