TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-10-21 14:40:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: handle disabled mfa types correctly during login (#979)

Browse Source 
* fix: handle disabled mfa types during login correctly

* fix: add 2fa to default login policy

* fix: setup

* Update internal/setup/step7.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
This commit is contained in:
Livio Amstutz
2020-11-18 12:56:24 +01:00
committed by GitHub
parent 955dec8694
commit b9be5f4e11
8 changed files with 128 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
internal/auth/repository/eventsourcing/eventstore/auth_request.go
View File

@@ -624,12 +624,16 @@ func (repo *AuthRequestRepo) usersForUserSelection(request *model.AuthRequest) (
func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView, request *model.AuthRequest, user *user_model.UserView) (model.NextStep, bool, error) {
mfaLevel := request.MfaLevel()
promptRequired := (user.MfaMaxSetUp < mfaLevel) || !user.HasRequiredOrgMFALevel(request.LoginPolicy)
if promptRequired || !repo.mfaSkippedOrSetUp(user, request.LoginPolicy) {
allowedProviders, required := user.MfaTypesAllowed(mfaLevel, request.LoginPolicy)
promptRequired := (user.MfaMaxSetUp < mfaLevel) || (len(allowedProviders) == 0 && required)
if promptRequired || !repo.mfaSkippedOrSetUp(user) {
types := user.MfaTypesSetupPossible(mfaLevel, request.LoginPolicy)
if promptRequired && len(types) == 0 {
return nil, false, errors.ThrowPreconditionFailed(nil, "LOGIN-5Hm8s", "Errors.Login.LoginPolicy.MFA.ForceAndNotConfigured")
}
if len(types) == 0 {
return nil, true, nil
}
return &model.MfaPromptStep{
Required: promptRequired,
MfaProviders: types,
@@ -639,7 +643,7 @@ func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView,
default:
fallthrough
case model.MFALevelNotSetUp:
if user.MfaMaxSetUp == model.MFALevelNotSetUp {
if len(allowedProviders) == 0 {
return nil, true, nil
}
fallthrough
@@ -658,11 +662,11 @@ func (repo *AuthRequestRepo) mfaChecked(userSession *user_model.UserSessionView,
}
}
return &model.MfaVerificationStep{
MfaProviders: user.MfaTypesAllowed(mfaLevel, request.LoginPolicy),
MfaProviders: allowedProviders,
}, false, nil
}
func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView, policy *iam_model.LoginPolicyView) bool {
func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView) bool {
if user.MfaMaxSetUp > model.MFALevelNotSetUp {
return true
}