-
Notifications
You must be signed in to change notification settings - Fork 439
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(login): improve auth handlers #7969
Conversation
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
Thanks for your contribution! 🎉Please make sure you tick the following checkboxes before marking this Pull Request (PR) as ready for review:
|
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #7969 +/- ##
==========================================
- Coverage 62.75% 62.45% -0.30%
==========================================
Files 1341 1342 +1
Lines 111029 110812 -217
==========================================
- Hits 69672 69213 -459
- Misses 37431 37721 +290
+ Partials 3926 3878 -48
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
internal/auth/repository/eventsourcing/handler/refresh_token.go
Outdated
Show resolved
Hide resolved
# Which Problems Are Solved As already mentioned and (partially) fixed in #7992 we discovered, issues with v2 tokens that where obtained through an IDP, with passwordless authentication or with password authentication (wihtout any 2FA set up) using the v1 login for zitadel API calls - (Previous) authentication through an IdP is now correctly treated as auth method in case of a reauth even when the user is not redirected to the IdP - There were some cases where passwordless authentication was successfully checked but not correctly set as auth method, which denied access to ZITADEL API - Users with password and passwordless, but no 2FA set up which authenticate just wich password can access the ZITADEL API again Additionally while testing we found out that because of #7969 the login UI could completely break / block with the following error: `sql: Scan error on column index 3, name "state": converting NULL to int32 is unsupported (Internal)` # How the Problems Are Solved - IdP checks are treated the same way as other factors and it's ensured that a succeeded check within the configured timeframe will always provide the idp auth method - `MFATypesAllowed` checks for possible passwordless authentication - As with the v1 login, the token check now only requires MFA if the policy is set or the user has 2FA set up - UserAuthMethodsRequirements now always uses the correctly policy to check for MFA enforcement - `State` column is handled as nullable and additional events set the state to active (as before #7969) # Additional Changes - Console now also checks for 403 (mfa required) errors (e.g. after setting up the first 2FA in console) and redirects the user to the login UI (with the current id_token as id_token_hint) - Possible duplicates in auth methods / AMRs are removed now as well. # Additional Context - Bugs were introduced in #7822 and # and 7969 and only part of a pre-release. - partially already fixed with #7992 - Reported internally.
🎉 This PR is included in version 2.53.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
# Which Problems Are Solved A customer noted that after upgrade to 2.53.0, users were no longer able to reset their passwords through the login UI. This was due to a accidental change in #7969 # How the Problems Are Solved The `preferred_login_name` is now correctly read from the database. # Additional Changes None. # Additional Context relates to #7969
# Which Problems Are Solved A customer noted that after upgrade to 2.53.0, users were no longer able to reset their passwords through the login UI. This was due to a accidental change in #7969 # How the Problems Are Solved The `preferred_login_name` is now correctly read from the database. # Additional Changes None. # Additional Context relates to #7969 (cherry picked from commit eca8ffd)
Which Problems Are Solved
During the implementation of #7486 it was noticed, that projections in the
auth
database schema could be blocked.Investigations suggested, that this is due to the use of GORM and it's inability to use an existing (sql) transaction.
With the improved / simplified handling (see below) there should also be a minimal improvement in performance, resp. reduced database update statements.
How the Problems Are Solved
The handlers in
auth
are exchanged to proper (sql) statements and gorm usage is removed for any writing part.To further improve / simplify the handling of the users, a new
auth.users3
table is created, where only attributes are handled, which are not yet available from theprojections.users
,projections.login_name
andprojections.user_auth_methods
do not provide. This reduces the events handled in that specific handler by a lot.Additional Changes
None
Additional Context
relates to #7486