Bug #13626
Improvements #13384: List of MFA improvements (open)
AuthWidget::processEnvironment doesn't process MFA tokens
% Done: 100%
Description

In the AuthWidget::createMfaView method, processEnvironment searches for a remember me cookie for MFA, which will immediately log the user in with a weak authentication state. This triggers the loginChanged method to clear the current view and create a logged-in view. Consequently, createMfaView attempts to bind the input view after processing the environment, which fails.

We should check whether the login state is still RequiresMfa after processing the environment, to determine if we should still create the input view.
Updated by Marnik Roosen 19 days ago
- Subject changed from AuthWidget::createMfaView fails to bind input view after process environment triggers a login state change to AuthWidget::processEnvironment doesn't process MFA tokens
AuthWidget::processEnvironment should be called initially to process environmental information relevant for authentication. The login state can become RequiresMfa if the user has a valid auth token and also has an MFA step. Checking whether the user also has a valid auth token is delayed until the widget is actually rendered, as part of createMfaView.

As a consequence, we cannot know whether the user will actually be logged in with a weak state until the widget is rendered. If we were to listen for a loginChanged signal to know when the user is actually logged in from an MFA token, we would be notified of this during the render step. Applications might connect the loginChanged signal to a function which clears the DOM tree and replaces it with a logged-in view. However, this results in a JavaScript exception since the authentication widget was still being rendered.

It seems more appropriate that processEnvironment also checks for a valid MFA token. This would ensure that the login state initialization from the environment is fully determined before the widget is rendered. Applications can immediately render the correct widget (input MFA view or a logged-in view), thus avoiding the JavaScript exception.
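The ordering problem described in this update, as an added illustration that is not code from Wt or from this issue: a toy widget whose `processEnvironment` either ignores the MFA token (reproducing the reported behaviour, where the token is first examined mid-render inside `createMfaView` and the resulting state change lets an application slot replace the page while the input view is still being bound) or consumes it up front (the proposed fix, where the state is settled before rendering starts). All names here (`ToyAuthWidget`, `Page`, `Environment`, `runScenario`, the string-valued "views") are hypothetical stand-ins, and the cookie values and validation rule are constructed.

```cpp
// Added illustration, not Wt's code: a toy model of the render-time
// login-state change described in the issue. All names are hypothetical.
#include <functional>
#include <optional>
#include <string>
#include <utility>
#include <vector>

enum class LoginState { LoggedOut, RequiresMfa, Weak };

// Constructed stand-in for the request environment (cookies).
struct Environment {
    std::optional<std::string> authToken; // "remember me" login cookie
    std::optional<std::string> mfaToken;  // "remember me" cookie for the MFA step
};

// Constructed stand-in for the rendered DOM tree.
struct Page { std::string content; };

// Constructed validation rule: any non-empty token counts as valid.
static bool validToken(const std::optional<std::string>& t) { return t && !t->empty(); }

class ToyAuthWidget {
public:
    // resolveMfaInProcessEnvironment=false reproduces the reported bug,
    // true models the proposed fix.
    ToyAuthWidget(Environment env, Page& page, bool resolveMfaInProcessEnvironment)
        : env_(std::move(env)), page_(page), fixed_(resolveMfaInProcessEnvironment) {}

    std::vector<std::function<void(LoginState)>> loginChanged; // application slots

    // Initialisation phase: derive the login state from the environment.
    void processEnvironment() {
        if (!validToken(env_.authToken)) { setState(LoginState::LoggedOut); return; }
        // Fixed behaviour: a valid MFA token is consumed here, before rendering,
        // so the state is fully determined when the widget is built.
        if (fixed_ && validToken(env_.mfaToken)) { setState(LoginState::Weak); return; }
        setState(LoginState::RequiresMfa);
    }

    // Render phase. Returns false when the MFA input view cannot be bound.
    bool render() {
        rendering_ = true;
        bool ok = true;
        switch (state_) {
        case LoginState::RequiresMfa: ok = createMfaView(); break;
        case LoginState::Weak:        page_.content = "logged-in-view"; break;
        case LoginState::LoggedOut:   page_.content = "login-view"; break;
        }
        rendering_ = false;
        return ok;
    }

    LoginState state() const { return state_; }
    bool stateChangedDuringRender() const { return changedDuringRender_; }

private:
    bool createMfaView() {
        page_.content = "mfa-view";
        // Buggy behaviour: the MFA token is only examined here, mid-render,
        // so loginChanged fires while the view is still being built.
        if (!fixed_ && validToken(env_.mfaToken)) setState(LoginState::Weak);
        // Bind the input view; this fails if a slot already replaced the tree.
        if (page_.content != "mfa-view") return false;
        page_.content += "+input";
        return true;
    }

    void setState(LoginState s) {
        if (s == state_) return;
        state_ = s;
        if (rendering_) changedDuringRender_ = true;
        for (auto& slot : loginChanged) slot(s);
    }

    Environment env_;
    Page& page_;
    bool fixed_;
    LoginState state_ = LoginState::LoggedOut;
    bool rendering_ = false;
    bool changedDuringRender_ = false;
};

struct ScenarioResult {
    bool renderOk;
    bool changedDuringRender;
    LoginState state;
    std::string page;
};

// Drives one widget through the lifecycle with an application slot attached
// that, like the one described in the issue, replaces the page on login.
static ScenarioResult runScenario(Environment env, bool fixed) {
    Page page;
    ToyAuthWidget w(std::move(env), page, fixed);
    w.loginChanged.push_back([&page](LoginState s) {
        if (s == LoginState::Weak) page.content = "logged-in-view";
    });
    w.processEnvironment();
    bool ok = w.render();
    return {ok, w.stateChangedDuringRender(), w.state(), page.content};
}
```

With both cookies present, the buggy variant changes state during `render()`, the slot replaces the page, and binding the input view fails; the fixed variant settles on `Weak` in `processEnvironment()`, so rendering is a pure function of the state and no signal fires mid-render.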
Updated by Marnik Roosen 19 days ago
- Status changed from InProgress to Review
- Assignee deleted (Marnik Roosen)
Updated by Matthias Van Ceulebroeck 16 days ago
- Status changed from Review to Implemented @Emweb
- Assignee changed from Romain Mardulyn to Marnik Roosen
- % Done changed from 0 to 100
Updated by Matthias Van Ceulebroeck 5 days ago
- Status changed from Implemented @Emweb to Implemented @Test