MFA - Cannot receive SMS token if maxPasswordHistory != 0

[riccardoch]

New Issue Checklist

• Report security issues confidentially.
• Any contribution is under this license.
• Before posting search existing issues.

Issue Description

If maxPasswordHistory is set to a value != 0, the token request does not work as expected. It appears to be incorrectly interpreted as a password change request, as a result no token is created.

Steps to reproduce

To reproduce the issue you have to set maxPasswordHistory in index.js to a value != 0:

maxPasswordHistory: 5

Then you need to request a token for a user with MFA enabled:

POST {{url}}/login
Content-Type: application/json
Cache-Control: no-cache
X-Parse-REST-API-Key: {{rest_api_key}}
X-Parse-Application-Id: {{application_id}}

{
    "username": "tester",
    "password": "*********",
    "authData": { 
        "mfa": { 
            "mobile": "+11111111111",
            "token": "request"
        }
    }
}

This is the response:

{
  "code": 142,
  "error": "New password should not be the same as last 5 passwords."
}

If you remove maxPasswordHistory the token is sent as expected.

Actual Outcome

sendSMS callback is not called and this is the current result if maxPasswordHistory is != 0:

{
  "code": 142,
  "error": "New password should not be the same as last 5 passwords."
}

Expected Outcome

sendSMS callback returns the token and this is the expected response to the token request:

{
  "code": 141,
  "error": "Please enter the token"
}

Environment

Node: 18.20.5

Server

• Parse Server version: 7.4.0
• Operating system: Ubuntu 20.04
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): Digital Ocean

Database

• System (MongoDB or Postgres): MongoDB
• Database version: 6
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): Digital Ocean

[parse-github-assistant]

Thanks for opening this issue!

• 🚀 You can help us to fix this issue faster by opening a pull request with a failing test. See our Contribution Guide for how to make a pull request, or read our New Contributor's Guide if this is your first time contributing.