v0.7.1
Closes an email-enrollment foot-gun surfaced in live integration: the OTP destination was taken
verbatim from the request body, so every host had to remember to substitute an authoritative,
verified address — and any host that forgot enrolled whatever the caller sent. Omni2FA now derives
the address from the authenticated identity by default. OpenAPI moves to 0.7.1.
Added
- `IUserContextAccessor.GetCurrentUserEmail()` resolves the current user's email from the configured `AspNetCoreOptions.UserEmailClaim` (default `ClaimTypes.Email`, falling back to the raw JWT `email` claim). Kept distinct from `UserLabelClaim` because the OTP destination is security-sensitive, not cosmetic. `UserContextAccessor` methods are now `virtual`, so a host with a non-claim source overrides this one method instead of writing endpoint glue.
- `AspNetCoreOptions.EmailEnrollmentAddressSource`: `ClaimOnly` (default) derives the address from the identity; `HostSupplied` preserves the previous body-supplied behavior for hosts that legitimately enroll an address other than the signed-in one.
Changed
- `POST /enroll/email/start` is secure by default: under `ClaimOnly` the body `email` is ignored and the address comes from `GetCurrentUserEmail()`.
- `EmailEnrollStartRequest.Email` is now optional (was required); the TS client/machine and the `useEmailEnrollment` hook's `start(email?)` accept an omitted address accordingly.
Migration
- Hosts relying on the request-body address (e.g. a decorator that injected the user's email) can delete that glue; the default now does it. Hosts that intentionally enroll a different address than the identity claim must set `EmailEnrollmentAddressSource = HostSupplied`.
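The following is an added example, not code from the Omni2FA changelog or source, showing the two `EmailEnrollmentAddressSource` settings and the one-method override for a host whose verified address lives outside the identity claims. It assumes that options are bound with the standard `services.Configure<AspNetCoreOptions>(...)` pattern, that the enum type carries the same name as the property, that `GetCurrentUserEmail()` returns `string?`, that `UserContextAccessor` takes an `IHttpContextAccessor` in its constructor and can be re-registered in DI, and that `IUserDirectory`, `HostApp.Security` and `Omni2FaSetup` are hypothetical host-side names.

```csharp
// Added example (not Omni2FA's own code). Assumed: standard options binding,
// EmailEnrollmentAddressSource enum name, UserContextAccessor(IHttpContextAccessor)
// base constructor, string? return type. IUserDirectory is a hypothetical host lookup.
using System.Security.Claims;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

namespace HostApp.Security;

// Hypothetical host-side source of verified addresses (e.g. a user directory).
public interface IUserDirectory
{
    string? GetVerifiedEmail(string userId);
}

public static class Omni2FaSetup
{
    // Default posture since 0.7.1: the OTP destination is derived from the
    // authenticated identity; the body `email` on POST /enroll/email/start is ignored.
    public static IServiceCollection AddClaimDerivedEmailEnrollment(this IServiceCollection services)
    {
        services.Configure<AspNetCoreOptions>(o =>
        {
            o.EmailEnrollmentAddressSource = EmailEnrollmentAddressSource.ClaimOnly; // the default
            o.UserEmailClaim = ClaimTypes.Email;   // the default; raw JWT "email" is the fallback
        });
        return services;
    }

    // Opt-out for hosts that legitimately enroll an address other than the signed-in
    // one. The request body is trusted again, so the host owns verifying that address
    // before the endpoint is reached.
    public static IServiceCollection AddHostSuppliedEmailEnrollment(this IServiceCollection services)
    {
        services.Configure<AspNetCoreOptions>(o =>
            o.EmailEnrollmentAddressSource = EmailEnrollmentAddressSource.HostSupplied);
        return services;
    }

    // Host whose verified address is not in a claim: keep ClaimOnly and override
    // GetCurrentUserEmail() instead of writing endpoint glue.
    public static IServiceCollection AddDirectoryBackedEmailEnrollment(this IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddClaimDerivedEmailEnrollment();
        services.AddScoped<IUserContextAccessor, DirectoryUserContextAccessor>(); // assumed re-registration
        return services;
    }
}

public class DirectoryUserContextAccessor : UserContextAccessor
{
    private readonly IHttpContextAccessor _http;
    private readonly IUserDirectory _directory;

    public DirectoryUserContextAccessor(IHttpContextAccessor http, IUserDirectory directory)
        : base(http)   // base constructor signature is assumed
    {
        _http = http;
        _directory = directory;
    }

    // Prefer the directory's verified address; fall back to the claim-derived value.
    // Never consult the request body here: that is exactly the 0.7.0 foot-gun.
    public override string? GetCurrentUserEmail()
    {
        var user = _http.HttpContext?.User;
        var userId = user?.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is null)
            return null;   // unauthenticated: no destination, enrollment must fail closed

        return _directory.GetVerifiedEmail(userId) ?? base.GetCurrentUserEmail();
    }
}
```

Choosing `AddDirectoryBackedEmailEnrollment` keeps the endpoint in `ClaimOnly` mode, so an omitted or attacker-chosen body `email` never becomes the OTP destination; `HostSupplied` should be reserved for the case the changelog names, where the host has already verified a different address.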
Refactor
- Extracted repeated store idioms into `ChallengeStoreExtensions` (`GetActiveEnrollmentAsync`, `RecordFailedAttemptAsync`, `AddAndSaveAsync`) and reused them across the Email/TOTP/WebAuthn enrollment services and the challenge service. Centralizes the "matching challenge kind" guard and the write-then-save pairs; no behavior change.
- `UserContextAccessor`'s three claim lookups now share a `FindClaimValue` helper.