feat: treat lookup as aal2 in session

ory · Oct 19, 2021 · 3269028 · 3269028
1 parent 458f559
commit 3269028
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/session/session.go b/session/session.go
@@ -116,6 +116,8 @@ func (s *Session) SetAuthenticatorAssuranceLevel() {
 			firstFactor = true
 		case identity.CredentialsTypeTOTP:
 			secondFactor = true
+		case identity.CredentialsTypeLookup:
+			secondFactor = true
 		}
 	}
 

diff --git a/session/session_test.go b/session/session_test.go
@@ -107,6 +107,14 @@ func TestSession(t *testing.T) {
 				},
 				expected: identity.AuthenticatorAssuranceLevel2,
 			},
+			{
+				d: "password + lookup is aal2",
+				methods: []identity.CredentialsType{
+					identity.CredentialsTypePassword,
+					identity.CredentialsTypeLookup,
+				},
+				expected: identity.AuthenticatorAssuranceLevel2,
+			},
 			{
 				d: "oidc + totp is aal2",
 				methods: []identity.CredentialsType{
@@ -115,6 +123,14 @@ func TestSession(t *testing.T) {
 				},
 				expected: identity.AuthenticatorAssuranceLevel2,
 			},
+			{
+				d: "oidc + lookup is aal2",
+				methods: []identity.CredentialsType{
+					identity.CredentialsTypeOIDC,
+					identity.CredentialsTypeLookup,
+				},
+				expected: identity.AuthenticatorAssuranceLevel2,
+			},
 			{
 				d: "recovery link + totp is aal2",
 				methods: []identity.CredentialsType{
@@ -123,6 +139,14 @@ func TestSession(t *testing.T) {
 				},
 				expected: identity.AuthenticatorAssuranceLevel2,
 			},
+			{
+				d: "recovery link + lookup is aal2",
+				methods: []identity.CredentialsType{
+					identity.CredentialsTypeRecoveryLink,
+					identity.CredentialsTypeLookup,
+				},
+				expected: identity.AuthenticatorAssuranceLevel2,
+			},
 		} {
 			t.Run("case="+tc.d, func(t *testing.T) {
 				s := session.NewInactiveSession()