diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index 084ae6ab396fb..c58d451437078 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -3122,6 +3122,10 @@ func (a *ServerWithRoles) CreateResetPasswordToken(ctx context.Context, req Crea
 return nil, trace.AccessDenied("access denied")
 }
+ if err := authz.AuthorizeAdminAction(ctx, &a.context); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
 return a.authServer.CreateResetPasswordToken(ctx, req)
 }
diff --git a/tool/tctl/common/admin_action_test.go b/tool/tctl/common/admin_action_test.go
index 8604ed88ceada..44ddab4ef6af6 100644
--- a/tool/tctl/common/admin_action_test.go
+++ b/tool/tctl/common/admin_action_test.go
@@ -87,6 +87,12 @@ func (s *adminActionTestSuite) testAdminActionMFA_Users(t *testing.T) {
 setup: createUser,
 cleanup: deleteUser,
 },
+ "tctl users reset": {
+ command: "users reset teleuser",
+ cliCommand: &tctl.UserCommand{},
+ setup: createUser,
+ cleanup: deleteUser,
+ },
 } {
 t.Run(name, func(t *testing.T) {
 s.runTestCase(t, ctx, tc)
diff --git a/web/packages/teleport/src/services/api/api.ts b/web/packages/teleport/src/services/api/api.ts
index 11d8891517135..7b683605cef07 100644
--- a/web/packages/teleport/src/services/api/api.ts
+++ b/web/packages/teleport/src/services/api/api.ts
@@ -97,12 +97,22 @@ const api = {
 if (!shouldRetry) {
 throw new ApiError(parseError(json), response);
 }
+
+ let webauthnResponse;
+ try {
+ webauthnResponse = await auth.getWebauthnResponse();
+ } catch (err) {
+ throw new Error(
+ 'Failed to fetch webauthn credentials, please connect a registered hardware key and try again. If you do not have a hardware key registered, you can add one from your account settings page.'
+ );
+ }
+
 const paramsWithMfaHeader = {
 ...params,
 headers: {
 ...params.headers,
 [MFA_HEADER]: JSON.stringify({
- webauthnAssertionResponse: await auth.getWebauthnResponse(),
+ webauthnAssertionResponse: webauthnResponse,
 }),
 },
 };
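Review bot: The new `authz.AuthorizeAdminAction` gate in CreateResetPasswordToken has no comment saying why this RPC counts as an admin action or why it sits after the RBAC `access denied` return, and both are worth recording for the next person who touches this method. A reset token presumably lets its holder set a new password and re-enroll MFA for the target user, so it deserves the same MFA-verified admin action as creating the user; running it only after the role check also means a caller without the verb never learns whether an MFA challenge would have been demanded. I would add above the new `if`: `// A reset token lets its holder take over the target account, so require an MFA-verified admin action; checked after RBAC so unauthorized callers cannot probe MFA state.` The enclosing method begins before the hunk, and whether any other path mints reset tokens without passing through ServerWithRoles is not visible here.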
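Review bot: The new `catch (err)` in the retry branch of api.ts discards the underlying WebAuthn error and replaces it with a message that assumes a hardware key is missing, which is misleading for the other common failures (user dismissed the prompt, browser timeout, RP-ID/origin mismatch, platform authenticator rather than a key) and loses the detail an operator would need to debug an MFA outage. It also changes the thrown type from whatever `auth.getWebauthnResponse()` raised to a plain `Error`, so any caller matching on `ApiError` or on a `DOMException` name now sees neither. Keep the cause and add the hint rather than replacing it: `throw new Error('Failed to fetch webauthn credentials, please connect a registered hardware key and try again. If you do not have a hardware key registered, you can add one from your account settings page.', { cause: err });` if the build target allows the `cause` option, otherwise append `err?.message ?? String(err)` to the text. The `shouldRetry` decision that leads into this branch is made outside the hunk, so I cannot confirm it is only reached on an MFA-required response.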