Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WebUI MFA types refactor #49678

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

WebUI MFA types refactor #49678

wants to merge 8 commits into from
+472 −262

Conversation

Joerger
Copy link
Contributor

@Joerger Joerger commented Dec 3, 2024
edited
Loading

Changes:

  • Move, deduplicate, and add MFA types to web/packages/teleport/src/services/mfa
    • Also rename some types/methods and improve type assertions.
  • Refactor MFA options to be derived from MFA challenges rather than listed devices, which is more reliable (backend logic) and removes the need for a lot of extra logic we were doing based off of auth2faType

Prerequisite for SSO MFA changes (TODO).

TODO: Follow up PRs to remove remaining uses of createMfaOptions.

@Joerger Joerger requested a review from avatus December 3, 2024 02:39
This was referenced Dec 3, 2024
Open
Draft
ryanclark
ryanclark reviewed Dec 3, 2024
View reviewed changes
web/packages/shared/utils/createMfaOptions.ts Outdated
};
}

return opt as MfaOption;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't opt already MfaOption here?

Copy link
Contributor Author

@Joerger Joerger Dec 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's of type services/mfa/MfaOption but this method needs to return utils/MfaOption. I'm not sure how to how to make the former a type alias of the latter since they have the same name, so I just did a type cast. Is there another way to make this work?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would using satisfies MfaOption work here to coerce it w/out asserting?

web/packages/shared/utils/createMfaOptions.ts
return mfaOptions;
// Deprecated: use getMfaRegisterOptions or getMfaChallengeOptions instead.
// TODO(Joerger): Delete once no longer used.
export default function createMfaOptions(opts: Options): MfaOption[] {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that this no longer handles required, should this just accept auth2faType?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, but I can't change the function signature until the RecoveryFlow in /e starts using the new MfaOptions methods. I'm going to remove the method all existing calls to createMfaOptions in a couple of follow up PRs to avoid merge conflicts and /e shenanigans.

web/packages/teleport/src/services/mfa/mfaOptions.ts Outdated
Comment on lines 14 to 41
mfaOptions.push({ value: 'webauthn', label: 'Passkey or Security Key' });
}

if (mfaChallenge?.totpChallenge) {
mfaOptions.push({ value: 'totp', label: 'Authenticator App' });
}

if (mfaChallenge?.ssoChallenge) {
mfaOptions.push({
value: 'sso',
label:
mfaChallenge.ssoChallenge.device.displayName ||
mfaChallenge.ssoChallenge.device.connectorId,
});
}

return mfaOptions;
}

export function getMfaRegisterOptions(auth2faType: Auth2faType) {
const mfaOptions: MfaOption[] = [];

if (auth2faType === 'webauthn' || auth2faType === 'on') {
mfaOptions.push({ value: 'webauthn', label: 'Passkey or Security Key' });
}

if (auth2faType === 'otp' || auth2faType === 'on') {
mfaOptions.push({ value: 'totp', label: 'Authenticator App' });
Copy link
Contributor

@ryanclark ryanclark Dec 3, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like these objects can be defined outside of the functions and then it's just mfaOptions.push(WEBAUTHN_OPTION) etc in both methods

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, added const webauthnOption, const totpOption, and func getSsoOption.

SSO option is derived from the challenge so I'm not sure if an enum works here (that's generally what all caps like WEBAUTHN_OPTION is for right?).

@Joerger Joerger added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v17 labels Dec 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@avatus avatus Awaiting requested review from avatus

@kiosion kiosion Awaiting requested review from kiosion

@ryanclark ryanclark Awaiting requested review from ryanclark

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
backport/branch/v15 backport/branch/v16 backport/branch/v17 no-changelog Indicates that a PR does not require a changelog entry size/md ui
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Joerger @ryanclark @kiosion