0
Fork 0
mirror of https://github.com/logto-io/logto.git synced 2025-01-27 21:39:16 -05:00

fix(core): check user mfa when binding backup code (#4790)

This commit is contained in:
wangsijie 2023-11-02 13:05:12 +08:00 committed by GitHub
parent e515c04d44
commit 9ed7be3f67
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 2 deletions

View file

@ -149,6 +149,21 @@ describe('interaction routes (MFA verification)', () => {
expect(response.status).toEqual(400); expect(response.status).toEqual(400);
}); });
it('should pass when backup code is the only item in bindMfa, but is not in user mfaVerifications', async () => {
getInteractionStorage.mockReturnValueOnce({
event: InteractionEvent.SignIn,
bindMfas: [],
accountId: 'accountId',
});
const body = {
type: MfaFactor.BackupCode,
};
const response = await sessionRequest.post(path).send(body);
expect(response.status).toEqual(204);
});
it('should return 204 for totp and backup code combination', async () => { it('should return 204 for totp and backup code combination', async () => {
getInteractionStorage.mockReturnValueOnce({ getInteractionStorage.mockReturnValueOnce({
event: InteractionEvent.SignIn, event: InteractionEvent.SignIn,

View file

@ -58,11 +58,15 @@ export default function mfaRoutes<T extends IRouterParamContext>(
verifyMfaSettings(bindMfaPayload.type, signInExperience); verifyMfaSettings(bindMfaPayload.type, signInExperience);
} }
const { bindMfas = [] } = interactionStorage; const { bindMfas = [], accountId } = interactionStorage;
if (bindMfaPayload.type === MfaFactor.BackupCode) { if (bindMfaPayload.type === MfaFactor.BackupCode) {
const { mfaVerifications } = accountId
? await queries.users.findUserById(accountId)
: { mfaVerifications: [] };
assertThat( assertThat(
bindMfas.some(({ type }) => type !== MfaFactor.BackupCode), bindMfas.some(({ type }) => type !== MfaFactor.BackupCode) ||
mfaVerifications.some(({ type }) => type !== MfaFactor.BackupCode),
'session.mfa.backup_code_can_not_be_alone' 'session.mfa.backup_code_can_not_be_alone'
); );
} else { } else {