feat: can verify OTP during OAuth login (#3531)

* feat: support verify OTP during OAuth login * fix: fail to login if mfa not enable * fix: fail to login if mfa not enable * fix: fix mfaRequired not valid in saml/auth
2025-07-02 03:00:18 +08:00 · 2025-01-27 19:37:26 +08:00
parent 802b6812a9
commit 558b168477
8 changed files with 278 additions and 178 deletions
--- a/controllers/auth.go
+++ b/controllers/auth.go
@ -306,6 +306,35 @@ func isProxyProviderType(providerType string) bool {
 	return false
 }

+func checkMfaEnable(c *ApiController, user *object.User, organization *object.Organization, verificationType string) bool {
+	if object.IsNeedPromptMfa(organization, user) {
+		// The prompt page needs the user to be srigned in
+		c.SetSessionUsername(user.GetId())
+		c.ResponseOk(object.RequiredMfa)
+		return true
+	}
+
+	if user.IsMfaEnabled() {
+		c.setMfaUserSession(user.GetId())
+		mfaList := object.GetAllMfaProps(user, true)
+		mfaAllowList := []*object.MfaProps{}
+		for _, prop := range mfaList {
+			if prop.MfaType == verificationType || !prop.Enabled {
+				continue
+			}
+			mfaAllowList = append(mfaAllowList, prop)
+		}
+		if len(mfaAllowList) >= 1 {
+			c.SetSession("verificationCodeType", verificationType)
+			c.Ctx.Input.CruSession.SessionRelease(c.Ctx.ResponseWriter)
+			c.ResponseOk(object.NextMfa, mfaAllowList)
+			return true
+		}
+	}
+
+	return false
+}
+
 // Login ...
 // @Title Login
 // @Tag Login API
@ -523,30 +552,10 @@ func (c *ApiController) Login() {
 				c.ResponseError(err.Error())
 			}

-			if object.IsNeedPromptMfa(organization, user) {
-				// The prompt page needs the user to be signed in
-				c.SetSessionUsername(user.GetId())
-				c.ResponseOk(object.RequiredMfa)
+			if checkMfaEnable(c, user, organization, verificationType) {
 				return
 			}

-			if user.IsMfaEnabled() {
-				c.setMfaUserSession(user.GetId())
-				mfaList := object.GetAllMfaProps(user, true)
-				mfaAllowList := []*object.MfaProps{}
-				for _, prop := range mfaList {
-					if prop.MfaType == verificationType || !prop.Enabled {
-						continue
-					}
-					mfaAllowList = append(mfaAllowList, prop)
-				}
-				if len(mfaAllowList) >= 1 {
-					c.SetSession("verificationCodeType", verificationType)
-					c.ResponseOk(object.NextMfa, mfaAllowList)
-					return
-				}
-			}
-
 			resp = c.HandleLoggedIn(application, user, &authForm)

 			c.Ctx.Input.SetParam("recordUserId", user.GetId())
@ -679,6 +688,11 @@ func (c *ApiController) Login() {
 					c.ResponseError(err.Error())
 					return
 				}
+
+				if checkMfaEnable(c, user, organization, verificationType) {
+					return
+				}
+
 				resp = c.HandleLoggedIn(application, user, &authForm)

 				c.Ctx.Input.SetParam("recordUserId", user.GetId())
@ -914,7 +928,11 @@ func (c *ApiController) Login() {
 		}

 		var application *object.Application
-		application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+		if authForm.ClientId == "" {
+			application, err = object.GetApplication(fmt.Sprintf("admin/%s", authForm.Application))
+		} else {
+			application, err = object.GetApplicationByClientId(authForm.ClientId)
+		}
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@ -944,6 +962,10 @@ func (c *ApiController) Login() {
 				return
 			}

+			if authForm.Provider == "" {
+				authForm.Provider = authForm.ProviderBack
+			}
+
 			user := c.getCurrentUser()
 			resp = c.HandleLoggedIn(application, user, &authForm)