fix: Always prompt if multiple MFA methods are running #47114
Conversation
|
Backport to v14 is unlikely to happen, but I'll give it a shot when we get there. |
codingllama
force-pushed
the
codingllama/otp-prompt
branch
from
bc6d9db
to
55ad68e
Compare
|
Rebased and resolved conflicts. No noteworthy changes. |
|
I've tested various combinations manually to make sure that it works and no other prompts are affected (they shouldn't be, but no harm in testing). I've also tested tsh on Windows. Scenarios include:
Plus the same matrix but on Windows. |
| type WebauthnLoginFunc func(ctx context.Context, origin string, assertion *wantypes.CredentialAssertion, prompt wancli.LoginPrompt, opts *wancli.LoginOpts) (*proto.MFAAuthenticateResponse, string, error) | ||
| // WebauthnLoginFunc is a function that performs WebAuthn login. | ||
| // Mimics the signature of [webauthncli.Login]. | ||
| type WebauthnLoginFunc = libmfa.WebauthnLoginFunc |
There was a problem hiding this comment.
Do you actually want a type alias here or do you want a new type definition (like you had before).
There was a problem hiding this comment.
The type alias is fine here, I think. I would rather have l/c/mfa.WebauthnLoginFunc everywhere, but I'm afraid the larger refactor would make backports more difficult.
codingllama
force-pushed
the
codingllama/otp-prompt
branch
from
a260bf6
to
cefcc3f
Compare
|
Friendly ping @Joerger @marcoandredinis @probakowski ? |
public-teleport-github-review-bot
bot
removed request for
probakowski and
Joerger
|
@codingllama See the table below for backport results.
|
* fix: Always prompt if multiple MFA methods are running * Fix deadlock on OTP+WebAuthn+PIN prompts * Fix races on wanwin.PromptPlatformMessage
* fix: Always prompt if multiple MFA methods are running * Fix deadlock on OTP+WebAuthn+PIN prompts * Fix races on wanwin.PromptPlatformMessage
* fix: Always prompt if multiple MFA methods are running * Fix deadlock on OTP+WebAuthn+PIN prompts * Fix races on wanwin.PromptPlatformMessage
Fixes a scenario where the MFA prompt wouldn't show if the user has both OTP and WebAuthn devices, but no WebAuthn device is plugged.
I've moved the prompt for "dual prompt" scenarios (OTP+WebAuthn) outside of
wancliand directly intolib/client/mfa. This prompts earlier, but is overall more resilient to some goroutine failing (which was the case here).I also fixed a (theoretical?) deadlock on the "WebAuthn with PIN" scenario (
otpDoneis never closed in that branch). I can't quite make it happen with the devices I have today (MFA scenarios don't prompt for PIN and passkeys go to other branches), but that doesn't mean it couldn't happen with some other/future device.#43072
Changelog: Fix missing tsh MFA prompt in certain OTP+WebAuthn scenarios