fix: improvements for login flow (incl. webauthn) (#1026)

* fix: typo ZITADEL uppercase for OTP Issuer * fix: password validation after change in current user agent * fix: otp validation after setup in current user agent * add waiting * add waiting * show u2f state * regenerate css * add useragentID to webauthn verify * return mfa attribute in mgmt * switch between providers * use preferredLoginName for webauthn display * some fixes * correct translations for login * add some missing event translations * fix usersession test * remove unnecessary cancel button on password change done
2025-10-21 09:49:07 +00:00 · 2020-12-07 12:09:10 +01:00
parent 8b88a0ab86
commit 077a9a628e
48 changed files with 451 additions and 123 deletions
--- a/internal/ui/login/handler/change_password_handler.go
+++ b/internal/ui/login/handler/change_password_handler.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"net/http"

+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 )

@@ -24,7 +25,8 @@ func (l *Login) handleChangePassword(w http.ResponseWriter, r *http.Request) {
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	err = l.authRepo.ChangePassword(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.OldPassword, data.NewPassword)
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	err = l.authRepo.ChangePassword(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.OldPassword, data.NewPassword, userAgentID)
 	if err != nil {
 		l.renderChangePassword(w, r, authReq, err)
 		return
--- a/internal/ui/login/handler/init_password_handler.go
+++ b/internal/ui/login/handler/init_password_handler.go
@@ -3,6 +3,7 @@ package handler
 import (
 	"net/http"

+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/errors"
 )
@@ -67,7 +68,8 @@ func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *mod
 	if authReq != nil {
 		userOrg = authReq.UserOrgID
 	}
-	err = l.authRepo.SetPassword(setContext(r.Context(), userOrg), data.UserID, data.Code, data.Password)
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	err = l.authRepo.SetPassword(setContext(r.Context(), userOrg), data.UserID, data.Code, data.Password, userAgentID)
 	if err != nil {
 		l.renderInitPassword(w, r, authReq, data.UserID, "", err)
 		return
--- a/internal/ui/login/handler/mfa_init_u2f.go
+++ b/internal/ui/login/handler/mfa_init_u2f.go
@@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"net/http"

+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 	user_model "github.com/caos/zitadel/internal/user/model"
 )
@@ -12,6 +13,11 @@ const (
 	tmplMFAU2FInit = "mfainitu2f"
 )

+type u2fInitData struct {
+	webAuthNData
+	MFAType model.MFAType
+}
+
 func (l *Login) renderRegisterU2F(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
 	var errType, errMessage, credentialData string
 	var u2f *user_model.WebAuthNToken
@@ -24,9 +30,12 @@ func (l *Login) renderRegisterU2F(w http.ResponseWriter, r *http.Request, authRe
 	if u2f != nil {
 		credentialData = base64.RawURLEncoding.EncodeToString(u2f.CredentialCreationData)
 	}
-	data := &webAuthNData{
-		userData:               l.getUserData(r, authReq, "Register WebAuthNToken", errType, errMessage),
-		CredentialCreationData: credentialData,
+	data := &u2fInitData{
+		webAuthNData: webAuthNData{
+			userData:               l.getUserData(r, authReq, "Register WebAuthNToken", errType, errMessage),
+			CredentialCreationData: credentialData,
+		},
+		MFAType: model.MFATypeU2F,
 	}
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMFAU2FInit], data, nil)
 }
@@ -38,17 +47,14 @@ func (l *Login) handleRegisterU2F(w http.ResponseWriter, r *http.Request) {
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	if data.Recreate {
-		l.renderRegisterU2F(w, r, authReq, nil)
-		return
-	}
 	credData, err := base64.URLEncoding.DecodeString(data.CredentialData)
 	if err != nil {
 		l.renderRegisterU2F(w, r, authReq, err)
 		return
 	}

-	if err = l.authRepo.VerifyMFAU2FSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Name, credData); err != nil {
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	if err = l.authRepo.VerifyMFAU2FSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Name, userAgentID, credData); err != nil {
 		l.renderRegisterU2F(w, r, authReq, err)
 		return
 	}
--- a/internal/ui/login/handler/mfa_init_verify_handler.go
+++ b/internal/ui/login/handler/mfa_init_verify_handler.go
@@ -7,6 +7,7 @@ import (
 	svg "github.com/ajstarks/svgo"
 	"github.com/boombuler/barcode/qr"

+	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/qrcode"
 )
@@ -47,7 +48,8 @@ func (l *Login) handleMFAInitVerify(w http.ResponseWriter, r *http.Request) {
 }

 func (l *Login) handleOTPVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaInitVerifyData) *mfaVerifyData {
-	err := l.authRepo.VerifyMFAOTPSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Code)
+	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+	err := l.authRepo.VerifyMFAOTPSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Code, userAgentID)
 	if err == nil {
 		return nil
 	}
--- a/internal/ui/login/handler/mfa_verify_handler.go
+++ b/internal/ui/login/handler/mfa_verify_handler.go
@@ -35,6 +35,15 @@ func (l *Login) handleMFAVerify(w http.ResponseWriter, r *http.Request) {
 }

 func (l *Login) renderMFAVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, verificationStep *model.MFAVerificationStep, err error) {
+	if verificationStep == nil {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	provider := verificationStep.MFAProviders[len(verificationStep.MFAProviders)-1]
+	l.renderMFAVerifySelected(w, r, authReq, verificationStep, provider, err)
+}
+
+func (l *Login) renderMFAVerifySelected(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, verificationStep *model.MFAVerificationStep, selectedProvider model.MFAType, err error) {
 	var errType, errMessage string
 	if err != nil {
 		errMessage = l.getErrorMessage(r, err)
@@ -44,13 +53,23 @@ func (l *Login) renderMFAVerify(w http.ResponseWriter, r *http.Request, authReq
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	switch verificationStep.MFAProviders[len(verificationStep.MFAProviders)-1] {
+	switch selectedProvider {
 	case model.MFATypeU2F:
-		l.renderU2FVerification(w, r, authReq, nil)
+		l.renderU2FVerification(w, r, authReq, removeSelectedProviderFromList(verificationStep.MFAProviders, model.MFATypeU2F), nil)
 		return
 	case model.MFATypeOTP:
-		data.MFAProviders = verificationStep.MFAProviders
+		data.MFAProviders = removeSelectedProviderFromList(verificationStep.MFAProviders, model.MFATypeOTP)
 		data.SelectedMFAProvider = model.MFATypeOTP
 	}
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplMFAVerify], data, nil)
 }
+
+func removeSelectedProviderFromList(providers []model.MFAType, selected model.MFAType) []model.MFAType {
+	for i := len(providers) - 1; i >= 0; i-- {
+		if providers[i] == selected {
+			copy(providers[i:], providers[i+1:])
+			return providers[:len(providers)-1]
+		}
+	}
+	return providers
+}
--- a/internal/ui/login/handler/mfa_verify_u2f_handler.go
+++ b/internal/ui/login/handler/mfa_verify_u2f_handler.go
@@ -13,7 +13,18 @@ const (
 	tmplU2FVerification = "u2fverification"
 )

-func (l *Login) renderU2FVerification(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
+type mfaU2FData struct {
+	webAuthNData
+	MFAProviders     []model.MFAType
+	SelectedProvider model.MFAType
+}
+
+type mfaU2FFormData struct {
+	webAuthNFormData
+	SelectedProvider model.MFAType `schema:"provider"`
+}
+
+func (l *Login) renderU2FVerification(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, providers []model.MFAType, err error) {
 	var errType, errMessage, credentialData string
 	var webAuthNLogin *user_model.WebAuthNLogin
 	if err == nil {
@@ -26,33 +37,42 @@ func (l *Login) renderU2FVerification(w http.ResponseWriter, r *http.Request, au
 	if webAuthNLogin != nil {
 		credentialData = base64.RawURLEncoding.EncodeToString(webAuthNLogin.CredentialAssertionData)
 	}
-	data := &webAuthNData{
-		userData:               l.getUserData(r, authReq, "Login WebAuthNToken", errType, errMessage),
-		CredentialCreationData: credentialData,
+	data := &mfaU2FData{
+		webAuthNData: webAuthNData{
+			userData:               l.getUserData(r, authReq, "Login WebAuthNToken", errType, errMessage),
+			CredentialCreationData: credentialData,
+		},
+		MFAProviders:     providers,
+		SelectedProvider: -1,
 	}
 	l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplU2FVerification], data, nil)
 }

 func (l *Login) handleU2FVerification(w http.ResponseWriter, r *http.Request) {
-	formData := new(webAuthNFormData)
+	formData := new(mfaU2FFormData)
 	authReq, err := l.getAuthRequestAndParseData(r, formData)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	if formData.Recreate {
-		l.renderU2FVerification(w, r, authReq, nil)
+	step, ok := authReq.PossibleSteps[0].(*model.MFAVerificationStep)
+	if !ok {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	if formData.CredentialData == "" {
+		l.renderMFAVerifySelected(w, r, authReq, step, formData.SelectedProvider, nil)
 		return
 	}
 	credData, err := base64.URLEncoding.DecodeString(formData.CredentialData)
 	if err != nil {
-		l.renderU2FVerification(w, r, authReq, err)
+		l.renderU2FVerification(w, r, authReq, step.MFAProviders, err)
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
 	err = l.authRepo.VerifyMFAU2F(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.ID, userAgentID, credData, model.BrowserInfoFromRequest(r))
 	if err != nil {
-		l.renderU2FVerification(w, r, authReq, err)
+		l.renderU2FVerification(w, r, authReq, step.MFAProviders, err)
 		return
 	}
 	l.renderNextStep(w, r, authReq)
--- a/internal/ui/login/handler/passwordless_login_handler.go
+++ b/internal/ui/login/handler/passwordless_login_handler.go
@@ -40,10 +40,6 @@ func (l *Login) handlePasswordlessVerification(w http.ResponseWriter, r *http.Re
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	if formData.Recreate {
-		l.renderPasswordlessVerification(w, r, authReq, nil)
-		return
-	}
 	credData, err := base64.URLEncoding.DecodeString(formData.CredentialData)
 	if err != nil {
 		l.renderPasswordlessVerification(w, r, authReq, err)
--- a/internal/ui/login/handler/webauthn.go
+++ b/internal/ui/login/handler/webauthn.go
@@ -8,5 +8,4 @@ type webAuthNData struct {
 type webAuthNFormData struct {
 	CredentialData string `schema:"credentialData"`
 	Name           string `schema:"name"`
-	Recreate       bool   `schema:"recreate"`
 }