From 078585b3654dda8334bceb8a6288e4e12c201b6e Mon Sep 17 00:00:00 2001
From: mickael-hc <86245626+mickael-hc@users.noreply.github.com>
Date: Mon, 4 Aug 2025 17:07:53 -0400
Subject: [PATCH] identity/mfa: revert cache value and add comments to mfa cache (#31421)

* identity/mfa: revert cache value and add comments to mfa cache
---
 changelog/31421.txt | 3 +++
 vault/external_tests/identity/login_mfa_totp_test.go | 2 +-
 vault/login_mfa.go | 7 ++++---
 3 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 changelog/31421.txt

diff --git a/changelog/31421.txt b/changelog/31421.txt
new file mode 100644
index 0000000000..d328bca62a
--- /dev/null
+++ b/changelog/31421.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+identity/mfa: revert cache entry change from #31217 and document cache entry values
+```
diff --git a/vault/external_tests/identity/login_mfa_totp_test.go b/vault/external_tests/identity/login_mfa_totp_test.go
index 24ebf353b7..48a9172564 100644
--- a/vault/external_tests/identity/login_mfa_totp_test.go
+++ b/vault/external_tests/identity/login_mfa_totp_test.go
@@ -329,7 +329,7 @@ func TestLoginMfaGenerateTOTPTestAuditIncluded(t *testing.T) {
 	// let's make sure the configID is not blocked for other users
 	doTwoPhaseLogin(t, userClient2, enginePath2, methodID, testuser2)
 
-	// let's see if user1 is able to login after 3 + 3*2 = 9 seconds
+	// let's see if user1 is able to login after 3 * (2+1) = 9 seconds
 	time.Sleep(9 * time.Second)
 	doTwoPhaseLogin(t, userClient1, enginePath1, methodID, testuser1)
 
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index bf4a5d3241..1b6777ad31 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
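Review bot: The `time.Sleep(9 * time.Second)` just below the edited comment still hardcodes the wait while the comment spells out the arithmetic that produces it, so the two will drift apart the next time the TOTP period or skew in this test changes. If the method's period and skew are defined earlier in the test, deriving the wait from them (for example `time.Sleep(time.Duration(period*(skew+1)) * time.Second)`, using whatever names the test actually declares) keeps the comment and the sleep in agreement. The enclosing test function starts outside the hunk, so I cannot confirm what the literals 3 and 2 refer to; the comment should name them (period and skew, if that is what they are) rather than only the numbers.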
@@ -2343,9 +2343,10 @@ func (c *Core) validateTOTP(ctx context.Context, mfaFactors *MFAFactor, entityMe
 		return fmt.Errorf("failed to validate TOTP passcode")
 	}
 
-	// The duration in which a passcode is stored in cache to enforce
-	// rate limit on failed totp passcode validation
-	passcodeTTL := time.Duration(int64(time.Second) * int64(totpSecret.Period) * int64(2*totpSecret.Skew))
+	// The duration in which a rateLimitID (configID_entityID) is used to limit the number of TOTP validation attempts.
+	// The passcode will be added to the usedCodes cache later, with a different TTL, with the skew and period.
+	passcodeTTL := time.Duration(int64(time.Second) * int64(totpSecret.Period))
+	// Enforcing rate limit per MethodID per EntityID
 	rateLimitID := fmt.Sprintf("%s_%s", configID, entityID)