[BUG] Fix issues with multiple authenticators for a single task #7149
Conversation
Firesphere
force-pushed
the
pulls/multiple-logout-authenticators
branch
2 times, most recently
from
ff8654e
to
fd5a5cc
Compare
|
Explanation: My test case is based on the usage of @camfindlay his 2FA method side-by-side with my YubiAuth module. The reason for failure, is that both Authenticators support logout (or reset password, or what else), and therefore, will respond with a valid HTTPResponse the Security::handleMultiple doesn't support. This PR resolves the handle multiple, by returning the first successful response. This works, because the user at this point is already logged out, so there's no further need for confirmation. With the exception of a user with an expired logout token. In which case, the confirmation screen by @kinglozzer is shown. |
Using multiple 2FA authenticators, logging out, resetting password etc. proved to be handled wrong. Example scenario: The result is an error, because the `renderWrappedController` was called, despite the responses being a set of either array with Content or Form, or a redirect action. The default action should be followed and not try to render if there is nothing to render Because the logout (or changepassword, or resetpassword, etc.) has already been handled, the first response is the default authenticator's response. This _could_ be a form (in case of logout without valid token), a content set (reset password) or a form (change password). This edge case only happens when there are multiple authenticators supporting the requested method that is _not_ login.
Firesphere
force-pushed
the
pulls/multiple-logout-authenticators
branch
from
fd5a5cc
to
2790fa8
Compare
|
No new tests, as there is no new scenario to test. Happy to add if requested! |
Using multiple 2FA authenticators, logging out, resetting password etc. proved to be handled wrong.
Example scenario:
Person logs out while multiple authenticators support logout
The result is an error, because the
renderWrappedControllerwas called, despite the responses being a set of either array with Content or Form, or a redirect action.The default action should be followed and not try to render if there is nothing to render
Because the logout (or changepassword, or resetpassword, etc.) has already been handled, the first response is the default authenticator's response. This could be a form (in case of logout without valid token), a content set (reset password) or a form (change password).
This edge case only happens when there are multiple authenticators supporting the requested method that is not login.