From eb17d0c3780e8f89d83eee5e0c4ef2de1d81d666 Mon Sep 17 00:00:00 2001 From: Stefan Benz <46600784+stebenz@users.noreply.github.com> Date: Thu, 26 Jan 2023 11:40:49 +0100 Subject: [PATCH] feat: add http request to interal and external authentication actions (#5103) Add functionality to provide http.Request and authError to actions for logging or other logic. --- .../apis/actions/external-authentication.md | 5 ++ .../apis/actions/internal-authentication.md | 3 + docs/docs/apis/actions/objects.md | 14 +++++ internal/actions/object/auth_request.go | 10 ++- internal/actions/object/http_request.go | 44 +++++++++++++ internal/api/ui/login/custom_action.go | 63 ++++++++++++++++--- .../api/ui/login/external_login_handler.go | 26 ++++++-- .../api/ui/login/external_register_handler.go | 6 +- internal/api/ui/login/jwt_handler.go | 16 +++-- internal/api/ui/login/mfa_verify_handler.go | 2 +- .../api/ui/login/mfa_verify_u2f_handler.go | 2 +- internal/api/ui/login/password_handler.go | 2 +- .../ui/login/passwordless_login_handler.go | 2 +- internal/api/ui/login/register_handler.go | 4 +- 14 files changed, 170 insertions(+), 29 deletions(-) create mode 100644 internal/actions/object/http_request.go diff --git a/docs/docs/apis/actions/external-authentication.md b/docs/docs/apis/actions/external-authentication.md index 204f9eba81..8ba447333d 100644 --- a/docs/docs/apis/actions/external-authentication.md +++ b/docs/docs/apis/actions/external-authentication.md @@ -22,7 +22,10 @@ The first parameter contains the following fields The id token which will be returned to the user - `v1` - `externalUser()` [*externalUser*](./objects#external-user) + - `authError` *string* + This is a verification errors string representation. If the verification succeeds, this is "none" - `authRequest` [*auth request*](/docs/apis/actions/objects#auth-request) + - `httpRequest` [*http request*](/docs/apis/actions/objects#http-request) - `api` The second parameter contains the following fields - `v1` @@ -63,6 +66,7 @@ A user selected **Register** on the overview page after external authentication. - `v1` - `user` [*human*](./objects#human-user) - `authRequest` [*auth request*](/docs/apis/actions/objects#auth-request) + - `httpRequest` [*http request*](/docs/apis/actions/objects#http-request) - `api` The second parameter contains the following fields - `metadata` @@ -106,6 +110,7 @@ A user selected **Register** on the overview page after external authentication - `v1` - `getUser()` [*user*](./objects#user) - `authRequest` [*auth request*](/docs/apis/actions/objects#auth-request) + - `httpRequest` [*http request*](/docs/apis/actions/objects#http-request) - `api` The second parameter contains the following fields - `userGrants` Array of [*userGrant*](./objects#user-grant)'s diff --git a/docs/docs/apis/actions/internal-authentication.md b/docs/docs/apis/actions/internal-authentication.md index 61f96bc356..25654257f0 100644 --- a/docs/docs/apis/actions/internal-authentication.md +++ b/docs/docs/apis/actions/internal-authentication.md @@ -18,6 +18,7 @@ Each validation step triggers the action. - `authError` *string* This is a verification errors string representation. If the verification succeeds, this is "none" - `authRequest` [*auth request*](/docs/apis/actions/objects#auth-request) + - `httpRequest` [*http request*](/docs/apis/actions/objects#http-request) - `api` The second parameter contains the following fields - `metadata` @@ -39,6 +40,7 @@ ZITADEL did not create the user yet. - `v1` - `user` [*human*](./objects#human-user) - `authRequest` [*auth request*](/docs/apis/actions/objects#auth-request) + - `httpRequest` [*http request*](/docs/apis/actions/objects#http-request) - `api` The second parameter contains the following fields - `metadata` @@ -83,6 +85,7 @@ ZITADEL successfully created the user. - `v1` - `getUser()` [*user*](./objects#user) - `authRequest` [*auth request*](/docs/apis/actions/objects#auth-request) + - `httpRequest` [*http request*](/docs/apis/actions/objects#http-request) - `api` The second parameter contains the following fields - `userGrants` Array of [*userGrant*](./objects#user-grant)'s diff --git a/docs/docs/apis/actions/objects.md b/docs/docs/apis/actions/objects.md index 8b54e9a5cd..f2d4b1fd92 100644 --- a/docs/docs/apis/actions/objects.md +++ b/docs/docs/apis/actions/objects.md @@ -153,3 +153,17 @@ This object contains context information about the request to the [authorization - `audience` Array of *string* - `authTime` *Date* + +## HTTP Request + +This object is based on the Golang struct [http.Request](https://pkg.go.dev/net/http#Request), some attributes are removed as not all provided information is usable in this context. + +- `method` *string* +- `url` *string* +- `proto` *string* +- `contentLength` *number* +- `host` *string* +- `form` Map *string* of Array of *string* +- `postForm` Map *string* of Array of *string* +- `remoteAddr` *string* +- `headers` Map *string* of Array of *string* \ No newline at end of file diff --git a/internal/actions/object/auth_request.go b/internal/actions/object/auth_request.go index 4c4bc3e1e8..01a6f98f32 100644 --- a/internal/actions/object/auth_request.go +++ b/internal/actions/object/auth_request.go @@ -10,7 +10,7 @@ import ( "github.com/zitadel/zitadel/internal/domain" ) -// AuthRequestField accepts the domain.AuthRequest by value, so its not mutated +// AuthRequestField accepts the domain.AuthRequest by value, so it's not mutated func AuthRequestField(authRequest *domain.AuthRequest) func(c *actions.FieldConfig) interface{} { return func(c *actions.FieldConfig) interface{} { return AuthRequestFromDomain(c, authRequest) @@ -18,6 +18,12 @@ func AuthRequestField(authRequest *domain.AuthRequest) func(c *actions.FieldConf } func AuthRequestFromDomain(c *actions.FieldConfig, request *domain.AuthRequest) goja.Value { + var maxAuthAge *time.Duration + if request.MaxAuthAge != nil { + maxAuthAgeCopy := *request.MaxAuthAge + maxAuthAge = &maxAuthAgeCopy + } + return c.Runtime.ToValue(&authRequest{ Id: request.ID, AgentId: request.AgentID, @@ -34,7 +40,7 @@ func AuthRequestFromDomain(c *actions.FieldConfig, request *domain.AuthRequest) Prompt: request.Prompt, UiLocales: request.UiLocales, LoginHint: request.LoginHint, - MaxAuthAge: request.MaxAuthAge, + MaxAuthAge: maxAuthAge, InstanceId: request.InstanceID, Request: requestFromDomain(request.Request), UserId: request.UserID, diff --git a/internal/actions/object/http_request.go b/internal/actions/object/http_request.go new file mode 100644 index 0000000000..8078165bc7 --- /dev/null +++ b/internal/actions/object/http_request.go @@ -0,0 +1,44 @@ +package object + +import ( + "net/http" + + "github.com/zitadel/zitadel/internal/actions" +) + +// HTTPRequestField accepts the http.Request by value, so it's not mutated +func HTTPRequestField(request *http.Request) func(c *actions.FieldConfig) interface{} { + return func(c *actions.FieldConfig) interface{} { + return c.Runtime.ToValue(&httpRequest{ + Method: request.Method, + Url: request.URL.String(), + Proto: request.Proto, + ContentLength: request.ContentLength, + Host: request.Host, + Form: copyMap(request.Form), + PostForm: copyMap(request.PostForm), + RemoteAddr: request.RemoteAddr, + Headers: copyMap(request.Header), + }) + } +} + +type httpRequest struct { + Method string + Url string + Proto string + ContentLength int64 + Host string + Form map[string][]string + PostForm map[string][]string + RemoteAddr string + Headers map[string][]string +} + +func copyMap(src map[string][]string) map[string][]string { + dst := make(map[string][]string) + for k, v := range src { + dst[k] = v + } + return dst +} diff --git a/internal/api/ui/login/custom_action.go b/internal/api/ui/login/custom_action.go index 30f6225329..50baa9cfd4 100644 --- a/internal/api/ui/login/custom_action.go +++ b/internal/api/ui/login/custom_action.go @@ -3,6 +3,7 @@ package login import ( "context" "encoding/json" + "net/http" "github.com/dop251/goja" "github.com/zitadel/oidc/v2/pkg/oidc" @@ -15,8 +16,17 @@ import ( iam_model "github.com/zitadel/zitadel/internal/iam/model" ) -func (l *Login) customExternalUserMapping(ctx context.Context, user *domain.ExternalUser, tokens *oidc.Tokens, req *domain.AuthRequest, config *iam_model.IDPConfigView) (*domain.ExternalUser, error) { - resourceOwner := req.RequestedOrgID +func (l *Login) runPostExternalAuthenticationActions( + user *domain.ExternalUser, + tokens *oidc.Tokens, + authRequest *domain.AuthRequest, + httpRequest *http.Request, + config *iam_model.IDPConfigView, + authenticationError error, +) (*domain.ExternalUser, error) { + ctx := httpRequest.Context() + + resourceOwner := authRequest.RequestedOrgID if resourceOwner == "" { resourceOwner = config.AggregateID } @@ -69,6 +79,11 @@ func (l *Login) customExternalUserMapping(ctx context.Context, user *domain.Exte ), ) + authErrStr := "none" + if authenticationError != nil { + authErrStr = authenticationError.Error() + } + for _, a := range triggerActions { actionCtx, cancel := context.WithTimeout(ctx, a.Timeout()) @@ -77,7 +92,9 @@ func (l *Login) customExternalUserMapping(ctx context.Context, user *domain.Exte actions.SetFields("externalUser", func(c *actions.FieldConfig) interface{} { return object.UserFromExternalUser(c, user) }), - actions.SetFields("authRequest", object.AuthRequestField(req)), + actions.SetFields("authRequest", object.AuthRequestField(authRequest)), + actions.SetFields("httpRequest", object.HTTPRequestField(httpRequest)), + actions.SetFields("authError", authErrStr), ), ) @@ -109,10 +126,17 @@ const ( authMethodPasswordless authMethod = "passwordless" ) -func (l *Login) triggerPostLocalAuthentication(ctx context.Context, req *domain.AuthRequest, authMethod authMethod, authenticationError error) ([]*domain.Metadata, error) { - resourceOwner := req.RequestedOrgID +func (l *Login) runPostInternalAuthenticationActions( + authRequest *domain.AuthRequest, + httpRequest *http.Request, + authMethod authMethod, + authenticationError error, +) ([]*domain.Metadata, error) { + ctx := httpRequest.Context() + + resourceOwner := authRequest.RequestedOrgID if resourceOwner == "" { - resourceOwner = req.UserOrgID + resourceOwner = authRequest.UserOrgID } triggerActions, err := l.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeInternalAuthentication, domain.TriggerTypePostAuthentication, resourceOwner, false) @@ -136,12 +160,12 @@ func (l *Login) triggerPostLocalAuthentication(ctx context.Context, req *domain. if authenticationError != nil { authErrStr = authenticationError.Error() } - ctxFields := actions.SetContextFields( actions.SetFields("v1", actions.SetFields("authMethod", authMethod), actions.SetFields("authError", authErrStr), - actions.SetFields("authRequest", object.AuthRequestField(req)), + actions.SetFields("authRequest", object.AuthRequestField(authRequest)), + actions.SetFields("httpRequest", object.HTTPRequestField(httpRequest)), ), ) @@ -161,7 +185,16 @@ func (l *Login) triggerPostLocalAuthentication(ctx context.Context, req *domain. return object.MetadataListToDomain(metadataList), err } -func (l *Login) customUserToLoginUserMapping(ctx context.Context, authRequest *domain.AuthRequest, user *domain.Human, metadata []*domain.Metadata, resourceOwner string, flowType domain.FlowType) (*domain.Human, []*domain.Metadata, error) { +func (l *Login) runPreCreationActions( + authRequest *domain.AuthRequest, + httpRequest *http.Request, + user *domain.Human, + metadata []*domain.Metadata, + resourceOwner string, + flowType domain.FlowType, +) (*domain.Human, []*domain.Metadata, error) { + ctx := httpRequest.Context() + triggerActions, err := l.query.GetActiveActionsByFlowAndTriggerType(ctx, flowType, domain.TriggerTypePreCreation, resourceOwner, false) if err != nil { return nil, nil, err @@ -231,6 +264,7 @@ func (l *Login) customUserToLoginUserMapping(ctx context.Context, authRequest *d return object.UserFromHuman(c, user) }), actions.SetFields("authRequest", object.AuthRequestField(authRequest)), + actions.SetFields("httpRequest", object.HTTPRequestField(httpRequest)), ), ) @@ -250,7 +284,15 @@ func (l *Login) customUserToLoginUserMapping(ctx context.Context, authRequest *d return user, object.MetadataListToDomain(metadataList), err } -func (l *Login) customGrants(ctx context.Context, userID string, authRequest *domain.AuthRequest, resourceOwner string, flowType domain.FlowType) ([]*domain.UserGrant, error) { +func (l *Login) runPostCreationActions( + userID string, + authRequest *domain.AuthRequest, + httpRequest *http.Request, + resourceOwner string, + flowType domain.FlowType, +) ([]*domain.UserGrant, error) { + ctx := httpRequest.Context() + triggerActions, err := l.query.GetActiveActionsByFlowAndTriggerType(ctx, flowType, domain.TriggerTypePostCreation, resourceOwner, false) if err != nil { return nil, err @@ -280,6 +322,7 @@ func (l *Login) customGrants(ctx context.Context, userID string, authRequest *do } }), actions.SetFields("authRequest", object.AuthRequestField(authRequest)), + actions.SetFields("httpRequest", object.HTTPRequestField(httpRequest)), ), ) diff --git a/internal/api/ui/login/external_login_handler.go b/internal/api/ui/login/external_login_handler.go index a51d23f91c..35d755705a 100644 --- a/internal/api/ui/login/external_login_handler.go +++ b/internal/api/ui/login/external_login_handler.go @@ -8,6 +8,7 @@ import ( "strings" "time" + "github.com/zitadel/logging" "github.com/zitadel/oidc/v2/pkg/client/rp" "github.com/zitadel/oidc/v2/pkg/oidc" "golang.org/x/oauth2" @@ -155,18 +156,35 @@ func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Reque if idpConfig.IsOIDC { provider, err := l.getRPConfig(r.Context(), idpConfig, EndpointExternalLoginCallback) if err != nil { + emtpyTokens := &oidc.Tokens{Token: &oauth2.Token{}} + if _, actionErr := l.runPostExternalAuthenticationActions(&domain.ExternalUser{}, emtpyTokens, authReq, r, idpConfig, err); actionErr != nil { + logging.WithError(err).Error("both external user authentication and action post authentication failed") + } + l.renderLogin(w, r, authReq, err) return } tokens, err := rp.CodeExchange(r.Context(), data.Code, provider) if err != nil { + emtpyTokens := &oidc.Tokens{Token: &oauth2.Token{}} + if _, actionErr := l.runPostExternalAuthenticationActions(&domain.ExternalUser{}, emtpyTokens, authReq, r, idpConfig, err); actionErr != nil { + logging.WithError(err).Error("both external user authentication and action post authentication failed") + } + l.renderLogin(w, r, authReq, err) return } l.handleExternalUserAuthenticated(w, r, authReq, idpConfig, userAgentID, tokens) return } - l.renderError(w, r, authReq, errors.ThrowPreconditionFailed(nil, "RP-asff2", "Errors.ExternalIDP.IDPTypeNotImplemented")) + + err = errors.ThrowPreconditionFailed(nil, "RP-asff2", "Errors.ExternalIDP.IDPTypeNotImplemented") + emtpyTokens := &oidc.Tokens{Token: &oauth2.Token{}} + if _, actionErr := l.runPostExternalAuthenticationActions(&domain.ExternalUser{}, emtpyTokens, authReq, r, idpConfig, err); actionErr != nil { + logging.WithError(err).Error("both external user authentication and action post authentication failed") + } + + l.renderError(w, r, authReq, err) } func (l *Login) getRPConfig(ctx context.Context, idpConfig *iam_model.IDPConfigView, callbackEndpoint string) (rp.RelyingParty, error) { @@ -195,7 +213,7 @@ func (l *Login) getRPConfig(ctx context.Context, idpConfig *iam_model.IDPConfigV func (l *Login) handleExternalUserAuthenticated(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, idpConfig *iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) { externalUser := l.mapTokenToLoginUser(tokens, idpConfig) - externalUser, err := l.customExternalUserMapping(r.Context(), externalUser, tokens, authReq, idpConfig) + externalUser, err := l.runPostExternalAuthenticationActions(externalUser, tokens, authReq, r, idpConfig, nil) if err != nil { l.renderError(w, r, authReq, err) return @@ -383,7 +401,7 @@ func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authR user, externalIDP, metadata := l.mapExternalUserToLoginUser(orgIamPolicy, linkingUser, idpConfig) - user, metadata, err = l.customUserToLoginUserMapping(r.Context(), authReq, user, metadata, resourceOwner, domain.FlowTypeExternalAuthentication) + user, metadata, err = l.runPreCreationActions(authReq, r, user, metadata, resourceOwner, domain.FlowTypeExternalAuthentication) if err != nil { l.renderExternalNotFoundOption(w, r, authReq, orgIamPolicy, nil, nil, err) return @@ -398,7 +416,7 @@ func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authR l.renderError(w, r, authReq, err) return } - userGrants, err := l.customGrants(r.Context(), authReq.UserID, authReq, resourceOwner, domain.FlowTypeExternalAuthentication) + userGrants, err := l.runPostCreationActions(authReq.UserID, authReq, r, resourceOwner, domain.FlowTypeExternalAuthentication) if err != nil { l.renderError(w, r, authReq, err) return diff --git a/internal/api/ui/login/external_register_handler.go b/internal/api/ui/login/external_register_handler.go index 092750e409..0656e777c4 100644 --- a/internal/api/ui/login/external_register_handler.go +++ b/internal/api/ui/login/external_register_handler.go @@ -121,7 +121,7 @@ func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Reques resourceOwner = authReq.RequestedOrgID } externalUser, externalIDP := l.mapTokenToLoginHumanAndExternalIDP(tokens, idpConfig) - externalUser, err := l.customExternalUserMapping(r.Context(), externalUser, tokens, authReq, idpConfig) + externalUser, err := l.runPostExternalAuthenticationActions(externalUser, tokens, authReq, r, idpConfig, nil) if err != nil { l.renderRegisterOption(w, r, authReq, err) return @@ -161,7 +161,7 @@ func (l *Login) registerExternalUser(w http.ResponseWriter, r *http.Request, aut return } user, externalIDP, metadata := l.mapExternalUserToLoginUser(orgIamPolicy, externalUser, idpConfig) - user, metadata, err = l.customUserToLoginUserMapping(r.Context(), authReq, user, metadata, resourceOwner, domain.FlowTypeExternalAuthentication) + user, metadata, err = l.runPreCreationActions(authReq, r, user, metadata, resourceOwner, domain.FlowTypeExternalAuthentication) if err != nil { l.renderRegisterOption(w, r, authReq, err) return @@ -177,7 +177,7 @@ func (l *Login) registerExternalUser(w http.ResponseWriter, r *http.Request, aut l.renderError(w, r, authReq, err) return } - userGrants, err := l.customGrants(r.Context(), authReq.UserID, authReq, resourceOwner, domain.FlowTypeExternalAuthentication) + userGrants, err := l.runPostCreationActions(authReq.UserID, authReq, r, resourceOwner, domain.FlowTypeExternalAuthentication) if err != nil { l.renderError(w, r, authReq, err) return diff --git a/internal/api/ui/login/jwt_handler.go b/internal/api/ui/login/jwt_handler.go index 9fa96b912a..ac100dd6a1 100644 --- a/internal/api/ui/login/jwt_handler.go +++ b/internal/api/ui/login/jwt_handler.go @@ -67,17 +67,25 @@ func (l *Login) handleJWTRequest(w http.ResponseWriter, r *http.Request) { func (l *Login) handleJWTExtraction(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, idpConfig *iam_model.IDPConfigView) { token, err := getToken(r, idpConfig.JWTHeaderName) if err != nil { + emtpyTokens := &oidc.Tokens{Token: &oauth2.Token{}} + if _, actionErr := l.runPostExternalAuthenticationActions(&domain.ExternalUser{}, emtpyTokens, authReq, r, idpConfig, err); actionErr != nil { + logging.WithError(err).Error("both external user authentication and action post authentication failed") + } + l.renderError(w, r, authReq, err) return } tokenClaims, err := validateToken(r.Context(), token, idpConfig) + tokens := &oidc.Tokens{IDToken: token, IDTokenClaims: tokenClaims, Token: &oauth2.Token{}} if err != nil { + if _, actionErr := l.runPostExternalAuthenticationActions(&domain.ExternalUser{}, tokens, authReq, r, idpConfig, err); actionErr != nil { + logging.WithError(err).Error("both external user authentication and action post authentication failed") + } l.renderError(w, r, authReq, err) return } - tokens := &oidc.Tokens{IDToken: token, IDTokenClaims: tokenClaims, Token: &oauth2.Token{}} externalUser := l.mapTokenToLoginUser(tokens, idpConfig) - externalUser, err = l.customExternalUserMapping(r.Context(), externalUser, tokens, authReq, idpConfig) + externalUser, err = l.runPostExternalAuthenticationActions(externalUser, tokens, authReq, r, idpConfig, nil) if err != nil { l.renderError(w, r, authReq, err) return @@ -129,7 +137,7 @@ func (l *Login) jwtExtractionUserNotFound(w http.ResponseWriter, r *http.Request } user, externalIDP, metadata := l.mapExternalUserToLoginUser(orgIamPolicy, authReq.LinkingUsers[len(authReq.LinkingUsers)-1], idpConfig) - user, metadata, err = l.customUserToLoginUserMapping(r.Context(), authReq, user, metadata, resourceOwner, domain.FlowTypeExternalAuthentication) + user, metadata, err = l.runPreCreationActions(authReq, r, user, metadata, resourceOwner, domain.FlowTypeExternalAuthentication) if err != nil { l.renderError(w, r, authReq, err) return @@ -144,7 +152,7 @@ func (l *Login) jwtExtractionUserNotFound(w http.ResponseWriter, r *http.Request l.renderError(w, r, authReq, err) return } - userGrants, err := l.customGrants(r.Context(), authReq.UserID, authReq, resourceOwner, domain.FlowTypeExternalAuthentication) + userGrants, err := l.runPostCreationActions(authReq.UserID, authReq, r, resourceOwner, domain.FlowTypeExternalAuthentication) if err != nil { l.renderError(w, r, authReq, err) return diff --git a/internal/api/ui/login/mfa_verify_handler.go b/internal/api/ui/login/mfa_verify_handler.go index afc1bb7433..788e189cb1 100644 --- a/internal/api/ui/login/mfa_verify_handler.go +++ b/internal/api/ui/login/mfa_verify_handler.go @@ -37,7 +37,7 @@ func (l *Login) handleMFAVerify(w http.ResponseWriter, r *http.Request) { userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context()) err = l.authRepo.VerifyMFAOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, authReq.UserOrgID, data.Code, userAgentID, domain.BrowserInfoFromRequest(r)) - metadata, actionErr := l.triggerPostLocalAuthentication(r.Context(), authReq, authMethodOTP, err) + metadata, actionErr := l.runPostInternalAuthenticationActions(authReq, r, authMethodOTP, err) if err == nil && actionErr == nil && len(metadata) > 0 { _, err = l.command.BulkSetUserMetadata(r.Context(), authReq.UserID, authReq.UserOrgID, metadata...) } else if actionErr != nil && err == nil { diff --git a/internal/api/ui/login/mfa_verify_u2f_handler.go b/internal/api/ui/login/mfa_verify_u2f_handler.go index d489845bc4..2fc1361b44 100644 --- a/internal/api/ui/login/mfa_verify_u2f_handler.go +++ b/internal/api/ui/login/mfa_verify_u2f_handler.go @@ -72,7 +72,7 @@ func (l *Login) handleU2FVerification(w http.ResponseWriter, r *http.Request) { userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context()) err = l.authRepo.VerifyMFAU2F(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, userAgentID, credData, domain.BrowserInfoFromRequest(r)) - metadata, actionErr := l.triggerPostLocalAuthentication(r.Context(), authReq, authMethodU2F, err) + metadata, actionErr := l.runPostInternalAuthenticationActions(authReq, r, authMethodU2F, err) if err == nil && actionErr == nil && len(metadata) > 0 { _, err = l.command.BulkSetUserMetadata(r.Context(), authReq.UserID, authReq.UserOrgID, metadata...) } else if actionErr != nil && err == nil { diff --git a/internal/api/ui/login/password_handler.go b/internal/api/ui/login/password_handler.go index c6fb9bf7f7..9e448842e9 100644 --- a/internal/api/ui/login/password_handler.go +++ b/internal/api/ui/login/password_handler.go @@ -40,7 +40,7 @@ func (l *Login) handlePasswordCheck(w http.ResponseWriter, r *http.Request) { } err = l.authRepo.VerifyPassword(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, authReq.UserOrgID, data.Password, authReq.AgentID, domain.BrowserInfoFromRequest(r)) - metadata, actionErr := l.triggerPostLocalAuthentication(r.Context(), authReq, authMethodPassword, err) + metadata, actionErr := l.runPostInternalAuthenticationActions(authReq, r, authMethodPassword, err) if err == nil && actionErr == nil && len(metadata) > 0 { _, err = l.command.BulkSetUserMetadata(r.Context(), authReq.UserID, authReq.UserOrgID, metadata...) } else if actionErr != nil && err == nil { diff --git a/internal/api/ui/login/passwordless_login_handler.go b/internal/api/ui/login/passwordless_login_handler.go index c3ad7b3cf6..58cba32efb 100644 --- a/internal/api/ui/login/passwordless_login_handler.go +++ b/internal/api/ui/login/passwordless_login_handler.go @@ -64,7 +64,7 @@ func (l *Login) handlePasswordlessVerification(w http.ResponseWriter, r *http.Re } err = l.authRepo.VerifyPasswordless(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, authReq.AgentID, credData, domain.BrowserInfoFromRequest(r)) - metadata, actionErr := l.triggerPostLocalAuthentication(r.Context(), authReq, authMethodPasswordless, err) + metadata, actionErr := l.runPostInternalAuthenticationActions(authReq, r, authMethodPasswordless, err) if err == nil && actionErr == nil && len(metadata) > 0 { _, err = l.command.BulkSetUserMetadata(r.Context(), authReq.UserID, authReq.UserOrgID, metadata...) } else if actionErr != nil && err == nil { diff --git a/internal/api/ui/login/register_handler.go b/internal/api/ui/login/register_handler.go index 1e8fe6327a..bcc696be13 100644 --- a/internal/api/ui/login/register_handler.go +++ b/internal/api/ui/login/register_handler.go @@ -91,7 +91,7 @@ func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) { // without breaking existing actions. // Also, if that field is needed, we probably also should provide it // for ExternalAuthentication. - user, metadatas, err := l.customUserToLoginUserMapping(r.Context(), authRequest, data.toHumanDomain(), make([]*domain.Metadata, 0), resourceOwner, domain.FlowTypeInternalAuthentication) + user, metadatas, err := l.runPreCreationActions(authRequest, r, data.toHumanDomain(), make([]*domain.Metadata, 0), resourceOwner, domain.FlowTypeInternalAuthentication) if err != nil { l.renderRegister(w, r, authRequest, data, err) return @@ -112,7 +112,7 @@ func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) { } } - userGrants, err := l.customGrants(r.Context(), user.AggregateID, authRequest, resourceOwner, domain.FlowTypeInternalAuthentication) + userGrants, err := l.runPostCreationActions(user.AggregateID, authRequest, r, resourceOwner, domain.FlowTypeInternalAuthentication) if err != nil { l.renderError(w, r, authRequest, err) return