From 5d5c179810209604179d1669da652847d1227186 Mon Sep 17 00:00:00 2001 From: Abdullah Atta Date: Tue, 14 Feb 2023 19:51:07 +0500 Subject: [PATCH] fix: fail by default if user has no 2fa method but is using a recovery code --- .../Validation/MFAGrantValidator.cs | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/Streetwriters.Identity/Validation/MFAGrantValidator.cs b/Streetwriters.Identity/Validation/MFAGrantValidator.cs index f4af01d..25f4dd0 100644 --- a/Streetwriters.Identity/Validation/MFAGrantValidator.cs +++ b/Streetwriters.Identity/Validation/MFAGrantValidator.cs @@ -109,11 +109,21 @@ namespace Streetwriters.Identity.Validation if (mfaMethod == MFAMethods.RecoveryCode) { + context.Result.ErrorDescription = "Please provide a valid multi-factor authentication recovery code."; + + // This happens for new users who haven't set up 2FA yet; in which case + // we default to email. However, there are no recovery codes for that user + // yet. + // Without this, RedeemTwoFactorRecoveryCodeAsync succeeds with any recovery + // code (valid or invalid). + var isTwoFactorEnabled = await UserManager.GetTwoFactorEnabledAsync(user); + if (!isTwoFactorEnabled) + return; + var result = await UserManager.RedeemTwoFactorRecoveryCodeAsync(user, mfaCode); if (!result.Succeeded) { await UserManager.AccessFailedAsync(user); - context.Result.ErrorDescription = "Please provide a valid multi-factor authentication recovery code."; await EmailSender.SendFailedLoginAlertAsync(user.Email, httpContext.GetClientInfo(), client).ConfigureAwait(false); return; }