fix: check for 2fa even if not enforced

# Which Problems Are Solved Zitadel enforces MFA if required by the organization's policy, but did not ensure in all cases, if a user voluntarily set it up. # How the Problems Are Solved Ensure 2FA/MFA is required in any call to Zitadel if set up by user even if policy does not require. # Additional Changes None # Additional Context - requires backports (cherry picked from commit b284f8474e)
2025-12-24 07:56:48 +00:00 · 2025-10-29 10:12:50 +01:00
parent d3713dfaed
commit f7309f8295
6 changed files with 122 additions and 19 deletions
--- a/internal/query/user_auth_method.go
+++ b/internal/query/user_auth_method.go
@@ -12,6 +12,7 @@ import (
 	"github.com/zitadel/logging"

 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
@@ -222,9 +223,11 @@ func (q *Queries) ListUserAuthMethodTypes(ctx context.Context, userID string, ac
 }

 type UserAuthMethodRequirements struct {
-	UserType          domain.UserType
-	ForceMFA          bool
-	ForceMFALocalOnly bool
+	UserType             domain.UserType
+	ForceMFA             bool
+	ForceMFALocalOnly    bool
+	AllowedSecondFactors []domain.SecondFactorType
+	SetUpFactors         []domain.UserAuthMethodType
 }

 //go:embed user_auth_method_types_required.sql
@@ -245,10 +248,14 @@ func (q *Queries) ListUserAuthMethodTypesRequired(ctx context.Context, userID st
 			var userType sql.NullInt32
 			var forceMFA sql.NullBool
 			var forceMFALocalOnly sql.NullBool
+			var allowedSecondFactors database.NumberArray[domain.SecondFactorType]
+			var setUpFactors database.NumberArray[domain.UserAuthMethodType]
 			err := row.Scan(
 				&userType,
 				&forceMFA,
 				&forceMFALocalOnly,
+				&allowedSecondFactors,
+				&setUpFactors,
 			)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
@@ -257,9 +264,11 @@ func (q *Queries) ListUserAuthMethodTypesRequired(ctx context.Context, userID st
 				return zerrors.ThrowInternal(err, "QUERY-Sf3rt", "Errors.Internal")
 			}
 			requirements = &UserAuthMethodRequirements{
-				UserType:          domain.UserType(userType.Int32),
-				ForceMFA:          forceMFA.Bool,
-				ForceMFALocalOnly: forceMFALocalOnly.Bool,
+				UserType:             domain.UserType(userType.Int32),
+				ForceMFA:             forceMFA.Bool,
+				ForceMFALocalOnly:    forceMFALocalOnly.Bool,
+				AllowedSecondFactors: allowedSecondFactors,
+				SetUpFactors:         setUpFactors,
 			}
 			return nil
 		},