Sudo Mode

On this page, we dive into Sudo Mode and how you can use it to ensure that your users are authorised to perform certain actions.

Sudo Mode is a feature that double-checks that a user is authorised to perform a certain action. For example, if a user wants to delete a project, you may want them to enter a Multi-Factor Authentication code to confirm that they are authorised to do so.

How it works

When a user attempts to delete a project (or perform any other action that requires Sudo Mode), they will be presented with a modal that asks them for an MFA code, Security Key or Password.

The user's input is sent (through your Server) to the DevRIFT API Server, which checks whether the input is valid. If it is, the API Server returns a success response, after which your Application enables Sudo Mode for that user's session for the duration you specify in the Dashboard.

While Sudo Mode is enabled, the user can perform any action that requires Sudo Mode without entering an MFA code, Security Key or Password again, until that duration expires.

How to enable Sudo Mode

To enable Sudo Mode, you will first need to enable it in the Dashboard.

You may also want to configure Sudo Mode further, such as changing the duration of Sudo Mode Sessions or only allowing Security Keys to be used for Sudo Mode.

Enabling Sudo Mode in your Application

You should begin by first creating a new page, for example https://crayoncamps.com/account/sudo. This page will be used to allow users to enter Sudo Mode.

You will then need to create a form that will allow the user to use one of their authentication methods to enter Sudo Mode. Valid Authentication Methods include MFA Codes, Security Keys and Passwords.

When any of these methods are successful, you will need to create a Sudo Session for the user. This can be done by sending a request to the DevRIFT API Server.

Creating a Sudo Session

To create a Sudo Session, you will need to send a request to the DevRIFT API Server. To do this using the DevRIFT PHP SDK, use the Sudo class and its create method.

<?php
use DevRIFT\DevRIFT;
use DevRIFT\DevRIFT\Sudo;

// Authenticate your Server to the DevRIFT API with your secret key
DevRIFT::setApiKey("sk_test_foobar...");

// Create the Sudo Session for the current user
Sudo::create();

This will create a Sudo Session for the user and store it in a session variable called devrift_session.sudo.

Checking that a user is in Sudo Mode

The code below checks if the user is in Sudo Mode and if they are, it will allow them to perform any action that requires Sudo Mode. If the user is not in Sudo Mode, it will redirect them to a page where they can enter Sudo Mode.

<?php
use DevRIFT\DevRIFT;

session_start(); // $_SESSION must be started before the Sudo Session can be read

DevRIFT::setApiKey("sk_test_foobar...");
$devrift = new DevRIFT(); // instance used for sudoCheck()

$sudo_session = $_SESSION['devrift_session.sudo'] ?? null; // The Sudo Session, if one exists

if ($devrift->sudoCheck()) {
    // The Sudo Session is active and valid
    // The User can perform any action that you believe
    // requires Sudo Mode
} else {
    // The Sudo Session is not active or is invalid
    // Redirect the user to the page which allows them
    // to enter Sudo Mode
    header('Location: /account/sudo');
    exit;
}
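As an added example (not part of the DevRIFT documentation or SDK), the round trip between a protected action and the Sudo page: the guard records where the user was, sends them to /account/sudo, and once the Sudo Session is created they are returned only to a same-site path. The helper names, the sudo_return_to session key, the DevRIFT constructor and the 303 redirects are assumptions; verifying the submitted factor is not shown on this page and is left as a comment.

```php
<?php
// Added example, not DevRIFT's own code. Assumed: DevRIFT::setApiKey(),
// new DevRIFT(), $devrift->sudoCheck() and Sudo::create() behave as this
// page describes; the helper names and 'sudo_return_to' key are mine.
use DevRIFT\DevRIFT;
use DevRIFT\DevRIFT\Sudo;

session_start();
DevRIFT::setApiKey("sk_test_foobar...");
$devrift = new DevRIFT();

// Accept only a same-site relative path as the return target, so the
// value stored before the Sudo prompt cannot become an open redirect.
function safeReturnPath(?string $path): string
{
    if (is_string($path) && preg_match('#^/(?![/\\\\])[^\r\n]*$#', $path)) {
        return $path;
    }
    return '/account';
}

// Call at the top of any handler that performs a Sudo-only action,
// such as deleting a project.
function requireSudo(DevRIFT $devrift): void
{
    if ($devrift->sudoCheck()) {
        return; // active Sudo Session; its duration comes from the Dashboard
    }
    $_SESSION['sudo_return_to'] = safeReturnPath($_SERVER['REQUEST_URI'] ?? null);
    header('Location: /account/sudo', true, 303);
    exit;
}

// Called by /account/sudo once the submitted MFA code, Security Key or
// Password has been verified (that verification call is not shown here).
function enterSudoMode(): void
{
    session_regenerate_id(true); // fresh session id before elevating
    Sudo::create();              // stores devrift_session.sudo in the session
    $target = safeReturnPath($_SESSION['sudo_return_to'] ?? null);
    unset($_SESSION['sudo_return_to']);
    header('Location: ' . $target, true, 303);
    exit;
}

// Usage in the delete-project handler:
requireSudo($devrift);
// ... the project can be deleted here ...
```

Because the return is a GET, a destructive POST is not replayed; the returned-to page should ask the user to confirm the action again rather than performing it from the stored path.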