Can enforce 2FA for specific clients
@ -13,7 +13,7 @@ use crate::actors::openid_sessions_actor::{OpenIDSessionsActor, Session, Session
|
||||
use crate::actors::users_actor::UsersActor;
|
||||
use crate::actors::{openid_sessions_actor, users_actor};
|
||||
use crate::constants::*;
|
||||
use crate::controllers::base_controller::build_fatal_error_page;
|
||||
use crate::controllers::base_controller::{build_fatal_error_page, redirect_user};
|
||||
use crate::data::action_logger::{Action, ActionLogger};
|
||||
use crate::data::app_config::AppConfig;
|
||||
use crate::data::client::{ClientID, ClientManager};
|
||||
@ -21,6 +21,7 @@ use crate::data::code_challenge::CodeChallenge;
|
||||
use crate::data::current_user::CurrentUser;
|
||||
use crate::data::id_token::IdToken;
|
||||
use crate::data::jwt_signer::{JWTSigner, JsonWebKey};
|
||||
use crate::data::login_redirect::{get_2fa_url, LoginRedirect};
|
||||
|
||||
use crate::data::session_identity::SessionIdentity;
|
||||
use crate::data::user::User;
|
||||
@ -128,6 +129,7 @@ fn error_redirect(query: &AuthorizeQuery, error: &str, description: &str) -> Htt
|
||||
}
|
||||
|
||||
pub async fn authorize(
|
||||
req: HttpRequest,
|
||||
user: CurrentUser,
|
||||
id: Identity,
|
||||
query: web::Query<AuthorizeQuery>,
|
||||
@ -142,6 +144,12 @@ pub async fn authorize(
|
||||
Some(c) => c,
|
||||
};
|
||||
|
||||
// Check if 2FA is required
|
||||
if client.enforce_2fa_auth && user.should_request_2fa_for_critical_functions() {
|
||||
let uri = get_2fa_url(&LoginRedirect::from_req(&req), true);
|
||||
return redirect_user(&uri);
|
||||
}
|
||||
|
||||
let redirect_uri = query.redirect_uri.trim().to_string();
|
||||
if !redirect_uri.starts_with(&client.redirect_uri) {
|
||||
return HttpResponse::BadRequest().body(build_fatal_error_page("Redirect URI is invalid!"));
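Review bot: The new 2FA gate at `if client.enforce_2fa_auth && user.should_request_2fa_for_critical_functions()` runs before the `redirect_uri` check, so a request whose redirect_uri would be rejected is still bounced through the 2FA flow and only fails after the user completes it; placing the `let redirect_uri = ...` / `starts_with` validation above the gate rejects malformed requests up front and keeps the 2FA step for requests that can actually succeed. The comment `// Check if 2FA is required` could say what the branch does, e.g. `// Clients flagged enforce_2fa_auth need a fresh 2FA step before an authorization code is issued; send the user to the 2FA page with a redirect back to this request`, where the "back to this request" part is inferred from `LoginRedirect::from_req(&req)` and should be confirmed. The `id: Identity` parameter added to the signature is not referenced in the visible lines; if nothing outside the hunk uses it, it is dead. The rest of `authorize`'s body lies outside the hunk.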
|
||||
|