decouple enrollment with redirect rules and challenge using Auth0 UL
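/**
 * Auth0 rule: gate the login on an out-of-band MFA enrollment / challenge step.
 *
 * Three legs, selected by `context.protocol` and the user's app_metadata:
 *  - 'redirect-callback': the user is coming back from the external MFA page
 *    with a signed `id_token` in the query string; verify it and either
 *    finish or fail the login.
 *  - already enrolled (`user.app_metadata.MFAEnrolledStatus` truthy): ask
 *    Auth0 for its built-in MFA challenge via `context.multifactor`.
 *  - otherwise: mint a short-lived enrollment token bound to this user and
 *    client and redirect to `configuration.voice_mfa_url`.
 *
 * Relies on the rule sandbox globals `configuration.Email_MFA_TOKEN_SECRET`
 * (base64-encoded HMAC secret shared with the MFA page) and
 * `configuration.voice_mfa_url`.
 *
 * @param {object} user - Auth0 user for the login in progress.
 * @param {object} context - Rule context (protocol, clientID, request, redirect, multifactor).
 * @param {function} callback - Rule completion: callback(err) or callback(null, user, context).
 */
function performMfa(user, context, callback) {
  const jwt = require('jsonwebtoken');
  // Load crypto explicitly instead of relying on it being a sandbox global.
  const crypto = require('crypto');

  const ENROLLMENT_ISSUER = 'urn:auth0:enrollment:mfa';
  const TOKEN_ALGORITHM = 'HS256';
  const mfaEnrollmentStatus = (user.app_metadata || {}).MFAEnrolledStatus || '';

  // HMAC key shared with the external MFA page; read lazily so the
  // already-enrolled leg does not depend on it.
  function getSigningKey() {
    return Buffer.from(configuration.Email_MFA_TOKEN_SECRET, 'base64');
  }

  // Optionally restrict the rule to specific connections / clients here
  // (e.g. compare context.connection or context.clientID and return
  // callback(null, user, context) early for everything else).

  if (context.protocol === 'redirect-callback') {
    // Returning from the external MFA page.
    const query = (context.request && context.request.query) || {};
    console.log(query.state, "retrieved state");

    let decoded;
    try {
      // jwt.verify throws on any failure (missing token, bad signature,
      // expired), so a falsy `decoded` can never be observed; pin the
      // algorithm and the claims the enrollment leg sets so a token minted
      // for another client or issuer is rejected.
      decoded = jwt.verify(query.id_token, getSigningKey(), {
        algorithms: [TOKEN_ALGORITHM],
        audience: context.clientID,
        issuer: ENROLLMENT_ISSUER,
      });
    } catch (err) {
      console.log("enrollment token rejected", err.message);
      return callback(new Error('Invalid Token'));
    }
    console.log("decoded jti", decoded.jti);

    // The token was issued with subject = user.user_id; the login resuming
    // here must belong to that same user.
    if (decoded.sub !== user.user_id) return callback(new Error('Invalid Subject'));

    // NOTE(review): once app_metadata marks the user enrolled, any `status`
    // value is accepted here — confirm that is intended.
    if (decoded.status !== 'ok' && !mfaEnrollmentStatus) {
      console.log(decoded.status, "MFA status in rule");
      return callback(new Error('No MFA'));
    }

    // NOTE(review): `user.jti` is assigned on the in-memory user object in
    // the enrollment leg and is not persisted anywhere visible in this rule,
    // so this comparison depends on something outside it carrying the value
    // across the redirect — confirm; otherwise it always fails.
    if (decoded.jti !== user.jti) return callback(new Error('Invalid JTI'));

    // The external form is expected to set app_metadata.MFAEnrolledStatus
    // itself (originally sketched here as an auth0.users.updateUserMetadata
    // call); nothing is persisted from this leg.
    return callback(null, user, context);
  }

  if (mfaEnrollmentStatus) {
    // Already enrolled: let Auth0 run its own MFA challenge.
    context.multifactor = {
      provider: 'any',
      // optional, defaults to true. Set to false to force authentication every time.
      // See https://auth0.com/docs/multifactor-authentication/custom#change-the-frequency-of-authentication-requests for details
      allowRememberBrowser: true,
    };
    return callback(null, user, context);
  }

  // Not enrolled: mint a one-time enrollment token and redirect.
  const jti = crypto.randomBytes(16).toString("hex");
  user.jti = jti;
  console.log("jti in rule", jti);

  // `jti` is carried in the payload only: jsonwebtoken's equivalent sign
  // option is `jwtid` (not `jti`) and it refuses it when the payload already
  // has a `jti` claim, so the original option would have thrown.
  const token = jwt.sign({ jti: jti, email: user.email }, getSigningKey(), {
    algorithm: TOKEN_ALGORITHM,
    subject: user.user_id,
    expiresIn: '5m',
    audience: context.clientID,
    issuer: ENROLLMENT_ISSUER,
  });

  // Trigger enrollment. The token travels in the query string, so it can
  // land in browser history and proxy logs; the 5 minute lifetime and the
  // single-use jti limit the exposure.
  context.redirect = {
    url: configuration.voice_mfa_url + '?token=' + encodeURIComponent(token),
  };
  return callback(null, user, context);
}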