From a09a09a7a96310fcab34742d0176e635f1ff81b2 Mon Sep 17 00:00:00 2001 From: Steven Nguyen Date: Fri, 7 Jun 2024 16:45:14 -0700 Subject: [PATCH] fix(auth): fix MFA verification for OAuth2 sessions Before this, users who only signed in with OAuth2 were not able to verify their sessions with MFA because their session already used an email factor and they couldn't use an additional email factor. This commit changes the OAuth2 session to include 2 factors: email and oauth2. This second special factor is used to bypass MFA checks. It is fine to bypass MFA checks because OAuth2 is supposed to handle the entire authentication process, verifying who the user is and we, as the resource provider, only need to trust the OAuth2 provider. --- app/controllers/api/account.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php index e1ddeb6b68..9461af661b 100644 --- a/app/controllers/api/account.php +++ b/app/controllers/api/account.php @@ -86,8 +86,8 @@ $createSession = function (string $userId, string $secret, Request $request, Res $factor = (match ($verifiedToken->getAttribute('type')) { Auth::TOKEN_TYPE_MAGIC_URL, Auth::TOKEN_TYPE_OAUTH2, - Auth::TOKEN_TYPE_EMAIL => 'email', - Auth::TOKEN_TYPE_PHONE => 'phone', + Auth::TOKEN_TYPE_EMAIL => Type::EMAIL, + Auth::TOKEN_TYPE_PHONE => Type::PHONE, Auth::TOKEN_TYPE_GENERIC => 'token', default => throw new Exception(Exception::USER_INVALID_TOKEN) }); @@ -1506,7 +1506,7 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect') 'secret' => Auth::hash($secret), // One way hash encryption to protect DB leak 'userAgent' => $request->getUserAgent('UNKNOWN'), 'ip' => $request->getIP(), - 'factors' => ['email'], + 'factors' => [TYPE::EMAIL, 'oauth2'], // include a special oauth2 factor to bypass MFA checks 'countryCode' => ($record) ? \strtolower($record['country']['iso_code']) : '--', 'expire' => DateTime::addSeconds(new \DateTime(), $duration) ], $detector->getOS(), $detector->getClient(), $detector->getDevice()));