From 7797099b40466a49295be59e85c9935e179854ae Mon Sep 17 00:00:00 2001 From: Mihaly Lengyel Date: Fri, 22 Nov 2024 13:52:07 +0100 Subject: [PATCH] fix: validate MFA claim before allowing TOTP device removal --- .gitignore | 4 +++- CHANGELOG.md | 4 ++++ examples/express/with-m2m/clients.json | 6 ++++++ lib/build/recipe/totp/api/removeDevice.js | 6 +++++- lib/build/version.d.ts | 2 +- lib/build/version.js | 2 +- lib/ts/recipe/totp/api/removeDevice.ts | 6 +++++- lib/ts/version.ts | 2 +- package-lock.json | 4 ++-- package.json | 2 +- test/test-server/src/testFunctionMapper.ts | 10 ++++++++++ 11 files changed, 39 insertions(+), 9 deletions(-) create mode 100644 examples/express/with-m2m/clients.json diff --git a/.gitignore b/.gitignore index a5e771d2c..05d6dd3fd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ /node_modules /examples/**/node_modules +/examples/**/dist .DS_Store /.history *.js.map @@ -12,4 +13,5 @@ releasePassword /test_report /temp_test_exports /temp_* -/.nyc_output \ No newline at end of file +/.nyc_output +.circleci/.pat \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index 46f2fc22d..ce85fd202 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [unreleased] +## [20.0.6] - 2024-11-22 + +- Fixes an issue where `removeDevice` API allowed removing TOTP devices without the user completing MFA. + ## [20.0.5] - 2024-09-02 - Optional form fields are now truly optional, can be omitted from the payload. diff --git a/examples/express/with-m2m/clients.json b/examples/express/with-m2m/clients.json new file mode 100644 index 000000000..5e06031d9 --- /dev/null +++ b/examples/express/with-m2m/clients.json @@ -0,0 +1,6 @@ +{ + "assistant": { + "clientId": "stcl_e06aa4a8-d070-430c-be94-2803ba35ef12", + "clientSecret": "JND.Z5162vBtyMCJ4UV6PZ.5Sq" + } +} diff --git a/lib/build/recipe/totp/api/removeDevice.js b/lib/build/recipe/totp/api/removeDevice.js index 3893442a1..b2dbd4a38 100644 --- a/lib/build/recipe/totp/api/removeDevice.js +++ b/lib/build/recipe/totp/api/removeDevice.js @@ -28,7 +28,11 @@ async function removeDeviceAPI(apiImplementation, options, userContext) { const session = await session_1.default.getSession( options.req, options.res, - { overrideGlobalClaimValidators: () => [], sessionRequired: true }, + { + overrideGlobalClaimValidators: (globalClaimValidators) => + globalClaimValidators.filter((v) => v.id === "st-mfa"), + sessionRequired: true, + }, userContext ); const bodyParams = await options.req.getJSONBody(); diff --git a/lib/build/version.d.ts b/lib/build/version.d.ts index 93718a872..b0e0c693c 100644 --- a/lib/build/version.d.ts +++ b/lib/build/version.d.ts @@ -1,4 +1,4 @@ // @ts-nocheck -export declare const version = "20.0.5"; +export declare const version = "20.0.6"; export declare const cdiSupported: string[]; export declare const dashboardVersion = "0.13"; diff --git a/lib/build/version.js b/lib/build/version.js index e256659d6..56f089e51 100644 --- a/lib/build/version.js +++ b/lib/build/version.js @@ -15,7 +15,7 @@ exports.dashboardVersion = exports.cdiSupported = exports.version = void 0; * License for the specific language governing permissions and limitations * under the License. */ -exports.version = "20.0.5"; +exports.version = "20.0.6"; exports.cdiSupported = ["5.1"]; // Note: The actual script import for dashboard uses v{DASHBOARD_VERSION} exports.dashboardVersion = "0.13"; diff --git a/lib/ts/recipe/totp/api/removeDevice.ts b/lib/ts/recipe/totp/api/removeDevice.ts index 65c57fec1..21323c957 100644 --- a/lib/ts/recipe/totp/api/removeDevice.ts +++ b/lib/ts/recipe/totp/api/removeDevice.ts @@ -30,7 +30,11 @@ export default async function removeDeviceAPI( const session = await Session.getSession( options.req, options.res, - { overrideGlobalClaimValidators: () => [], sessionRequired: true }, + { + overrideGlobalClaimValidators: (globalClaimValidators) => + globalClaimValidators.filter((v) => v.id === "st-mfa"), + sessionRequired: true, + }, userContext ); diff --git a/lib/ts/version.ts b/lib/ts/version.ts index 9f9d7d051..12a26b3a0 100644 --- a/lib/ts/version.ts +++ b/lib/ts/version.ts @@ -12,7 +12,7 @@ * License for the specific language governing permissions and limitations * under the License. */ -export const version = "20.0.5"; +export const version = "20.0.6"; export const cdiSupported = ["5.1"]; diff --git a/package-lock.json b/package-lock.json index bcd33c815..f06d6ee38 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "supertokens-node", - "version": "20.0.5", + "version": "20.0.6", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "supertokens-node", - "version": "20.0.5", + "version": "20.0.6", "license": "Apache-2.0", "dependencies": { "content-type": "^1.0.5", diff --git a/package.json b/package.json index b32c64b53..8e3a9575e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "supertokens-node", - "version": "20.0.5", + "version": "20.0.6", "description": "NodeJS driver for SuperTokens core", "main": "index.js", "scripts": { diff --git a/test/test-server/src/testFunctionMapper.ts b/test/test-server/src/testFunctionMapper.ts index 71addde00..c35c37ae9 100644 --- a/test/test-server/src/testFunctionMapper.ts +++ b/test/test-server/src/testFunctionMapper.ts @@ -347,6 +347,16 @@ export function getFunc(evalStr: string): (...args: any[]) => any { } if (evalStr.startsWith("multifactorauth.init.override.functions")) { + if (evalStr.includes(`getMFARequirementsForAuth:async()=>["totp"]`)) { + return (e) => { + return { + ...e, + getMFARequirementsForAuth: (e) => { + return ["totp"]; + }, + }; + }; + } return (e) => { return { ...e,