
TrustToken ignored when changing password by loginId

Open sneakylenny opened this issue 3 years ago • 1 comments

Description

Whenever I want to change the password using the loginId, currentPassword, password and a trustToken* with MFA enabled on the respective user, the API returns status 400 with the error:

"code": "[TrustTokenRequired]"
"message": "This request requires a Trust Token. Use the Start Two-Factor API to obtain a Trust Token required to complete this request."

But the trust token has been supplied in the request.

*obtained from POST /api/login followed by POST /api/two-factor/login or POST /api/two-factor/start followed by POST /api/two-factor/login

Affects versions

As far as I know only on 1.36.4 since that's the current version I'm using right now.

Steps to reproduce

Steps to reproduce the behavior:

Create a user and enable mfa

  1. Create a user.
  2. Enable mfa on the user.

Obtain a twoFactorId. There are 2 methods:

  • Method 1:

    1. Hit POST /api/login with login credentials. This will return status 242 and the response will contain a twoFactorId.
    2. Store the twoFactorId.

  • Method 2:

    1. Hit POST /api/two-factor/start with the user's userId in the response body. This will return status 200 and the response will contain a twoFactorId.
    2. Store the twoFactorId.

Continue from method 1 or 2:

  1. Hit POST /api/two-factor/login with a valid mfa code and the twoFactorId from the previous request. This will return status 200 and the response will contain a trustToken.
  2. Store the trustToken.
  3. Hit POST /api/user/change-password with the user's loginId, currentPassword, password and with the stored trustToken from before.
  4. The API will return status 400, and the body contains an errorResponse with 1 error with code [TrustTokenRequired].

Expected behavior

Either the password should be changed and status 200 returned, or status 400 returned with an error telling me the trustToken is invalid, since it is present.

Screenshots

POST /api/two-factor/start

Screenshot_264

POST /api/two-factor/login

Screenshot_265

POST /api/user/change-password

Screenshot_266

Platform

  • Device: Desktop
  • OS: Windows 10 Pro
  • Mozilla Firefox Developer Edition 105.0 Beta 9 (20220908185813)
  • Database MySQL 8.0.23

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

The screenshots are from Hoppscotch (similar to Postman). But the API gives the same result when using the FusionAuth PHP client with ->withTenantId($tenantId).

sneakylenny avatar Oct 05 '22 14:10 sneakylenny
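The exchange in the repro steps above, written out as an added example that is not part of the issue and not FusionAuth's own client code. It drives the three calls (obtain a twoFactorId by either method, exchange it plus an MFA code for a trustToken, then call change-password with that trustToken) against a constructed fake server that reproduces only the statuses and fields the report names, so it runs offline. The client also classifies the failure: a [TrustTokenRequired] error received after a trustToken was sent is reported as "trust_token_ignored" rather than as a missing token, which is the distinction the reporter asks for. The MFA field name "code", the "generalErrors" error envelope, the "X-FusionAuth-TenantId" header and all identifiers and secrets are assumptions or constructed values, not taken from the report.

```python
"""Constructed reproduction of the trust-token flow from the issue.

FakeFusionAuth mimics the reported (defective) behaviour: change-password
returns 400 [TrustTokenRequired] even when a valid trustToken is supplied.
Field name "code", envelope "generalErrors" and the tenant header are
assumptions, not taken from the issue text.
"""
import secrets
from typing import Callable, Dict, Optional, Tuple

TRUST_TOKEN_REQUIRED = "[TrustTokenRequired]"
TRUST_TOKEN_MESSAGE = ("This request requires a Trust Token. Use the Start "
                       "Two-Factor API to obtain a Trust Token required to "
                       "complete this request.")


class FakeFusionAuth:
    """Offline stand-in for the server, limited to what the report describes."""

    def __init__(self, login_id: str, password: str, user_id: str, mfa_code: str):
        self.login_id, self.password = login_id, password
        self.user_id, self.mfa_code = user_id, mfa_code
        self.two_factor_ids, self.trust_tokens = set(), set()

    def __call__(self, method: str, path: str, headers: Dict, body: Dict) -> Tuple[int, Dict]:
        if method != "POST":
            return 405, {}
        if path == "/api/login":  # method 1: 242 + twoFactorId when MFA is enabled
            if body.get("loginId") != self.login_id or body.get("password") != self.password:
                return 404, {}
            tf = secrets.token_urlsafe(16)
            self.two_factor_ids.add(tf)
            return 242, {"twoFactorId": tf}
        if path == "/api/two-factor/start":  # method 2: 200 + twoFactorId
            if body.get("userId") != self.user_id:
                return 404, {}
            tf = secrets.token_urlsafe(16)
            self.two_factor_ids.add(tf)
            return 200, {"twoFactorId": tf}
        if path == "/api/two-factor/login":  # 200 + trustToken on a valid code
            if body.get("twoFactorId") in self.two_factor_ids and body.get("code") == self.mfa_code:
                tt = secrets.token_urlsafe(24)
                self.trust_tokens.add(tt)
                return 200, {"trustToken": tt}
            return 400, {"generalErrors": [{"code": "[constructed]", "message": "bad code"}]}
        if path == "/api/user/change-password":
            # Reported defect: the trustToken in the body is never consulted.
            return 400, {"generalErrors": [{"code": TRUST_TOKEN_REQUIRED,
                                            "message": TRUST_TOKEN_MESSAGE}]}
        return 404, {}


def classify_change_password(status: int, body: Dict, sent_trust_token: bool) -> str:
    """Turn the API outcome into a label a caller can log and act on."""
    if status == 200:
        return "changed"
    codes = {e.get("code") for e in body.get("generalErrors", [])}
    if TRUST_TOKEN_REQUIRED in codes:
        # A trustToken was sent but the server still demands one: the token was ignored.
        return "trust_token_ignored" if sent_trust_token else "trust_token_missing"
    return "other_error"


class ChangePasswordClient:
    def __init__(self, send: Callable[..., Tuple[int, Dict]], tenant_id: Optional[str] = None):
        self.send = send
        self.headers = {"Content-Type": "application/json"}
        if tenant_id:  # assumption: the PHP client's withTenantId() maps to this header
            self.headers["X-FusionAuth-TenantId"] = tenant_id

    def obtain_two_factor_id(self, *, login_id: str = "", password: str = "", user_id: str = "") -> str:
        if user_id:  # method 2 from the report
            status, body = self.send("POST", "/api/two-factor/start", self.headers, {"userId": user_id})
            expected = 200
        else:  # method 1 from the report
            status, body = self.send("POST", "/api/login", self.headers,
                                     {"loginId": login_id, "password": password})
            expected = 242
        if status != expected or "twoFactorId" not in body:
            raise RuntimeError(f"no twoFactorId, status {status}")
        return body["twoFactorId"]

    def obtain_trust_token(self, two_factor_id: str, code: str) -> str:
        status, body = self.send("POST", "/api/two-factor/login", self.headers,
                                 {"twoFactorId": two_factor_id, "code": code})
        if status != 200 or "trustToken" not in body:
            raise RuntimeError(f"no trustToken, status {status}")
        return body["trustToken"]

    def change_password(self, login_id: str, current: str, new: str, trust_token: Optional[str]) -> str:
        payload = {"loginId": login_id, "currentPassword": current, "password": new}
        if trust_token:
            payload["trustToken"] = trust_token
        status, body = self.send("POST", "/api/user/change-password", self.headers, payload)
        return classify_change_password(status, body, sent_trust_token=bool(trust_token))


def run_report_flow(method: int) -> str:
    """Run the reporter's steps with method 1 or 2 and return the classification."""
    server = FakeFusionAuth("alice@example.test", "old-pw", "user-0001", "123456")  # constructed
    client = ChangePasswordClient(server, tenant_id="tenant-0001")
    if method == 1:
        tf = client.obtain_two_factor_id(login_id="alice@example.test", password="old-pw")
    else:
        tf = client.obtain_two_factor_id(user_id="user-0001")
    tt = client.obtain_trust_token(tf, "123456")
    return client.change_password("alice@example.test", "old-pw", "new-pw", tt)


if __name__ == "__main__":
    for m in (1, 2):
        print(f"method {m}: {run_report_flow(m)}")
```

Against a real deployment the fake server would be replaced by a transport that performs the HTTP request; the classification logic is the part worth keeping, because "trust_token_ignored" versus "trust_token_missing" is exactly the signal that separates a client bug from the server-side behaviour described in this issue.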

Thanks for the detailed repro steps, @timyourivh! We'll have to take a look and see if we can reproduce on the latest version.

mooreds avatar Oct 07 '22 14:10 mooreds

Internal

  • https://github.com/FusionAuth/fusionauth-app/pull/172

spwitt avatar Dec 20 '22 14:12 spwitt