mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-12 11:57:37 +00:00
feat: add WebAuthN support for passwordless login and 2fa (#966)
* at least registration prompt works * in memory test for login * buttons to start webauthn process * begin eventstore impl * begin eventstore impl * serialize into bytes * fix: u2f, passwordless types * fix for localhost * fix script * fix: u2f, passwordless types * fix: add u2f * fix: verify u2f * fix: session data in event store * fix: u2f credentials in eventstore * fix: webauthn pkg handles business models * feat: tests * feat: append events * fix: test * fix: check only ready webauthn creds * fix: move u2f methods to authrepo * frontend improvements * fix return * feat: add passwordless * feat: add passwordless * improve ui / error handling * separate call for login * fix login * js * feat: u2f login methods * feat: remove unused session id * feat: error handling * feat: error handling * feat: refactor user eventstore * feat: finish webauthn * feat: u2f and passwordlss in auth.proto * u2f step * passwordless step * cleanup js * EndpointPasswordLessLogin * migration * update mfaChecked test * next step test * token name * cleanup * attribute * passwordless as tokens * remove sms as otp type * add "user" to amr for webauthn * error handling * fixes * fix tests * naming * naming * fixes * session handler * i18n * error handling in login * Update internal/ui/login/static/i18n/de.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * improvements * merge fixes * fixes * fixes Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
This commit is contained in:
Livio Amstutz
@@ -7,6 +7,7 @@ import (
|
||||
"github.com/caos/zitadel/internal/project/model"
|
||||
proj_event "github.com/caos/zitadel/internal/project/repository/eventsourcing"
|
||||
proj_view_model "github.com/caos/zitadel/internal/project/repository/view/model"
|
||||
"github.com/caos/zitadel/internal/telemetry/tracing"
|
||||
)
|
||||
|
||||
type ApplicationRepo struct {
|
||||
@@ -22,7 +23,10 @@ func (a *ApplicationRepo) ApplicationByClientID(ctx context.Context, clientID st
|
||||
return proj_view_model.ApplicationViewToModel(app), nil
|
||||
}
|
||||
|
||||
func (a *ApplicationRepo) AuthorizeOIDCApplication(ctx context.Context, clientID, secret string) error {
|
||||
func (a *ApplicationRepo) AuthorizeOIDCApplication(ctx context.Context, clientID, secret string) (err error) {
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() { span.EndWithError(err) }()
|
||||
|
||||
app, err := a.View.ApplicationByClientID(ctx, clientID)
|
||||
if err != nil {
|
||||
return err
|
||||
|
||||
@@ -47,7 +47,7 @@ type AuthRequestRepo struct {
|
||||
|
||||
PasswordCheckLifeTime time.Duration
|
||||
ExternalLoginCheckLifeTime time.Duration
|
||||
MfaInitSkippedLifeTime time.Duration
|
||||
MFAInitSkippedLifeTime time.Duration
|
||||
SecondFactorCheckLifeTime time.Duration
|
||||
MultiFactorCheckLifeTime time.Duration
|
||||
|
||||
@@ -245,27 +245,62 @@ func (repo *AuthRequestRepo) SelectUser(ctx context.Context, id, userID, userAge
|
||||
func (repo *AuthRequestRepo) VerifyPassword(ctx context.Context, id, userID, password, userAgentID string, info *model.BrowserInfo) (err error) {
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() { span.EndWithError(err) }()
|
||||
request, err := repo.getAuthRequest(ctx, id, userAgentID)
|
||||
request, err := repo.getAuthRequestEnsureUser(ctx, id, userAgentID, userID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if request.UserID != userID {
|
||||
return errors.ThrowPreconditionFailed(nil, "EVENT-ds35D", "Errors.User.NotMatchingUserID")
|
||||
}
|
||||
return repo.UserEvents.CheckPassword(ctx, userID, password, request.WithCurrentInfo(info))
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) VerifyMfaOTP(ctx context.Context, authRequestID, userID, code, userAgentID string, info *model.BrowserInfo) (err error) {
|
||||
func (repo *AuthRequestRepo) VerifyMFAOTP(ctx context.Context, authRequestID, userID, code, userAgentID string, info *model.BrowserInfo) (err error) {
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() { span.EndWithError(err) }()
|
||||
request, err := repo.getAuthRequest(ctx, authRequestID, userAgentID)
|
||||
request, err := repo.getAuthRequestEnsureUser(ctx, authRequestID, userAgentID, userID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if request.UserID != userID {
|
||||
return errors.ThrowPreconditionFailed(nil, "EVENT-ADJ26", "Errors.User.NotMatchingUserID")
|
||||
return repo.UserEvents.CheckMFAOTP(ctx, userID, code, request.WithCurrentInfo(info))
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) BeginMFAU2FLogin(ctx context.Context, userID, authRequestID, userAgentID string) (login *user_model.WebAuthNLogin, err error) {
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() { span.EndWithError(err) }()
|
||||
|
||||
request, err := repo.getAuthRequestEnsureUser(ctx, authRequestID, userAgentID, userID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return repo.UserEvents.CheckMfaOTP(ctx, userID, code, request.WithCurrentInfo(info))
|
||||
return repo.UserEvents.BeginU2FLogin(ctx, userID, request)
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) VerifyMFAU2F(ctx context.Context, userID, authRequestID, userAgentID string, credentialData []byte, info *model.BrowserInfo) (err error) {
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() { span.EndWithError(err) }()
|
||||
request, err := repo.getAuthRequestEnsureUser(ctx, authRequestID, userAgentID, userID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return repo.UserEvents.VerifyMFAU2F(ctx, userID, credentialData, request)
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) BeginPasswordlessLogin(ctx context.Context, userID, authRequestID, userAgentID string) (login *user_model.WebAuthNLogin, err error) {
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() { span.EndWithError(err) }()
|
||||
request, err := repo.getAuthRequestEnsureUser(ctx, authRequestID, userAgentID, userID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return repo.UserEvents.BeginPasswordlessLogin(ctx, userID, request)
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) VerifyPasswordless(ctx context.Context, userID, authRequestID, userAgentID string, credentialData []byte, info *model.BrowserInfo) (err error) {
|
||||
ctx, span := tracing.NewSpan(ctx)
|
||||
defer func() { span.EndWithError(err) }()
|
||||
request, err := repo.getAuthRequestEnsureUser(ctx, authRequestID, userAgentID, userID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return repo.UserEvents.VerifyPasswordless(ctx, userID, credentialData, request)
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) LinkExternalUsers(ctx context.Context, authReqID, userAgentID string, info *model.BrowserInfo) (err error) {
|
||||
@@ -365,6 +400,17 @@ func (repo *AuthRequestRepo) getAuthRequestNextSteps(ctx context.Context, id, us
|
||||
return request, nil
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) getAuthRequestEnsureUser(ctx context.Context, authRequestID, userAgentID, userID string) (*model.AuthRequest, error) {
|
||||
request, err := repo.getAuthRequest(ctx, authRequestID, userAgentID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if request.UserID != userID {
|
||||
return nil, errors.ThrowPreconditionFailed(nil, "EVENT-GBH32", "Errors.User.NotMatchingUserID")
|
||||
}
|
||||
return request, nil
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) getAuthRequest(ctx context.Context, id, userAgentID string) (*model.AuthRequest, error) {
|
||||
request, err := repo.AuthRequests.GetAuthRequestByID(ctx, id)
|
||||
if err != nil {
|
||||
@@ -545,27 +591,19 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if (request.SelectedIDPConfigID != "" || userSession.SelectedIDPConfigID != "") && (request.LinkingUsers == nil || len(request.LinkingUsers) == 0) {
|
||||
if !checkVerificationTime(userSession.ExternalLoginVerification, repo.ExternalLoginCheckLifeTime) {
|
||||
selectedIDPConfigID := request.SelectedIDPConfigID
|
||||
if selectedIDPConfigID == "" {
|
||||
selectedIDPConfigID = userSession.SelectedIDPConfigID
|
||||
}
|
||||
return append(steps, &model.ExternalLoginStep{SelectedIDPConfigID: selectedIDPConfigID}), nil
|
||||
isInternalLogin := request.SelectedIDPConfigID == "" && userSession.SelectedIDPConfigID == ""
|
||||
if !isInternalLogin && len(request.LinkingUsers) == 0 && !checkVerificationTime(userSession.ExternalLoginVerification, repo.ExternalLoginCheckLifeTime) {
|
||||
selectedIDPConfigID := request.SelectedIDPConfigID
|
||||
if selectedIDPConfigID == "" {
|
||||
selectedIDPConfigID = userSession.SelectedIDPConfigID
|
||||
}
|
||||
} else if (request.SelectedIDPConfigID == "" && userSession.SelectedIDPConfigID == "") || (request.SelectedIDPConfigID != "" && request.LinkingUsers != nil && len(request.LinkingUsers) > 0) {
|
||||
if user.InitRequired {
|
||||
return append(steps, &model.InitUserStep{PasswordSet: user.PasswordSet}), nil
|
||||
return append(steps, &model.ExternalLoginStep{SelectedIDPConfigID: selectedIDPConfigID}), nil
|
||||
}
|
||||
if isInternalLogin || (!isInternalLogin && len(request.LinkingUsers) > 0) {
|
||||
step := repo.firstFactorChecked(request, user, userSession)
|
||||
if step != nil {
|
||||
return append(steps, step), nil
|
||||
}
|
||||
if !user.PasswordSet {
|
||||
return append(steps, &model.InitPasswordStep{}), nil
|
||||
}
|
||||
|
||||
if !checkVerificationTime(userSession.PasswordVerification, repo.PasswordCheckLifeTime) {
|
||||
return append(steps, &model.PasswordStep{}), nil
|
||||
}
|
||||
request.PasswordVerified = true
|
||||
request.AuthTime = userSession.PasswordVerification
|
||||
}
|
||||
|
||||
step, ok, err := repo.mfaChecked(userSession, request, user)
|
||||
@@ -624,21 +662,46 @@ func (repo *AuthRequestRepo) usersForUserSelection(request *model.AuthRequest) (
|
||||
return users, nil
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) firstFactorChecked(request *model.AuthRequest, user *user_model.UserView, userSession *user_model.UserSessionView) model.NextStep {
|
||||
if user.InitRequired {
|
||||
return &model.InitUserStep{PasswordSet: user.PasswordSet}
|
||||
}
|
||||
|
||||
if user.IsPasswordlessReady() {
|
||||
if !checkVerificationTime(userSession.PasswordlessVerification, repo.MultiFactorCheckLifeTime) {
|
||||
return &model.PasswordlessStep{}
|
||||
}
|
||||
request.AuthTime = userSession.PasswordlessVerification
|
||||
return nil
|
||||
}
|
||||
|
||||
if !user.PasswordSet {
|
||||
return &model.InitPasswordStep{}
|
||||
}
|
||||
|
||||
if !checkVerificationTime(userSession.PasswordVerification, repo.PasswordCheckLifeTime) {
|
||||
return &model.PasswordStep{}
|
||||
}
|
||||
request.PasswordVerified = true
|
||||
request.AuthTime = userSession.PasswordVerification
|
||||
return nil
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView, request *model.AuthRequest, user *user_model.UserView) (model.NextStep, bool, error) {
|
||||
mfaLevel := request.MfaLevel()
|
||||
allowedProviders, required := user.MfaTypesAllowed(mfaLevel, request.LoginPolicy)
|
||||
promptRequired := (user.MfaMaxSetUp < mfaLevel) || (len(allowedProviders) == 0 && required)
|
||||
mfaLevel := request.MFALevel()
|
||||
allowedProviders, required := user.MFATypesAllowed(mfaLevel, request.LoginPolicy)
|
||||
promptRequired := (user.MFAMaxSetUp < mfaLevel) || (len(allowedProviders) == 0 && required)
|
||||
if promptRequired || !repo.mfaSkippedOrSetUp(user) {
|
||||
types := user.MfaTypesSetupPossible(mfaLevel, request.LoginPolicy)
|
||||
types := user.MFATypesSetupPossible(mfaLevel, request.LoginPolicy)
|
||||
if promptRequired && len(types) == 0 {
|
||||
return nil, false, errors.ThrowPreconditionFailed(nil, "LOGIN-5Hm8s", "Errors.Login.LoginPolicy.MFA.ForceAndNotConfigured")
|
||||
}
|
||||
if len(types) == 0 {
|
||||
return nil, true, nil
|
||||
}
|
||||
return &model.MfaPromptStep{
|
||||
return &model.MFAPromptStep{
|
||||
Required: promptRequired,
|
||||
MfaProviders: types,
|
||||
MFAProviders: types,
|
||||
}, false, nil
|
||||
}
|
||||
switch mfaLevel {
|
||||
@@ -651,28 +714,28 @@ func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView,
|
||||
fallthrough
|
||||
case model.MFALevelSecondFactor:
|
||||
if checkVerificationTime(userSession.SecondFactorVerification, repo.SecondFactorCheckLifeTime) {
|
||||
request.MfasVerified = append(request.MfasVerified, userSession.SecondFactorVerificationType)
|
||||
request.MFAsVerified = append(request.MFAsVerified, userSession.SecondFactorVerificationType)
|
||||
request.AuthTime = userSession.SecondFactorVerification
|
||||
return nil, true, nil
|
||||
}
|
||||
fallthrough
|
||||
case model.MFALevelMultiFactor:
|
||||
if checkVerificationTime(userSession.MultiFactorVerification, repo.MultiFactorCheckLifeTime) {
|
||||
request.MfasVerified = append(request.MfasVerified, userSession.MultiFactorVerificationType)
|
||||
request.MFAsVerified = append(request.MFAsVerified, userSession.MultiFactorVerificationType)
|
||||
request.AuthTime = userSession.MultiFactorVerification
|
||||
return nil, true, nil
|
||||
}
|
||||
}
|
||||
return &model.MfaVerificationStep{
|
||||
MfaProviders: allowedProviders,
|
||||
return &model.MFAVerificationStep{
|
||||
MFAProviders: allowedProviders,
|
||||
}, false, nil
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView) bool {
|
||||
if user.MfaMaxSetUp > model.MFALevelNotSetUp {
|
||||
if user.MFAMaxSetUp > model.MFALevelNotSetUp {
|
||||
return true
|
||||
}
|
||||
return checkVerificationTime(user.MfaInitSkipped, repo.MfaInitSkippedLifeTime)
|
||||
return checkVerificationTime(user.MFAInitSkipped, repo.MFAInitSkippedLifeTime)
|
||||
}
|
||||
|
||||
func (repo *AuthRequestRepo) getLoginPolicy(ctx context.Context, orgID string) (*iam_model.LoginPolicyView, error) {
|
||||
@@ -745,7 +808,11 @@ func userSessionByIDs(ctx context.Context, provider userSessionViewProvider, eve
|
||||
es_model.HumanExternalLoginCheckSucceeded,
|
||||
es_model.HumanMFAOTPCheckSucceeded,
|
||||
es_model.HumanMFAOTPCheckFailed,
|
||||
es_model.HumanSignedOut:
|
||||
es_model.HumanSignedOut,
|
||||
es_model.HumanPasswordlessTokenCheckSucceeded,
|
||||
es_model.HumanPasswordlessTokenCheckFailed,
|
||||
es_model.HumanMFAU2FTokenCheckSucceeded,
|
||||
es_model.HumanMFAU2FTokenCheckFailed:
|
||||
eventData, err := user_view_model.UserSessionFromEvent(event)
|
||||
if err != nil {
|
||||
logging.Log("EVENT-sdgT3").WithError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Debug("error getting event data")
|
||||
|
||||
@@ -48,8 +48,10 @@ func (m *mockViewErrUserSession) UserSessionsByAgentID(string) ([]*user_view_mod
|
||||
|
||||
type mockViewUserSession struct {
|
||||
ExternalLoginVerification time.Time
|
||||
PasswordlessVerification time.Time
|
||||
PasswordVerification time.Time
|
||||
SecondFactorVerification time.Time
|
||||
MultiFactorVerification time.Time
|
||||
Users []mockUser
|
||||
}
|
||||
|
||||
@@ -61,8 +63,10 @@ type mockUser struct {
|
||||
func (m *mockViewUserSession) UserSessionByIDs(string, string) (*user_view_model.UserSessionView, error) {
|
||||
return &user_view_model.UserSessionView{
|
||||
ExternalLoginVerification: m.ExternalLoginVerification,
|
||||
PasswordlessVerification: m.PasswordlessVerification,
|
||||
PasswordVerification: m.PasswordVerification,
|
||||
SecondFactorVerification: m.SecondFactorVerification,
|
||||
MultiFactorVerification: m.MultiFactorVerification,
|
||||
}, nil
|
||||
}
|
||||
|
||||
@@ -115,8 +119,9 @@ type mockViewUser struct {
|
||||
PasswordChangeRequired bool
|
||||
IsEmailVerified bool
|
||||
OTPState int32
|
||||
MfaMaxSetUp int32
|
||||
MfaInitSkipped time.Time
|
||||
MFAMaxSetUp int32
|
||||
MFAInitSkipped time.Time
|
||||
PasswordlessTokens user_view_model.WebAuthNTokens
|
||||
}
|
||||
|
||||
type mockLoginPolicy struct {
|
||||
@@ -138,8 +143,9 @@ func (m *mockViewUser) UserByID(string) (*user_view_model.UserView, error) {
|
||||
PasswordChangeRequired: m.PasswordChangeRequired,
|
||||
IsEmailVerified: m.IsEmailVerified,
|
||||
OTPState: m.OTPState,
|
||||
MfaMaxSetUp: m.MfaMaxSetUp,
|
||||
MfaInitSkipped: m.MfaInitSkipped,
|
||||
MFAMaxSetUp: m.MFAMaxSetUp,
|
||||
MFAInitSkipped: m.MFAInitSkipped,
|
||||
PasswordlessTokens: m.PasswordlessTokens,
|
||||
},
|
||||
}, nil
|
||||
}
|
||||
@@ -200,7 +206,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
loginPolicyProvider loginPolicyViewProvider
|
||||
PasswordCheckLifeTime time.Duration
|
||||
ExternalLoginCheckLifeTime time.Duration
|
||||
MfaInitSkippedLifeTime time.Duration
|
||||
MFAInitSkippedLifeTime time.Duration
|
||||
SecondFactorCheckLifeTime time.Duration
|
||||
MultiFactorCheckLifeTime time.Duration
|
||||
}
|
||||
@@ -413,6 +419,49 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
}},
|
||||
nil,
|
||||
},
|
||||
{
|
||||
"passwordless not verified, passwordless check step",
|
||||
fields{
|
||||
userSessionViewProvider: &mockViewUserSession{},
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
PasswordlessTokens: user_view_model.WebAuthNTokens{&user_view_model.WebAuthNView{ID: "id", State: int32(user_model.MFAStateReady)}},
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
MultiFactorCheckLifeTime: 10 * time.Hour,
|
||||
},
|
||||
args{&model.AuthRequest{UserID: "UserID"}, false},
|
||||
[]model.NextStep{&model.PasswordlessStep{}},
|
||||
nil,
|
||||
},
|
||||
{
|
||||
"passwordless verified, email not verified, email verification step",
|
||||
fields{
|
||||
userSessionViewProvider: &mockViewUserSession{
|
||||
PasswordlessVerification: time.Now().Add(-5 * time.Minute),
|
||||
MultiFactorVerification: time.Now().Add(-5 * time.Minute),
|
||||
},
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
PasswordlessTokens: user_view_model.WebAuthNTokens{&user_view_model.WebAuthNView{ID: "id", State: int32(user_model.MFAStateReady)}},
|
||||
PasswordChangeRequired: false,
|
||||
IsEmailVerified: false,
|
||||
MFAMaxSetUp: int32(model.MFALevelMultiFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
MultiFactorCheckLifeTime: 10 * time.Hour,
|
||||
},
|
||||
args{&model.AuthRequest{
|
||||
UserID: "UserID",
|
||||
LoginPolicy: &iam_model.LoginPolicyView{
|
||||
MultiFactors: []iam_model.MultiFactorType{iam_model.MultiFactorTypeU2FWithPIN},
|
||||
},
|
||||
}, false},
|
||||
[]model.NextStep{&model.VerifyEMailStep{}},
|
||||
nil,
|
||||
},
|
||||
{
|
||||
"password not set, init password step",
|
||||
fields{
|
||||
@@ -433,7 +482,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
},
|
||||
userViewProvider: &mockViewUser{
|
||||
IsEmailVerified: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -452,7 +501,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
},
|
||||
userViewProvider: &mockViewUser{
|
||||
IsEmailVerified: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -499,7 +548,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
IsEmailVerified: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -525,8 +574,8 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
},
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
OTPState: int32(user_model.MfaStateReady),
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
OTPState: int32(user_model.MFAStateReady),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -540,8 +589,8 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
|
||||
},
|
||||
}, false},
|
||||
[]model.NextStep{&model.MfaVerificationStep{
|
||||
MfaProviders: []model.MFAType{model.MFATypeOTP},
|
||||
[]model.NextStep{&model.MFAVerificationStep{
|
||||
MFAProviders: []model.MFAType{model.MFATypeOTP},
|
||||
}},
|
||||
nil,
|
||||
},
|
||||
@@ -554,8 +603,8 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
},
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
OTPState: int32(user_model.MfaStateReady),
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
OTPState: int32(user_model.MFAStateReady),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -571,8 +620,8 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
|
||||
},
|
||||
}, false},
|
||||
[]model.NextStep{&model.MfaVerificationStep{
|
||||
MfaProviders: []model.MFAType{model.MFATypeOTP},
|
||||
[]model.NextStep{&model.MFAVerificationStep{
|
||||
MFAProviders: []model.MFAType{model.MFATypeOTP},
|
||||
}},
|
||||
nil,
|
||||
},
|
||||
@@ -587,7 +636,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
PasswordSet: true,
|
||||
PasswordChangeRequired: true,
|
||||
IsEmailVerified: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -613,7 +662,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
},
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -639,7 +688,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
PasswordChangeRequired: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -665,7 +714,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
IsEmailVerified: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -693,7 +742,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
IsEmailVerified: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -722,7 +771,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
IsEmailVerified: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -754,7 +803,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
IsEmailVerified: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -785,7 +834,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
IsEmailVerified: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -810,7 +859,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
userViewProvider: &mockViewUser{
|
||||
PasswordSet: true,
|
||||
IsEmailVerified: true,
|
||||
MfaMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
MFAMaxSetUp: int32(model.MFALevelSecondFactor),
|
||||
},
|
||||
userEventProvider: &mockEventUser{},
|
||||
orgViewProvider: &mockViewOrg{State: org_model.OrgStateActive},
|
||||
@@ -844,7 +893,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
LoginPolicyViewProvider: tt.fields.loginPolicyProvider,
|
||||
PasswordCheckLifeTime: tt.fields.PasswordCheckLifeTime,
|
||||
ExternalLoginCheckLifeTime: tt.fields.ExternalLoginCheckLifeTime,
|
||||
MfaInitSkippedLifeTime: tt.fields.MfaInitSkippedLifeTime,
|
||||
MFAInitSkippedLifeTime: tt.fields.MFAInitSkippedLifeTime,
|
||||
SecondFactorCheckLifeTime: tt.fields.SecondFactorCheckLifeTime,
|
||||
MultiFactorCheckLifeTime: tt.fields.MultiFactorCheckLifeTime,
|
||||
}
|
||||
@@ -860,7 +909,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
|
||||
|
||||
func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
type fields struct {
|
||||
MfaInitSkippedLifeTime time.Duration
|
||||
MFAInitSkippedLifeTime time.Duration
|
||||
SecondFactorCheckLifeTime time.Duration
|
||||
MultiFactorCheckLifeTime time.Duration
|
||||
}
|
||||
@@ -884,7 +933,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
// args{
|
||||
// request: &model.AuthRequest{PossibleLOAs: []model.LevelOfAssurance{}},
|
||||
// user: &user_model.UserView{
|
||||
// OTPState: user_model.MfaStateReady,
|
||||
// OTPState: user_model.MFAStateReady,
|
||||
// },
|
||||
// },
|
||||
// false,
|
||||
@@ -892,7 +941,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
{
|
||||
"not set up, forced by policy, no mfas configured, error",
|
||||
fields{
|
||||
MfaInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
MFAInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
},
|
||||
args{
|
||||
request: &model.AuthRequest{
|
||||
@@ -902,7 +951,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
},
|
||||
user: &user_model.UserView{
|
||||
HumanView: &user_model.HumanView{
|
||||
MfaMaxSetUp: model.MFALevelNotSetUp,
|
||||
MFAMaxSetUp: model.MFALevelNotSetUp,
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -913,7 +962,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
{
|
||||
"not set up, no mfas configured, no prompt and true",
|
||||
fields{
|
||||
MfaInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
MFAInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
},
|
||||
args{
|
||||
request: &model.AuthRequest{
|
||||
@@ -921,7 +970,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
},
|
||||
user: &user_model.UserView{
|
||||
HumanView: &user_model.HumanView{
|
||||
MfaMaxSetUp: model.MFALevelNotSetUp,
|
||||
MFAMaxSetUp: model.MFALevelNotSetUp,
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -932,7 +981,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
{
|
||||
"not set up, prompt and false",
|
||||
fields{
|
||||
MfaInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
MFAInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
},
|
||||
args{
|
||||
request: &model.AuthRequest{
|
||||
@@ -942,12 +991,12 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
},
|
||||
user: &user_model.UserView{
|
||||
HumanView: &user_model.HumanView{
|
||||
MfaMaxSetUp: model.MFALevelNotSetUp,
|
||||
MFAMaxSetUp: model.MFALevelNotSetUp,
|
||||
},
|
||||
},
|
||||
},
|
||||
&model.MfaPromptStep{
|
||||
MfaProviders: []model.MFAType{
|
||||
&model.MFAPromptStep{
|
||||
MFAProviders: []model.MFAType{
|
||||
model.MFATypeOTP,
|
||||
},
|
||||
},
|
||||
@@ -957,7 +1006,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
{
|
||||
"not set up, forced by org, true",
|
||||
fields{
|
||||
MfaInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
MFAInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
},
|
||||
args{
|
||||
request: &model.AuthRequest{
|
||||
@@ -968,13 +1017,13 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
},
|
||||
user: &user_model.UserView{
|
||||
HumanView: &user_model.HumanView{
|
||||
MfaMaxSetUp: model.MFALevelNotSetUp,
|
||||
MFAMaxSetUp: model.MFALevelNotSetUp,
|
||||
},
|
||||
},
|
||||
},
|
||||
&model.MfaPromptStep{
|
||||
&model.MFAPromptStep{
|
||||
Required: true,
|
||||
MfaProviders: []model.MFAType{
|
||||
MFAProviders: []model.MFAType{
|
||||
model.MFATypeOTP,
|
||||
},
|
||||
},
|
||||
@@ -984,7 +1033,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
{
|
||||
"not set up and skipped, true",
|
||||
fields{
|
||||
MfaInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
MFAInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
},
|
||||
args{
|
||||
request: &model.AuthRequest{
|
||||
@@ -992,8 +1041,8 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
},
|
||||
user: &user_model.UserView{
|
||||
HumanView: &user_model.HumanView{
|
||||
MfaMaxSetUp: model.MFALevelNotSetUp,
|
||||
MfaInitSkipped: time.Now().UTC(),
|
||||
MFAMaxSetUp: model.MFALevelNotSetUp,
|
||||
MFAInitSkipped: time.Now().UTC(),
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -1014,8 +1063,8 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
},
|
||||
user: &user_model.UserView{
|
||||
HumanView: &user_model.HumanView{
|
||||
MfaMaxSetUp: model.MFALevelSecondFactor,
|
||||
OTPState: user_model.MfaStateReady,
|
||||
MFAMaxSetUp: model.MFALevelSecondFactor,
|
||||
OTPState: user_model.MFAStateReady,
|
||||
},
|
||||
},
|
||||
userSession: &user_model.UserSessionView{SecondFactorVerification: time.Now().UTC().Add(-5 * time.Hour)},
|
||||
@@ -1037,15 +1086,15 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
},
|
||||
user: &user_model.UserView{
|
||||
HumanView: &user_model.HumanView{
|
||||
MfaMaxSetUp: model.MFALevelSecondFactor,
|
||||
OTPState: user_model.MfaStateReady,
|
||||
MFAMaxSetUp: model.MFALevelSecondFactor,
|
||||
OTPState: user_model.MFAStateReady,
|
||||
},
|
||||
},
|
||||
userSession: &user_model.UserSessionView{},
|
||||
},
|
||||
|
||||
&model.MfaVerificationStep{
|
||||
MfaProviders: []model.MFAType{model.MFATypeOTP},
|
||||
&model.MFAVerificationStep{
|
||||
MFAProviders: []model.MFAType{model.MFATypeOTP},
|
||||
},
|
||||
false,
|
||||
nil,
|
||||
@@ -1054,7 +1103,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
repo := &AuthRequestRepo{
|
||||
MfaInitSkippedLifeTime: tt.fields.MfaInitSkippedLifeTime,
|
||||
MFAInitSkippedLifeTime: tt.fields.MFAInitSkippedLifeTime,
|
||||
SecondFactorCheckLifeTime: tt.fields.SecondFactorCheckLifeTime,
|
||||
MultiFactorCheckLifeTime: tt.fields.MultiFactorCheckLifeTime,
|
||||
}
|
||||
@@ -1073,7 +1122,7 @@ func TestAuthRequestRepo_mfaChecked(t *testing.T) {
|
||||
|
||||
func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
|
||||
type fields struct {
|
||||
MfaInitSkippedLifeTime time.Duration
|
||||
MFAInitSkippedLifeTime time.Duration
|
||||
}
|
||||
type args struct {
|
||||
user *user_model.UserView
|
||||
@@ -1090,7 +1139,7 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
|
||||
args{
|
||||
&user_model.UserView{
|
||||
HumanView: &user_model.HumanView{
|
||||
MfaMaxSetUp: model.MFALevelSecondFactor,
|
||||
MFAMaxSetUp: model.MFALevelSecondFactor,
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -1099,13 +1148,13 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
|
||||
{
|
||||
"mfa skipped active, true",
|
||||
fields{
|
||||
MfaInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
MFAInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
},
|
||||
args{
|
||||
&user_model.UserView{
|
||||
HumanView: &user_model.HumanView{
|
||||
MfaMaxSetUp: -1,
|
||||
MfaInitSkipped: time.Now().UTC().Add(-10 * time.Hour),
|
||||
MFAMaxSetUp: -1,
|
||||
MFAInitSkipped: time.Now().UTC().Add(-10 * time.Hour),
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -1114,13 +1163,13 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
|
||||
{
|
||||
"mfa skipped inactive, false",
|
||||
fields{
|
||||
MfaInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
MFAInitSkippedLifeTime: 30 * 24 * time.Hour,
|
||||
},
|
||||
args{
|
||||
&user_model.UserView{
|
||||
HumanView: &user_model.HumanView{
|
||||
MfaMaxSetUp: -1,
|
||||
MfaInitSkipped: time.Now().UTC().Add(-40 * 24 * time.Hour),
|
||||
MFAMaxSetUp: -1,
|
||||
MFAInitSkipped: time.Now().UTC().Add(-40 * 24 * time.Hour),
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -1130,7 +1179,7 @@ func TestAuthRequestRepo_mfaSkippedOrSetUp(t *testing.T) {
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
repo := &AuthRequestRepo{
|
||||
MfaInitSkippedLifeTime: tt.fields.MfaInitSkippedLifeTime,
|
||||
MFAInitSkippedLifeTime: tt.fields.MFAInitSkippedLifeTime,
|
||||
}
|
||||
if got := repo.mfaSkippedOrSetUp(tt.args.user); got != tt.want {
|
||||
t.Errorf("mfaSkippedOrSetUp() = %v, want %v", got, tt.want)
|
||||
|
||||
@@ -253,18 +253,22 @@ func (repo *UserRepo) ChangePassword(ctx context.Context, userID, old, new strin
|
||||
return err
|
||||
}
|
||||
|
||||
func (repo *UserRepo) MyUserMfas(ctx context.Context) ([]*model.MultiFactor, error) {
|
||||
func (repo *UserRepo) MyUserMFAs(ctx context.Context) ([]*model.MultiFactor, error) {
|
||||
user, err := repo.UserByID(ctx, authz.GetCtxData(ctx).UserID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if user.OTPState == model.MfaStateUnspecified {
|
||||
return []*model.MultiFactor{}, nil
|
||||
mfas := make([]*model.MultiFactor, 0)
|
||||
if user.OTPState != model.MFAStateUnspecified {
|
||||
mfas = append(mfas, &model.MultiFactor{Type: model.MFATypeOTP, State: user.OTPState})
|
||||
}
|
||||
return []*model.MultiFactor{{Type: model.MfaTypeOTP, State: user.OTPState}}, nil
|
||||
for _, u2f := range user.U2FTokens {
|
||||
mfas = append(mfas, &model.MultiFactor{Type: model.MFATypeU2F, State: u2f.State, Attribute: u2f.Name})
|
||||
}
|
||||
return mfas, nil
|
||||
}
|
||||
|
||||
func (repo *UserRepo) AddMfaOTP(ctx context.Context, userID string) (*model.OTP, error) {
|
||||
func (repo *UserRepo) AddMFAOTP(ctx context.Context, userID string) (*model.OTP, error) {
|
||||
accountName := ""
|
||||
user, err := repo.UserByID(ctx, userID)
|
||||
if err != nil {
|
||||
@@ -275,7 +279,7 @@ func (repo *UserRepo) AddMfaOTP(ctx context.Context, userID string) (*model.OTP,
|
||||
return repo.UserEvents.AddOTP(ctx, userID, accountName)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) AddMyMfaOTP(ctx context.Context) (*model.OTP, error) {
|
||||
func (repo *UserRepo) AddMyMFAOTP(ctx context.Context) (*model.OTP, error) {
|
||||
accountName := ""
|
||||
user, err := repo.UserByID(ctx, authz.GetCtxData(ctx).UserID)
|
||||
if err != nil {
|
||||
@@ -286,18 +290,66 @@ func (repo *UserRepo) AddMyMfaOTP(ctx context.Context) (*model.OTP, error) {
|
||||
return repo.UserEvents.AddOTP(ctx, authz.GetCtxData(ctx).UserID, accountName)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) VerifyMfaOTPSetup(ctx context.Context, userID, code string) error {
|
||||
return repo.UserEvents.CheckMfaOTPSetup(ctx, userID, code)
|
||||
func (repo *UserRepo) VerifyMFAOTPSetup(ctx context.Context, userID, code string) error {
|
||||
return repo.UserEvents.CheckMFAOTPSetup(ctx, userID, code)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) VerifyMyMfaOTPSetup(ctx context.Context, code string) error {
|
||||
return repo.UserEvents.CheckMfaOTPSetup(ctx, authz.GetCtxData(ctx).UserID, code)
|
||||
func (repo *UserRepo) VerifyMyMFAOTPSetup(ctx context.Context, code string) error {
|
||||
return repo.UserEvents.CheckMFAOTPSetup(ctx, authz.GetCtxData(ctx).UserID, code)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) RemoveMyMfaOTP(ctx context.Context) error {
|
||||
func (repo *UserRepo) RemoveMyMFAOTP(ctx context.Context) error {
|
||||
return repo.UserEvents.RemoveOTP(ctx, authz.GetCtxData(ctx).UserID)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) AddMFAU2F(ctx context.Context, userID string) (*model.WebAuthNToken, error) {
|
||||
return repo.UserEvents.AddU2F(ctx, userID)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) AddMyMFAU2F(ctx context.Context) (*model.WebAuthNToken, error) {
|
||||
return repo.UserEvents.AddU2F(ctx, authz.GetCtxData(ctx).UserID)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) VerifyMFAU2FSetup(ctx context.Context, userID, tokenName string, credentialData []byte) error {
|
||||
return repo.UserEvents.VerifyU2FSetup(ctx, userID, tokenName, credentialData)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) VerifyMyMFAU2FSetup(ctx context.Context, tokenName string, credentialData []byte) error {
|
||||
return repo.UserEvents.VerifyU2FSetup(ctx, authz.GetCtxData(ctx).UserID, tokenName, credentialData)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) RemoveMFAU2F(ctx context.Context, userID, webAuthNTokenID string) error {
|
||||
return repo.UserEvents.RemoveU2FToken(ctx, userID, webAuthNTokenID)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) RemoveMyMFAU2F(ctx context.Context, webAuthNTokenID string) error {
|
||||
return repo.UserEvents.RemoveU2FToken(ctx, authz.GetCtxData(ctx).UserID, webAuthNTokenID)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) AddPasswordless(ctx context.Context, userID string) (*model.WebAuthNToken, error) {
|
||||
return repo.UserEvents.AddPasswordless(ctx, userID)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) AddMyPasswordless(ctx context.Context) (*model.WebAuthNToken, error) {
|
||||
return repo.UserEvents.AddPasswordless(ctx, authz.GetCtxData(ctx).UserID)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) VerifyPasswordlessSetup(ctx context.Context, userID, tokenName string, credentialData []byte) error {
|
||||
return repo.UserEvents.VerifyPasswordlessSetup(ctx, userID, tokenName, credentialData)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) VerifyMyPasswordlessSetup(ctx context.Context, tokenName string, credentialData []byte) error {
|
||||
return repo.UserEvents.VerifyPasswordlessSetup(ctx, authz.GetCtxData(ctx).UserID, tokenName, credentialData)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) RemovePasswordless(ctx context.Context, userID, webAuthNTokenID string) error {
|
||||
return repo.UserEvents.RemovePasswordlessToken(ctx, userID, webAuthNTokenID)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) RemoveMyPasswordless(ctx context.Context, webAuthNTokenID string) error {
|
||||
return repo.UserEvents.RemovePasswordlessToken(ctx, authz.GetCtxData(ctx).UserID, webAuthNTokenID)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) ChangeMyUsername(ctx context.Context, username string) error {
|
||||
ctxData := authz.GetCtxData(ctx)
|
||||
orgPolicy, err := repo.View.OrgIAMPolicyByAggregateID(ctxData.OrgID)
|
||||
@@ -327,8 +379,8 @@ func (repo *UserRepo) VerifyInitCode(ctx context.Context, userID, code, password
|
||||
return repo.UserEvents.VerifyInitCode(ctx, pwPolicyView, userID, code, password)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) SkipMfaInit(ctx context.Context, userID string) error {
|
||||
return repo.UserEvents.SkipMfaInit(ctx, userID)
|
||||
func (repo *UserRepo) SkipMFAInit(ctx context.Context, userID string) error {
|
||||
return repo.UserEvents.SkipMFAInit(ctx, userID)
|
||||
}
|
||||
|
||||
func (repo *UserRepo) RequestPasswordReset(ctx context.Context, loginname string) error {
|
||||
|
||||
@@ -67,7 +67,7 @@ func (u *User) ProcessUser(event *models.Event) (err error) {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
u.fillLoginNames(user)
|
||||
err = u.fillLoginNames(user)
|
||||
case es_model.UserProfileChanged,
|
||||
es_model.UserEmailChanged,
|
||||
es_model.UserEmailVerified,
|
||||
@@ -94,6 +94,12 @@ func (u *User) ProcessUser(event *models.Event) (err error) {
|
||||
es_model.HumanMFAOTPAdded,
|
||||
es_model.HumanMFAOTPVerified,
|
||||
es_model.HumanMFAOTPRemoved,
|
||||
es_model.HumanMFAU2FTokenAdded,
|
||||
es_model.HumanMFAU2FTokenVerified,
|
||||
es_model.HumanMFAU2FTokenRemoved,
|
||||
es_model.HumanPasswordlessTokenAdded,
|
||||
es_model.HumanPasswordlessTokenVerified,
|
||||
es_model.HumanPasswordlessTokenRemoved,
|
||||
es_model.HumanMFAInitSkipped,
|
||||
es_model.MachineChanged,
|
||||
es_model.HumanPasswordChanged:
|
||||
|
||||
@@ -48,6 +48,10 @@ func (u *UserSession) Reduce(event *models.Event) (err error) {
|
||||
es_model.HumanExternalLoginCheckSucceeded,
|
||||
es_model.HumanMFAOTPCheckSucceeded,
|
||||
es_model.HumanMFAOTPCheckFailed,
|
||||
es_model.HumanMFAU2FTokenCheckSucceeded,
|
||||
es_model.HumanMFAU2FTokenCheckFailed,
|
||||
es_model.HumanPasswordlessTokenCheckSucceeded,
|
||||
es_model.HumanPasswordlessTokenCheckFailed,
|
||||
es_model.HumanSignedOut:
|
||||
eventData, err := view_model.UserSessionFromEvent(event)
|
||||
if err != nil {
|
||||
@@ -78,7 +82,9 @@ func (u *UserSession) Reduce(event *models.Event) (err error) {
|
||||
es_model.DomainClaimed,
|
||||
es_model.UserUserNameChanged,
|
||||
es_model.HumanExternalIDPRemoved,
|
||||
es_model.HumanExternalIDPCascadeRemoved:
|
||||
es_model.HumanExternalIDPCascadeRemoved,
|
||||
es_model.HumanPasswordlessTokenRemoved,
|
||||
es_model.HumanMFAU2FTokenRemoved:
|
||||
sessions, err := u.view.UserSessionsByUserID(event.AggregateID)
|
||||
if err != nil {
|
||||
return err
|
||||
|
||||
@@ -138,7 +138,7 @@ func Start(conf Config, authZ authz.Config, systemDefaults sd.SystemDefaults, au
|
||||
IdGenerator: idGenerator,
|
||||
PasswordCheckLifeTime: systemDefaults.VerificationLifetimes.PasswordCheck.Duration,
|
||||
ExternalLoginCheckLifeTime: systemDefaults.VerificationLifetimes.PasswordCheck.Duration,
|
||||
MfaInitSkippedLifeTime: systemDefaults.VerificationLifetimes.MfaInitSkip.Duration,
|
||||
MFAInitSkippedLifeTime: systemDefaults.VerificationLifetimes.MFAInitSkip.Duration,
|
||||
SecondFactorCheckLifeTime: systemDefaults.VerificationLifetimes.SecondFactorCheck.Duration,
|
||||
MultiFactorCheckLifeTime: systemDefaults.VerificationLifetimes.MultiFactorCheck.Duration,
|
||||
IAMID: systemDefaults.IamID,
|
||||
|
||||
@@ -48,8 +48,8 @@ func (v *View) IsUserUnique(userName, email string) (bool, error) {
|
||||
return view.IsUserUnique(v.Db, userTable, userName, email)
|
||||
}
|
||||
|
||||
func (v *View) UserMfas(userID string) ([]*usr_model.MultiFactor, error) {
|
||||
return view.UserMfas(v.Db, userTable, userID)
|
||||
func (v *View) UserMFAs(userID string) ([]*usr_model.MultiFactor, error) {
|
||||
return view.UserMFAs(v.Db, userTable, userID)
|
||||
}
|
||||
|
||||
func (v *View) PutUser(user *model.UserView, sequence uint64, eventTimestamp time.Time) error {
|
||||
|
||||
Reference in New Issue
Block a user