Merge pull request #4057 from Agnul97/fix-Mfa_wrong_code_exception

FIX - Incorrect exceptions on some wrong MFA login attempts
eclipse-kapua · Jun 14, 2024 · 8e8cbfd · 8e8cbfd
2 parents e498d61 + f05a671
commit 8e8cbfd
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/...a/org/eclipse/kapua/service/authentication/credential/mfa/shiro/MfaOptionServiceImpl.java b/...a/org/eclipse/kapua/service/authentication/credential/mfa/shiro/MfaOptionServiceImpl.java
@@ -14,6 +14,7 @@
 
 import org.apache.commons.lang.time.DateUtils;
 import org.apache.http.client.utils.URIBuilder;
+import org.apache.shiro.authc.IncorrectCredentialsException;
 import org.eclipse.kapua.KapuaEntityNotFoundException;
 import org.eclipse.kapua.KapuaException;
 import org.eclipse.kapua.commons.model.domains.Domains;
@@ -313,16 +314,20 @@ public boolean validateMfaCredentials(KapuaId scopeId, KapuaId userId, String to
             return false;
         });
         if (!res) {
+            if ( (tokenAuthenticationCode != null && !tokenAuthenticationCode.isEmpty()) || (tokenTrustKey != null && !tokenTrustKey.isEmpty())) {
+                throw new IncorrectCredentialsException();
+            }
             // In case both the authenticationCode and the trustKey are null, the MFA login via Rest API must be triggered.
             // Since this method only returns true or false, the MFA request via Rest API is handled through exceptions.
+            // It could also be the case that tokens are not null but empty, in this case we throw same exception...
             throw new MfaRequiredException();
         }
         return res;
     }
 
     private Boolean validateFromTrustKey(TxContext tx, MfaOption mfaOption, String tokenTrustKey) throws KapuaAuthenticationException {
         // Check trust machine authentication on the server side
-        if (mfaOption.getTrustKey() == null) {
+        if (mfaOption.getTrustKey() == null || tokenTrustKey.isEmpty()) {
             return false;
         }
         Date now = new Date(System.currentTimeMillis());
@@ -341,6 +346,9 @@ private Boolean validateFromTrustKey(TxContext tx, MfaOption mfaOption, String t
     private Boolean validateFromTokenAuthenticationCode(TxContext tx, KapuaId scopeId, MfaOption mfaOption, String tokenAuthenticationCode) throws KapuaAuthenticationException {
         // Do MFA match
         try {
+            if (tokenAuthenticationCode.isEmpty()) { //Token is not a numeric value and it's empty, so for sure validation is false even considering scratch codes
+                return false;
+            }
             final int numberToken = Integer.parseInt(tokenAuthenticationCode);
             boolean isCodeValid = mfaAuthenticator.authorize(mfaOption.getMfaSecretKey(), numberToken);
             if (isCodeValid) {