fix(authz): ignore unready auth methods for mfa requirement check (#11056)
# Which Problems Are Solved The recent [fix](2a7db64881) made sure the Zitadel API always requires MFA if a user has set one up, even though it is not required by the login policy. After the deployment, multiple users reported that users without any MFA set up also got the corresponding `[permission_denied] mfa required (AUTHZ-KI3p0)` error. # How the Problems Are Solved - Only check the set-up factors which are verified and ready to use; ignore all unready auth methods. # Additional Changes None # Additional Context - relates to 2a7db64881 - closes https://github.com/zitadel/zitadel/issues/11055 - requires backport to v2.71.x, v3.x and v4.x
@@ -972,11 +972,22 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
|
|||||||
|
|
||||||
func Test_ZITADEL_API_missing_mfa(t *testing.T) {
|
func Test_ZITADEL_API_missing_mfa(t *testing.T) {
|
||||||
mfaUser := createFullUser(CTX)
|
mfaUser := createFullUser(CTX)
|
||||||
registerTOTP(CTX, t, mfaUser.GetUserId())
|
|
||||||
|
// make sure the session works even with a not fully set up MFA factor
|
||||||
|
_, err := Instance.Client.UserV2.RegisterTOTP(CTX, &user.RegisterTOTPRequest{
|
||||||
|
UserId: mfaUser.GetUserId(),
|
||||||
|
})
|
||||||
|
require.NoError(t, err)
|
||||||
id, token, _, _ := Instance.CreatePasswordSession(t, LoginCTX, mfaUser.GetUserId(), integration.UserPassword)
|
id, token, _, _ := Instance.CreatePasswordSession(t, LoginCTX, mfaUser.GetUserId(), integration.UserPassword)
|
||||||
ctx := integration.WithAuthorizationToken(context.Background(), token)
|
ctx := integration.WithAuthorizationToken(context.Background(), token)
|
||||||
|
|
||||||
sessionResp, err := Instance.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
|
sessionResp, err := Instance.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
// now fully set up MFA and make sure the session is rejected without MFA
|
||||||
|
registerTOTP(CTX, t, mfaUser.GetUserId())
|
||||||
|
id, token, _, _ = Instance.CreatePasswordSession(t, LoginCTX, mfaUser.GetUserId(), integration.UserPassword)
|
||||||
|
ctx = integration.WithAuthorizationToken(context.Background(), token)
|
||||||
|
sessionResp, err = Instance.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
|
||||||
require.Error(t, err)
|
require.Error(t, err)
|
||||||
require.Nil(t, sessionResp)
|
require.Nil(t, sessionResp)
|
||||||
}
|
}
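Review bot: The closing `require.Error(t, err)` of the second scenario accepts any failure, so a GetSession call that fails for an unrelated reason (bad token, session not found, transport error) would still pass even if the MFA requirement check regressed. The description names the expected outcome as `[permission_denied] mfa required (AUTHZ-KI3p0)`, so pin the status instead, e.g. `require.Equal(t, codes.PermissionDenied, status.Code(err))` (using the grpc `codes`/`status` packages, if this file does not already import them). For symmetry, the positive scenario could also assert `require.NotNil(t, sessionResp)` after the first `require.NoError(t, err)`, which is the only place the "not fully set up factor does not block the session" claim is actually checked. Note that the test now covers two behaviours under one name; a short comment at the top, or a sub-test per scenario, would make a failure report point at the right half.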
|
||||||
|
|||||||
@@ -19,6 +19,7 @@ LEFT JOIN LATERAL (
|
|||||||
WHERE
|
WHERE
|
||||||
projections.user_auth_methods5.user_id = projections.users14.id
|
projections.user_auth_methods5.user_id = projections.users14.id
|
||||||
AND projections.user_auth_methods5.instance_id = projections.users14.instance_id
|
AND projections.user_auth_methods5.instance_id = projections.users14.instance_id
|
||||||
|
AND projections.user_auth_methods5.state = 2
|
||||||
) AS user_auth_methods5 ON TRUE
|
) AS user_auth_methods5 ON TRUE
|
||||||
WHERE
|
WHERE
|
||||||
projections.users14.id = $1
|
projections.users14.id = $1
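Review bot: The added predicate `AND projections.user_auth_methods5.state = 2` filters on a bare literal; nothing in the hunk says which state value `2` denotes, so a reader cannot confirm from here that it keeps only verified/ready factors and excludes both not-ready and removed ones. This looks like an expected-query fixture (positional `$1` placeholder, duplicated `WHERE`), in which case the Go code building the real query should format the ready-state constant into the SQL rather than hard-coding `2`, so the fixture, the query and the enum cannot drift apart; a comment next to that constant naming the enum would also help. The predicate sits inside the LATERAL subquery whose SELECT begins before this hunk, so it is worth confirming that this is the aggregation the MFA requirement check consumes and that the same filter reaches the production query, not only this fixture.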
|
||||||
|
|||||||