-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Always prompt if multiple MFA methods are running #47114
Conversation
Backport to v14 is unlikely to happen, but I'll give it a shot when we get there. |
bc6d9db
to
55ad68e
Compare
Rebased and resolved conflicts. No noteworthy changes. |
I've tested various combinations manually to make sure that it works and no other prompts are affected (they shouldn't be, but no harm in testing). I've also tested tsh on Windows. Scenarios include:
Plus the same matrix but on Windows. |
type WebauthnLoginFunc func(ctx context.Context, origin string, assertion *wantypes.CredentialAssertion, prompt wancli.LoginPrompt, opts *wancli.LoginOpts) (*proto.MFAAuthenticateResponse, string, error) | ||
// WebauthnLoginFunc is a function that performs WebAuthn login. | ||
// Mimics the signature of [webauthncli.Login]. | ||
type WebauthnLoginFunc = libmfa.WebauthnLoginFunc |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you actually want a type alias here or do you want a new type definition (like you had before).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The type alias is fine here, I think. I would rather have l/c/mfa.WebauthnLoginFunc everywhere, but I'm afraid the larger refactor would make backports more difficult.
a260bf6
to
cefcc3f
Compare
Friendly ping @Joerger @marcoandredinis @probakowski ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes look good
I've also tested this locally and it is now asking for the OTP on my use case as well.
Thank you for the quick fix
@codingllama See the table below for backport results.
|
* fix: Always prompt if multiple MFA methods are running * Fix deadlock on OTP+WebAuthn+PIN prompts * Fix races on wanwin.PromptPlatformMessage
* fix: Always prompt if multiple MFA methods are running * Fix deadlock on OTP+WebAuthn+PIN prompts * Fix races on wanwin.PromptPlatformMessage
* fix: Always prompt if multiple MFA methods are running * Fix deadlock on OTP+WebAuthn+PIN prompts * Fix races on wanwin.PromptPlatformMessage
Fixes a scenario where the MFA prompt wouldn't show if the user has both OTP and WebAuthn devices, but no WebAuthn device is plugged.
I've moved the prompt for "dual prompt" scenarios (OTP+WebAuthn) outside of
wancli
and directly intolib/client/mfa
. This prompts earlier, but is overall more resilient to some goroutine failing (which was the case here).I also fixed a (theoretical?) deadlock on the "WebAuthn with PIN" scenario (
otpDone
is never closed in that branch). I can't quite make it happen with the devices I have today (MFA scenarios don't prompt for PIN and passkeys go to other branches), but that doesn't mean it couldn't happen with some other/future device.#43072
Changelog: Fix missing tsh MFA prompt in certain OTP+WebAuthn scenarios