fix: mfa recovery codes not working due to dual otp & recovery code checks

2026-02-12 19:22:45 +00:00 · 2023-02-14 18:02:17 +05:00
parent c560f2ac5f
commit 061a07120c
1 changed files with 9 additions and 7 deletions
--- a/Streetwriters.Identity/Validation/MFAGrantValidator.cs
+++ b/Streetwriters.Identity/Validation/MFAGrantValidator.cs
@@ -118,14 +118,16 @@ namespace Streetwriters.Identity.Validation
                    return;
                }
            }
-
-            var provider = mfaMethod == MFAMethods.Email || mfaMethod == MFAMethods.SMS ? TokenOptions.DefaultPhoneProvider : UserManager.Options.Tokens.AuthenticatorTokenProvider;
-            var isMFACodeValid = await MFAService.VerifyOTPAsync(user, mfaCode, mfaMethod);
-            if (!isMFACodeValid)
+            else
            {
-                await UserManager.AccessFailedAsync(user);
-                await EmailSender.SendFailedLoginAlertAsync(user.Email, httpContext.GetClientInfo(), client).ConfigureAwait(false);
-                return;
+                var provider = mfaMethod == MFAMethods.Email || mfaMethod == MFAMethods.SMS ? TokenOptions.DefaultPhoneProvider : UserManager.Options.Tokens.AuthenticatorTokenProvider;
+                var isMFACodeValid = await MFAService.VerifyOTPAsync(user, mfaCode, mfaMethod);
+                if (!isMFACodeValid)
+                {
+                    await UserManager.AccessFailedAsync(user);
+                    await EmailSender.SendFailedLoginAlertAsync(user.Email, httpContext.GetClientInfo(), client).ConfigureAwait(false);
+                    return;
+                }
            }

            context.Result.IsError = false;