fix: fail by default if user has no 2fa method but is using a recovery code

This commit is contained in:
Abdullah Atta
2023-02-14 19:51:07 +05:00
parent 061a07120c
commit 5d5c179810
@@ -109,11 +109,21 @@ namespace Streetwriters.Identity.Validation
if (mfaMethod == MFAMethods.RecoveryCode)
{
context.Result.ErrorDescription = "Please provide a valid multi-factor authentication recovery code.";
// This happens for new users who haven't set up 2FA yet; in which case
// we default to email. However, there are no recovery codes for that user
// yet.
// Without this, RedeemTwoFactorRecoveryCodeAsync succeeds with any recovery
// code (valid or invalid).
var isTwoFactorEnabled = await UserManager.GetTwoFactorEnabledAsync(user);
if (!isTwoFactorEnabled)
return;
var result = await UserManager.RedeemTwoFactorRecoveryCodeAsync(user, mfaCode);
if (!result.Succeeded)
{
await UserManager.AccessFailedAsync(user);
context.Result.ErrorDescription = "Please provide a valid multi-factor authentication recovery code.";
await EmailSender.SendFailedLoginAlertAsync(user.Email, httpContext.GetClientInfo(), client).ConfigureAwait(false);
return;
}