check user auth methods

This commit is contained in:
Max Peintner
2024-12-09 14:44:10 +01:00
parent 6690a45146
commit 40b474821f


@@ -7,6 +7,7 @@ import {
getAuthRequest, getAuthRequest,
getLoginSettings, getLoginSettings,
getOrgsByDomain, getOrgsByDomain,
listAuthenticationMethodTypes,
listSessions, listSessions,
startIdentityProviderFlow, startIdentityProviderFlow,
} from "@/lib/zitadel"; } from "@/lib/zitadel";
@@ -20,6 +21,7 @@ import {
SessionSchema, SessionSchema,
} from "@zitadel/proto/zitadel/oidc/v2/oidc_service_pb"; } from "@zitadel/proto/zitadel/oidc/v2/oidc_service_pb";
import { Session } from "@zitadel/proto/zitadel/session/v2/session_pb"; import { Session } from "@zitadel/proto/zitadel/session/v2/session_pb";
import { AuthenticationMethodType } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
import { NextRequest, NextResponse } from "next/server"; import { NextRequest, NextResponse } from "next/server";
export const dynamic = "force-dynamic"; export const dynamic = "force-dynamic";
@@ -42,14 +44,38 @@ const IDP_SCOPE_REGEX = /urn:zitadel:iam:org:idp:id:(.+)/;
* mfa is required, session is not valid anymore (e.g. session expired, user logged out, etc.) * mfa is required, session is not valid anymore (e.g. session expired, user logged out, etc.)
* to check for mfa for automatically selected session -> const response = await listAuthenticationMethodTypes(userId); * to check for mfa for automatically selected session -> const response = await listAuthenticationMethodTypes(userId);
**/ **/
async function isSessionValid( async function isSessionValid(session: Session): Promise<boolean> {
session: Session, // session can't be checked without user
checkLoginSettings?: boolean, if (!session.factors?.user) {
): Promise<boolean> { return false;
let mfaValid = true; }
if (checkLoginSettings && session.factors?.user?.organizationId) {
// TODO: check for auth methods of the user to know if the session has all required mfa methods
let mfaValid = true;
const authMethodTypes = await listAuthenticationMethodTypes(
session.factors.user.id,
);
const authMethods = authMethodTypes.authMethodTypes;
if (authMethods && authMethods.includes(AuthenticationMethodType.TOTP)) {
mfaValid = !!session.factors.totp?.verifiedAt;
} else if (
authMethods &&
authMethods.includes(AuthenticationMethodType.OTP_EMAIL)
) {
mfaValid = !!session.factors.otpEmail?.verifiedAt;
} else if (
authMethods &&
authMethods.includes(AuthenticationMethodType.OTP_SMS)
) {
mfaValid = !!session.factors.otpSms?.verifiedAt;
} else if (
authMethods &&
authMethods.includes(AuthenticationMethodType.U2F)
) {
mfaValid = !!session.factors.webAuthN?.verifiedAt;
} else {
// only check settings if no auth methods are available, as this would require a setup
const loginSettings = await getLoginSettings( const loginSettings = await getLoginSettings(
session.factors?.user?.organizationId, session.factors?.user?.organizationId,
); );
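Review bot: The if/else-if chain only checks the first registered method in a fixed order (TOTP, then OTP_EMAIL, OTP_SMS, U2F), so a user who has e.g. TOTP and U2F registered and verified the session with U2F gets `mfaValid = false` even though a second factor was completed, while the login-settings fallback in the `else` branch is also skipped whenever any of the four types is present. Treating the session as MFA-valid when any registered second factor has a `verifiedAt` on it, and only falling back to the login settings when the user has none of them, matches what the comment on the fallback describes. Note also that `listAuthenticationMethodTypes` is awaited without a try/catch here; presumably a rejection propagates to the caller, which is worth confirming so that the session is denied rather than surfacing an unhandled error. The body of isSessionValid continues past the end of this hunk.
```typescript
const authMethods = authMethodTypes.authMethodTypes ?? [];
// true when the given registered method was verified on this session
const verifiedOnSession = (method: AuthenticationMethodType): boolean => {
  switch (method) {
    case AuthenticationMethodType.TOTP:
      return !!session.factors?.totp?.verifiedAt;
    case AuthenticationMethodType.OTP_EMAIL:
      return !!session.factors?.otpEmail?.verifiedAt;
    case AuthenticationMethodType.OTP_SMS:
      return !!session.factors?.otpSms?.verifiedAt;
    case AuthenticationMethodType.U2F:
      return !!session.factors?.webAuthN?.verifiedAt;
    default:
      return false;
  }
};
const secondFactors = authMethods.filter((m) =>
  [
    AuthenticationMethodType.TOTP,
    AuthenticationMethodType.OTP_EMAIL,
    AuthenticationMethodType.OTP_SMS,
    AuthenticationMethodType.U2F,
  ].includes(m),
);
if (secondFactors.length > 0) {
  // any registered second factor verified on this session satisfies MFA
  mfaValid = secondFactors.some(verifiedOnSession);
} else {
  // … unchanged: login settings fallback …
}
```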
@@ -106,7 +132,7 @@ async function findValidSession(
// return the first valid session according to settings // return the first valid session according to settings
for (const session of sessionsWithHint) { for (const session of sessionsWithHint) {
if (await isSessionValid(session, true)) { if (await isSessionValid(session)) {
return session; return session;
} }
} }
@@ -142,7 +168,7 @@ export async function GET(request: NextRequest) {
if (selectedSession && selectedSession.id) { if (selectedSession && selectedSession.id) {
console.log(`Found session ${selectedSession.id}`); console.log(`Found session ${selectedSession.id}`);
const isValid = await isSessionValid(selectedSession, true); const isValid = await isSessionValid(selectedSession);
if (isValid) { if (isValid) {
const cookie = sessionCookies.find( const cookie = sessionCookies.find(