feat: delegate SMS code generation, sending and verification to an external service (PS-221) #4113
Open
splaunov wants to merge 5 commits into ory:master from
Member
Looks like your branch and master have diverged. We recently merged improvements to SMS which probably cause the conflicts.
Contributor
Author
Yes, we are a bit behind the master.
Member
The problem described is definitely something we should consider. Regarding the approach, I'm not sure if I fully understand how it works, but it does look a bit "strapped on" from first glance, with hardcoded values and some other things, which make me question if it wouldn't be better to use hooks and transient payloads for example.
This patch adds the ability to verify Android APK origins used during WebAuthn/Passkey exchange. Upgrades go-webauthn and includes fixes for Go 1.23 and workarounds for Swagger.
commit 6a60bf9
Author: splaunov <splaunov@gmail.com>
Date: Mon Nov 25 19:45:36 2024 +0300

feat: in code login flow send identity not found sms (PS-572)

commit f13a642
Author: maoanran <anma@monta.com>
Date: Fri Sep 6 10:41:47 2024 +0200

feat: do not retry on 429 responses from external verification service (PS-405)

commit 602d716
Author: splaunov <splaunov@gmail.com>
Date: Wed Mar 27 12:00:49 2024 +0300

feat: delegate SMS code generation, sending and verification to an external service (PS-221)
ignore: respond 400 when code is invalid (PS-307)
ignore: accept all http codes from 200-300 range
ignore: add `body` parameter to request config schema (PS-221)
feat: delegate SMS code generation, sending and verification to an external service - registration flow (PS-262)
feat: delegate SMS code generation, sending and verification to an external service - login flow (PS-263)
feat: delegate SMS code generation, sending and verification to an external service - verification flow (PS-221)
6a60bf9 to 36e139e
… login (PS-758) (#10)
Phone/SMS registration and login flows are vulnerable to SMS pumping attacks.
This PR allows delegating all the key steps of the flow to an external service which is able to detect SMS pumping and throttle requests.
Related issue(s)
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further Comments
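The status handling named in the commit messages above (any 2xx accepted, no retry on 429), sketched as an added example that is not code from this PR. The names `sendFunc`, `callVerifier` and the two error values are hypothetical, and it is assumed that the service signals a wrong code with 400 and that only transport errors and 5xx responses are retried.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical error values; the PR's own identifiers are not shown on this page.
var (
	ErrThrottled   = errors.New("external service answered 429: stop, do not retry")
	ErrInvalidCode = errors.New("code rejected: the flow answers the client with 400")
)

// sendFunc performs one HTTP call to the external service and returns its
// status code. It is injected so the example runs offline.
type sendFunc func() (status int, err error)

// callVerifier makes up to maxAttempts calls and reports how many were made.
// From the commit messages: any 2xx is success and a 429 is never retried.
// Assumed here: the service signals a wrong code with 400, and only transport
// errors and 5xx responses are worth retrying.
func callVerifier(send sendFunc, maxAttempts int) (int, error) {
	last := errors.New("no attempt was made")
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		status, err := send()
		switch {
		case err != nil:
			last = fmt.Errorf("attempt %d: %w", attempt, err)
		case status >= 200 && status < 300:
			return attempt, nil
		case status == 429:
			// Throttled (possible SMS pumping): a retry only adds the load being shed.
			return attempt, ErrThrottled
		case status == 400:
			return attempt, ErrInvalidCode
		case status >= 500:
			last = fmt.Errorf("attempt %d: status %d", attempt, status)
		default:
			return attempt, fmt.Errorf("unexpected status %d", status)
		}
	}
	return maxAttempts, last
}

func main() {
	calls := 0
	n, err := callVerifier(func() (int, error) { calls++; return 429, nil }, 3)
	fmt.Println(n, calls, err)
}
```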