mirror of
https://github.com/streetwriters/notesnook-sync-server.git
synced 2026-07-07 19:37:56 +02:00
fix: fail by default if user has no 2fa method but is using a recovery code
This commit is contained in:
@@ -109,11 +109,21 @@ namespace Streetwriters.Identity.Validation
|
||||
|
||||
if (mfaMethod == MFAMethods.RecoveryCode)
|
||||
{
|
||||
context.Result.ErrorDescription = "Please provide a valid multi-factor authentication recovery code.";
|
||||
|
||||
// This happens for new users who haven't set up 2FA yet; in which case
|
||||
// we default to email. However, there are no recovery codes for that user
|
||||
// yet.
|
||||
// Without this, RedeemTwoFactorRecoveryCodeAsync succeeds with any recovery
|
||||
// code (valid or invalid).
|
||||
var isTwoFactorEnabled = await UserManager.GetTwoFactorEnabledAsync(user);
|
||||
if (!isTwoFactorEnabled)
|
||||
return;
|
||||
|
||||
var result = await UserManager.RedeemTwoFactorRecoveryCodeAsync(user, mfaCode);
|
||||
if (!result.Succeeded)
|
||||
{
|
||||
await UserManager.AccessFailedAsync(user);
|
||||
context.Result.ErrorDescription = "Please provide a valid multi-factor authentication recovery code.";
|
||||
await EmailSender.SendFailedLoginAlertAsync(user.Email, httpContext.GetClientInfo(), client).ConfigureAwait(false);
|
||||
return;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user