fix: enable login with password when passwordless set up (#1120)

* fix: enable login with password when passwordless set up * enable only it allowed
2025-08-12 08:27:32 +00:00 · 2020-12-18 13:42:21 +01:00
parent 40ced9154e
commit 410a53f15b
6 changed files with 72 additions and 13 deletions
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -643,24 +643,28 @@ func (repo *AuthRequestRepo) firstFactorChecked(request *model.AuthRequest, user
 		return &model.InitUserStep{PasswordSet: user.PasswordSet}
 	}

+	var step model.NextStep
 	if request.LoginPolicy.PasswordlessType != iam_model.PasswordlessTypeNotAllowed && user.IsPasswordlessReady() {
-		if !checkVerificationTime(userSession.PasswordlessVerification, repo.MultiFactorCheckLifeTime) {
-			return &model.PasswordlessStep{}
+		if checkVerificationTime(userSession.PasswordlessVerification, repo.MultiFactorCheckLifeTime) {
+			request.AuthTime = userSession.PasswordlessVerification
+			return nil
 		}
-		request.AuthTime = userSession.PasswordlessVerification
-		return nil
+		step = &model.PasswordlessStep{}
 	}

 	if !user.PasswordSet {
 		return &model.InitPasswordStep{}
 	}

-	if !checkVerificationTime(userSession.PasswordVerification, repo.PasswordCheckLifeTime) {
-		return &model.PasswordStep{}
+	if checkVerificationTime(userSession.PasswordVerification, repo.PasswordCheckLifeTime) {
+		request.PasswordVerified = true
+		request.AuthTime = userSession.PasswordVerification
+		return nil
 	}
-	request.PasswordVerified = true
-	request.AuthTime = userSession.PasswordVerification
-	return nil
+	if step != nil {
+		return step
+	}
+	return &model.PasswordStep{}
 }

 func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView, request *model.AuthRequest, user *user_model.UserView) (model.NextStep, bool, error) {
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
@@ -611,6 +611,35 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]model.NextStep{&model.RedirectToCallbackStep{}},
 			nil,
 		},
+		{
+			"password verified, passwordless set up, mfa not verified, mfa check step",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{
+					PasswordVerification: time.Now().UTC().Add(-5 * time.Minute),
+				},
+				userViewProvider: &mockViewUser{
+					PasswordSet:        true,
+					PasswordlessTokens: user_view_model.WebAuthNTokens{&user_view_model.WebAuthNView{ID: "id", State: int32(user_model.MFAStateReady)}},
+					OTPState:           int32(user_model.MFAStateReady),
+					MFAMaxSetUp:        int32(model.MFALevelMultiFactor),
+				},
+				userEventProvider:         &mockEventUser{},
+				orgViewProvider:           &mockViewOrg{State: org_model.OrgStateActive},
+				PasswordCheckLifeTime:     10 * 24 * time.Hour,
+				SecondFactorCheckLifeTime: 18 * time.Hour,
+			},
+			args{
+				&model.AuthRequest{
+					UserID: "UserID",
+					LoginPolicy: &iam_model.LoginPolicyView{
+						SecondFactors: []iam_model.SecondFactorType{iam_model.SecondFactorTypeOTP},
+					},
+				}, false},
+			[]model.NextStep{&model.MFAVerificationStep{
+				MFAProviders: []model.MFAType{model.MFATypeOTP},
+			}},
+			nil,
+		},
 		{
 			"mfa not verified, mfa check step",
 			fields{