@di di commented Sep 12, 2025

Fixes #18425.

This PR maintains a record of device information across logins for each user:

  • For TOTP logins, confirmation via a link sent to the primary email is required for each new device;
  • For non-TOTP logins, no confirmation is required.
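The device-record and confirmation policy described above, as an added illustration rather than Warehouse's own code; the class and field names (Device, LoginRecord, known_devices, confirm_device) are assumptions. It also shows the edge case a reviewer would check: a pending TOTP device is recorded but not treated as known until the email link is followed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Added illustration of the per-user device record and confirmation policy
# described in the PR. Names are assumptions, not Warehouse's actual models.

@dataclass(frozen=True)
class Device:
    user_agent: str
    ip_address: str

@dataclass
class LoginRecord:
    device: Device
    method: str            # "totp", "webauthn", ...
    seen_at: datetime
    confirmed: bool        # False while an email confirmation is still pending

@dataclass
class User:
    username: str
    logins: list[LoginRecord] = field(default_factory=list)

    def unique_logins(self) -> set[Device]:
        """Every distinct device seen for this user (what the admin view lists)."""
        return {r.device for r in self.logins}

    def known_devices(self) -> set[Device]:
        """Devices that completed a login; a pending TOTP device does not count."""
        return {r.device for r in self.logins if r.confirmed}

def record_login(user: User, device: Device, method: str) -> bool:
    """Record the login; return True if a confirmation email must be sent.

    TOTP from a device not in known_devices() needs the email link; any other
    method is recorded as confirmed at once. Storing the pending attempt as
    unconfirmed means a retry from the same device is still challenged.
    """
    needs_confirmation = method == "totp" and device not in user.known_devices()
    user.logins.append(
        LoginRecord(device, method, datetime.now(timezone.utc), not needs_confirmation)
    )
    return needs_confirmation

def confirm_device(user: User, device: Device) -> None:
    """Called when the user follows the link sent to their primary email."""
    for r in user.logins:
        if r.device == device:
            r.confirmed = True
```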

@di di requested a review from a team as a code owner September 12, 2025 17:11

@miketheman miketheman left a comment


Lots of comments inline. Let me know if they need further details.

Aside: I wonder if there's an opportunity to use these kinds of "annoying" interactions to push webauthn more, but I still want that to be a smoother experience.

@di di requested a review from miketheman September 24, 2025 11:02

@miketheman miketheman left a comment


Other than the migration needing a rebase, I think this looks good to me - I'd prefer if at least one other admin reviews as well.


@ewdurbin ewdurbin left a comment


Some notes on verbiage.

Overall I think this is great to get shipped and see how the UX goes... My only concern is that we don't tell users how to avoid this dance up-front. Should we be clear with them what tripped the confirmation email and suggest that they consider using a better 2FA method?

</tr>
</thead>
<tbody>
{% for login in user.unique_logins %}


We are almost certainly going to need to paginate this... but for now it seems fine since it's admin.

@di di merged commit d5c5876 into pypi:main Nov 14, 2025
21 checks passed
@di di deleted the fix/18425 branch November 14, 2025 16:01
Linked issue #18425: Email confirmation for TOTP-based logins