Fix: Enhance post-2FA Lua script handling and user data logging

Refactor runLuaFilterAndPost to improve user existence checking and logging during post-2FA actions. Added additional user attributes to be logged for better traceability and debugging.

Signed-off-by: Christian Roessner <[email protected]>

server/core/auth.go

@@ -1522,6 +1522,7 @@ func (a *AuthState) postVerificationProcesses(ctx *gin.Context, useCache bool, b
 
 	if a.UserFound && !a.NoAuth {
 		accountName, err = a.updateUserAccountInRedis()
+
 		if !passDBResult.Authenticated {
 			a.processPWHist()
 		}

server/core/hydra.go

@@ -1641,10 +1641,19 @@ func (a *ApiConfig) logFailedLoginAndRedirect(auth *AuthState) {
 
 // runLuaFilterAndPost filters and executes post-action Lua scripts based on the given post-2FA authentication result.
 func runLuaFilterAndPost(ctx *gin.Context, auth *AuthState, authResult global.AuthResult) global.AuthResult {
-	userFound, err := auth.userExists()
-	if err != nil {
-		if !stderrors.Is(err, redis.Nil) {
-			level.Error(log.Logger).Log(global.LogKeyGUID, auth.GUID, global.LogKeyError, err)
+	var (
+		userFound bool
+		err       error
+	)
+
+	if authResult == global.AuthResultOK && auth.isMasterUser() {
+		userFound = true
+	} else {
+		userFound, err = auth.userExists()
+		if err != nil {
+			if !stderrors.Is(err, redis.Nil) {
+				level.Error(log.Logger).Log(global.LogKeyGUID, auth.GUID, global.LogKeyError, err)
+			}
 		}
 	}
 
@@ -1656,7 +1665,14 @@ func runLuaFilterAndPost(ctx *gin.Context, auth *AuthState, authResult global.Au
 
 			return false
 		}(),
-		UserFound: userFound,
+		UserFound:         userFound,
+		AccountField:      auth.AccountField,
+		TOTPSecretField:   auth.TOTPSecretField,
+		TOTPRecoveryField: auth.TOTPRecoveryField,
+		UniqueUserIDField: auth.UniqueUserIDField,
+		DisplayNameField:  auth.DisplayNameField,
+		Backend:           auth.UsedPassDBBackend,
+		Attributes:        auth.Attributes,
 	}
 
 	authResult = auth.filterLua(passDBResult, ctx)