
[Bug]: Login Validation Lambda function invoked after MFA and change password required handling

Open mrudatsprint opened this issue 5 months ago • 3 comments

What happened?

A login validation lambda that returns an error result doesn't display the error when MFA is configured. In this case after entering the userid/password, the user is prompted for an MFA challenge. An Invalid code message is then returned after entering the challenge.


The user shouldn't have been prompted for an MFA challenge and the error result displayed. In the case of user/password only or when using WebAuthn, the error result from the lambda is returned.


Version

1.57.1

Affects Versions

No response

Alternatives / Workarounds

No response

mrudatsprint avatar Jul 08 '25 19:07 mrudatsprint

Currently, we do process MFA required, and password change required prior to invoking this lambda when configured.

Currently, we authenticate the user; if MFA is required, we force MFA, and upon completion of MFA we invoke this lambda function. I think the reason for that is to ensure we have completed the FusionAuth workflow and performed all checks we wish to perform before invoking the lambda as a last check.

So I don't know that it makes sense to invoke this lambda before we complete MFA. We could in theory - but then I think we have to invoke it again after we complete MFA because the state of the user may have changed. I would rather not invoke this twice.

So maybe the order of operation is correct, but the error isn't being displayed correctly on the MFA page after the user completes the correct 2FA challenge.

So, for example - IMO - ideally we want to wait until we actually complete authentication of the user before invoking this lambda function. If a user has MFA enabled, until they complete the MFA challenge we have to assume the user is malicious or not yet fully authenticated.

For that reason, my guess is that we intentionally are not invoking this lambda function until the user is completely authenticated.

Is your primary concern that the error message Your account has been restricted is not being displayed on the MFA page? If that is the case, that sounds like a bug.

robotdan avatar Jul 09 '25 21:07 robotdan
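The ordering described in the comment above (password, then MFA, then the login validation lambda as the final gate), as an added, constructed model that is not FusionAuth's code. The user store, the MFA code, and the `loginValidationLambda` stand-in are assumptions; it shows that the lambda runs once after all earlier checks and that its error must be returned to whichever page the user is currently on, including the MFA page.

```javascript
// Constructed model of the login ordering, not FusionAuth's implementation.
// Hypothetical user store (constructed sample data).
const users = {
  alice: { password: "correct horse", mfaEnabled: true, restricted: true },
  bob: { password: "hunter2", mfaEnabled: false, restricted: false },
};

// Stand-in for a login validation lambda: returns a list of errors.
// An empty list means the login may proceed.
function loginValidationLambda(user) {
  const errors = [];
  if (user.restricted) {
    errors.push({ code: "[LoginRestricted]", message: "Your account has been restricted" });
  }
  return errors;
}

// Step 3: the lambda runs exactly once, only after every prior check passed.
// Its errors are handed back to the page the user is on (password or MFA page).
function finishLogin(user) {
  const errors = loginValidationLambda(user);
  return errors.length ? { status: "rejected", errors } : { status: "success", errors: [] };
}

// Step 1: password check. With MFA enabled this returns a pending state and
// does not consult the lambda yet, so an unauthenticated caller learns nothing
// about the account's restricted status.
function authenticate(username, password) {
  const user = users[username];
  if (!user || user.password !== password) return { status: "failed", errors: [] };
  if (user.mfaEnabled) return { status: "mfaRequired", user };
  return finishLogin(user);
}

// Step 2: MFA challenge. "123456" stands in for a valid one-time code (assumption).
function completeMfa(pending, code) {
  if (pending.status !== "mfaRequired") throw new Error("no MFA challenge pending");
  if (code !== "123456") {
    return { status: "failed", errors: [{ code: "[InvalidCode]", message: "Invalid code" }] };
  }
  return finishLogin(pending.user);
}
```

In the model, a restricted user with MFA enabled is rejected only after a correct code, and the page rendering that MFA step is what must display the lambda's message rather than a generic invalid-code error.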

Thank you @robotdan. Yes, the concern would be that the error message Your account has been restricted is not being displayed on the MFA page.

mrudatsprint avatar Jul 09 '25 21:07 mrudatsprint

See comments above, we may have a bug that would cause us not to correctly display Your account has been restricted to the end user, needs investigation.

robotdan avatar Oct 09 '25 20:10 robotdan