feat(SW-162): Updated MFA to use basic cookie validation
This commit is contained in:
Hrishikesh Vaipurkar
@@ -15,7 +15,7 @@ export async function GET(
|
|||||||
let redirectTo: string
|
let redirectTo: string
|
||||||
|
|
||||||
const returnUrl = request.headers.get("x-returnurl")
|
const returnUrl = request.headers.get("x-returnurl")
|
||||||
const isMFA = request.headers.get("mfa-login")
|
const isMFA = request.headers.get("x-mfa-login")
|
||||||
|
|
||||||
if (returnUrl) {
|
if (returnUrl) {
|
||||||
// Seamless login request from Current web
|
// Seamless login request from Current web
|
||||||
|
|||||||
21
auth.ts
21
auth.ts
@@ -143,18 +143,15 @@ export const config = {
|
|||||||
async jwt({ account, session, token, trigger, user }) {
|
async jwt({ account, session, token, trigger, user }) {
|
||||||
if (account?.provider == "curity-mfa") {
|
if (account?.provider == "curity-mfa") {
|
||||||
const cookieStore = cookies()
|
const cookieStore = cookies()
|
||||||
const value = token.access_token
|
// As new scope/token is added to existing session we will add separate cookie to validate MFA done
|
||||||
const secret = env.NEXTAUTH_SECRET
|
cookieStore.set({
|
||||||
const maxAge = 60 * 15
|
name: "_MFA-validated-cookie",
|
||||||
const name = "_SecureMFA-token"
|
value: "true",
|
||||||
const mfaCookie = await encode({
|
httpOnly: true,
|
||||||
secret,
|
sameSite: "lax",
|
||||||
maxAge,
|
expires: token.expires_at
|
||||||
token: value,
|
? token.expires_at * 1000
|
||||||
salt: name,
|
: Date.now() + 10 * 60 * 1000,
|
||||||
})
|
|
||||||
cookieStore.set("_SecureMFA-token", mfaCookie.toString(), {
|
|
||||||
maxAge: maxAge,
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -1,4 +1,3 @@
|
|||||||
import { decode } from "@auth/core/jwt"
|
|
||||||
import { cookies } from "next/headers"
|
import { cookies } from "next/headers"
|
||||||
import { NextResponse } from "next/server"
|
import { NextResponse } from "next/server"
|
||||||
|
|
||||||
@@ -55,36 +54,19 @@ export const middleware = auth(async (request) => {
|
|||||||
nextUrlClone.host = publicUrl.host
|
nextUrlClone.host = publicUrl.host
|
||||||
nextUrlClone.hostname = publicUrl.hostname
|
nextUrlClone.hostname = publicUrl.hostname
|
||||||
|
|
||||||
async function isMFAInvalid() {
|
/**
|
||||||
|
* Function to validate MFA cookie expiry
|
||||||
|
* @returns boolean
|
||||||
|
*/
|
||||||
|
function isMFAInvalid() {
|
||||||
|
const isMFAPath = mfaRequired.includes(nextUrl.pathname)
|
||||||
const cookieStore = cookies()
|
const cookieStore = cookies()
|
||||||
const mfaCookieValue = cookieStore.get("_SecureMFA-token")?.value
|
return isMFAPath && !cookieStore.get("_MFA-validated-cookie")?.value
|
||||||
if (mfaCookieValue) {
|
|
||||||
try {
|
|
||||||
const mfaToken = await decode({
|
|
||||||
token: mfaCookieValue,
|
|
||||||
secret: env.NEXTAUTH_SECRET,
|
|
||||||
salt: "_SecureMFA-token",
|
|
||||||
})
|
|
||||||
if (mfaToken?.exp) {
|
|
||||||
return false
|
|
||||||
} else {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
} catch (e) {
|
|
||||||
console.log("JWT decode failed", e)
|
|
||||||
cookieStore.set("_SecureMFA-token", "", { maxAge: 0 })
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
const isMFAPath = mfaRequired.includes(nextUrl.pathname)
|
|
||||||
const mfaInvalid = isMFAPath ? await isMFAInvalid() : false
|
|
||||||
|
|
||||||
if (isLoggedIn && mfaInvalid) {
|
if (isLoggedIn && isMFAInvalid()) {
|
||||||
const headers = new Headers(request.headers)
|
const headers = new Headers(request.headers)
|
||||||
headers.set("mfa-login", "true")
|
headers.set("x-mfa-login", "true")
|
||||||
headers.set("x-returnurl", request.nextUrl.href)
|
headers.set("x-returnurl", request.nextUrl.href)
|
||||||
return NextResponse.rewrite(new URL(`/${lang}/login`, request.nextUrl), {
|
return NextResponse.rewrite(new URL(`/${lang}/login`, request.nextUrl), {
|
||||||
request: {
|
request: {
|
||||||
|
|||||||
Reference in New Issue
Block a user