From fb306faf3a0450225fe7da7ef600efbdfdafcb2b Mon Sep 17 00:00:00 2001
From: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
Date: Wed, 13 Apr 2022 10:11:53 -0400
Subject: [PATCH] forwarding requests subjected to Login MFA to the active node (#15009)
* forwarding requests subjected to Login MFA to the active node
* CL, and making fmt happy
---
 changelog/15009.txt | 3 +++
 sdk/framework/backend_test.go | 3 +--
 vault/request_handling.go | 6 ++++++
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 changelog/15009.txt
diff --git a/changelog/15009.txt b/changelog/15009.txt
new file mode 100644
index 000000000000..aa2fd741c55b
--- /dev/null
+++ b/changelog/15009.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth: forward requests subject to login MFA from perfStandby to Active node
+```
diff --git a/sdk/framework/backend_test.go b/sdk/framework/backend_test.go
index 6bc59a68aff7..c563a152b605 100644
--- a/sdk/framework/backend_test.go
+++ b/sdk/framework/backend_test.go
@@ -10,10 +10,9 @@ import ( "time" "github.com/hashicorp/go-secure-stdlib/strutil" - "github.com/stretchr/testify/require" - "github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/logical" + "github.com/stretchr/testify/require" ) func BenchmarkBackendRoute(b *testing.B) {
diff --git a/vault/request_handling.go b/vault/request_handling.go
index b013d654a764..e9ebef5fef03 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1506,6 +1506,12 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 }
 }
 } else if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) == 0 {
+ // two-phase login MFA requests should be forwarded
+ // to the active node, as the validation should only
+ // happen in that node
+ if c.perfStandby {
+ return nil, nil, logical.ErrPerfStandbyPleaseForward
+ }
 mfaRequestID, err := uuid.GenerateUUID()
 if err != nil {
 return nil, nil, err
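Review bot: The new `if c.perfStandby` guard in the `vault/request_handling.go` hunk ships without a test; the only test file in the diffstat, `sdk/framework/backend_test.go`, is an import reorder. Because this branch decides whether a login that matched an MFA enforcement is completed on the standby or forwarded, a regression test should assert that a performance standby returns `logical.ErrPerfStandbyPleaseForward` when `matchedMfaEnforcementList` is non-empty and `req.MFACreds` is empty. The guard covers only the two-phase branch; the preceding branch, presumably the one taken when MFA credentials arrive with the login, lies outside the hunk, so it is worth confirming that validating those on a standby is intended. The comment would also be clearer if it named the invariant rather than "validation", for example `// forward to the active node: the MFA request ID created below is only usable on the node that issued it`, if that is indeed the reason. `handleLoginRequest` starts and ends outside the hunk.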