
Commit e1a858d

fix: validate MFA claim before allowing TOTP device removal (supertokens#579)
- Fixes an issue where `removeDevice` API allowed removing TOTP devices without the user completing MFA.
1 parent 1273c46 commit e1a858d


5 files changed

+12
-3
lines changed


CHANGELOG.md

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -8,6 +8,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
88

99
## [unreleased]
1010

11+
## [0.29.1] - 2025-04-11
12+
- Fixes an issue where `removeDevice` API allowed removing TOTP devices without the user completing MFA.
13+
1114
## [0.29.0] - 2025-03-03
1215
### Breaking changes
1316
- Makes URL path normalization case sensitive
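Review bot: the new 0.29.1 entry states what was fixed but not that it is an authorization issue, which is the point a reader scanning the changelog needs; the commit message already says the `removeDevice` API allowed removing TOTP devices without the user completing MFA, so the entry should call that out explicitly (for example "Security: ...") and, if known, name the first affected release so integrators can decide whether they must upgrade. Since the root cause is a call site that passed `override_global_claim_validators=lambda _, __, ___: []`, the entry could also advise integrators with the same pattern in their own overrides to review it.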

setup.py

Lines changed: 1 addition & 1 deletion
@@ -82,7 +82,7 @@
8282

8383
setup(
8484
name="supertokens_python",
85-
version="0.29.0",
85+
version="0.29.1",
8686
author="SuperTokens",
8787
license="Apache 2.0",
8888
author_email="team@supertokens.com",

supertokens_python/constants.py

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@
1515
from __future__ import annotations
1616

1717
SUPPORTED_CDI_VERSIONS = ["5.2"]
18-
VERSION = "0.29.0"
18+
VERSION = "0.29.1"
1919
TELEMETRY = "/telemetry"
2020
USER_COUNT = "/users/count"
2121
USER_DELETE = "/user/remove"
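Review bot: the release version is now bumped by hand in two places, `version="0.29.1"` in `setup.py` and `VERSION = "0.29.1"` here in `constants.py`, so a future bump that touches only one of them will ship a package whose self-reported version disagrees with its distribution metadata; consider having `setup.py` read `VERSION` from `supertokens_python/constants.py` (or the reverse) so there is a single source of truth. `SUPPORTED_CDI_VERSIONS` is left at `["5.2"]`, which is consistent with this being a patch release that does not change the core interface.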

supertokens_python/recipe/totp/api/remove_device.py

Lines changed: 3 additions & 1 deletion
@@ -35,7 +35,9 @@ async def handle_remove_device_api(
3535

3636
session = await get_session(
3737
api_options.request,
38-
override_global_claim_validators=lambda _, __, ___: [],
38+
override_global_claim_validators=lambda global_claim_validators, __, ___: [
39+
gcv for gcv in global_claim_validators if gcv.id == "st-mfa"
40+
],
3941
session_required=True,
4042
user_context=user_context,
4143
)
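Review bot: the comprehension `gcv for gcv in global_claim_validators if gcv.id == "st-mfa"` fails open: if no global claim validator with that exact id is registered for the request (for instance if the MFA recipe is not initialised, or if the claim id ever changes), the list is empty and `get_session` enforces no claims at all, which is exactly the pre-fix behaviour, with no error to signal it. Since this endpoint exists to enforce MFA completion before a factor is removed, it should fail closed: compare against the MFA claim's own key attribute rather than a string literal (assuming the MFA recipe exposes one), and either raise or return an error response when the expected validator is absent after filtering. A one-line comment stating why every other global validator (for example an email-verification claim) is deliberately dropped here would also help the next reader, because the filter silently discards them.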

tests/test-server/test_functions_mapper.py

Lines changed: 4 additions & 0 deletions
@@ -142,6 +142,10 @@ async def get_mfa_requirements_for_auth(
142142
required_secondary_factors_for_tenant: Any,
143143
user_context: Dict[str, Any],
144144
) -> MFARequirementList:
145+
# Test specifies an override, return the required data
146+
if 'getMFARequirementsForAuth:async()=>["totp"]' in eval_str:
147+
return ["totp"]
148+
145149
return ["otp-phone"] if user_context.get("requireFactor") else []
146150

147151
original_implementation.get_mfa_requirements_for_auth = (
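Review bot: the override is keyed on the substring `'getMFARequirementsForAuth:async()=>["totp"]'` appearing verbatim in `eval_str`, so any difference in spacing, quoting or key order on the test side silently falls through to the existing `["otp-phone"] if user_context.get("requireFactor") else []` default and the TOTP requirement is never set; prefer a dedicated flag in `user_context`, as the `requireFactor` check already does, or parse the override rather than string-matching it. Also, none of the five files in this commit exercises `handle_remove_device_api` directly; a regression test that calls `removeDevice` with a session whose MFA claim is not yet satisfied and asserts that the request is rejected would pin the fix in this repository rather than only in the external test-server driver.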
