fix(core): check user mfa when binding backup code (#4790)

2025-01-20 21:32:31 -05:00 · 2023-11-02 13:05:12 +08:00 · 2023-11-02 13:05:12 +08:00 · 9ed7be3f67
commit 9ed7be3f67
parent e515c04d44
2 changed files with 21 additions and 2 deletions
--- a/packages/core/src/routes/interaction/mfa.test.ts
+++ b/packages/core/src/routes/interaction/mfa.test.ts
@ -149,6 +149,21 @@ describe('interaction routes (MFA verification)', () => {
      expect(response.status).toEqual(400);
    });

+    it('should pass when backup code is the only item in bindMfa, but is not in user mfaVerifications', async () => {
+      getInteractionStorage.mockReturnValueOnce({
+        event: InteractionEvent.SignIn,
+        bindMfas: [],
+        accountId: 'accountId',
+      });
+
+      const body = {
+        type: MfaFactor.BackupCode,
+      };
+
+      const response = await sessionRequest.post(path).send(body);
+      expect(response.status).toEqual(204);
+    });
+
    it('should return 204 for totp and backup code combination', async () => {
      getInteractionStorage.mockReturnValueOnce({
        event: InteractionEvent.SignIn,
--- a/packages/core/src/routes/interaction/mfa.ts
+++ b/packages/core/src/routes/interaction/mfa.ts
@ -58,11 +58,15 @@ export default function mfaRoutes<T extends IRouterParamContext>(
        verifyMfaSettings(bindMfaPayload.type, signInExperience);
      }

-      const { bindMfas = [] } = interactionStorage;
+      const { bindMfas = [], accountId } = interactionStorage;

      if (bindMfaPayload.type === MfaFactor.BackupCode) {
+        const { mfaVerifications } = accountId
+          ? await queries.users.findUserById(accountId)
+          : { mfaVerifications: [] };
        assertThat(
-          bindMfas.some(({ type }) => type !== MfaFactor.BackupCode),
+          bindMfas.some(({ type }) => type !== MfaFactor.BackupCode) ||
+            mfaVerifications.some(({ type }) => type !== MfaFactor.BackupCode),
          'session.mfa.backup_code_can_not_be_alone'
        );
      } else {