verify check, mfa check response

2025-08-24 23:18:04 +00:00 · 2024-12-23 16:26:20 +01:00
parent 670ed71dd1
commit 2951b617ce
4 changed files with 46 additions and 8 deletions
--- a/apps/login/src/lib/server/idp.ts
+++ b/apps/login/src/lib/server/idp.ts
@@ -98,7 +98,10 @@ export async function createNewSessionFromIdpIntent(
  }

  // TODO: check if user has MFA methods
-  // checkMFAFactors(session, loginSettings, authMethods, organization, authRequestId);
+  // const mfaFactorCheck = checkMFAFactors(session, loginSettings, authMethods, organization, authRequestId);
+  // if (mfaFactorCheck?.redirect) {
+  //   return mfaFactorCheck;
+  // }

  const url = await getNextUrl(
    command.authRequestId && session.id
--- a/apps/login/src/lib/server/password.ts
+++ b/apps/login/src/lib/server/password.ts
@@ -185,7 +185,7 @@ export async function sendPassword(command: UpdateSessionCommand) {
    return { error: "Could not verify password!" };
  }

-  checkMFAFactors(
+  const mfaFactorCheck = checkMFAFactors(
    session,
    loginSettings,
    authMethods,
@@ -193,6 +193,10 @@ export async function sendPassword(command: UpdateSessionCommand) {
    command.authRequestId,
  );

+  if (mfaFactorCheck?.redirect) {
+    return mfaFactorCheck;
+  }
+
  if (command.authRequestId && session.id) {
    const nextUrl = await getNextUrl(
      {
--- a/apps/login/src/lib/server/register.ts
+++ b/apps/login/src/lib/server/register.ts
@@ -1,7 +1,7 @@
 "use server";

 import { createSessionAndUpdateCookie } from "@/lib/server/cookie";
-import { addHumanUser, getLoginSettings } from "@/lib/zitadel";
+import { addHumanUser, getLoginSettings, getUserByID } from "@/lib/zitadel";
 import { create } from "@zitadel/client";
 import { Factors } from "@zitadel/proto/zitadel/session/v2/session_pb";
 import {
@@ -9,6 +9,7 @@ import {
  ChecksSchema,
 } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
 import { getNextUrl } from "../client";
+import { checkEmailVerification } from "../verify-helper";

 type RegisterUserCommand = {
  email: string;
@@ -25,7 +26,7 @@ export type RegisterUserResponse = {
  factors: Factors | undefined;
 };
 export async function registerUser(command: RegisterUserCommand) {
-  const human = await addHumanUser({
+  const addResponse = await addHumanUser({
    email: command.email,
    firstName: command.firstName,
    lastName: command.lastName,
@@ -33,14 +34,14 @@ export async function registerUser(command: RegisterUserCommand) {
    organization: command.organization,
  });

-  if (!human) {
+  if (!addResponse) {
    return { error: "Could not create user" };
  }

  const loginSettings = await getLoginSettings(command.organization);

  let checkPayload: any = {
-    user: { search: { case: "userId", value: human.userId } },
+    user: { search: { case: "userId", value: addResponse.userId } },
  };

  if (command.password) {
@@ -75,6 +76,28 @@ export async function registerUser(command: RegisterUserCommand) {

    return { redirect: "/passkey/set?" + params };
  } else {
+    const userResponse = await getUserByID(session?.factors?.user?.id);
+
+    if (!userResponse.user) {
+      return { error: "Could not find user" };
+    }
+
+    const humanUser =
+      userResponse.user.type.case === "human"
+        ? userResponse.user.type.value
+        : undefined;
+
+    const emailVerificationCheck = checkEmailVerification(
+      session,
+      humanUser,
+      session.factors.user.organizationId,
+      command.authRequestId,
+    );
+
+    if (emailVerificationCheck?.redirect) {
+      return emailVerificationCheck;
+    }
+
    const url = await getNextUrl(
      command.authRequestId && session.id
        ? {
--- a/apps/login/src/lib/server/verify.ts
+++ b/apps/login/src/lib/server/verify.ts
@@ -139,7 +139,7 @@ export async function sendVerification(command: VerifyUserByEmailCommand) {
  }

  // redirect to mfa factor if user has one, or redirect to set one up
-  checkMFAFactors(
+  const mfaFactorCheck = checkMFAFactors(
    session,
    loginSettings,
    authMethodResponse.authMethodTypes,
@@ -147,6 +147,10 @@ export async function sendVerification(command: VerifyUserByEmailCommand) {
    command.authRequestId,
  );

+  if (mfaFactorCheck?.redirect) {
+    return mfaFactorCheck;
+  }
+
  // login user if no additional steps are required
  if (command.authRequestId && session.id) {
    const nextUrl = await getNextUrl(
@@ -299,7 +303,7 @@ export async function sendVerificationRedirectWithoutCheck(
  const loginSettings = await getLoginSettings(user.details?.resourceOwner);

  // redirect to mfa factor if user has one, or redirect to set one up
-  checkMFAFactors(
+  const mfaFactorCheck = checkMFAFactors(
    session,
    loginSettings,
    authMethodResponse.authMethodTypes,
@@ -307,6 +311,10 @@ export async function sendVerificationRedirectWithoutCheck(
    command.authRequestId,
  );

+  if (mfaFactorCheck?.redirect) {
+    return mfaFactorCheck;
+  }
+
  // login user if no additional steps are required
  if (command.authRequestId && session.id) {
    const nextUrl = await getNextUrl(