lowered the default mfa duration and reorganized internal record pre/post handling

2026-04-26 16:32:07 +03:00
parent 37b258810a
commit 555a4f1a1e
10 changed files with 107 additions and 69 deletions
--- a/core/collection_model_auth_options.go
+++ b/core/collection_model_auth_options.go
@@ -60,7 +60,7 @@ func (m *Collection) setDefaultAuthOptions() {
 		},
 		MFA: MFAConfig{
 			Enabled:  false,
-			Duration: 1800, // 30min
+			Duration: 600, // 10min
 		},
 		OTP: OTPConfig{
 			Enabled:       false,
--- a/core/external_auth_model.go
+++ b/core/external_auth_model.go
@@ -137,4 +137,42 @@ func (app *BaseApp) registerExternalAuthHooks() {
 		},
 		Priority: 99,
 	})
+
+	// delete all pre-existing external auths on verified upgrade
+	app.OnRecordUpdateExecute().Bind(&hook.Handler[*RecordEvent]{
+		Func: func(e *RecordEvent) error {
+			if !e.Record.Collection().IsAuth() {
+				return e.Next()
+			}
+
+			hasUpgradedVerified := !e.Record.Original().IsNew() && !e.Record.Original().Verified() && e.Record.Verified()
+
+			if !hasUpgradedVerified {
+				return e.Next()
+			}
+
+			originalApp := e.App
+			return e.App.RunInTransaction(func(txApp App) error {
+				e.App = txApp
+				defer func() { e.App = originalApp }()
+
+				externalAuths, err := txApp.FindAllExternalAuthsByRecord(e.Record)
+				if err != nil {
+					return err
+				}
+				if len(externalAuths) > 0 {
+					// delete all pre-existing external auths
+					if err := txApp.DeleteAllExternalAuthsByRecord(e.Record); err != nil {
+						return err
+					}
+
+					// force refresh tokens reset (if not already)
+					e.Record.RefreshTokenKey()
+				}
+
+				return e.Next()
+			})
+		},
+		Priority: 99,
+	})
 }
--- a/core/mfa_model.go
+++ b/core/mfa_model.go
@@ -3,6 +3,7 @@ package core
 import (
 	"context"
 	"errors"
+	"fmt"
 	"time"

 	"github.com/pocketbase/pocketbase/tools/hook"
@@ -141,11 +142,11 @@ func (app *BaseApp) registerMFAHooks() {
 			if old != new {
 				err = e.App.DeleteAllMFAsByRecord(e.Record)
 				if err != nil {
-					e.App.Logger().Warn(
-						"Failed to delete all previous mfas",
-						"error", err,
-						"recordId", e.Record.Id,
-						"collectionId", e.Record.Collection().Id,
+					return fmt.Errorf(
+						"[%s] failed to delete all previos MFAs for record %q: %w",
+						e.Record.Collection().Name,
+						e.Record.Id,
+						err,
 					)
 				}
 			}
--- a/core/otp_model.go
+++ b/core/otp_model.go
@@ -3,8 +3,10 @@ package core
 import (
 	"context"
 	"errors"
+	"fmt"
 	"time"

+	"github.com/pocketbase/pocketbase/tools/hook"
 	"github.com/pocketbase/pocketbase/tools/types"
 )

@@ -124,4 +126,29 @@ func (app *BaseApp) registerOTPHooks() {
 			app.Logger().Warn("Failed to delete expired OTP sessions", "error", err)
 		}
 	})
+
+	// delete all record OTPs on tokenKey change to minimize the risk of hijacking attacks
+	app.OnRecordUpdateExecute().Bind(&hook.Handler[*RecordEvent]{
+		Func: func(e *RecordEvent) error {
+			err := e.Next()
+			if err != nil || !e.Record.Collection().IsAuth() {
+				return err
+			}
+
+			if e.Record.Original().TokenKey() != e.Record.TokenKey() {
+				err := e.App.DeleteAllOTPsByRecord(e.Record)
+				if err != nil {
+					return fmt.Errorf(
+						"[%s] failed to delete all previos OTPs for record %q: %w",
+						e.Record.Collection().Name,
+						e.Record.Id,
+						err,
+					)
+				}
+			}
+
+			return nil
+		},
+		Priority: 99,
+	})
 }
--- a/core/record_model.go
+++ b/core/record_model.go
@@ -1427,10 +1427,7 @@ func onRecordValidate(e *RecordEvent) error {
 }

 func onRecordSaveExecute(e *RecordEvent) error {
-	var needToDeleteExternalAuths bool
-
 	if e.Record.Collection().IsAuth() {
-		// auth resets to prevent (pre)hijacking vulnerabilities
 		if !e.Record.IsNew() {
 			lastSavedRecord, err := e.App.FindRecordById(e.Record.Collection(), e.Record.Id)
 			if err != nil {
@@ -1443,15 +1440,10 @@ func onRecordSaveExecute(e *RecordEvent) error {
 					lastSavedRecord.Email() != e.Record.Email()) {
 				e.Record.RefreshTokenKey()
 			}
-
-			// in case upgrading from "unverified" -> "verified" mark all pre-existing OAuth2 links
-			// for deletion since there is no reliable way to verify that they weren't created by an attacker
-			if !lastSavedRecord.Verified() && e.Record.Verified() {
-				needToDeleteExternalAuths = true
-			}
 		}

-		// cross-check that the auth record id is unique across all auth collections
+		// loosely cross-check that the auth record id is unique across all auth collections
+		// to minimize impact of mistakes in API rules when multiple auth collections are used
 		authCollections, err := e.App.FindAllCollections(CollectionTypeAuth)
 		if err != nil {
 			return fmt.Errorf("unable to fetch the auth collections for cross-id unique check: %w", err)
@@ -1469,45 +1461,16 @@ func onRecordSaveExecute(e *RecordEvent) error {
 		}
 	}

-	finalizer := func() error {
-		err := e.Next()
-		if err == nil {
-			return nil
-		}
-
-		return validators.NormalizeUniqueIndexError(
-			err,
-			e.Record.Collection().Name,
-			e.Record.Collection().Fields.FieldNames(),
-		)
+	err := e.Next()
+	if err == nil {
+		return nil
 	}

-	if needToDeleteExternalAuths {
-		originalApp := e.App
-
-		return e.App.RunInTransaction(func(txApp App) error {
-			e.App = txApp
-			defer func() { e.App = originalApp }()
-
-			externalAuths, err := txApp.FindAllExternalAuthsByRecord(e.Record)
-			if err != nil {
-				return err
-			}
-			if len(externalAuths) > 0 {
-				// delete all pre-existing external auths
-				if err := txApp.DeleteAllExternalAuthsByRecord(e.Record); err != nil {
-					return err
-				}
-
-				// force refresh tokens reset (if not already)
-				e.Record.RefreshTokenKey()
-			}
-
-			return finalizer()
-		})
-	}
-
-	return finalizer()
+	return validators.NormalizeUniqueIndexError(
+		err,
+		e.Record.Collection().Name,
+		e.Record.Collection().Fields.FieldNames(),
+	)
 }

 func onRecordDeleteExecute(e *RecordEvent) error {