fix(authz): ignore unready auth methods for mfa requirement check (#11056)

# Which Problems Are Solved

The recent
[fix](2a7db64881)
made sure the Zitadel API always requires MFA if a user has set up so
even though not required by the login policy. After the deployment,
multiple users reached out that also users without any MFA set up got
the corresponding `[permission_denied] mfa required (AUTHZ-KI3p0)`error.

# How the Problems Are Solved

- Only consider auth methods that are verified and ready to use when deciding whether MFA is required; auth methods that were registered but never verified (not ready) are ignored.

# Additional Changes

None

# Additional Context

- relates to
2a7db64881
- closes https://github.com/zitadel/zitadel/issues/11055
- requires backport to v2.71.x, v3.x and v4.x
This commit is contained in:
Livio Spring
2025-11-11 06:55:59 +01:00
committed by GitHub
parent 449285fda3
commit e4a959c321
2 changed files with 14 additions and 2 deletions


@@ -972,11 +972,22 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
func Test_ZITADEL_API_missing_mfa(t *testing.T) {
mfaUser := createFullUser(CTX)
registerTOTP(CTX, t, mfaUser.GetUserId())
// make sure the session works even with a not fully set up MFA factor
_, err := Instance.Client.UserV2.RegisterTOTP(CTX, &user.RegisterTOTPRequest{
UserId: mfaUser.GetUserId(),
})
require.NoError(t, err)
id, token, _, _ := Instance.CreatePasswordSession(t, LoginCTX, mfaUser.GetUserId(), integration.UserPassword)
ctx := integration.WithAuthorizationToken(context.Background(), token)
sessionResp, err := Instance.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
require.NoError(t, err)
// now fully set up MFA and make sure the session is rejected without MFA
registerTOTP(CTX, t, mfaUser.GetUserId())
id, token, _, _ = Instance.CreatePasswordSession(t, LoginCTX, mfaUser.GetUserId(), integration.UserPassword)
ctx = integration.WithAuthorizationToken(context.Background(), token)
sessionResp, err = Instance.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
require.Error(t, err)
require.Nil(t, sessionResp)
}
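Review bot: `require.Error(t, err)` on the final GetSession accepts any error, so the rejection half of the test still passes if the call fails for an unrelated reason (transport, timeout) rather than with the MFA gate; pin the expected failure, e.g. `require.Equal(t, codes.PermissionDenied, status.Code(err))` if the file already imports the grpc `codes`/`status` packages, otherwise `require.ErrorContains(t, err, "AUTHZ-KI3p0")`. The first half only checks `require.NoError` and never inspects `sessionResp`; a `require.NotNil(t, sessionResp)` after the first GetSession would make the "unverified factor does not block the session" assertion explicit instead of relying on the unused result. The `registerTOTP` call directly after `createFullUser` reads as the removed original line rather than new code; if it is still on the new side, the user would already be fully MFA-enrolled before the first session and the NoError assertion would contradict the test's intent.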


@@ -19,6 +19,7 @@ LEFT JOIN LATERAL (
WHERE
projections.user_auth_methods5.user_id = projections.users14.id
AND projections.user_auth_methods5.instance_id = projections.users14.instance_id
AND projections.user_auth_methods5.state = 2
) AS user_auth_methods5 ON TRUE
WHERE
projections.users14.id = $1
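Review bot: The added `state = 2` is a bare magic number for what is presumably the "ready" value of the Go MFA state enum; if that enum is ever renumbered, the lateral join silently matches nothing and the MFA requirement check fails open (a user with verified factors would no longer be required to present MFA). Add a comment naming the constant it mirrors, e.g. `-- 2 = MFA state "ready": only verified, usable factors count towards the MFA requirement`, and consider binding the value as a query parameter from the Go side so the SQL literal and the enum cannot drift. Either way, a query test should pin this literal against the enum value so a renumbering breaks CI rather than the authz gate. The enclosing query starts before this hunk and appears to continue after it.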