Focus fix down for apps.

gravitational · Jan 31, 2025 · 98892fa · 98892fa
1 parent de47e12
commit 98892fa
Showing 4 changed files with 15 additions and 24 deletions.
diff --git a/lib/web/mfa.go b/lib/web/mfa.go
@@ -199,18 +199,14 @@ func (h *Handler) createAuthenticateChallengeHandle(w http.ResponseWriter, r *ht
 			return nil, trace.Wrap(err)
 		}
 
-		// If this is an app session request and we're missing the ClusterID argument, we can
-		// get the target cluster ID from the app resolved by the request. This is useful when
-		// connecting directly to a leaf cluster app through the root cluster rather than through
-		// the launcher.
+		// If this is an mfa required check for a leaf host, we need to check the requirement through
+		// the leaf cluster, rather than through root in the authenticate challenge request below
+		//
+		// TODO(Joerger): Currently, we only leafs hosts that we check mfa requirements for directly
+		// are apps. If we need to check other hosts directly, rather than through websocket flow,
+		// we'll need to include their clusterID in the request like we do for apps.
 		appReq := mfaRequiredCheckProto.GetApp()
-		if appReq != nil && req.IsMFARequiredRequest.ClusterID == "" {
-			req.IsMFARequiredRequest.ClusterID = appReq.GetClusterName()
-		}
-
-		// If the MFA requirement check is being performed for a leaf host, we must check directly
-		// with the leaf cluster before the authentication challenge request through root.
-		if req.IsMFARequiredRequest.ClusterID != "" && req.IsMFARequiredRequest.ClusterID != c.cfg.RootClusterName {
+		if appReq != nil && req.IsMFARequiredRequest.ClusterID != c.cfg.RootClusterName {
 			site, err := h.getSiteByClusterName(ctx, c, req.IsMFARequiredRequest.ClusterID)
 			if err != nil {
 				return nil, trace.Wrap(err)

diff --git a/web/packages/teleport/src/AppLauncher/AppLauncher.tsx b/web/packages/teleport/src/AppLauncher/AppLauncher.tsx
@@ -41,7 +41,6 @@ export function AppLauncher() {
     req: {
       scope: MfaChallengeScope.USER_SESSION,
       isMfaRequiredRequest: {
-        clusterId: pathParams.clusterId,
         app: {
           fqdn: pathParams.fqdn,
           cluster_name: pathParams.clusterId,

diff --git a/web/packages/teleport/src/config.ts b/web/packages/teleport/src/config.ts
@@ -749,10 +749,8 @@ const cfg = {
     return generatePath(cfg.api.connectionDiagnostic, { clusterId });
   },
 
-  getMfaRequiredUrl(clusterId?: string) {
-    if (!clusterId) {
-      clusterId = cfg.proxyCluster;
-    }
+  getMfaRequiredUrl() {
+    const clusterId = cfg.proxyCluster;
     return generatePath(cfg.api.mfaRequired, { clusterId });
   },
 

diff --git a/web/packages/teleport/src/services/auth/auth.ts b/web/packages/teleport/src/services/auth/auth.ts
@@ -412,7 +412,7 @@ function checkMfaRequired(
   params: IsMfaRequiredRequest,
   abortSignal?
 ): Promise<IsMfaRequiredResponse> {
-  return api.post(cfg.getMfaRequiredUrl(params.clusterId), params, abortSignal);
+  return api.post(cfg.getMfaRequiredUrl(), params, abortSignal);
 }
 
 function base64EncodeUnicode(str: string) {
@@ -450,18 +450,16 @@ function waitForMessage(
 
 export default auth;
 
-export type IsMfaRequiredRequest = {
-  // clusterId is the cluster to check mfa requirement against. When connecting to
-  // leaf hosts, this should be set to the leaf clusterId.
-  clusterId?: string;
-} & (
+// Note: In order to check if mfa is required for a leaf host, the leaf
+// clusterID must be included in the request. Currently, only IsMfaRequiredApp
+// supports this functionality.
+export type IsMfaRequiredRequest =
   | IsMfaRequiredDatabase
   | IsMfaRequiredNode
   | IsMfaRequiredKube
   | IsMfaRequiredWindowsDesktop
   | IsMfaRequiredApp
-  | IsMfaRequiredAdminAction
-);
+  | IsMfaRequiredAdminAction;
 
 export type IsMfaRequiredResponse = {
   required: boolean;