From 14a8e74b6910256aaf2f5f776a20d962f989c5ef Mon Sep 17 00:00:00 2001
From: Max Peintner
Date: Wed, 21 May 2025 10:15:17 +0200
Subject: [PATCH] move userverificationcheck to server action
---
 apps/login/src/app/(login)/verify/page.tsx | 2 +-
 apps/login/src/lib/server/loginname.ts | 3 +-
 apps/login/src/lib/server/passkeys.ts | 6 ++--
 apps/login/src/lib/server/password.ts | 2 +-
 apps/login/src/lib/verification-helper.ts | 34 ++++++++++++++++++++++
 apps/login/src/lib/verify-helper.ts | 32 --------------------
 6 files changed, 40 insertions(+), 39 deletions(-)
 create mode 100644 apps/login/src/lib/verification-helper.ts
diff --git a/apps/login/src/app/(login)/verify/page.tsx b/apps/login/src/app/(login)/verify/page.tsx
index fcbc4fd34a..e5b2268f14 100644
--- a/apps/login/src/app/(login)/verify/page.tsx
+++ b/apps/login/src/app/(login)/verify/page.tsx
@@ -6,7 +6,7 @@ import { VerifyRedirectButton } from "@/components/verify-redirect-button";
 import { sendEmailCode } from "@/lib/server/verify";
 import { getServiceUrlFromHeaders } from "@/lib/service-url";
 import { loadMostRecentSession } from "@/lib/session";
-import { checkUserVerification } from "@/lib/verify-helper";
+import { checkUserVerification } from "@/lib/verification-helper";
 import {
 getBrandingSettings,
 getUserByID,
diff --git a/apps/login/src/lib/server/loginname.ts b/apps/login/src/lib/server/loginname.ts
index bbe08dfec8..1282def867 100644
--- a/apps/login/src/lib/server/loginname.ts
+++ b/apps/login/src/lib/server/loginname.ts
@@ -9,7 +9,8 @@ import { idpTypeToIdentityProviderType, idpTypeToSlug } from "../idp";
 import { PasskeysType } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { UserState } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { getServiceUrlFromHeaders } from "../service-url";
-import { checkEmailVerified, checkUserVerification } from "../verify-helper";
+import { checkUserVerification } from "../verification-helper";
+import { checkEmailVerified } from "../verify-helper";
 import {
 getActiveIdentityProviders,
 getIDPByID,
diff --git a/apps/login/src/lib/server/passkeys.ts b/apps/login/src/lib/server/passkeys.ts
index 3470629f24..1a26824141 100644
--- a/apps/login/src/lib/server/passkeys.ts
+++ b/apps/login/src/lib/server/passkeys.ts
@@ -25,10 +25,8 @@ import {
 getSessionCookieByLoginName,
 } from "../cookies";
 import { getServiceUrlFromHeaders } from "../service-url";
-import {
- checkEmailVerification,
- checkUserVerification,
-} from "../verify-helper";
+import { checkUserVerification } from "../verification-helper";
+import { checkEmailVerification } from "../verify-helper";
 import { setSessionAndUpdateCookie } from "./cookie";
 type VerifyPasskeyCommand = {
diff --git a/apps/login/src/lib/server/password.ts b/apps/login/src/lib/server/password.ts
index 34859d419b..56158ddef1 100644
--- a/apps/login/src/lib/server/password.ts
+++ b/apps/login/src/lib/server/password.ts
@@ -29,11 +29,11 @@ import { headers } from "next/headers";
 import { getNextUrl } from "../client";
 import { getSessionCookieById, getSessionCookieByLoginName } from "../cookies";
 import { getServiceUrlFromHeaders } from "../service-url";
+import { checkUserVerification } from "../verification-helper";
 import {
 checkEmailVerification,
 checkMFAFactors,
 checkPasswordChangeRequired,
- checkUserVerification,
 } from "../verify-helper";
 type ResetPasswordCommand = {
diff --git a/apps/login/src/lib/verification-helper.ts b/apps/login/src/lib/verification-helper.ts
new file mode 100644
index 0000000000..2e8565f3ac
--- /dev/null
+++ b/apps/login/src/lib/verification-helper.ts
@@ -0,0 +1,34 @@
+"use server";
+
+import crypto from "crypto";
+import { cookies } from "next/headers";
+import { getOrSetFingerprintId } from "./fingerprint";
+
+export async function checkUserVerification(userId: string): Promise {
+ // check if a verification was done earlier
+ const cookiesList = await cookies();
+ const userAgentId = await getOrSetFingerprintId();
+
+ const verificationCheck = crypto
+ .createHash("sha256")
+ .update(`${userId}:${userAgentId}`)
+ .digest("hex");
+
+ const cookieValue = await cookiesList.get("verificationCheck")?.value;
+
+ if (!cookieValue) {
+ console.warn(
+ "User verification check cookie not found. User verification check failed.",
+ );
+ return false;
+ }
+
+ if (cookieValue !== verificationCheck) {
+ console.warn(
+ `User verification check failed. Expected ${verificationCheck} but got ${cookieValue}`,
+ );
+ return false;
+ }
+
+ return true;
+}
diff --git a/apps/login/src/lib/verify-helper.ts b/apps/login/src/lib/verify-helper.ts
index a25f9ef805..45de5df315 100644
--- a/apps/login/src/lib/verify-helper.ts
+++ b/apps/login/src/lib/verify-helper.ts
@@ -4,10 +4,7 @@ import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings
 import { PasswordExpirySettings } from "@zitadel/proto/zitadel/settings/v2/password_settings_pb";
 import { HumanUser } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { AuthenticationMethodType } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
-import crypto from "crypto";
 import moment from "moment";
-import { cookies } from "next/headers";
-import { getOrSetFingerprintId } from "./fingerprint";
 import { getUserByID } from "./zitadel";
 export function checkPasswordChangeRequired(
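Review bot: In the new `verification-helper.ts`, the mismatch branch of `checkUserVerification` logs both the expected digest and the received cookie, so anyone with log access can read a value that would pass this check for that user and device, and the client-controlled cookie reaches the log unsanitised; log only the outcome, e.g. `console.warn("User verification check failed: cookie does not match.");`. Because the file is marked `"use server"`, the exported function becomes a server action that a client can invoke directly with any `userId`, so that argument should be treated as untrusted input. The expected value is a plain SHA-256 of `${userId}:${userAgentId}` with no server-held secret; if the fingerprint id is readable by the browser (its storage is not visible in this diff), the cookie value can be derived without completing verification, and switching both this check and the code that sets the cookie to `crypto.createHmac("sha256", SERVER_SECRET_PLACEHOLDER)` would close that. The `!==` comparison could also be replaced with `crypto.timingSafeEqual` on equal-length buffers.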
@@ -252,32 +249,3 @@ export async function checkMFAFactors(
 return { redirect: `/mfa/set?` + params };
 }
 }
-
-export async function checkUserVerification(userId: string): Promise {
- // check if a verification was done earlier
- const cookiesList = await cookies();
- const userAgentId = await getOrSetFingerprintId();
-
- const verificationCheck = crypto
- .createHash("sha256")
- .update(`${userId}:${userAgentId}`)
- .digest("hex");
-
- const cookieValue = await cookiesList.get("verificationCheck")?.value;
-
- if (!cookieValue) {
- console.warn(
- "User verification check cookie not found. User verification check failed.",
- );
- return false;
- }
-
- if (cookieValue !== verificationCheck) {
- console.warn(
- `User verification check failed. Expected ${verificationCheck} but got ${cookieValue}`,
- );
- return false;
- }
-
- return true;
-}