stages/authenticator_validation: refuse passwordless flow if flow is not for authentication

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-12-22 18:02:43 +01:00
parent a3c681cc44
commit e72f0ab160

View file

@ -8,7 +8,7 @@ from structlog.stdlib import get_logger
from authentik.events.models import Event, EventAction
from authentik.events.utils import cleanse_dict, sanitize_dict
from authentik.flows.challenge import ChallengeResponse, ChallengeTypes, WithUserInfoChallenge
from authentik.flows.models import NotConfiguredAction, Stage
from authentik.flows.models import FlowDesignation, NotConfiguredAction, Stage
from authentik.flows.planner import PLAN_CONTEXT_PENDING_USER
from authentik.flows.stage import ChallengeStageView
from authentik.stages.authenticator_sms.models import SMSDevice
@ -153,6 +153,9 @@ class AuthenticatorValidateStageView(ChallengeStageView):
if user:
challenges = self.get_device_challenges()
else:
if self.executor.flow.designation != FlowDesignation.AUTHENTICATION:
LOGGER.debug("Refusing passwordless flow in non-authentication flow")
return self.executor.stage_ok()
# Passwordless auth, with just webauthn
if DeviceClasses.WEBAUTHN in stage.device_classes:
LOGGER.debug("Userless flow, getting generic webauthn challenge")