fix: validate MFA claim before allowing TOTP device removal

supertokens · Nov 22, 2024 · 28d90c3 · 28d90c3
1 parent 1896eab
commit 28d90c3
Show file tree

Hide file tree

Showing 10 changed files with 34 additions and 9 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 /node_modules
 /examples/**/node_modules
+/examples/**/dist
 .DS_Store
 /.history
 *.js.map
@@ -12,4 +13,6 @@ releasePassword
 /test_report
 /temp_test_exports
 /temp_*
-/.nyc_output
+/.nyc_output
+.circleci/.pat
+examples/express/with-m2m/clients.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [20.1.6] - 2024-11-22
+
+-   Fixes an issue where `removeDevice` API allowed removing TOTP devices without the user completing MFA.
+
 ## [20.1.5] - 2024-10-09
 
 -   Fixes an issue where users were not able to reset their password if a user with the same email address was created before account linking was enabled.

diff --git a/lib/build/recipe/totp/api/removeDevice.js b/lib/build/recipe/totp/api/removeDevice.js
@@ -28,7 +28,11 @@ async function removeDeviceAPI(apiImplementation, options, userContext) {
     const session = await session_1.default.getSession(
         options.req,
         options.res,
-        { overrideGlobalClaimValidators: () => [], sessionRequired: true },
+        {
+            overrideGlobalClaimValidators: (globalClaimValidators) =>
+                globalClaimValidators.filter((v) => v.id === "st-mfa"),
+            sessionRequired: true,
+        },
         userContext
     );
     const bodyParams = await options.req.getJSONBody();

diff --git a/lib/build/version.d.ts b/lib/build/version.d.ts
diff --git a/lib/build/version.js b/lib/build/version.js
diff --git a/lib/ts/recipe/totp/api/removeDevice.ts b/lib/ts/recipe/totp/api/removeDevice.ts
@@ -30,7 +30,11 @@ export default async function removeDeviceAPI(
     const session = await Session.getSession(
         options.req,
         options.res,
-        { overrideGlobalClaimValidators: () => [], sessionRequired: true },
+        {
+            overrideGlobalClaimValidators: (globalClaimValidators) =>
+                globalClaimValidators.filter((v) => v.id === "st-mfa"),
+            sessionRequired: true,
+        },
         userContext
     );
 

diff --git a/lib/ts/version.ts b/lib/ts/version.ts
@@ -12,7 +12,7 @@
  * License for the specific language governing permissions and limitations
  * under the License.
  */
-export const version = "20.1.5";
+export const version = "20.1.6";
 
 export const cdiSupported = ["5.1"];
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "supertokens-node",
-    "version": "20.1.5",
+    "version": "20.1.6",
     "description": "NodeJS driver for SuperTokens core",
     "main": "index.js",
     "scripts": {

diff --git a/test/test-server/src/testFunctionMapper.ts b/test/test-server/src/testFunctionMapper.ts
@@ -385,6 +385,16 @@ export function getFunc(evalStr: string): (...args: any[]) => any {
     }
 
     if (evalStr.startsWith("multifactorauth.init.override.functions")) {
+        if (evalStr.includes(`getMFARequirementsForAuth:async()=>["totp"]`)) {
+            return (e) => {
+                return {
+                    ...e,
+                    getMFARequirementsForAuth: (e) => {
+                        return ["totp"];
+                    },
+                };
+            };
+        }
         return (e) => {
             return {
                 ...e,