misc: address commnts
@@ -661,12 +661,8 @@ export const pamAccountServiceFactory = ({
|
|||||||
|
|
||||||
// Determine which MFA method to use
|
// Determine which MFA method to use
|
||||||
// Priority: org-enforced > user-selected > email as fallback
|
// Priority: org-enforced > user-selected > email as fallback
|
||||||
const orgMfaMethod = org.enforceMfa
|
const orgMfaMethod = org.enforceMfa ? (org.selectedMfaMethod as MfaMethod | null) : undefined;
|
||||||
? ((org.selectedMfaMethod as MfaMethod | null) ?? MfaMethod.EMAIL)
|
const userMfaMethod = actorUser.isMfaEnabled ? (actorUser.selectedMfaMethod as MfaMethod | null) : undefined;
|
||||||
: undefined;
|
|
||||||
const userMfaMethod = actorUser.isMfaEnabled
|
|
||||||
? ((actorUser.selectedMfaMethod as MfaMethod | null) ?? MfaMethod.EMAIL)
|
|
||||||
: undefined;
|
|
||||||
const mfaMethod = (orgMfaMethod ?? userMfaMethod ?? MfaMethod.EMAIL) as MfaMethod;
|
const mfaMethod = (orgMfaMethod ?? userMfaMethod ?? MfaMethod.EMAIL) as MfaMethod;
|
||||||
|
|
||||||
// Create MFA session
|
// Create MFA session
|
||||||
@@ -706,7 +702,7 @@ export const pamAccountServiceFactory = ({
|
|||||||
// Verify the session is for the same account
|
// Verify the session is for the same account
|
||||||
if (mfaSession.resourceId !== account.id) {
|
if (mfaSession.resourceId !== account.id) {
|
||||||
throw new BadRequestError({
|
throw new BadRequestError({
|
||||||
message: "MFA session is for a different resource"
|
message: "MFA session is for a different account"
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
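Review bot: In the new `orgMfaMethod` line of the first hunk (`@@ -661,12 +661,8 @@`), an org with `enforceMfa` set but no `selectedMfaMethod` now yields `null`, so the `??` chain on the `mfaMethod` line falls through to `userMfaMethod`, whereas the old code forced `MfaMethod.EMAIL` inside the org branch. The unchanged comment `// Priority: org-enforced > user-selected > email as fallback` no longer describes that path, since a user's own selection now outranks an enforcing org that has not picked a method. If the fallthrough is intended, say so in the comment, e.g. `// Priority: org-selected method (when MFA is enforced) > user-selected method > email; an enforcing org with no method set defers to the user's choice`; otherwise restore the `?? MfaMethod.EMAIL` in the org branch. pamAccountServiceFactory continues on both sides of the hunk.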
|
|||||||
@@ -357,7 +357,7 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
|
|||||||
attestationObject: z.string()
|
attestationObject: z.string()
|
||||||
})
|
})
|
||||||
.passthrough(),
|
.passthrough(),
|
||||||
clientExtensionResults: z.record(z.unknown()).optional(),
|
clientExtensionResults: z.record(z.unknown()).default({}),
|
||||||
type: z.literal("public-key")
|
type: z.literal("public-key")
|
||||||
})
|
})
|
||||||
.passthrough(),
|
.passthrough(),
|
||||||
@@ -376,7 +376,7 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
|
|||||||
handler: async (req) => {
|
handler: async (req) => {
|
||||||
return server.services.webAuthn.verifyRegistrationResponse({
|
return server.services.webAuthn.verifyRegistrationResponse({
|
||||||
userId: req.permission.id,
|
userId: req.permission.id,
|
||||||
registrationResponse: req.body.registrationResponse as unknown as RegistrationResponseJSON,
|
registrationResponse: req.body.registrationResponse as RegistrationResponseJSON,
|
||||||
name: req.body.name
|
name: req.body.name
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
@@ -437,7 +437,7 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
|
|||||||
handler: async (req) => {
|
handler: async (req) => {
|
||||||
return server.services.webAuthn.verifyAuthenticationResponse({
|
return server.services.webAuthn.verifyAuthenticationResponse({
|
||||||
userId: req.permission.id,
|
userId: req.permission.id,
|
||||||
authenticationResponse: req.body.authenticationResponse as unknown as AuthenticationResponseJSON
|
authenticationResponse: req.body.authenticationResponse as AuthenticationResponseJSON
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
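Review bot: The `as RegistrationResponseJSON` and `as AuthenticationResponseJSON` assertions in the second and third hunks are only weakly checked: an `as` cast compiles whenever either side is assignable to the other, so a required library field that the Zod schema omits or leaves optional is not reported, only a field whose type conflicts is. Because this is the untrusted WebAuthn payload crossing from schema-validated input into the verifier, an annotated declaration gives the stronger check, e.g. `const registrationResponse: RegistrationResponseJSON = req.body.registrationResponse;` passed on to `verifyRegistrationResponse` (and likewise for the authentication handler); if that does not compile, the schema is missing something the library requires. The route definitions extend above and below each hunk.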
|
|||||||
@@ -68,6 +68,12 @@ export const mfaSessionServiceFactory = ({
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (mfaSession.mfaMethod !== mfaMethod) {
|
||||||
|
throw new BadRequestError({
|
||||||
|
message: "MFA method does not match the session"
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
// Verify the session belongs to the current user
|
// Verify the session belongs to the current user
|
||||||
if (mfaSession.userId !== userId) {
|
if (mfaSession.userId !== userId) {
|
||||||
throw new ForbiddenRequestError({
|
throw new ForbiddenRequestError({
|
||||||
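Review bot: The new `mfaSession.mfaMethod !== mfaMethod` check is placed before the `// Verify the session belongs to the current user` ownership check, so a request carrying another user's session id is answered with the method-mismatch `BadRequestError` or reaches the ownership `ForbiddenRequestError` depending on whether the submitted method matches that session's stored method, which discloses a property of a session the caller does not own. Move the ownership check ahead of the new block so ownership is established first and the method comparison only runs against the caller's own session. The enclosing function starts above the hunk and continues below it.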
|
|||||||
@@ -1,6 +0,0 @@
|
|||||||
/**
|
|
||||||
* Verify that a credential ID belongs to a user
|
|
||||||
*/
|
|
||||||
export const verifyCredentialOwnership = (userId: string, credentialUserId: string): boolean => {
|
|
||||||
return userId === credentialUserId;
|
|
||||||
};
|
|
||||||
@@ -16,7 +16,6 @@ import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
|
|||||||
import { TokenType } from "../auth-token/auth-token-types";
|
import { TokenType } from "../auth-token/auth-token-types";
|
||||||
import { TUserDALFactory } from "../user/user-dal";
|
import { TUserDALFactory } from "../user/user-dal";
|
||||||
import { TWebAuthnCredentialDALFactory } from "./webauthn-credential-dal";
|
import { TWebAuthnCredentialDALFactory } from "./webauthn-credential-dal";
|
||||||
import { verifyCredentialOwnership } from "./webauthn-fns";
|
|
||||||
import {
|
import {
|
||||||
TDeleteWebAuthnCredentialDTO,
|
TDeleteWebAuthnCredentialDTO,
|
||||||
TGenerateAuthenticationOptionsDTO,
|
TGenerateAuthenticationOptionsDTO,
|
||||||
@@ -91,7 +90,6 @@ export const webAuthnServiceFactory = ({
|
|||||||
transports: cred.transports as AuthenticatorTransportFuture[]
|
transports: cred.transports as AuthenticatorTransportFuture[]
|
||||||
})),
|
})),
|
||||||
authenticatorSelection: {
|
authenticatorSelection: {
|
||||||
authenticatorAttachment: "platform",
|
|
||||||
requireResidentKey: true,
|
requireResidentKey: true,
|
||||||
residentKey: "required",
|
residentKey: "required",
|
||||||
userVerification: "required"
|
userVerification: "required"
|
||||||
@@ -240,7 +238,7 @@ export const webAuthnServiceFactory = ({
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Verify the credential belongs to the user
|
// Verify the credential belongs to the user
|
||||||
if (!verifyCredentialOwnership(userId, credential.userId)) {
|
if (userId !== credential.userId) {
|
||||||
throw new ForbiddenRequestError({
|
throw new ForbiddenRequestError({
|
||||||
message: "Credential does not belong to this user"
|
message: "Credential does not belong to this user"
|
||||||
});
|
});
|
||||||
@@ -333,7 +331,7 @@ export const webAuthnServiceFactory = ({
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!verifyCredentialOwnership(userId, credential.userId)) {
|
if (userId !== credential.userId) {
|
||||||
throw new ForbiddenRequestError({
|
throw new ForbiddenRequestError({
|
||||||
message: "Credential does not belong to this user"
|
message: "Credential does not belong to this user"
|
||||||
});
|
});
|
||||||
@@ -358,7 +356,7 @@ export const webAuthnServiceFactory = ({
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!verifyCredentialOwnership(userId, credential.userId)) {
|
if (userId !== credential.userId) {
|
||||||
throw new ForbiddenRequestError({
|
throw new ForbiddenRequestError({
|
||||||
message: "Credential does not belong to this user"
|
message: "Credential does not belong to this user"
|
||||||
});
|
});
|
||||||
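Review bot: Removing `authenticatorAttachment: "platform"` from `authenticatorSelection` in the second hunk (`@@ -91,7 +90,6 @@`) widens the registration policy: roaming (cross-platform) authenticators are now accepted as MFA credentials alongside platform ones, and neither the commit message nor the code records that decision. If it is intended, a comment on the `authenticatorSelection: {` line such as `// No authenticatorAttachment: platform and roaming authenticators are both accepted; resident key and user verification stay required` keeps the policy explicit for the next reader. I cannot see from the hunk whether the authentication-options side has a matching constraint; it is worth checking that both sides agree. webAuthnServiceFactory continues beyond every hunk in this file.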
|
|||||||
@@ -1 +1,7 @@
|
|||||||
export { MfaSessionStatus, useMfaSessionStatus, useVerifyMfaSession } from "./queries";
|
export { useMfaSessionStatus, useVerifyMfaSession } from "./queries";
|
||||||
|
export type {
|
||||||
|
TMfaSessionStatusResponse,
|
||||||
|
TVerifyMfaSessionRequest,
|
||||||
|
TVerifyMfaSessionResponse
|
||||||
|
} from "./types";
|
||||||
|
export { MfaSessionStatus } from "./types";
|
||||||
|
|||||||
@@ -2,28 +2,12 @@ import { useMutation, useQuery } from "@tanstack/react-query";
|
|||||||
|
|
||||||
import { apiRequest } from "@app/config/request";
|
import { apiRequest } from "@app/config/request";
|
||||||
|
|
||||||
import { MfaMethod } from "../auth/types";
|
import {
|
||||||
|
MfaSessionStatus,
|
||||||
export enum MfaSessionStatus {
|
TMfaSessionStatusResponse,
|
||||||
PENDING = "PENDING",
|
TVerifyMfaSessionRequest,
|
||||||
ACTIVE = "ACTIVE"
|
TVerifyMfaSessionResponse
|
||||||
}
|
} from "./types";
|
||||||
|
|
||||||
export type TMfaSessionStatusResponse = {
|
|
||||||
status: MfaSessionStatus;
|
|
||||||
mfaMethod: MfaMethod;
|
|
||||||
};
|
|
||||||
|
|
||||||
export type TVerifyMfaSessionRequest = {
|
|
||||||
mfaSessionId: string;
|
|
||||||
mfaToken: string;
|
|
||||||
mfaMethod: MfaMethod;
|
|
||||||
};
|
|
||||||
|
|
||||||
export type TVerifyMfaSessionResponse = {
|
|
||||||
success: boolean;
|
|
||||||
message: string;
|
|
||||||
};
|
|
||||||
|
|
||||||
export const useMfaSessionStatus = (mfaSessionId: string, enabled = true) => {
|
export const useMfaSessionStatus = (mfaSessionId: string, enabled = true) => {
|
||||||
return useQuery({
|
return useQuery({
|
||||||
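Review bot: The rewritten import in this hunk brings `TMfaSessionStatusResponse`, `TVerifyMfaSessionRequest` and `TVerifyMfaSessionResponse` in as value imports although they are type aliases; only `MfaSessionStatus` is a runtime value. Marking them with inline `type` keeps the emit clean under `isolatedModules`/`verbatimModuleSyntax`, e.g. `import { MfaSessionStatus, type TMfaSessionStatusResponse, type TVerifyMfaSessionRequest, type TVerifyMfaSessionResponse } from "./types";`, provided the project's TypeScript version supports inline type modifiers, which I cannot tell from the hunk. This would also match `index.ts` in the same commit, which already separates `export type {…}` from `export { MfaSessionStatus }`.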
|
|||||||
22
frontend/src/hooks/api/mfaSession/types.ts
Normal file
22
frontend/src/hooks/api/mfaSession/types.ts
Normal file
@@ -0,0 +1,22 @@
|
|||||||
|
import { MfaMethod } from "../auth/types";
|
||||||
|
|
||||||
|
export enum MfaSessionStatus {
|
||||||
|
PENDING = "PENDING",
|
||||||
|
ACTIVE = "ACTIVE"
|
||||||
|
}
|
||||||
|
|
||||||
|
export type TMfaSessionStatusResponse = {
|
||||||
|
status: MfaSessionStatus;
|
||||||
|
mfaMethod: MfaMethod;
|
||||||
|
};
|
||||||
|
|
||||||
|
export type TVerifyMfaSessionRequest = {
|
||||||
|
mfaSessionId: string;
|
||||||
|
mfaToken: string;
|
||||||
|
mfaMethod: MfaMethod;
|
||||||
|
};
|
||||||
|
|
||||||
|
export type TVerifyMfaSessionResponse = {
|
||||||
|
success: boolean;
|
||||||
|
message: string;
|
||||||
|
};
|
||||||