fix(auth): account enumeration with pseudo u2f and mfa (#709)

This commit is contained in:
Karol Sójko
2023-08-25 12:05:16 +02:00
committed by GitHub
parent ef07045ee9
commit bbb35d16fc
2 changed files with 23 additions and 23 deletions
@@ -257,7 +257,7 @@ describe('VerifyMFA', () => {
})
it('should not pass if user is not found and pseudo u2f is required', async () => {
booleanSelector.select = jest.fn().mockReturnValueOnce(false).mockReturnValueOnce(true)
booleanSelector.select = jest.fn().mockReturnValueOnce(true).mockReturnValueOnce(true)
userRepository.findOneByUsernameOrEmail = jest.fn().mockReturnValue(null)
expect(
+22 -22
View File
@@ -48,33 +48,33 @@ export class VerifyMFA implements UseCaseInterface {
const user = await this.userRepository.findOneByUsernameOrEmail(username)
if (user == null) {
const mfaSelectorHash = crypto
const secondFactorSelectorHash = crypto
.createHash('sha256')
.update(`mfa-selector-${dto.email}${this.pseudoKeyParamsKey}`)
.digest('hex')
const u2fSelectorHash = crypto
.createHash('sha256')
.update(`u2f-selector-${dto.email}${this.pseudoKeyParamsKey}`)
.update(`second-factor-selector-${dto.email}${this.pseudoKeyParamsKey}`)
.digest('hex')
const isPseudoMFARequired = this.booleanSelector.select(mfaSelectorHash, [true, false])
const isPseudoSecondFactorRequired = this.booleanSelector.select(secondFactorSelectorHash, [true, false])
if (isPseudoSecondFactorRequired) {
const u2fSelectorHash = crypto
.createHash('sha256')
.update(`u2f-selector-${dto.email}${this.pseudoKeyParamsKey}`)
.digest('hex')
const isPseudoU2FRequired = this.booleanSelector.select(u2fSelectorHash, [true, false])
const isPseudoU2FRequired = this.booleanSelector.select(u2fSelectorHash, [true, false])
if (isPseudoMFARequired) {
return {
success: false,
errorTag: ErrorTag.MfaRequired,
errorMessage: 'Please enter your two-factor authentication code.',
errorPayload: { mfa_key: `mfa_${uuidv4()}` },
}
}
if (isPseudoU2FRequired) {
return {
success: false,
errorTag: ErrorTag.U2FRequired,
errorMessage: 'Please authenticate with your U2F device.',
if (isPseudoU2FRequired) {
return {
success: false,
errorTag: ErrorTag.U2FRequired,
errorMessage: 'Please authenticate with your U2F device.',
}
} else {
return {
success: false,
errorTag: ErrorTag.MfaRequired,
errorMessage: 'Please enter your two-factor authentication code.',
errorPayload: { mfa_key: `mfa_${uuidv4()}` },
}
}
}