[PM-21281] Email TOTP sent twice when user only has Email MFA enabled (#5782)

* fix: addressed bug where email token is sent twice, * test: updating tests to have correct DI and removing test for automatic email of TOTP.
2025-05-12 07:02:16 -05:00 · 2025-05-09 12:13:01 -04:00 · 2025-05-09 12:13:01 -04:00 · ead5bbdd2a
commit ead5bbdd2a
parent 3f95513d11
3 changed files with 11 additions and 15 deletions
--- a/src/Core/Auth/Models/Business/Tokenables/SsoEmail2faSessionTokenable.cs
+++ b/src/Core/Auth/Models/Business/Tokenables/SsoEmail2faSessionTokenable.cs
@ -4,9 +4,10 @@ using Bit.Core.Tokens;

 namespace Bit.Core.Auth.Models.Business.Tokenables;

-// This token just provides a verifiable authN mechanism for the API service
-// TwoFactorController.cs SendEmailLogin anonymous endpoint so it cannot be
-// used maliciously.
+/// <summary>
+/// This token provides a verifiable authN mechanism for the TwoFactorController.SendEmailLoginAsync
+/// anonymous endpoint so it cannot used maliciously.
+/// </summary>
 public class SsoEmail2faSessionTokenable : ExpiringTokenable
 {
    // Just over 2 min expiration (client expires session after 2 min)
--- a/src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/TwoFactorAuthenticationValidator.cs
@ -91,7 +91,10 @@ public class TwoFactorAuthenticationValidator(
            { "TwoFactorProviders2", providers },
        };

-        // If we have email as a 2FA provider, we might need an SsoEmail2fa Session Token
+        // If we have an Email 2FA provider we need this session token so SSO users
+        // can re-request an email TOTP. The TwoFactorController.SendEmailLoginAsync
+        // endpoint requires a way to authenticate the user before sending another email with
+        // a TOTP, this token acts as the authentication mechanism.
        if (enabledProviders.Any(p => p.Key == TwoFactorProviderType.Email))
        {
            twoFactorResultDict.Add("SsoEmail2faSessionToken",
@ -100,12 +103,6 @@ public class TwoFactorAuthenticationValidator(
            twoFactorResultDict.Add("Email", user.Email);
        }

-        if (enabledProviders.Count == 1 && enabledProviders.First().Key == TwoFactorProviderType.Email)
-        {
-            // Send email now if this is their only 2FA method
-            await _userService.SendTwoFactorEmailAsync(user);
-        }
-
        return twoFactorResultDict;
    }

--- a/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/TwoFactorAuthenticationValidatorTests.cs
@ -252,9 +252,9 @@ public class TwoFactorAuthenticationValidatorTests

    [Theory]
    [BitAutoData(TwoFactorProviderType.Email)]
-    public async void BuildTwoFactorResultAsync_IndividualEmailProvider_SendsEmail_SetsSsoToken_ReturnsNotNull(
-        TwoFactorProviderType providerType,
-        User user)
+    public async void BuildTwoFactorResultAsync_SetsSsoToken_ReturnsNotNull(
+    TwoFactorProviderType providerType,
+    User user)
    {
        // Arrange
        var providerTypeInt = (int)providerType;
@ -276,8 +276,6 @@ public class TwoFactorAuthenticationValidatorTests
        Assert.True(providers.ContainsKey(providerTypeInt.ToString()));
        Assert.True(result.ContainsKey("SsoEmail2faSessionToken"));
        Assert.True(result.ContainsKey("Email"));
-
-        await _userService.Received(1).SendTwoFactorEmailAsync(Arg.Any<User>());
    }

    [Theory]