From 75b682a6465a4fb5079a631728336c29e20cc11b Mon Sep 17 00:00:00 2001 From: Max Peintner Date: Wed, 21 May 2025 11:00:18 +0200 Subject: [PATCH] only read cookie --- apps/login/src/app/(login)/verify/page.tsx | 2 +- apps/login/src/lib/server/loginname.ts | 3 +- apps/login/src/lib/server/passkeys.ts | 6 ++-- apps/login/src/lib/server/password.ts | 2 +- apps/login/src/lib/verification-helper.ts | 34 ------------------- apps/login/src/lib/verify-helper.ts | 38 ++++++++++++++++++++++ 6 files changed, 45 insertions(+), 40 deletions(-) delete mode 100644 apps/login/src/lib/verification-helper.ts
diff --git a/apps/login/src/app/(login)/verify/page.tsx b/apps/login/src/app/(login)/verify/page.tsx
index e5b2268f14..fcbc4fd34a 100644
--- a/apps/login/src/app/(login)/verify/page.tsx
+++ b/apps/login/src/app/(login)/verify/page.tsx
@@ -6,7 +6,7 @@ import { VerifyRedirectButton } from "@/components/verify-redirect-button";
 import { sendEmailCode } from "@/lib/server/verify";
 import { getServiceUrlFromHeaders } from "@/lib/service-url";
 import { loadMostRecentSession } from "@/lib/session";
-import { checkUserVerification } from "@/lib/verification-helper";
+import { checkUserVerification } from "@/lib/verify-helper";
 import {
 getBrandingSettings,
 getUserByID,
diff --git a/apps/login/src/lib/server/loginname.ts b/apps/login/src/lib/server/loginname.ts
index 1282def867..bbe08dfec8 100644
--- a/apps/login/src/lib/server/loginname.ts
+++ b/apps/login/src/lib/server/loginname.ts
@@ -9,8 +9,7 @@ import { idpTypeToIdentityProviderType, idpTypeToSlug } from "../idp";
 import { PasskeysType } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { UserState } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { getServiceUrlFromHeaders } from "../service-url";
-import { checkUserVerification } from "../verification-helper";
-import { checkEmailVerified } from "../verify-helper";
+import { checkEmailVerified, checkUserVerification } from "../verify-helper";
 import {
 getActiveIdentityProviders,
 getIDPByID,
diff --git a/apps/login/src/lib/server/passkeys.ts b/apps/login/src/lib/server/passkeys.ts
index 1a26824141..3470629f24 100644
--- a/apps/login/src/lib/server/passkeys.ts
+++ b/apps/login/src/lib/server/passkeys.ts
@@ -25,8 +25,10 @@ import {
 getSessionCookieByLoginName,
 } from "../cookies";
 import { getServiceUrlFromHeaders } from "../service-url";
-import { checkUserVerification } from "../verification-helper";
-import { checkEmailVerification } from "../verify-helper";
+import {
+ checkEmailVerification,
+ checkUserVerification,
+} from "../verify-helper";
 import { setSessionAndUpdateCookie } from "./cookie";
 
 type VerifyPasskeyCommand = {
diff --git a/apps/login/src/lib/server/password.ts b/apps/login/src/lib/server/password.ts
index 56158ddef1..34859d419b 100644
--- a/apps/login/src/lib/server/password.ts
+++ b/apps/login/src/lib/server/password.ts
@@ -29,11 +29,11 @@ import { headers } from "next/headers";
 import { getNextUrl } from "../client";
 import { getSessionCookieById, getSessionCookieByLoginName } from "../cookies";
 import { getServiceUrlFromHeaders } from "../service-url";
-import { checkUserVerification } from "../verification-helper";
 import {
 checkEmailVerification,
 checkMFAFactors,
 checkPasswordChangeRequired,
+ checkUserVerification,
 } from "../verify-helper";
 
 type ResetPasswordCommand = {
diff --git a/apps/login/src/lib/verification-helper.ts b/apps/login/src/lib/verification-helper.ts
deleted file mode 100644
index 2e8565f3ac..0000000000
--- a/apps/login/src/lib/verification-helper.ts
+++ /dev/null
@@ -1,34 +0,0 @@
-"use server";
-
-import crypto from "crypto";
-import { cookies } from "next/headers";
-import { getOrSetFingerprintId } from "./fingerprint";
-
-export async function checkUserVerification(userId: string): Promise {
- // check if a verification was done earlier
- const cookiesList = await cookies();
- const userAgentId = await getOrSetFingerprintId();
-
- const verificationCheck = crypto
- .createHash("sha256")
- .update(`${userId}:${userAgentId}`)
- .digest("hex");
-
- const cookieValue = await cookiesList.get("verificationCheck")?.value;
-
- if (!cookieValue) {
- console.warn(
- "User verification check cookie not found. User verification check failed.",
- );
- return false;
- }
-
- if (cookieValue !== verificationCheck) {
- console.warn(
- `User verification check failed. Expected ${verificationCheck} but got ${cookieValue}`,
- );
- return false;
- }
-
- return true;
-}
diff --git a/apps/login/src/lib/verify-helper.ts b/apps/login/src/lib/verify-helper.ts
index 45de5df315..e8a18c053c 100644
--- a/apps/login/src/lib/verify-helper.ts
+++ b/apps/login/src/lib/verify-helper.ts
@@ -4,7 +4,10 @@ import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings
 import { PasswordExpirySettings } from "@zitadel/proto/zitadel/settings/v2/password_settings_pb";
 import { HumanUser } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { AuthenticationMethodType } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
+import crypto from "crypto";
 import moment from "moment";
+import { cookies } from "next/headers";
+import { getFingerprintIdCookie } from "./fingerprint";
 import { getUserByID } from "./zitadel";
 
 export function checkPasswordChangeRequired(
@@ -249,3 +252,38 @@ export async function checkMFAFactors(
 return { redirect: `/mfa/set?` + params };
 }
 }
+
+export async function checkUserVerification(userId: string): Promise {
+ // check if a verification was done earlier
+ const cookiesList = await cookies();
+
+ // only read cookie to prevent issues on page.tsx
+ const userAgentId = await getFingerprintIdCookie();
+
+ if (!userAgentId || userAgentId.value) {
+ return false;
+ }
+
+ const verificationCheck = crypto
+ .createHash("sha256")
+ .update(`${userId}:${userAgentId}`)
+ .digest("hex");
+
+ const cookieValue = await cookiesList.get("verificationCheck")?.value;
+
+ if (!cookieValue) {
+ console.warn(
+ "User verification check cookie not found. User verification check failed.",
+ );
+ return false;
+ }
+
+ if (cookieValue !== verificationCheck) {
+ console.warn(
+ `User verification check failed. Expected ${verificationCheck} but got ${cookieValue}`,
+ );
+ return false;
+ }
+
+ return true;
+}
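Review bot: The guard `if (!userAgentId || userAgentId.value)` in the new checkUserVerification is inverted: it returns false exactly when the fingerprint cookie exists and carries a value, so a browser that has the cookie can never pass this check and the only value that gets through is an empty one. The `.update()` call that follows then hashes `${userId}:${userAgentId}`, interpolating the object returned by getFingerprintIdCookie (the guard itself reads `.value` on it) rather than its value, which in Node stringifies as `[object Object]`, so the digest no longer depends on the fingerprint at all; the deleted helper used getOrSetFingerprintId(), which presumably returned the id as a string, which is why the old code worked. Proposed: `if (!userAgentId?.value) { return false; }` and change the hashed template to `${userId}:${userAgentId.value}`. The mismatch branch also logs the expected digest, which is the exact value a client would need to present to pass this check, so the warning should report only that the check failed; comparing the two hex strings via crypto.timingSafeEqual on equal-length buffers would additionally avoid a timing difference on the comparison.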