Skip to content

Commit

Permalink
fix: restrict mfa enrollment to aal2 if verified factors are present (s…
Browse files Browse the repository at this point in the history
…upabase#1439)

## What kind of change does this PR introduce?

as per internal discussion

Co-authored-by: Kang Ming <kang.ming1996@gmail.com>
  • Loading branch information
J0 and kangmingtay authored Feb 19, 2024
1 parent f974bdb commit 7e10d45
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions internal/api/mfa.go
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,7 @@ const (
func (a *API) EnrollFactor(w http.ResponseWriter, r *http.Request) error {
ctx := r.Context()
user := getUser(ctx)
session := getSession(ctx)
config := a.config

params := &EnrollFactorParams{}
Expand Down Expand Up @@ -110,6 +111,10 @@ func (a *API) EnrollFactor(w http.ResponseWriter, r *http.Request) error {
return forbiddenError("Maximum number of enrolled factors reached, unenroll to continue")
}

if numVerifiedFactors > 0 && !session.IsAAL2() {
return forbiddenError("AAL2 required to enroll a new factor")
}

key, err := totp.Generate(totp.GenerateOpts{
Issuer: issuer,
AccountName: user.GetEmail(),
Expand Down

0 comments on commit 7e10d45

Please sign in to comment.