[v17] Fix WebUI Admin Action infinite retry with no MFA devices #51513
Joerger merged 1 commit into branch/v17 from
Conversation
* Fix admin action retry method resulting in an infinite loop.
* Return an empty challenge and challenge response instead of undefined.
* Add api.getAdminActionMfaResponse and add new custom error message.
* Resolve comments.
* Don't swallow non-admin-action-required errors.
* Remove unnecessary awaits.
* Fix try/catch.
| challengeScope: MfaChallengeScope.CHANGE_PASSWORD, | ||
| onMfaResponse: async mfaResponse => | ||
| setWebauthnResponse(mfaResponse?.webauthn_response), | ||
| setWebauthnResponse(mfaResponse.webauthn_response), |
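Review bot: dropping the optional chaining on `mfaResponse.webauthn_response` makes this `onMfaResponse` callback depend on never being invoked with null/undefined, which is exactly the contract the PR establishes (the challenge helper now returns `{}` for a no-op attempt); consider expressing that contract in the callback's parameter type as well, so a future regression to a null/undefined return fails type-checking rather than throwing here at runtime.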
Why this change?
Before we were tolerant of null/undefined values, now we are not. Is that intended?
Yes, returning null/undefined is what caused this bug - causing the admin mfa retry logic to think we haven't tried MFA already. Here's the original PR description:
#49679 and subsequently #50570 introduced a change where getMfaChallengeResponse could return null | undefined when the user had no MFA challenges (no devices or not required). fetchJsonWithMfaAuthnRetry expects getMfaChallengeResponse to return {} in these cases, and will retry with MFA until it gets either an empty or non-empty object.
This PR fixes the issue by:
- Addressing the recursive fetchJsonWithMfaAuthnRetry which could result in an infinite loop. It's no longer recursive so it will only retry once even if null or undefined is received.
- Reverting part of https://github.com/gravitational/teleport/pull/50570/files and instead making getMfaChallengeResponse return {} so we can properly determine at any point whether an mfa response is undefined or an empty response resulting from a no-op challenge attempt (no devices or not required).
Changelog: Fixed a bug where performing an admin action in the WebUI would hang indefinitely instead of getting an actionable error if the user has no MFA devices registered.
Backport #51134 to branch/v17
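The retry contract described in the discussion above, as an added example that is not Teleport's own code: a server stub, the recursive (buggy) retry shape beside the single-retry (fixed) shape, and challenge helpers returning `undefined` versus `{}`. The server stub, the `AdminActionMfaRequiredError` class, the `depth` guard and the synchronous signatures are all constructed for this illustration.

```typescript
// Added example (not Teleport's code): models the retry contract from the PR discussion.
// A no-op challenge (no devices / MFA not required) must yield {} rather than undefined,
// and the retry must not recurse, or the "already tried MFA?" check never passes.
type MfaResponse = { webauthn_response?: string };
type Fetch = (mfa?: MfaResponse) => string;
type GetChallengeResponse = () => MfaResponse | undefined;
// Hypothetical error class standing in for the "admin action requires MFA" server error.
class AdminActionMfaRequiredError extends Error {
  constructor(msg: string) { super(msg); Object.setPrototypeOf(this, AdminActionMfaRequiredError.prototype); }
}
// Constructed server stub: a call without an MFA response is rejected with the MFA-required
// error; a call carrying one (even {}) is accepted or fails with an actionable error.
function makeServer(userHasDevices: boolean) {
  let calls = 0;
  const fetch: Fetch = mfa => {
    calls++;
    if (mfa === undefined) throw new AdminActionMfaRequiredError("admin action requires MFA");
    if (!userHasDevices) throw new Error("no MFA devices registered");
    return "ok";
  };
  return { fetch, calls: () => calls };
}
// Buggy shape (recursive): undefined from getResp keeps `mfa` falsy, so every retry looks
// like the first attempt. `depth` is a constructed guard so the example terminates.
function recursiveRetry(fetch: Fetch, getResp: GetChallengeResponse, mfa?: MfaResponse, depth = 0): string {
  if (depth > 5) throw new Error("gave up: would loop forever");
  try {
    return fetch(mfa);
  } catch (err) {
    if (!(err instanceof AdminActionMfaRequiredError) || mfa) throw err;
    return recursiveRetry(fetch, getResp, getResp(), depth + 1);
  }
}
// Fixed shape: exactly one retry, and errors other than MFA-required are not swallowed.
function retryOnce(fetch: Fetch, getResp: GetChallengeResponse): string {
  try {
    return fetch();
  } catch (err) {
    if (!(err instanceof AdminActionMfaRequiredError)) throw err;
  }
  return fetch(getResp());
}
// Returns the result or the error message, for comparing the two shapes side by side.
function outcome(run: () => string): string {
  try { return run(); } catch (err) { return (err as Error).message; }
}
const noDevicesOld: GetChallengeResponse = () => undefined; // pre-fix: null/undefined
const noDevicesFixed: GetChallengeResponse = () => ({}); // post-fix: empty response
const oneDevice: GetChallengeResponse = () => ({ webauthn_response: "constructed-assertion" });
```

Run `outcome(() => recursiveRetry(server.fetch, noDevicesOld))` against `makeServer(false)` to see the old combination hit the guard after six attempts, and `outcome(() => retryOnce(server.fetch, noDevicesFixed))` to see the fixed combination stop after one retry with the server's actionable error.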