From a8c4a104363e3e841de8d46dd237737d03dfe2ea Mon Sep 17 00:00:00 2001
From: Christian Roessner
Date: Wed, 6 Nov 2024 10:09:20 +0100
Subject: [PATCH] Fix: Enhance post-2FA Lua script handling and user data logging

Refactor runLuaFilterAndPost to improve user existence checking and logging during post-2FA actions. Added additional user attributes to be logged for better traceability and debugging.

Signed-off-by: Christian Roessner
---
 server/core/auth.go | 1 +
 server/core/hydra.go | 26 +++++++++++++++++++++-----
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/server/core/auth.go b/server/core/auth.go
index 94e7e736..512de155 100644
--- a/server/core/auth.go
+++ b/server/core/auth.go
@@ -1522,6 +1522,7 @@ func (a *AuthState) postVerificationProcesses(ctx *gin.Context, useCache bool, b
 if a.UserFound && !a.NoAuth {
 accountName, err = a.updateUserAccountInRedis()
+
 if !passDBResult.Authenticated {
 a.processPWHist()
 }
diff --git a/server/core/hydra.go b/server/core/hydra.go
index 3f3f6a6c..d3a2be5b 100644
--- a/server/core/hydra.go
+++ b/server/core/hydra.go
@@ -1641,10 +1641,19 @@ func (a *ApiConfig) logFailedLoginAndRedirect(auth *AuthState) {
 // runLuaFilterAndPost filters and executes post-action Lua scripts based on the given post-2FA authentication result.
 func runLuaFilterAndPost(ctx *gin.Context, auth *AuthState, authResult global.AuthResult) global.AuthResult {
- userFound, err := auth.userExists()
- if err != nil {
- if !stderrors.Is(err, redis.Nil) {
- level.Error(log.Logger).Log(global.LogKeyGUID, auth.GUID, global.LogKeyError, err)
+ var (
+ userFound bool
+ err error
+ )
+
+ if authResult == global.AuthResultOK && auth.isMasterUser() {
+ userFound = true
+ } else {
+ userFound, err = auth.userExists()
+ if err != nil {
+ if !stderrors.Is(err, redis.Nil) {
+ level.Error(log.Logger).Log(global.LogKeyGUID, auth.GUID, global.LogKeyError, err)
+ }
 }
 }
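Review bot: The new master-user branch in runLuaFilterAndPost sets `userFound = true` without consulting the store, so the Lua filter and post-action scripts can no longer distinguish a backend-confirmed account from a master-user session that merely authenticated, and nothing in the hunk records why that is acceptable. A comment above the `if` would capture the intent, e.g. `// Master users are not looked up in the backend: a successful post-2FA result is taken as proof of existence.` (wording to be confirmed against what isMasterUser checks). On the other branch, a lookup error that is not redis.Nil is logged and then falls through with userFound false, which is carried over from the old code, so scripts keying on UserFound will treat a backend outage like an absent user; it is worth noting that degradation in the comment or the log line. The function's body continues past the hunk.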
@@ -1656,7 +1665,14 @@ func runLuaFilterAndPost(ctx *gin.Context, auth *AuthState, authResult global.Au
 return false
 }(),
- UserFound: userFound,
+ UserFound: userFound,
+ AccountField: auth.AccountField,
+ TOTPSecretField: auth.TOTPSecretField,
+ TOTPRecoveryField: auth.TOTPRecoveryField,
+ UniqueUserIDField: auth.UniqueUserIDField,
+ DisplayNameField: auth.DisplayNameField,
+ Backend: auth.UsedPassDBBackend,
+ Attributes: auth.Attributes,
 }
 authResult = auth.filterLua(passDBResult, ctx)
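Review bot: `Attributes: auth.Attributes` hands the raw attribute map to the Lua filter and post-action layer together with `TOTPSecretField` and `TOTPRecoveryField`, which presumably name the keys under which the TOTP secret and recovery codes live; given the commit's stated aim of logging these attributes for traceability, that is a path for second-factor secrets to end up in script output or log lines. Either strip the values stored under those two keys before building passDBResult, or document the constraint on the literal: `// Attributes is shared by reference and may hold the values behind TOTPSecretField/TOTPRecoveryField; Lua scripts must not log or persist them.` Because the map is shared rather than copied, a script that mutates it also mutates auth.Attributes, so clone it here if the Lua side is not meant to alter authentication state. runLuaFilterAndPost starts and ends outside this hunk.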