diff --git a/migrations/mysql/2024-06-05-131359_add_2fa_duo_store/up.sql b/migrations/mysql/2024-06-05-131359_add_2fa_duo_store/up.sql
index 9a619f65..29091791 100644
--- a/migrations/mysql/2024-06-05-131359_add_2fa_duo_store/up.sql
+++ b/migrations/mysql/2024-06-05-131359_add_2fa_duo_store/up.sql
@@ -1,11 +1,8 @@
 CREATE TABLE twofactor_duo_ctx (
- -- For mysql, the character set on state is overridden to ascii because the utf8mb4 database charset recommended in
- -- the Vaultwarden docs causes 1 character to consume 4 bytes, exceeding innodb's 3072 max key size if we want to
- -- accommodate the largest supported state size. This isn't a problem for nonce since it's not a key for the table.
- state VARCHAR(1024) CHARACTER SET ascii COLLATE ascii_general_ci NOT NULL,
- user_email VARCHAR(255) NOT NULL,
- nonce VARCHAR(1024) NOT NULL,
- exp BIGINT NOT NULL,
+ state VARCHAR(64) NOT NULL,
+ user_email VARCHAR(255) NOT NULL,
+ nonce VARCHAR(64) NOT NULL,
+ exp BIGINT NOT NULL,
 PRIMARY KEY (state)
 );
\ No newline at end of file
diff --git a/migrations/postgresql/2024-06-05-131359_add_2fa_duo_store/up.sql b/migrations/postgresql/2024-06-05-131359_add_2fa_duo_store/up.sql
index 6cd1cdc5..ebc8be1b 100644
--- a/migrations/postgresql/2024-06-05-131359_add_2fa_duo_store/up.sql
+++ b/migrations/postgresql/2024-06-05-131359_add_2fa_duo_store/up.sql
@@ -1,7 +1,7 @@
 CREATE TABLE twofactor_duo_ctx (
- state VARCHAR(1024) NOT NULL,
+ state VARCHAR(64) NOT NULL,
 user_email VARCHAR(255) NOT NULL,
- nonce VARCHAR(1024) NOT NULL,
+ nonce VARCHAR(64) NOT NULL,
 exp BIGINT NOT NULL,
 PRIMARY KEY (state)
diff --git a/src/api/core/two_factor/duo_oidc.rs b/src/api/core/two_factor/duo_oidc.rs
index b1aa6ee4..c62939b8 100644
--- a/src/api/core/two_factor/duo_oidc.rs
+++ b/src/api/core/two_factor/duo_oidc.rs
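Review bot: Both migration hunks (this MySQL file and the PostgreSQL one that follows) narrow `state` and `nonce` by editing an already-named `up.sql` in place rather than adding a new migration, so any database that has already applied `2024-06-05-131359_add_2fa_duo_store` presumably keeps `VARCHAR(1024)` while fresh installs get `VARCHAR(64)`, leaving the schema different between deployments. At a 64-character value that drift is harmless, but it also means the widths cannot later be changed by editing this file again, since a migration runner will not re-apply a migration it has already recorded. If this migration has not shipped in a release yet, say so in a one-line `-- ...` comment at the top of the file; if it has, a follow-up `ALTER TABLE ... MODIFY` migration is the safer way to change the column sizes.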
@@ -63,6 +63,8 @@ const DUO_RESP_SIGNATURE_ALG: Algorithm = Algorithm::HS512;
 const JWT_SIGNATURE_ALG: Algorithm = Algorithm::HS512;
 // Size of random strings for state and nonce. Must be at least 16 characters and at most 1024 characters.
+// If increasing this above 64, also increase the size of the twofactor_duo_ctx.state and
+// twofactor_duo_ctx.nonce database columns for postgres and mariadb.
 const STATE_LENGTH: usize = 64;
 // client_assertion payload for health checks and obtaining MFA results.
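Review bot: The added comment tells a maintainer to widen the database columns when raising `STATE_LENGTH`, but it drops the constraint the removed MySQL migration comment documented: `state` is the table's primary key, and under the recommended utf8mb4 charset each character costs 4 bytes against InnoDB's 3072-byte key limit, so on MySQL/MariaDB the column cannot simply be widened past 768 characters without restoring the `CHARACTER SET ascii` override that this commit removes. The unchanged comment above it still advertises an upper bound of 1024 characters, which is now unreachable on those engines by widening alone. Suggest appending: `// On MySQL/MariaDB with utf8mb4, state is the primary key and is capped at 768 characters (InnoDB 3072-byte key limit) unless the column charset is set back to ascii.` The enclosing constant block continues outside this hunk.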