From 76af2cbfc8e6c75ab8f027ee7e84a1e761fa3c4f Mon Sep 17 00:00:00 2001
From: Abdullah Atta
Date: Tue, 15 Jul 2025 13:35:07 +0500
Subject: [PATCH] identity: fix 2fa recovery codes not working

---
 Streetwriters.Identity/Services/MFAService.cs | 5 +++--
 Streetwriters.Identity/Validation/MFAGrantValidator.cs | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Streetwriters.Identity/Services/MFAService.cs b/Streetwriters.Identity/Services/MFAService.cs
index 9b395c5..f8c82e0 100644
--- a/Streetwriters.Identity/Services/MFAService.cs
+++ b/Streetwriters.Identity/Services/MFAService.cs
@@ -125,7 +125,8 @@ namespace Streetwriters.Identity.Services
 {
 var primaryMethod = GetPrimaryMethod(user);
 var secondaryMethod = GetSecondaryMethod(user);
- return IsValidMFAMethod(method) && (method == primaryMethod || method == secondaryMethod);
+ if (!IsValidMFAMethod(method)) return false;
+ return method == primaryMethod || (!string.IsNullOrEmpty(secondaryMethod) && method == secondaryMethod);
 }

 private Task RemoveSecondaryMethodAsync(User user)
@@ -164,7 +165,7 @@ namespace Streetwriters.Identity.Services
 public async Task SendOTPAsync(User user, IClient client, MultiFactorSetupForm form, bool isSetup = false)
 {
 var method = form.Type;
- if ((method != MFAMethods.Email && method != MFAMethods.SMS) || !IsValidMFAMethod(method, user))
+ if ((method != MFAMethods.Email && method != MFAMethods.SMS) || !IsValidMFAMethod(method))
 throw new Exception("Invalid method.");

 if (isSetup &&
diff --git a/Streetwriters.Identity/Validation/MFAGrantValidator.cs b/Streetwriters.Identity/Validation/MFAGrantValidator.cs
index 420a4f5..7ba1580 100644
--- a/Streetwriters.Identity/Validation/MFAGrantValidator.cs
+++ b/Streetwriters.Identity/Validation/MFAGrantValidator.cs
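Review bot: In the new return expression of the two-argument `IsValidMFAMethod` (first MFAService.cs hunk), the `!string.IsNullOrEmpty(secondaryMethod)` guard covers only the secondary method, while `method == primaryMethod` is compared unguarded. If the one-argument `IsValidMFAMethod(method)` already rejects null or empty input, the guard can never change the result and could be dropped; if it does not, the primary comparison has the same gap. A short comment such as `// secondaryMethod is null/empty when no fallback method is enrolled` would record which case is intended. The method signature is outside the hunk.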
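Review bot: The guard in `SendOTPAsync` (second MFAService.cs hunk) no longer checks the requested method against the user's enrolled methods: `!IsValidMFAMethod(method, user)` became `!IsValidMFAMethod(method)`, so with `isSetup == false` an Email or SMS code is sent even when that method is neither the account's primary nor secondary one. Skipping the enrollment check is understandable during setup, but on the login path it presumably allows OTP delivery over a channel the user never enabled, unless code after the hunk rejects it (the method body continues outside the hunk). Consider keeping the per-user check for the non-setup case, e.g. `|| !IsValidMFAMethod(method) || (!isSetup && !IsValidMFAMethod(method, user))`. The commit title mentions only recovery codes, so a comment explaining why this check was relaxed would help the next reader.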
@@ -101,7 +101,7 @@ namespace Streetwriters.Identity.Validation
 context.Result.ErrorDescription = "Please provide a valid multi-factor authentication code.";
 if (string.IsNullOrEmpty(mfaCode)) return;
- if (string.IsNullOrEmpty(mfaMethod) || !MFAService.IsValidMFAMethod(mfaMethod, user))
+ if (string.IsNullOrEmpty(mfaMethod) || (!MFAService.IsValidMFAMethod(mfaMethod, user) && mfaMethod != MFAMethods.RecoveryCode))
 {
 context.Result.ErrorDescription = "Please provide a valid multi-factor authentication method.";
 return;
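Review bot: The `mfaMethod != MFAMethods.RecoveryCode` exemption lets a recovery code past the per-user method gate for every account, and nothing on the line says why. That is sound only if the code after this check verifies the submitted value against the user's stored recovery codes, invalidates it on use and applies the same attempt throttling as OTPs; none of that is visible in this hunk, so it is worth confirming. I would add a comment such as `// Recovery codes are not an enrolled primary/secondary method; the code itself is verified below.` and put the cheap comparison first: `mfaMethod != MFAMethods.RecoveryCode && !MFAService.IsValidMFAMethod(mfaMethod, user)`. Other callers of the two-argument `IsValidMFAMethod` presumably still reject `RecoveryCode`, so the exemption may belong in one shared helper rather than in the validator.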