From d1d2dd48146da03b421e745497d0b91adb3626ee Mon Sep 17 00:00:00 2001 From: John Cardinal Date: Thu, 11 Mar 2021 18:06:38 +0000 Subject: [PATCH] --- ayanova/devdocs/todo.txt | 29 +++++++++++++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/ayanova/devdocs/todo.txt b/ayanova/devdocs/todo.txt index a32221d1..79c54e57 100644 --- a/ayanova/devdocs/todo.txt +++ b/ayanova/devdocs/todo.txt 
@@ -184,12 +184,37 @@ todo: GetWorkorderSerial/name from leaf nodes traverse up the tree and fetch the serial number once coded fixup in purchaseorderbiz::getasync MIGRATE_OUTSTANDING bit - +todo: research practicality of supporting SMS from server for things like notification and authentication 2fa + is it a service, a device, a library?? todo: 2fa is going to be an absolute must have pretty soon, look into what's involved again https://rockfish.ayanova.com/default.htm#!/rfcaseEdit/3395 - + + Process: + SIGN UP + (copied a bit from digital ocean) + User settings has a SECURITY section where control 2fa stuff + user enables at which point a secret key for 2fa is generated and stored in the User account + user is redirected to a client form with the qr code displayed for teh secret + User gets QR code then displayed to sign up with auth software + User has to enter a valid code to save or enable 2fa fully otherwise it's not enabled if they cancel out + until the correct code is entered it will not be enabled yet + If user moves out of 2fa area without validating then it generates a new secret next time they go In + + DISABLE + user goes to user settings->Security and click on disable 2fa button which is only enabled to click when the account has 2fa already enabled + this removes the 2fa secret from their account and sets 2fa off. 
+ LOGIN + User logs in as normal, server checks if they have 2fa enabled + if no 2fa enabled then send back token as normal + if 2fa then send back response like "2faenabled:true" + also some kind of temporary one time short lived token (maybe the one already implemented for downloads but shorter) to show which user it is as they cannot use a token for the next step + client sees it's a 2fa and redirects to a page (or login page has a "dialog") to enter 2fa 6 digit code + temp token and 2fa 6 digit code is sent to a /verify route + if they match / pass then the normal token is sent back and login proceeds as normal + + todo: tag search in picklist, does it support more than one tag? I forget no, no it doesn't. Hmmm... fuck
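Review bot: the LOGIN section's temporary token ("maybe the one already implemented for downloads but shorter") needs to be scoped so it is accepted by the /verify route only, otherwise the 2FA gate is bypassed by presenting that token to any other API route; shortening its lifetime is not enough, it also has to be single-use (consumed on the first /verify attempt, pass or fail) and bound to the user it was issued for. The /verify step should also rate-limit or lock out after a small number of wrong codes, since a 6 digit TOTP code is trivially guessable without that. Two gaps in the design as written: the DISABLE step turns 2FA off with only a button click, so anyone holding a live session can remove it; it should require a current valid code (or the password) before the secret is deleted, and the SIGN UP flow has no recovery/backup codes, so a user who loses the authenticator device is locked out with no documented path back in. Finally, the secret "stored in the User account" should be noted as encrypted at rest and never returned to the client after the initial QR display.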