TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 17:57:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(login): make sure first email verification is done before MFA check (#9039)

Browse Source 
# Which Problems Are Solved

During authentication in the login UI, there is a check if the user's
MFA is already checked or needs to be setup.
In cases where the user was just set up or especially, if the user was
just federated without a verified email address, this can lead to the
problem, where OTP Email cannot be setup as there's no verified email
address.

# How the Problems Are Solved

- Added a check if there's no verified email address on the user and
require a mail verification check before checking for MFA.
Note: that if the user had a verified email address, but changed it and
has not verified it, they will still be prompted with an MFA check
before the email verification. This is make sure, we don't break the
existing behavior and the user's authentication is properly checked.

# Additional Changes

None

# Additional Context

- closes https://github.com/zitadel/zitadel/issues/9035
This commit is contained in:
Livio Spring
2024-12-13 12:37:20 +01:00
committed by GitHub
parent fd70a7de5f
commit f20539ef8f
5 changed files with 66 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
internal/auth/repository/eventsourcing/eventstore/auth_request.go
View File

@@ -1081,6 +1081,15 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *domain.Auth
}
}
// If the user never had a verified email, we need to verify it.
// This prevents situations, where OTP email is the only MFA method and no verified email is set.
// If the user had a verified email, but change it and has not yet verified the new one, we'll verify it after we checked the MFA methods.
if user.VerifiedEmail == "" && !user.IsEmailVerified {
return append(steps, &domain.VerifyEMailStep{
InitPassword: !user.PasswordSet && len(idps.Links) == 0,
}), nil
}
step, ok, err := repo.mfaChecked(userSession, request, user, isInternalLogin && len(request.LinkingUsers) == 0)
if err != nil {
return nil, err

56
internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
View File

@@ -156,6 +156,7 @@ type mockViewUser struct {
PasswordChanged time.Time
PasswordChangeRequired bool
IsEmailVerified bool
VerifiedEmail string
OTPState int32
MFAMaxSetUp int32
MFAInitSkipped time.Time
@@ -222,6 +223,7 @@ func (m *mockViewUser) UserByID(context.Context, string, string) (*user_view_mod
PasswordSet: m.PasswordSet,
PasswordChangeRequired: m.PasswordChangeRequired,
IsEmailVerified: m.IsEmailVerified,
VerifiedEmail: m.VerifiedEmail,
OTPState: m.OTPState,
MFAMaxSetUp: m.MFAMaxSetUp,
MFAInitSkipped: m.MFAInitSkipped,
@@ -1403,6 +1405,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
PasswordVerification: testNow.Add(-5 * time.Minute),
},
userViewProvider: &mockViewUser{
VerifiedEmail: "verified",
PasswordSet: true,
PasswordlessTokens: user_view_model.WebAuthNTokens{&user_view_model.WebAuthNView{ID: "id", State: int32(user_model.MFAStateReady)}},
OTPState: int32(user_model.MFAStateReady),
@@ -1439,9 +1442,10 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
PasswordVerification: testNow.Add(-5 * time.Minute),
},
userViewProvider: &mockViewUser{
PasswordSet: true,
OTPState: int32(user_model.MFAStateReady),
MFAMaxSetUp: int32(domain.MFALevelSecondFactor),
VerifiedEmail: "verified",
PasswordSet: true,
OTPState: int32(user_model.MFAStateReady),
MFAMaxSetUp: int32(domain.MFALevelSecondFactor),
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: domain.OrgStateActive},
@@ -1469,6 +1473,45 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
},
{
"external user, mfa not verified, mfa check step",
fields{
userSessionViewProvider: &mockViewUserSession{
PasswordVerification: testNow.Add(-5 * time.Minute),
ExternalLoginVerification: testNow.Add(-5 * time.Minute),
},
userViewProvider: &mockViewUser{
VerifiedEmail: "verified",
PasswordSet: true,
OTPState: int32(user_model.MFAStateReady),
MFAMaxSetUp: int32(domain.MFALevelSecondFactor),
},
userEventProvider: &mockEventUser{},
orgViewProvider: &mockViewOrg{State: domain.OrgStateActive},
lockoutPolicyProvider: &mockLockoutPolicy{
policy: &query.LockoutPolicy{
ShowFailures: true,
},
},
idpUserLinksProvider: &mockIDPUserLinks{},
},
args{
&domain.AuthRequest{
UserID: "UserID",
SelectedIDPConfigID: "IDPConfigID",
LoginPolicy: &domain.LoginPolicy{
AllowUsernamePassword: true,
SecondFactors: []domain.SecondFactorType{domain.SecondFactorTypeTOTP},
PasswordCheckLifetime: 10 * 24 * time.Hour,
ExternalLoginCheckLifetime: 10 * 24 * time.Hour,
SecondFactorCheckLifetime: 18 * time.Hour,
},
}, false},
[]domain.NextStep{&domain.MFAVerificationStep{
MFAProviders: []domain.MFAType{domain.MFATypeTOTP},
}},
nil,
},
{
"external user, mfa not verified, email never verified, email verification step",
fields{
userSessionViewProvider: &mockViewUserSession{
PasswordVerification: testNow.Add(-5 * time.Minute),
@@ -1500,8 +1543,8 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
SecondFactorCheckLifetime: 18 * time.Hour,
},
}, false},
[]domain.NextStep{&domain.MFAVerificationStep{
MFAProviders: []domain.MFAType{domain.MFATypeTOTP},
[]domain.NextStep{&domain.VerifyEMailStep{
InitPassword: false,
}},
nil,
},
@@ -1573,13 +1616,14 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
nil,
},
{
"email not verified and password change required, mail verification step",
"email not verified (but had before) and password change required, mail verification step",
fields{
userSessionViewProvider: &mockViewUserSession{
PasswordVerification: testNow.Add(-5 * time.Minute),
SecondFactorVerification: testNow.Add(-5 * time.Minute),
},
userViewProvider: &mockViewUser{
VerifiedEmail: "verified",
PasswordSet: true,
PasswordChangeRequired: true,
MFAMaxSetUp: int32(domain.MFALevelSecondFactor),