only read cookie

This commit is contained in:
Max Peintner
2025-05-21 11:00:18 +02:00
parent 14a8e74b69
commit 75b682a646
6 changed files with 45 additions and 40 deletions


@@ -6,7 +6,7 @@ import { VerifyRedirectButton } from "@/components/verify-redirect-button";
import { sendEmailCode } from "@/lib/server/verify"; import { sendEmailCode } from "@/lib/server/verify";
import { getServiceUrlFromHeaders } from "@/lib/service-url"; import { getServiceUrlFromHeaders } from "@/lib/service-url";
import { loadMostRecentSession } from "@/lib/session"; import { loadMostRecentSession } from "@/lib/session";
import { checkUserVerification } from "@/lib/verification-helper"; import { checkUserVerification } from "@/lib/verify-helper";
import { import {
getBrandingSettings, getBrandingSettings,
getUserByID, getUserByID,


@@ -9,8 +9,7 @@ import { idpTypeToIdentityProviderType, idpTypeToSlug } from "../idp";
import { PasskeysType } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb"; import { PasskeysType } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
import { UserState } from "@zitadel/proto/zitadel/user/v2/user_pb"; import { UserState } from "@zitadel/proto/zitadel/user/v2/user_pb";
import { getServiceUrlFromHeaders } from "../service-url"; import { getServiceUrlFromHeaders } from "../service-url";
import { checkUserVerification } from "../verification-helper"; import { checkEmailVerified, checkUserVerification } from "../verify-helper";
import { checkEmailVerified } from "../verify-helper";
import { import {
getActiveIdentityProviders, getActiveIdentityProviders,
getIDPByID, getIDPByID,


@@ -25,8 +25,10 @@ import {
getSessionCookieByLoginName, getSessionCookieByLoginName,
} from "../cookies"; } from "../cookies";
import { getServiceUrlFromHeaders } from "../service-url"; import { getServiceUrlFromHeaders } from "../service-url";
import { checkUserVerification } from "../verification-helper"; import {
import { checkEmailVerification } from "../verify-helper"; checkEmailVerification,
checkUserVerification,
} from "../verify-helper";
import { setSessionAndUpdateCookie } from "./cookie"; import { setSessionAndUpdateCookie } from "./cookie";
type VerifyPasskeyCommand = { type VerifyPasskeyCommand = {


@@ -29,11 +29,11 @@ import { headers } from "next/headers";
import { getNextUrl } from "../client"; import { getNextUrl } from "../client";
import { getSessionCookieById, getSessionCookieByLoginName } from "../cookies"; import { getSessionCookieById, getSessionCookieByLoginName } from "../cookies";
import { getServiceUrlFromHeaders } from "../service-url"; import { getServiceUrlFromHeaders } from "../service-url";
import { checkUserVerification } from "../verification-helper";
import { import {
checkEmailVerification, checkEmailVerification,
checkMFAFactors, checkMFAFactors,
checkPasswordChangeRequired, checkPasswordChangeRequired,
checkUserVerification,
} from "../verify-helper"; } from "../verify-helper";
type ResetPasswordCommand = { type ResetPasswordCommand = {


@@ -1,34 +0,0 @@
"use server";
import crypto from "crypto";
import { cookies } from "next/headers";
import { getOrSetFingerprintId } from "./fingerprint";
export async function checkUserVerification(userId: string): Promise<boolean> {
// check if a verification was done earlier
const cookiesList = await cookies();
const userAgentId = await getOrSetFingerprintId();
const verificationCheck = crypto
.createHash("sha256")
.update(`${userId}:${userAgentId}`)
.digest("hex");
const cookieValue = await cookiesList.get("verificationCheck")?.value;
if (!cookieValue) {
console.warn(
"User verification check cookie not found. User verification check failed.",
);
return false;
}
if (cookieValue !== verificationCheck) {
console.warn(
`User verification check failed. Expected ${verificationCheck} but got ${cookieValue}`,
);
return false;
}
return true;
}


@@ -4,7 +4,10 @@ import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings
import { PasswordExpirySettings } from "@zitadel/proto/zitadel/settings/v2/password_settings_pb"; import { PasswordExpirySettings } from "@zitadel/proto/zitadel/settings/v2/password_settings_pb";
import { HumanUser } from "@zitadel/proto/zitadel/user/v2/user_pb"; import { HumanUser } from "@zitadel/proto/zitadel/user/v2/user_pb";
import { AuthenticationMethodType } from "@zitadel/proto/zitadel/user/v2/user_service_pb"; import { AuthenticationMethodType } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
import crypto from "crypto";
import moment from "moment"; import moment from "moment";
import { cookies } from "next/headers";
import { getFingerprintIdCookie } from "./fingerprint";
import { getUserByID } from "./zitadel"; import { getUserByID } from "./zitadel";
export function checkPasswordChangeRequired( export function checkPasswordChangeRequired(
@@ -249,3 +252,38 @@ export async function checkMFAFactors(
return { redirect: `/mfa/set?` + params }; return { redirect: `/mfa/set?` + params };
} }
} }
export async function checkUserVerification(userId: string): Promise<boolean> {
// check if a verification was done earlier
const cookiesList = await cookies();
// only read cookie to prevent issues on page.tsx
const userAgentId = await getFingerprintIdCookie();
if (!userAgentId || userAgentId.value) {
return false;
}
const verificationCheck = crypto
.createHash("sha256")
.update(`${userId}:${userAgentId}`)
.digest("hex");
const cookieValue = await cookiesList.get("verificationCheck")?.value;
if (!cookieValue) {
console.warn(
"User verification check cookie not found. User verification check failed.",
);
return false;
}
if (cookieValue !== verificationCheck) {
console.warn(
`User verification check failed. Expected ${verificationCheck} but got ${cookieValue}`,
);
return false;
}
return true;
}
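Review bot: The guard `if (!userAgentId || userAgentId.value)` in the moved `checkUserVerification` is inverted — it returns false precisely when the fingerprint cookie is present with a non-empty value, and on the one path that gets past it the `.update(`${userId}:${userAgentId}`)` line interpolates the cookie object (the `.value` access above shows `getFingerprintIdCookie()` returns an object, not the id string), so the digest can never match and the check always fails. The two lines should read `if (!userAgentId?.value) { return false; }` and `.update(`${userId}:${userAgentId.value}`)`. The mismatch branch also logs both the expected digest and the received cookie value; logging only that the check failed is enough for diagnostics and keeps verification material out of log storage. Since both hash inputs appear to be client-held cookie values, an unkeyed SHA-256 offers no integrity against a client that knows them — a server-keyed HMAC may be worth considering, presumably as a separate change.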