From 99259ebf2bac6ca14f4695ecf2aa31a8e310dd6b Mon Sep 17 00:00:00 2001
From: Torsten Dittmann
Date: Thu, 11 Jan 2024 20:24:37 +0100
Subject: [PATCH] fix: enable mfa in console
---
app/controllers/api/account.php | 14 ++++++++++----
app/controllers/general.php | 8 ++++++--
2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/app/controllers/api/account.php b/app/controllers/api/account.php
index 2742c09803..ef294a6856 100644
--- a/app/controllers/api/account.php
+++ b/app/controllers/api/account.php
@@ -3346,9 +3346,10 @@ App::put('/v1/account/mfa/:provider')
 ->inject('requestTimestamp')
 ->inject('response')
 ->inject('user')
+ ->inject('project')
 ->inject('dbForProject')
 ->inject('queueForEvents')
- ->action(function (string $provider, string $otp, ?\DateTime $requestTimestamp, Response $response, Document $user, Database $dbForProject, Event $queueForEvents) {
+ ->action(function (string $provider, string $otp, ?\DateTime $requestTimestamp, Response $response, Document $user, Document $project, Database $dbForProject, Event $queueForEvents) {
 $success = match ($provider) {
 'totp' => Challenge\TOTP::verify($user, $otp),
@@ -3369,6 +3370,11 @@ App::put('/v1/account/mfa/:provider')
 $user = $dbForProject->withRequestTimestamp($requestTimestamp, fn () => $dbForProject->updateDocument('users', $user->getId(), $user));
+ $authDuration = $project->getAttribute('auths', [])['duration'] ?? Auth::TOKEN_EXPIRATION_LOGIN_LONG;
+ $sessionId = Auth::sessionVerify($user->getAttribute('sessions', []), Auth::$secret, $authDuration);
+ $session = $dbForProject->getDocument('sessions', $sessionId);
+ $dbForProject->updateDocument('sessions', $sessionId, $session->setAttribute('factors', $provider, Document::SET_TYPE_APPEND));
+
 $queueForEvents->setParam('userId', $user->getId());
 $response->dynamic($user, Response::MODEL_ACCOUNT); 
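Review bot: The new session update after the `$user` write hands the result of `Auth::sessionVerify` straight to `getDocument`/`updateDocument` without checking that a session was actually matched. I read `sessionVerify` as returning `false` when none of the user's sessions matches the request secret within `$authDuration` (a request authenticated by JWT or API key rather than a session cookie, or an expired session), so the update would run against an empty id after the provider has already been enabled on the user document — confirm against `Auth::sessionVerify`. The append is also unconditional, so repeated verifications grow `factors` with duplicate entries, which matters because the enforcement in `general.php` decides with `\count()` rather than set membership. Guard on a found session (assuming `Document::isEmpty()` as on other fetched documents) and skip an already-recorded provider; the action's `match` and its failure handling sit outside this hunk.
```php
$sessionId = Auth::sessionVerify($user->getAttribute('sessions', []), Auth::$secret, $authDuration);
// … unchanged: $authDuration lookup above …
if ($sessionId !== false) {
    $session = $dbForProject->getDocument('sessions', $sessionId);
    if (!$session->isEmpty() && !\in_array($provider, $session->getAttribute('factors', []), true)) {
        $dbForProject->updateDocument('sessions', $sessionId, $session->setAttribute('factors', $provider, Document::SET_TYPE_APPEND));
    }
}
```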
@@ -3451,10 +3457,10 @@ App::post('/v1/account/mfa/challenge')
 ->inject('user')
 ->inject('project')
 ->inject('queueForEvents')
- ->inject('messaging')
- ->inject('mails')
+ ->inject('queueForMessaging')
+ ->inject('queueForMails')
 ->inject('locale')
- ->action(function (string $provider, Response $response, Database $dbForProject, Document $user, Document $project, Event $queueForEvents, EventPhone $messaging, Mail $mails, Locale $locale) {
+ ->action(function (string $provider, Response $response, Database $dbForProject, Document $user, Document $project, Event $queueForEvents, Messaging $queueForMessaging, Mail $queueForMails, Locale $locale) {
 $expire = DateTime::addSeconds(new \DateTime(), Auth::TOKEN_EXPIRATION_CONFIRM);
 $challenge = new Document([
diff --git a/app/controllers/general.php b/app/controllers/general.php
index 266c9fccf9..3b4cfd3bd1 100644
--- a/app/controllers/general.php
+++ b/app/controllers/general.php
@@ -563,8 +563,12 @@ App::init()
 throw new AppwriteException(AppwriteException::USER_PASSWORD_RESET_REQUIRED);
 }
- if ($mode !== APP_MODE_ADMIN && $project->getId() !== 'console') {
- $minFactors = $project->getAttribute('minFactors') ?? 2;
+ if ($mode !== APP_MODE_ADMIN) {
+ $minFactors = $project->getAttribute('minFactors') ?? 1;
+ $mfaEnabled = $user->getAttribute('mfa', false);
+ if ($mfaEnabled && $minFactors === 1) {
+ $minFactors = 2;
+ }
 if (!in_array('mfa', $route->getGroups())) {
 if ($session && \count($session->getAttribute('factors')) < $minFactors) {
 throw new AppwriteException(AppwriteException::USER_MORE_FACTORS_REQUIRED);
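Review bot: The bump to two factors at `if ($mfaEnabled && $minFactors === 1)` only fires for an exact int `1`, so a user who has enabled MFA gets no second-factor check whenever the project's stored `minFactors` is `0`, a numeric string, or anything else the strict comparison does not match — and with the default now `?? 1`, this branch is the common path for projects that never set the attribute. Consider replacing the three lines with `$minFactors = $mfaEnabled ? \max((int) $minFactors, 2) : (int) $minFactors;` so an MFA-enabled user always needs at least two factors regardless of the stored type; whether a project-level `0` is meant to switch enforcement off even for such users is something to confirm against the project settings code. The unchanged check just below, `\count($session->getAttribute('factors'))`, throws a `TypeError` on PHP 8 if a session's `factors` attribute is null (sessions created before the attribute existed, if any exist), surfacing as a 500 instead of a deliberate denial; `$session->getAttribute('factors', [])` avoids that. The enclosing `App::init` callback starts and ends outside this hunk.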