fusionauth-issues

[Bug]: User MFA method validation does not check for duplicates if an `id` is provided

Open spwitt opened this issue 7 months ago • 0 comments

What happened?

Attempting to add an MFA/2FA method to an existing user via a user API request or an external connector response validates the values provided in `user.twoFactor.methods`.

If the method does not have an `id` field, validation assumes this is a new method and checks for a duplicate email address/phone number.

If the method does have an `id` field, validation assumes this is an update to an existing method and does not check for duplicate email address/phone number.

Later in the update process, methods in the request are matched against existing methods based on the `id`. If the `id` on the request is null or does not have a match for an existing method, FusionAuth creates a new method and generates an `id` regardless of the value on the request. This behavior does not match the earlier validation, which assumes that a method on the request containing an `id` must be an update to an existing method.

Updates to a user's MFA/2FA methods should only skip the duplicate validation check if the `id` and email/phone on the request method both match an existing method.

Version

1.57.1

Affects Versions

No response

Alternatives / Workarounds

No response

spwitt, Jun 05 '25 13:06
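The validation mismatch described in this issue, modelled as an added example that is not FusionAuth source code and not part of the original report. The function names, the dict keys `email` and `phone`, and the sample data are assumptions made for illustration.

```python
# Illustrative model only: not FusionAuth code. MFA methods are plain dicts
# with hypothetical keys "id", "email" and "phone".

def _contact(method):
    """The value duplicate detection compares: the email or the phone."""
    return method.get("email") or method.get("phone")

def validate_as_reported(existing, requested):
    """Behaviour described in the issue: a method that carries any id is
    assumed to be an update, so the duplicate check is skipped for it."""
    known = {_contact(m) for m in existing}
    errors = []
    for m in requested:
        if m.get("id") is None and _contact(m) in known:
            errors.append(f"duplicate: {_contact(m)}")
    return errors

def validate_as_proposed(existing, requested):
    """Rule proposed in the issue: skip the duplicate check only when the
    id AND the email/phone both match the same existing method."""
    by_id = {m["id"]: m for m in existing}
    known = {_contact(m) for m in existing}
    errors = []
    for m in requested:
        match = by_id.get(m.get("id"))
        if match is not None and _contact(match) == _contact(m):
            continue  # genuine update of an existing method
        if _contact(m) in known:
            errors.append(f"duplicate: {_contact(m)}")
    return errors

# Constructed sample data: one stored method, then a request that resends it
# together with a second method whose id matches nothing stored.
EXISTING = [{"id": "m-1", "method": "email", "email": "user@example.com"}]
REQUEST = EXISTING + [
    {"id": "unmatched-id", "method": "email", "email": "user@example.com"},
]

if __name__ == "__main__":
    print("as reported:", validate_as_reported(EXISTING, REQUEST))
    print("as proposed:", validate_as_proposed(EXISTING, REQUEST))
```
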