fix: don't require code credential for MFA flows (#3753)

ory · Feb 16, 2024 · 40ed809 · 40ed809
1 parent cfa3074
commit 40ed809
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 6 deletions.
diff --git a/internal/testhelpers/config.go b/internal/testhelpers/config.go
@@ -24,11 +24,17 @@ func UseConfigFile(t *testing.T, path string) *pflag.FlagSet {
 	return flags
 }
 
-func SetDefaultIdentitySchema(conf *config.Config, url string) {
+func SetDefaultIdentitySchema(conf *config.Config, url string) func() {
+	schemaUrl, _ := conf.DefaultIdentityTraitsSchemaURL(context.Background())
 	conf.MustSet(context.Background(), config.ViperKeyDefaultIdentitySchemaID, "default")
 	conf.MustSet(context.Background(), config.ViperKeyIdentitySchemas, config.Schemas{
 		{ID: "default", URL: url},
 	})
+	return func() {
+		conf.MustSet(context.Background(), config.ViperKeyIdentitySchemas, config.Schemas{
+			{ID: "default", URL: schemaUrl.String()},
+		})
+	}
 }
 
 // UseIdentitySchema registeres an identity schema in the config with a random ID and returns the ID

diff --git a/selfservice/strategy/code/strategy_login.go b/selfservice/strategy/code/strategy_login.go
@@ -293,10 +293,21 @@ func (s *Strategy) loginVerifyCode(ctx context.Context, r *http.Request, f *logi
 
 	p.Identifier = maybeNormalizeEmail(p.Identifier)
 
-	// Step 1: Get the identity
-	i, isFallback, err := s.findIdentityByIdentifier(ctx, p.Identifier)
-	if err != nil {
-		return nil, err
+	isFallback := false
+	var i *identity.Identity
+	if f.RequestedAAL > identity.AuthenticatorAssuranceLevel1 {
+		// Don't require the code credential if the user already has a session (e.g. this is an MFA flow)
+		sess, err := s.deps.SessionManager().FetchFromRequest(ctx, r)
+		if err != nil {
+			return nil, err
+		}
+		i = sess.Identity
+	} else {
+		// Step 1: Get the identity
+		i, isFallback, err = s.findIdentityByIdentifier(ctx, p.Identifier)
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	loginCode, err := s.deps.LoginCodePersister().UseLoginCode(ctx, f.ID, i.ID, p.Code)

diff --git a/selfservice/strategy/code/strategy_login_test.go b/selfservice/strategy/code/strategy_login_test.go
@@ -586,7 +586,8 @@ func TestLoginCodeStrategy(t *testing.T) {
 				})
 
 				t.Run("case=should be able to get AAL2 session", func(t *testing.T) {
-					identity := createIdentity(ctx, t, false)
+					t.Cleanup(testhelpers.SetDefaultIdentitySchema(conf, "file://./stub/default.schema.json")) // doesn't have the code credential
+					identity := createIdentity(ctx, t, true)
 					var cl *http.Client
 					var f *oryClient.LoginFlow
 					if tc.apiType == ApiTypeNative {