2023-08-15 14:47:05 +02:00
|
|
|
package login
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"fmt"
|
|
|
|
|
"net/http"
|
|
|
|
|
|
|
|
|
|
http_mw "github.com/zitadel/zitadel/internal/api/http/middleware"
|
|
|
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
tmplOTPVerification = "otpverification"
|
|
|
|
|
querySelectedProvider = "selectedProvider"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
type mfaOTPData struct {
|
|
|
|
|
userData
|
|
|
|
|
MFAProviders []domain.MFAType
|
|
|
|
|
SelectedProvider domain.MFAType
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type mfaOTPFormData struct {
|
|
|
|
|
Resend bool `schema:"resend"`
|
|
|
|
|
Code string `schema:"code"`
|
|
|
|
|
SelectedProvider domain.MFAType `schema:"selectedProvider"`
|
|
|
|
|
Provider domain.MFAType `schema:"provider"`
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func OTPLink(origin, authRequestID, code string, provider domain.MFAType) string {
|
|
|
|
|
return fmt.Sprintf("%s%s?%s=%s&%s=%s&%s=%d", externalLink(origin), EndpointMFAOTPVerify, QueryAuthRequestID, authRequestID, queryCode, code, querySelectedProvider, provider)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// renderOTPVerification renders the OTP verification for SMS and Email based on the passed MFAType.
|
|
|
|
|
// It will send a new code to either phone or email first.
|
|
|
|
|
func (l *Login) handleOTPVerification(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, providers []domain.MFAType, selectedProvider domain.MFAType, err error) {
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderOTPVerification(w, r, authReq, providers, selectedProvider, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
|
|
|
|
|
var sendCode func(ctx context.Context, userID, resourceOwner, authRequestID, userAgentID string) error
|
|
|
|
|
switch selectedProvider {
|
|
|
|
|
case domain.MFATypeOTPSMS:
|
|
|
|
|
sendCode = l.authRepo.SendMFAOTPSMS
|
|
|
|
|
case domain.MFATypeOTPEmail:
|
|
|
|
|
sendCode = l.authRepo.SendMFAOTPEmail
|
|
|
|
|
// another type should never be passed, but just making sure
|
|
|
|
|
case domain.MFATypeU2F,
|
|
|
|
|
domain.MFATypeTOTP,
|
|
|
|
|
domain.MFATypeU2FUserVerification:
|
|
|
|
|
l.renderError(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
err = sendCode(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, userAgentID)
|
|
|
|
|
l.renderOTPVerification(w, r, authReq, providers, selectedProvider, err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (l *Login) renderOTPVerification(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, providers []domain.MFAType, selectedProvider domain.MFAType, err error) {
|
|
|
|
|
var errID, errMessage string
|
|
|
|
|
if err != nil {
|
|
|
|
|
errID, errMessage = l.getErrorMessage(r, err)
|
|
|
|
|
}
|
2023-12-05 12:12:01 +01:00
|
|
|
translator := l.getTranslator(r.Context(), authReq)
|
2023-08-15 14:47:05 +02:00
|
|
|
data := &mfaOTPData{
|
2023-12-05 12:12:01 +01:00
|
|
|
userData: l.getUserData(r, authReq, translator, "VerifyMFAU2F.Title", "VerifyMFAU2F.Description", errID, errMessage),
|
2023-08-15 14:47:05 +02:00
|
|
|
MFAProviders: removeSelectedProviderFromList(providers, selectedProvider),
|
|
|
|
|
SelectedProvider: selectedProvider,
|
|
|
|
|
}
|
2023-12-05 12:12:01 +01:00
|
|
|
l.renderer.RenderTemplate(w, r, translator, l.renderer.Templates[tmplOTPVerification], data, nil)
|
2023-08-15 14:47:05 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// handleOTPVerificationCheck handles form submissions of the OTP verification.
|
|
|
|
|
// On successful code verification, the check will be added to the auth request.
|
|
|
|
|
// A user is also able to request a code resend or choose another provider.
|
|
|
|
|
func (l *Login) handleOTPVerificationCheck(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
formData := new(mfaOTPFormData)
|
|
|
|
|
authReq, err := l.getAuthRequestAndParseData(r, formData)
|
2024-05-02 15:21:03 +02:00
|
|
|
if authReq == nil || err != nil {
|
2023-08-15 14:47:05 +02:00
|
|
|
l.renderError(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
step, ok := authReq.PossibleSteps[0].(*domain.MFAVerificationStep)
|
|
|
|
|
if !ok {
|
|
|
|
|
l.renderError(w, r, authReq, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if formData.Resend {
|
|
|
|
|
l.handleOTPVerification(w, r, authReq, step.MFAProviders, formData.SelectedProvider, nil)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if formData.Code == "" {
|
|
|
|
|
l.renderMFAVerifySelected(w, r, authReq, step, formData.Provider, nil)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
|
|
|
|
|
var actionType authMethod
|
|
|
|
|
var verifyCode func(ctx context.Context, userID, resourceOwner, code, authRequestID, userAgentID string, info *domain.BrowserInfo) error
|
|
|
|
|
switch formData.SelectedProvider {
|
|
|
|
|
case domain.MFATypeOTPSMS:
|
|
|
|
|
actionType = authMethodOTPSMS
|
|
|
|
|
verifyCode = l.authRepo.VerifyMFAOTPSMS
|
|
|
|
|
case domain.MFATypeOTPEmail:
|
|
|
|
|
actionType = authMethodOTPEmail
|
|
|
|
|
verifyCode = l.authRepo.VerifyMFAOTPEmail
|
|
|
|
|
// another type should never be passed, but just making sure
|
|
|
|
|
case domain.MFATypeU2F,
|
|
|
|
|
domain.MFATypeTOTP,
|
|
|
|
|
domain.MFATypeU2FUserVerification:
|
|
|
|
|
l.renderOTPVerification(w, r, authReq, step.MFAProviders, formData.SelectedProvider, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
err = verifyCode(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, formData.Code, authReq.ID, userAgentID, domain.BrowserInfoFromRequest(r))
|
|
|
|
|
|
|
|
|
|
metadata, actionErr := l.runPostInternalAuthenticationActions(authReq, r, actionType, err)
|
|
|
|
|
if err == nil && actionErr == nil && len(metadata) > 0 {
|
|
|
|
|
_, err = l.command.BulkSetUserMetadata(r.Context(), authReq.UserID, authReq.UserOrgID, metadata...)
|
|
|
|
|
} else if actionErr != nil && err == nil {
|
|
|
|
|
err = actionErr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
l.renderOTPVerification(w, r, authReq, step.MFAProviders, formData.SelectedProvider, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
l.renderNextStep(w, r, authReq)
|
|
|
|
|
}
|
