Skip to content

Commit

Permalink
fix: validate MFA claim before allowing TOTP device removal
Browse files Browse the repository at this point in the history
  • Loading branch information
porcellus committed Nov 22, 2024
1 parent 6420511 commit 7797099
Show file tree
Hide file tree
Showing 11 changed files with 39 additions and 9 deletions.
4 changes: 3 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
/node_modules
/examples/**/node_modules
/examples/**/dist
.DS_Store
/.history
*.js.map
Expand All @@ -12,4 +13,5 @@ releasePassword
/test_report
/temp_test_exports
/temp_*
/.nyc_output
/.nyc_output
.circleci/.pat
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [unreleased]

## [20.0.6] - 2024-11-22

- Fixes an issue where `removeDevice` API allowed removing TOTP devices without the user completing MFA.

## [20.0.5] - 2024-09-02

- Optional form fields are now truly optional, can be omitted from the payload.
Expand Down
6 changes: 6 additions & 0 deletions examples/express/with-m2m/clients.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
"assistant": {
"clientId": "stcl_e06aa4a8-d070-430c-be94-2803ba35ef12",
"clientSecret": "JND.Z5162vBtyMCJ4UV6PZ.5Sq"
}
}
6 changes: 5 additions & 1 deletion lib/build/recipe/totp/api/removeDevice.js
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,11 @@ async function removeDeviceAPI(apiImplementation, options, userContext) {
const session = await session_1.default.getSession(
options.req,
options.res,
{ overrideGlobalClaimValidators: () => [], sessionRequired: true },
{
overrideGlobalClaimValidators: (globalClaimValidators) =>
globalClaimValidators.filter((v) => v.id === "st-mfa"),
sessionRequired: true,
},
userContext
);
const bodyParams = await options.req.getJSONBody();
Expand Down
2 changes: 1 addition & 1 deletion lib/build/version.d.ts

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/build/version.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 5 additions & 1 deletion lib/ts/recipe/totp/api/removeDevice.ts
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,11 @@ export default async function removeDeviceAPI(
const session = await Session.getSession(
options.req,
options.res,
{ overrideGlobalClaimValidators: () => [], sessionRequired: true },
{
overrideGlobalClaimValidators: (globalClaimValidators) =>
globalClaimValidators.filter((v) => v.id === "st-mfa"),
sessionRequired: true,
},
userContext
);

Expand Down
2 changes: 1 addition & 1 deletion lib/ts/version.ts
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
* License for the specific language governing permissions and limitations
* under the License.
*/
export const version = "20.0.5";
export const version = "20.0.6";

export const cdiSupported = ["5.1"];

Expand Down
4 changes: 2 additions & 2 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "supertokens-node",
"version": "20.0.5",
"version": "20.0.6",
"description": "NodeJS driver for SuperTokens core",
"main": "index.js",
"scripts": {
Expand Down
10 changes: 10 additions & 0 deletions test/test-server/src/testFunctionMapper.ts
Original file line number Diff line number Diff line change
Expand Up @@ -347,6 +347,16 @@ export function getFunc(evalStr: string): (...args: any[]) => any {
}

if (evalStr.startsWith("multifactorauth.init.override.functions")) {
if (evalStr.includes(`getMFARequirementsForAuth:async()=>["totp"]`)) {
return (e) => {
return {
...e,
getMFARequirementsForAuth: (e) => {
return ["totp"];
},
};
};
}
return (e) => {
return {
...e,
Expand Down

0 comments on commit 7797099

Please sign in to comment.