fix: disable totp by default
This commit is contained in:
Lakhan Samani
parent
ad8bd64987
commit
bd343f0b27
|
|
@ -25,7 +25,6 @@ const Features = ({ variables, setVariables }: any) => {
|
||||||
</Flex>
|
</Flex>
|
||||||
</Flex>
|
</Flex>
|
||||||
|
|
||||||
|
|
||||||
<Flex>
|
<Flex>
|
||||||
<Flex w="100%" justifyContent="start" alignItems="center">
|
<Flex w="100%" justifyContent="start" alignItems="center">
|
||||||
<Text fontSize="sm">Email Verification:</Text>
|
<Text fontSize="sm">Email Verification:</Text>
|
||||||
|
|
@ -109,15 +108,12 @@ const Features = ({ variables, setVariables }: any) => {
|
||||||
/>
|
/>
|
||||||
</Flex>
|
</Flex>
|
||||||
</Flex>
|
</Flex>
|
||||||
|
{/** TODO enable after final release */}
|
||||||
{
|
{/* {!variables.DISABLE_MULTI_FACTOR_AUTHENTICATION && (
|
||||||
!variables.DISABLE_MULTI_FACTOR_AUTHENTICATION &&
|
|
||||||
<Flex alignItems="center">
|
<Flex alignItems="center">
|
||||||
<Flex w="100%" alignItems="baseline" flexDir="column">
|
<Flex w="100%" alignItems="baseline" flexDir="column">
|
||||||
<Text fontSize="sm">TOTP:</Text>
|
<Text fontSize="sm">TOTP:</Text>
|
||||||
<Text fontSize="x-small">
|
<Text fontSize="x-small">Note: to enable totp mfa</Text>
|
||||||
Note: to enable totp mfa
|
|
||||||
</Text>
|
|
||||||
</Flex>
|
</Flex>
|
||||||
|
|
||||||
<Flex justifyContent="start" mb={3}>
|
<Flex justifyContent="start" mb={3}>
|
||||||
|
|
@ -129,14 +125,12 @@ const Features = ({ variables, setVariables }: any) => {
|
||||||
/>
|
/>
|
||||||
</Flex>
|
</Flex>
|
||||||
</Flex>
|
</Flex>
|
||||||
}
|
)} */}
|
||||||
{!variables.DISABLE_MULTI_FACTOR_AUTHENTICATION &&
|
{!variables.DISABLE_MULTI_FACTOR_AUTHENTICATION && (
|
||||||
<Flex alignItems="center">
|
<Flex alignItems="center">
|
||||||
<Flex w="100%" alignItems="baseline" flexDir="column">
|
<Flex w="100%" alignItems="baseline" flexDir="column">
|
||||||
<Text fontSize="sm">EMAIL OTP:</Text>
|
<Text fontSize="sm">EMAIL OTP:</Text>
|
||||||
<Text fontSize="x-small">
|
<Text fontSize="x-small">Note: to enable email otp mfa</Text>
|
||||||
Note: to enable email otp mfa
|
|
||||||
</Text>
|
|
||||||
</Flex>
|
</Flex>
|
||||||
|
|
||||||
<Flex justifyContent="start" mb={3}>
|
<Flex justifyContent="start" mb={3}>
|
||||||
|
|
@ -147,7 +141,8 @@ const Features = ({ variables, setVariables }: any) => {
|
||||||
hasReversedValue
|
hasReversedValue
|
||||||
/>
|
/>
|
||||||
</Flex>
|
</Flex>
|
||||||
</Flex>}
|
</Flex>
|
||||||
|
)}
|
||||||
|
|
||||||
<Flex alignItems="center">
|
<Flex alignItems="center">
|
||||||
<Flex w="100%" alignItems="baseline" flexDir="column">
|
<Flex w="100%" alignItems="baseline" flexDir="column">
|
||||||
|
|
|
||||||
6
server/env/env.go
vendored
6
server/env/env.go
vendored
|
|
@ -834,9 +834,10 @@ func InitAllEnv() error {
|
||||||
envData[constants.EnvKeyDisablePlayGround] = boolValue
|
envData[constants.EnvKeyDisablePlayGround] = boolValue
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
// TODO: remove after beta launch
|
||||||
|
envData[constants.EnvKeyDisableTOTPLogin] = true
|
||||||
if _, ok := envData[constants.EnvKeyDisableTOTPLogin]; !ok {
|
if _, ok := envData[constants.EnvKeyDisableTOTPLogin]; !ok {
|
||||||
envData[constants.EnvKeyDisableTOTPLogin] = osDisableTOTPLogin == "false"
|
envData[constants.EnvKeyDisableTOTPLogin] = osDisableTOTPLogin == "true"
|
||||||
}
|
}
|
||||||
if osDisableTOTPLogin != "" {
|
if osDisableTOTPLogin != "" {
|
||||||
boolValue, err := strconv.ParseBool(osDisableTOTPLogin)
|
boolValue, err := strconv.ParseBool(osDisableTOTPLogin)
|
||||||
|
|
@ -847,6 +848,7 @@ func InitAllEnv() error {
|
||||||
envData[constants.EnvKeyDisableTOTPLogin] = boolValue
|
envData[constants.EnvKeyDisableTOTPLogin] = boolValue
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
fmt.Println("=> final value", envData[constants.EnvKeyDisableTOTPLogin])
|
||||||
|
|
||||||
if _, ok := envData[constants.EnvKeyDisableMailOTPLogin]; !ok {
|
if _, ok := envData[constants.EnvKeyDisableMailOTPLogin]; !ok {
|
||||||
envData[constants.EnvKeyDisableMailOTPLogin] = osDisableMailOTPLogin == "true"
|
envData[constants.EnvKeyDisableMailOTPLogin] = osDisableMailOTPLogin == "true"
|
||||||
|
|
|
||||||
|
|
@ -182,45 +182,6 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
|
||||||
}
|
}
|
||||||
return otpData, nil
|
return otpData, nil
|
||||||
}
|
}
|
||||||
// If mfa enabled and also totp enabled
|
|
||||||
// first priority is given to totp
|
|
||||||
if refs.BoolValue(user.IsMultiFactorAuthEnabled) && !isMFADisabled && !isTOTPLoginDisabled {
|
|
||||||
expiresAt := time.Now().Add(3 * time.Minute).Unix()
|
|
||||||
if err := setOTPMFaSession(expiresAt); err != nil {
|
|
||||||
log.Debug("Failed to set mfa session: ", err)
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
authenticator, err := db.Provider.GetAuthenticatorDetailsByUserId(ctx, user.ID, constants.EnvKeyTOTPAuthenticator)
|
|
||||||
// Check if it's the first time user or if their TOTP is not verified
|
|
||||||
if err != nil || ((authenticator == nil) || (authenticator != nil && authenticator.VerifiedAt == nil)) {
|
|
||||||
// Generate a base64 URL and initiate the registration for TOTP
|
|
||||||
authConfig, err := authenticators.Provider.Generate(ctx, user.ID)
|
|
||||||
if err != nil {
|
|
||||||
log.Debug("error while generating base64 url: ", err)
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
recoveryCodes := []*string{}
|
|
||||||
for _, code := range authConfig.RecoveryCodes {
|
|
||||||
recoveryCodes = append(recoveryCodes, refs.NewStringRef(code))
|
|
||||||
}
|
|
||||||
// when user is first time registering for totp
|
|
||||||
res = &model.AuthResponse{
|
|
||||||
Message: `Proceed to totp verification screen`,
|
|
||||||
ShouldShowTotpScreen: refs.NewBoolRef(true),
|
|
||||||
AuthenticatorScannerImage: refs.NewStringRef(authConfig.ScannerImage),
|
|
||||||
AuthenticatorSecret: refs.NewStringRef(authConfig.Secret),
|
|
||||||
AuthenticatorRecoveryCodes: recoveryCodes,
|
|
||||||
}
|
|
||||||
return res, nil
|
|
||||||
} else {
|
|
||||||
//when user is already register for totp
|
|
||||||
res = &model.AuthResponse{
|
|
||||||
Message: `Proceed to totp screen`,
|
|
||||||
ShouldShowTotpScreen: refs.NewBoolRef(true),
|
|
||||||
}
|
|
||||||
return res, nil
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// If multi factor authentication is enabled and is email based login and email otp is enabled
|
// If multi factor authentication is enabled and is email based login and email otp is enabled
|
||||||
if refs.BoolValue(user.IsMultiFactorAuthEnabled) && !isMFADisabled && !isMailOTPDisabled && isEmailServiceEnabled && isEmailLogin {
|
if refs.BoolValue(user.IsMultiFactorAuthEnabled) && !isMFADisabled && !isMailOTPDisabled && isEmailServiceEnabled && isEmailLogin {
|
||||||
expiresAt := time.Now().Add(1 * time.Minute).Unix()
|
expiresAt := time.Now().Add(1 * time.Minute).Unix()
|
||||||
|
|
@ -275,6 +236,44 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
|
||||||
ShouldShowMobileOtpScreen: refs.NewBoolRef(isMobileLogin),
|
ShouldShowMobileOtpScreen: refs.NewBoolRef(isMobileLogin),
|
||||||
}, nil
|
}, nil
|
||||||
}
|
}
|
||||||
|
// If mfa enabled and also totp enabled
|
||||||
|
if refs.BoolValue(user.IsMultiFactorAuthEnabled) && !isMFADisabled && !isTOTPLoginDisabled {
|
||||||
|
expiresAt := time.Now().Add(3 * time.Minute).Unix()
|
||||||
|
if err := setOTPMFaSession(expiresAt); err != nil {
|
||||||
|
log.Debug("Failed to set mfa session: ", err)
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
authenticator, err := db.Provider.GetAuthenticatorDetailsByUserId(ctx, user.ID, constants.EnvKeyTOTPAuthenticator)
|
||||||
|
// Check if it's the first time user or if their TOTP is not verified
|
||||||
|
if err != nil || ((authenticator == nil) || (authenticator != nil && authenticator.VerifiedAt == nil)) {
|
||||||
|
// Generate a base64 URL and initiate the registration for TOTP
|
||||||
|
authConfig, err := authenticators.Provider.Generate(ctx, user.ID)
|
||||||
|
if err != nil {
|
||||||
|
log.Debug("error while generating base64 url: ", err)
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
recoveryCodes := []*string{}
|
||||||
|
for _, code := range authConfig.RecoveryCodes {
|
||||||
|
recoveryCodes = append(recoveryCodes, refs.NewStringRef(code))
|
||||||
|
}
|
||||||
|
// when user is first time registering for totp
|
||||||
|
res = &model.AuthResponse{
|
||||||
|
Message: `Proceed to totp verification screen`,
|
||||||
|
ShouldShowTotpScreen: refs.NewBoolRef(true),
|
||||||
|
AuthenticatorScannerImage: refs.NewStringRef(authConfig.ScannerImage),
|
||||||
|
AuthenticatorSecret: refs.NewStringRef(authConfig.Secret),
|
||||||
|
AuthenticatorRecoveryCodes: recoveryCodes,
|
||||||
|
}
|
||||||
|
return res, nil
|
||||||
|
} else {
|
||||||
|
//when user is already register for totp
|
||||||
|
res = &model.AuthResponse{
|
||||||
|
Message: `Proceed to totp screen`,
|
||||||
|
ShouldShowTotpScreen: refs.NewBoolRef(true),
|
||||||
|
}
|
||||||
|
return res, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
code := ""
|
code := ""
|
||||||
codeChallenge := ""
|
codeChallenge := ""
|
||||||
|
|
|
||||||
|
|
@ -261,7 +261,6 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
|
||||||
}
|
}
|
||||||
if !updatedData[constants.EnvKeyDisableMagicLinkLogin].(bool) {
|
if !updatedData[constants.EnvKeyDisableMagicLinkLogin].(bool) {
|
||||||
updatedData[constants.EnvKeyDisableMailOTPLogin] = true
|
updatedData[constants.EnvKeyDisableMailOTPLogin] = true
|
||||||
updatedData[constants.EnvKeyDisableTOTPLogin] = false
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -276,19 +275,8 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if updatedData[constants.EnvKeyDisableMultiFactorAuthentication].(bool) {
|
if updatedData[constants.EnvKeyDisableMultiFactorAuthentication].(bool) && updatedData[constants.EnvKeyIsEmailServiceEnabled].(bool) {
|
||||||
updatedData[constants.EnvKeyDisableTOTPLogin] = true
|
|
||||||
updatedData[constants.EnvKeyDisableMailOTPLogin] = true
|
updatedData[constants.EnvKeyDisableMailOTPLogin] = true
|
||||||
} else {
|
|
||||||
if !updatedData[constants.EnvKeyDisableMailOTPLogin].(bool) && !updatedData[constants.EnvKeyDisableTOTPLogin].(bool) {
|
|
||||||
errors.New("can't enable both mfa methods at same time")
|
|
||||||
updatedData[constants.EnvKeyDisableMailOTPLogin] = true
|
|
||||||
updatedData[constants.EnvKeyDisableTOTPLogin] = false
|
|
||||||
} else if updatedData[constants.EnvKeyDisableMailOTPLogin].(bool) && updatedData[constants.EnvKeyDisableTOTPLogin].(bool) {
|
|
||||||
errors.New("can't disable both mfa methods at same time")
|
|
||||||
updatedData[constants.EnvKeyDisableMailOTPLogin] = true
|
|
||||||
updatedData[constants.EnvKeyDisableTOTPLogin] = false
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if !currentData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && updatedData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && !updatedData[constants.EnvKeyDisableMultiFactorAuthentication].(bool) {
|
if !currentData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && updatedData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && !updatedData[constants.EnvKeyDisableMultiFactorAuthentication].(bool) {
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user