From 8d3b0d6dbf06eb42138e464a1551b11f0b17d607 Mon Sep 17 00:00:00 2001
From: Abdullah Atta
Date: Wed, 30 Apr 2025 11:45:18 +0500
Subject: [PATCH] identity: validate mfa method against user's mfa methods

---
 Streetwriters.Identity/Interfaces/IMFAService.cs | 1 +
 Streetwriters.Identity/Services/MFAService.cs | 11 +++++++++--
 .../Validation/MFAGrantValidator.cs | 2 +-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/Streetwriters.Identity/Interfaces/IMFAService.cs b/Streetwriters.Identity/Interfaces/IMFAService.cs
index e7de264..b8edfd4 100644
--- a/Streetwriters.Identity/Interfaces/IMFAService.cs
+++ b/Streetwriters.Identity/Interfaces/IMFAService.cs
@@ -34,6 +34,7 @@ namespace Streetwriters.Identity.Interfaces
 string GetSecondaryMethod(User user);
 Task GetRemainingValidCodesAsync(User user);
 bool IsValidMFAMethod(string method);
+ bool IsValidMFAMethod(string method, User user);
 Task GetAuthenticatorDetailsAsync(User user, IClient client);
 Task SendOTPAsync(User user, IClient client, MultiFactorSetupForm form, bool isSetup = false);
 Task VerifyOTPAsync(User user, string code, string method);
diff --git a/Streetwriters.Identity/Services/MFAService.cs b/Streetwriters.Identity/Services/MFAService.cs
index b0ddeb4..9b395c5 100644
--- a/Streetwriters.Identity/Services/MFAService.cs
+++ b/Streetwriters.Identity/Services/MFAService.cs
@@ -121,6 +121,13 @@ namespace Streetwriters.Identity.Services
 return method == MFAMethods.App || method == MFAMethods.Email || method == MFAMethods.SMS || method == MFAMethods.RecoveryCode;
 }
 
+ public bool IsValidMFAMethod(string method, User user)
+ {
+ var primaryMethod = GetPrimaryMethod(user);
+ var secondaryMethod = GetSecondaryMethod(user);
+ return IsValidMFAMethod(method) && (method == primaryMethod || method == secondaryMethod);
+ }
+
 private Task RemoveSecondaryMethodAsync(User user)
 {
 return this.RemoveClaimAsync(user, MFAService.SECONDARY_METHOD_CLAIM);
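Review bot: The new overload `bool IsValidMFAMethod(string method, User user);` sits next to the single-argument `IsValidMFAMethod(string method)` with nothing on the interface saying how the two differ, so an implementer or caller has to read MFAService to learn that this one narrows the check to the methods enrolled for the given user. A one-line summary above it, `/// <summary>True when <paramref name="method"/> is a known MFA method and is the user's configured primary or secondary method.</summary>`, would make the distinction visible at the call site and steer authentication-time checks to this overload. The enclosing interface starts and ends outside the hunk.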
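Review bot: The new `IsValidMFAMethod(string method, User user)` accepts only the user's primary or secondary method, while the single-argument check on the first context line still lists `MFAMethods.RecoveryCode` as valid; unless a recovery-code method is itself stored as the primary or secondary claim, `IsValidMFAMethod(MFAMethods.RecoveryCode, user)` is now always false, and the call site changed in the MFAGrantValidator hunk (`!MFAService.IsValidMFAMethod(mfaMethod, user)`) would stop accepting recovery codes at login. Whether GetPrimaryMethod/GetSecondaryMethod can ever return RecoveryCode is not visible in this diff, so this needs confirming; if recovery codes are meant to stay a fallback, allow them explicitly: `return IsValidMFAMethod(method) && (method == MFAMethods.RecoveryCode || method == primaryMethod || method == secondaryMethod);`. A short comment on the method, `// Narrows the generic method check to what this user has enrolled; used by the grant validator and SendOTPAsync.`, would also record the intent for the next reader.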
@@ -157,8 +164,8 @@ namespace Streetwriters.Identity.Services public async Task SendOTPAsync(User user, IClient client, MultiFactorSetupForm form, bool isSetup = false) { var method = form.Type; - if (method != MFAMethods.Email && method != MFAMethods.SMS) throw new Exception("Invalid method."); - + if ((method != MFAMethods.Email && method != MFAMethods.SMS) || !IsValidMFAMethod(method, user)) + throw new Exception("Invalid method."); if (isSetup && method == MFAMethods.SMS && diff --git a/Streetwriters.Identity/Validation/MFAGrantValidator.cs b/Streetwriters.Identity/Validation/MFAGrantValidator.cs index 788f320..420a4f5 100644 --- a/Streetwriters.Identity/Validation/MFAGrantValidator.cs +++ b/Streetwriters.Identity/Validation/MFAGrantValidator.cs @@ -101,7 +101,7 @@ namespace Streetwriters.Identity.Validation context.Result.ErrorDescription = "Please provide a valid multi-factor authentication code."; if (string.IsNullOrEmpty(mfaCode)) return; - if (string.IsNullOrEmpty(mfaMethod) || !MFAService.IsValidMFAMethod(mfaMethod)) + if (string.IsNullOrEmpty(mfaMethod) || !MFAService.IsValidMFAMethod(mfaMethod, user)) { context.Result.ErrorDescription = "Please provide a valid multi-factor authentication method."; return;
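Review bot: The added `|| !IsValidMFAMethod(method, user)` runs even when `isSetup` is true, yet during setup the user is presumably enrolling a method that is not yet their primary or secondary one, so a setup OTP for a new Email/SMS method would now fail with "Invalid method." unless the method claim is written before this call. If that reading is right, restrict the per-user check to the non-setup path: `if ((method != MFAMethods.Email && method != MFAMethods.SMS) || (!isSetup && !IsValidMFAMethod(method, user)))`. The new `throw new Exception("Invalid method.");` also keeps the bare `Exception` type; an `ArgumentException` (or the project's own validation exception) would let callers distinguish a bad request from an internal failure. The rest of SendOTPAsync, including the `isSetup` branch that begins on the last line of the hunk, is outside the hunk.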