7606 PPG-1354 MFA again while navigating to the client dashboard (#2275)

Crown-Commercial-Service · Oct 10, 2024 · e7f5f3e · e7f5f3e
1 parent 781706a
commit e7f5f3e
Showing 1 changed file with 29 additions and 17 deletions.
diff --git a/Auth0Actions/mfa-custom-attribute-action.js b/Auth0Actions/mfa-custom-attribute-action.js
@@ -12,40 +12,52 @@
 
 exports.onExecutePostLogin = async (event, api) => {
 
-  if (event.transaction?.protocol === 'oauth2-refresh-token') {
+  if(event.transaction?.protocol === 'oauth2-refresh-token'){    
     return;
   }
-  //Avoid prompting a user for multifactor authentication if they have successfully completed MFA in their current session
+
+  // To skip MFA prompt just after enrollment
+  // https://crowncommercialservice.atlassian.net/browse/PPG-1354
+  // We’ve added a condition to skip the MFA challenge for this particular scenario, where we don’t want the user to be challenged for MFA immediately after enrollment. The condition will bypass the challenge in this case, but for other scenarios, MFA will still be required.
+  // We don’t have access to multifactor_last_modified and last_login in this action, so we have to use authenticated_at and updated_at instead.
+  let session_authenticated_at = event.session?.authenticated_at;
+  let user_update_at = event.user?.updated_at;
+  if(session_authenticated_at && user_update_at && session_authenticated_at < user_update_at){    
+    console.log("Skip-MFA");
+    return;
+  }
+
+ //Avoid prompting a user for multifactor authentication if they have successfully completed MFA in their current session
   let authMethods = [];
   if (event.authentication && Array.isArray(event.authentication.methods)) {
     authMethods = event.authentication.methods;
     console.log("MFA log2  context.authentication.methods");
     console.log(event.authentication.methods);
   }
-
-  let findMFA = authMethods.find((method) => method.name === 'mfa');
-  console.log("Finding authMethods for mfa", findMFA);
-  console.log("Finding authMethods for !!mfa", !!findMFA);
-
-
+  
+   let findMFA = authMethods.find((method) => method.name === 'mfa');
+   console.log("Finding authMethods for mfa", findMFA);  
+   console.log("Finding authMethods for !!mfa", !!findMFA);  
+  
+  
   const completedMfa = !!authMethods.find((method) => method.name === 'mfa');
-  console.log("MFA log3  ccompletedMfa");
-  console.log(completedMfa);
+    console.log("MFA log3  ccompletedMfa");
+    console.log(completedMfa);
   if (completedMfa) {
     return;
   }
-
-  let socialLogin = !!event.user.identities.find((identity) => identity.provider === "google-oauth2");
-  console.log('user.user_metadata-', event.user.user_metadata);
-
+  
+  let socialLogin = !!event.user.identities.find((identity)=>identity.provider==="google-oauth2");
+   console.log('user.user_metadata-',event.user.user_metadata);
+  
   // run only for the specified clients
   //if (CLIENTS_WITH_MFA.indexOf(context.clientID) !== -1) {
   // uncomment the following if clause in case you want to request a second factor only from user's that have user_metadata.use_mfa === true
-  if (event.user.user_metadata && event.user.user_metadata.use_mfa === true) {
+  if (event.user.user_metadata && event.user.user_metadata.use_mfa === true){
     console.log('Inside mfa true condition');
-    api.multifactor.enable('any', { allowRememberBrowser: false });
+  api.multifactor.enable('any', { allowRememberBrowser: false });
   }
-  return;
+   return;
 };