
fix 2fa constant prompt #167

Closed
wants to merge 2 commits into from

Conversation

ingshtrom
Contributor

@ingshtrom ingshtrom commented Feb 1, 2021

- What I did

  • added some documentation for newer contributors and additional logging
  • remove forced reprompt of OTP, so that we only re-prompt when the token is expired.

Fixes #162, or at least makes it less painful.

A little bit of background...

Upon first login using the 2fa-login endpoint, a token is returned which gives the user full access to all Hub APIs. When refreshing the token, the resulting token has reduced permissions, and so some APIs that initially worked with the first token will now fail. Until the Hub API is modified to allow refreshed tokens to have the same access as the first token, we need to do another prompt of the user's OTP to get another token which gives the tool full access to the Hub APIs.

- How I did it

  • removed the code that logs in for every "sudo" command.

- How to verify it

Below is output from some commands I ran and the date when they were run to show it working.

Here is the first run with a token that is expired.

❯ date -u && go run main.go account info
Mon Feb  1 15:12:18 UTC 2021
2FA required, please provide the 6 digit code: XXXXXX
Name:           ahokanson
Full name:      Alex Hokanson
Company:        Docker, Inc
Location:
Joined:         17 months ago
Plan:           free
Limits:
  Seats:                1/1
  Private repositories: 1/1
  Teams:                unlimited
  Collaborators:        unlimited
  Parallel builds:      1

Then we run it again within the TTL of the token (30 minutes) and no reprompting of the OTP is required.

❯ date -u && go run main.go account info
Mon Feb  1 15:12:39 UTC 2021
Name:           ahokanson
Full name:      Alex Hokanson
Company:        Docker, Inc
Location:
Joined:         17 months ago
Plan:           free
Limits:
  Seats:                1/1
  Private repositories: 1/1
  Teams:                unlimited
  Collaborators:        unlimited
  Parallel builds:      1

One last run shows that the token has expired, again, and we are correctly prompted to provide the OTP for 2FA authentication.

❯ date -u && go run main.go account info
Mon Feb  1 15:56:01 UTC 2021
2FA required, please provide the 6 digit code: XXXXXX
Name:           ahokanson
Full name:      Alex Hokanson
Company:        Docker, Inc
Location:
Joined:         17 months ago
Plan:           free
Limits:
  Seats:                1/1
  Private repositories: 1/1
  Teams:                unlimited
  Collaborators:        unlimited
  Parallel builds:      1

- Description for the changelog

  • added some documentation for newer contributors and additional logging
  • remove forced reprompt of OTP.

- A picture of a cute animal (not mandatory)
[image: CleanShot 2021-02-01 at 11 13 23@2x]

Signed-off-by: Alex Hokanson <571756+ingshtrom@users.noreply.github.com>
Signed-off-by: Alex Hokanson <571756+ingshtrom@users.noreply.github.com>
@ingshtrom
Contributor Author

PTAL @silvin-lubecki @rumpl

@silvin-lubecki
Collaborator

@ingshtrom correct me if I'm wrong, but I think that this way all hub-tool commands will prompt for a 6-digit code if 2FA is enabled, right? It means the sudo annotations aren't used anymore? 🤔

@ingshtrom
Contributor Author

Good call. That isn't what we want. Although, that is likely what is already happening since https://github.com/docker/hub-tool/pull/167/files#diff-6830a710a038a65c376a407bfafe6dbcba1561c4994fcfb20aff88375403ac37R86 hasn't changed. I'll take a look at that and post a test here once I check it out. Thanks!

@silvin-lubecki
Collaborator

I wonder if we can tell if the stored token is a refreshed token (with less rights) or a new token, with full rights. Maybe we should store refresh tokens and new tokens separately, and depending if the command is a sudo one or not, we take one token or the other 🤔
It adds a lot of complexity, but I don't see any other option 😞
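The token lifecycle from the PR background (a 2fa-login token has full access, a refreshed token has reduced rights, and the tool should only re-prompt when it actually needs a fresh full-rights token) together with the reviewer's suggestion of storing the two kinds of token separately, as an added Go example. This is not hub-tool's code and not code from the PR; the type and function names (`TokenStore`, `RecordLogin`, `RecordRefresh`, `Decide`), the fixed 30-minute TTL taken from the PR description, the assumption that `account info` is a sudo-annotated command, the assumption that there is no separate long-lived refresh token, and the token values are all assumptions or constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is what the CLI should do before calling a Hub API.
type Decision int

const (
	UseFull      Decision = iota // send the full-rights token from the 2FA login
	UseRefreshed                 // send the reduced-rights refreshed token
	PromptOTP                    // ask the user for the 6-digit code again
)

func (d Decision) String() string {
	return [...]string{"UseFull", "UseRefreshed", "PromptOTP"}[d]
}

// tokenTTL is the 30-minute TTL quoted in the PR description (assumption:
// a fixed TTL rather than one read from the token itself).
const tokenTTL = 30 * time.Minute

// token is one cached credential with its expiry.
type token struct {
	value     string
	expiresAt time.Time
}

func (t *token) valid(now time.Time) bool {
	return t != nil && now.Before(t.expiresAt)
}

// TokenStore keeps the two token kinds apart (hypothetical design following
// the reviewer's suggestion) so the tool can tell a full-rights token from
// a refreshed one instead of guessing from a single stored value.
type TokenStore struct {
	full      *token // returned by the 2fa-login endpoint
	refreshed *token // returned by a token refresh
}

// RecordLogin stores the token returned after an OTP login.
func (s *TokenStore) RecordLogin(value string, now time.Time) {
	s.full = &token{value: value, expiresAt: now.Add(tokenTTL)}
}

// RecordRefresh stores a refreshed token; it never overwrites the full one.
func (s *TokenStore) RecordRefresh(value string, now time.Time) {
	s.refreshed = &token{value: value, expiresAt: now.Add(tokenTTL)}
}

// Decide picks a token for a command. A sudo command only accepts the
// full-rights token, so it re-prompts exactly when that token is missing or
// expired. A non-sudo command accepts either kind; with nothing valid it also
// falls back to a prompt (assumption: no separate long-lived refresh token).
func (s *TokenStore) Decide(sudo bool, now time.Time) (Decision, string) {
	if s.full.valid(now) {
		return UseFull, s.full.value
	}
	if !sudo && s.refreshed.valid(now) {
		return UseRefreshed, s.refreshed.value
	}
	return PromptOTP, ""
}

// Replay walks through the three runs from the PR description (timestamps
// taken from its output) and returns the decision made for each run.
// `account info` is treated as a sudo-annotated command (assumption).
func Replay() []Decision {
	at := func(s string) time.Time {
		t, err := time.Parse("Mon Jan _2 15:04:05 MST 2006", s)
		if err != nil {
			panic(err)
		}
		return t
	}
	var store TokenStore
	var out []Decision

	// Run 1: nothing cached, so the command prompts for the OTP and the
	// resulting token is recorded. "tok-full-1" is a constructed value.
	now := at("Mon Feb  1 15:12:18 UTC 2021")
	d, _ := store.Decide(true, now)
	out = append(out, d)
	if d == PromptOTP {
		store.RecordLogin("tok-full-1", now)
	}

	// Run 2: 21 seconds later, inside the TTL, so no prompt.
	d, _ = store.Decide(true, at("Mon Feb  1 15:12:39 UTC 2021"))
	out = append(out, d)

	// Run 3: about 44 minutes after login, the token has expired, prompt again.
	d, _ = store.Decide(true, at("Mon Feb  1 15:56:01 UTC 2021"))
	out = append(out, d)
	return out
}

func main() {
	for i, d := range Replay() {
		fmt.Printf("run %d: %s\n", i+1, d)
	}
}
```

Keeping the two tokens apart is what lets a non-sudo command keep working on the reduced-rights refreshed token while a sudo command re-prompts only when the full-rights token is really gone, which is the behaviour the PR set out to get without prompting on every command.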

@ingshtrom
Contributor Author

Stale, and I do not have any intention of working further on this.

@ingshtrom ingshtrom closed this Apr 19, 2022
Development

Successfully merging this pull request may close these issues.

2FA Prompting continually