Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix Per-session MFA for desktops #50793

Merged
merged 2 commits into from
Jan 13, 2025
Merged

Fix Per-session MFA for desktops #50793

merged 2 commits into from
Jan 13, 2025

Conversation

Joerger
Copy link
Contributor

@Joerger Joerger commented Jan 6, 2025
edited
Loading

Restore EventEmitterMfaSender implementation for desktop access mistakenly removed in #49794.

This will be backported in #50529

Closes #50557

@github-actions github-actions bot requested review from gzdunek and ryanclark January 6, 2025 19:35
@Joerger Joerger requested a review from avatus January 6, 2025 21:01
@Joerger Joerger mentioned this pull request Jan 6, 2025
Closed
zmb3
zmb3 reviewed Jan 7, 2025
View reviewed changes
web/packages/teleport/src/lib/useMfa.ts
@@ -172,7 +172,7 @@ export function useMfa({ req, isMfaRequired }: MfaProps): MfaState {
};
}

export function useMfaTty(emitterSender: EventEmitterMfaSender): MfaState {
export function useMfaEmitter(emitterSender: EventEmitterMfaSender): MfaState {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something still feels off about this.

Are you sure desktop code should be calling this? AFAIK, the TermEvent enum is a bunch of events that our web SSH console depends on. I wouldn't expect the desktop player to depend on any term events since it is not a terminal.

If your intent is some refactoring so that SSH and desktop MFA share more code I think that's a fine goal, but I think the abstraction is probably not quite right. I don't think desktop code should depend on TermEvent.

Copy link
Contributor Author

@Joerger Joerger Jan 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't make any significant refactor to the Desktop session MFA code, it was already using useMfa, which took Tty or EventEmitterMfaSender as an argument (tdpClient implements EventEmitterMfaSender). I renamed it to useMfaTty or useMfaEmitter so that I could make useMfa more generally usable.

EventEmitterMfaSender just represents the websocket used in WebUI sessions to send MFA challenges from the proxy and retrieve a challenge response from the client. Tty extends that for Terminal purposes. I can take a stab at renaming to make this more clear.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@avatus Can you help provide any more clarification? It is a dense section of the code base.

Copy link
Contributor

@avatus avatus Jan 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is a result of poor naming/abstractions from the past. desktop and ssh docs both implemented the old EventWebAuthnEmitter or whatever it was called, which had a single non-implemented sendWebauthn method that tty and tdpClient had to implement themselves. And we've since updated it from useWebauthn to useMfa but that weird abstraction layer should probably just go imo, we don't need it. Outside of this PR probably

@Joerger Joerger added the no-changelog Indicates that a PR does not require a changelog entry label Jan 7, 2025
avatus
avatus approved these changes Jan 7, 2025
View reviewed changes
Copy link
Contributor

@avatus avatus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MFA works for me locally on windows desktop now

@Joerger Joerger mentioned this pull request Jan 8, 2025
Merged
@Joerger
Copy link
Contributor Author

Joerger commented Jan 8, 2025

@zmb3 @gzdunek @ryanclark Friendly reminder to review, this should go into v17.2

@Joerger Joerger requested a review from zmb3 January 8, 2025 23:40
@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from gzdunek January 9, 2025 10:52
@Joerger Joerger added this pull request to the merge queue Jan 13, 2025
Merged via the queue into master with commit b6e2bad Jan 13, 2025
44 of 46 checks passed
@Joerger Joerger deleted the joerger/fix-per-session-mfa-desktop branch January 13, 2025 18:09
@public-teleport-github-review-bot
Copy link

@Joerger See the table below for backport results.

Branch Result
branch/v17 Failed

Joerger added a commit that referenced this pull request Jan 13, 2025
@Joerger
Fix Per-session MFA for desktops (#50793)
5ec8278 
* Add sendChallengeResponse implementation for desktop sessions.

* Rename useMfaTty to useMfaEmitter.
@Joerger Joerger mentioned this pull request Jan 13, 2025
Merged
Joerger added a commit that referenced this pull request Jan 14, 2025
@Joerger
Fix Per-session MFA for desktops (#50793)
6799f94 
* Add sendChallengeResponse implementation for desktop sessions.

* Rename useMfaTty to useMfaEmitter.
Joerger added a commit that referenced this pull request Jan 16, 2025
@Joerger
Fix Per-session MFA for desktops (#50793)
70a85e3 
* Add sendChallengeResponse implementation for desktop sessions.

* Rename useMfaTty to useMfaEmitter.
Joerger added a commit that referenced this pull request Jan 21, 2025
@Joerger
Fix Per-session MFA for desktops (#50793)
270ce4a 
* Add sendChallengeResponse implementation for desktop sessions.

* Rename useMfaTty to useMfaEmitter.
github-merge-queue bot pushed a commit that referenced this pull request Jan 21, 2025
@Joerger @r0mant
[v17] Add SSO MFA prompt for WebUI MFA flows (#50529)
7916a96 
* Add SSO MFA prompt for WebUI MFA flows (#49794)

* Include sso channel ID in web mfa challenges.

* Handle SSO MFA challenges.

* Handle sso response in backend.

* Handle non-webauthn mfa response for file transfer, admin actions, and app session.

* Simplify useMfa with new helpers.

* Fix lint.

* Use AuthnDialog for file transfers; Fix json backend logic for file transfers.

* Make useMfa and AuthnDialog more reusable and error proof.

* Use AuthnDialog for App sessions.

* Resolve comments.

* Fix broken app launcher; improve mfaRequired logic in useMfa.

* Fix AuthnDialog test.

* Fix merge conflict with Db web access.

* fix stories.

* Refactor mfa required logic.

* Address bl-nero's comments.

* Address Ryan's comments.

* Add useMfa unit test.

* Fix story lint.

* Replace Promise.withResolvers for compatiblity with older browers; Fix bug where MFA couldn't be retried after a failed attempt; Add extra tests.

* Fix Per-session MFA for desktops (#50793)

* Add sendChallengeResponse implementation for desktop sessions.

* Rename useMfaTty to useMfaEmitter.

* Remove unused code.

* Fix `useMfa` error handling (#50844)

* Fix useMfa cancel logic to avoid duplicate error messages across dialog layers.

* Add MfaCanceledError and use promise.reject for mfa cancel.

* Address comments.

* Fix test.

* Remove outdated comment.

* Add comment; Simplify who dialog logic.

---------

Co-authored-by: Roman Tkachenko <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ryanclark ryanclark ryanclark approved these changes

@avatus avatus avatus approved these changes

@zmb3 zmb3 Awaiting requested review from zmb3

Assignees
No one assigned
Labels
backport/branch/v17 no-changelog Indicates that a PR does not require a changelog entry size/sm ui
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Per-session MFA for desktops is broken
4 participants
@Joerger @avatus @zmb3 @ryanclark