fix(auth): ensure session factors don't contain duplicates
This commit is contained in:
parent
7e07f6b958
commit
5b5505cf97
|
@ -3652,10 +3652,10 @@ App::put('/v1/account/mfa/authenticators/:type')
|
|||
->param('otp', '', new Text(256), 'Valid verification token.')
|
||||
->inject('response')
|
||||
->inject('user')
|
||||
->inject('project')
|
||||
->inject('session')
|
||||
->inject('dbForProject')
|
||||
->inject('queueForEvents')
|
||||
->action(function (string $type, string $otp, Response $response, Document $user, Document $project, Database $dbForProject, Event $queueForEvents) {
|
||||
->action(function (string $type, string $otp, Response $response, Document $user, Document $session, Database $dbForProject, Event $queueForEvents) {
|
||||
|
||||
$authenticator = (match ($type) {
|
||||
Type::TOTP => TOTP::getAuthenticatorFromUser($user),
|
||||
|
@ -3684,9 +3684,12 @@ App::put('/v1/account/mfa/authenticators/:type')
|
|||
$dbForProject->updateDocument('authenticators', $authenticator->getId(), $authenticator);
|
||||
$dbForProject->purgeCachedDocument('users', $user->getId());
|
||||
|
||||
$sessionId = Auth::sessionVerify($user->getAttribute('sessions', []), Auth::$secret);
|
||||
$session = $dbForProject->getDocument('sessions', $sessionId);
|
||||
$dbForProject->updateDocument('sessions', $sessionId, $session->setAttribute('factors', $type, Document::SET_TYPE_APPEND));
|
||||
$factors = $session->getAttribute('factors', []);
|
||||
$factors[] = $type;
|
||||
$factors = \array_unique($factors);
|
||||
|
||||
$session->setAttribute('factors', $factors);
|
||||
$dbForProject->updateDocument('sessions', $session->getId(), $session);
|
||||
|
||||
$queueForEvents->setParam('userId', $user->getId());
|
||||
|
||||
|
@ -4075,9 +4078,10 @@ App::put('/v1/account/mfa/challenge')
|
|||
->inject('project')
|
||||
->inject('response')
|
||||
->inject('user')
|
||||
->inject('session')
|
||||
->inject('dbForProject')
|
||||
->inject('queueForEvents')
|
||||
->action(function (string $challengeId, string $otp, Document $project, Response $response, Document $user, Database $dbForProject, Event $queueForEvents) {
|
||||
->action(function (string $challengeId, string $otp, Document $project, Response $response, Document $user, Document $session, Database $dbForProject, Event $queueForEvents) {
|
||||
|
||||
$challenge = $dbForProject->getDocument('challenges', $challengeId);
|
||||
|
||||
|
@ -4123,14 +4127,15 @@ App::put('/v1/account/mfa/challenge')
|
|||
$dbForProject->deleteDocument('challenges', $challengeId);
|
||||
$dbForProject->purgeCachedDocument('users', $user->getId());
|
||||
|
||||
$sessionId = Auth::sessionVerify($user->getAttribute('sessions', []), Auth::$secret);
|
||||
$session = $dbForProject->getDocument('sessions', $sessionId);
|
||||
$factors = $session->getAttribute('factors', []);
|
||||
$factors[] = $type;
|
||||
$factors = \array_unique($factors);
|
||||
|
||||
$session = $session
|
||||
->setAttribute('factors', $type, Document::SET_TYPE_APPEND)
|
||||
$session
|
||||
->setAttribute('factors', $factors)
|
||||
->setAttribute('mfaUpdatedAt', DateTime::now());
|
||||
|
||||
$dbForProject->updateDocument('sessions', $sessionId, $session);
|
||||
$dbForProject->updateDocument('sessions', $session->getId(), $session);
|
||||
|
||||
$queueForEvents
|
||||
->setParam('userId', $user->getId())
|
||||
|
|
Loading…
Reference in a new issue