fix email as 2fa for sso (#6495)

* fix email as 2fa for sso * allow saving device without updating `updated_at` * check if email is some * allow device to be saved in postgresql * use twofactor_incomplete table * no need to update device.updated_at
2026-04-03 07:39:20 -07:00 · 2025-12-06 22:22:33 +01:00
parent 8f689d8795
commit 4ad8baf7be
7 changed files with 94 additions and 61 deletions
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -1409,7 +1409,7 @@ async fn put_device_token(device_id: DeviceId, data: Json<PushToken>, headers: H
    }

    device.push_token = Some(token);
-    if let Err(e) = device.save(&conn).await {
+    if let Err(e) = device.save(true, &conn).await {
        err!(format!("An error occurred while trying to save the device push token: {e}"));
    }

--- a/src/api/core/two_factor/email.rs
+++ b/src/api/core/two_factor/email.rs
@@ -10,7 +10,7 @@ use crate::{
    auth::Headers,
    crypto,
    db::{
-        models::{EventType, TwoFactor, TwoFactorType, User, UserId},
+        models::{DeviceId, EventType, TwoFactor, TwoFactorType, User, UserId},
        DbConn,
    },
    error::{Error, MapResult},
@@ -24,10 +24,12 @@ pub fn routes() -> Vec<Route> {
 #[derive(Deserialize)]
 #[serde(rename_all = "camelCase")]
 struct SendEmailLoginData {
+    #[serde(alias = "DeviceIdentifier")]
+    device_identifier: DeviceId,
    #[serde(alias = "Email")]
-    email: String,
+    email: Option<String>,
    #[serde(alias = "MasterPasswordHash")]
-    master_password_hash: String,
+    master_password_hash: Option<String>,
 }

 /// User is trying to login and wants to use email 2FA.
@@ -36,25 +38,40 @@ struct SendEmailLoginData {
 async fn send_email_login(data: Json<SendEmailLoginData>, conn: DbConn) -> EmptyResult {
    let data: SendEmailLoginData = data.into_inner();

-    use crate::db::models::User;
-
-    // Get the user
-    let Some(user) = User::find_by_mail(&data.email, &conn).await else {
-        err!("Username or password is incorrect. Try again.")
-    };
-
    if !CONFIG._enable_email_2fa() {
        err!("Email 2FA is disabled")
    }

-    // Check password
-    if !user.check_valid_password(&data.master_password_hash) {
-        err!("Username or password is incorrect. Try again.")
-    }
+    // Get the user
+    let email = match &data.email {
+        Some(email) if !email.is_empty() => Some(email),
+        _ => None,
+    };
+    let user = if let Some(email) = email {
+        let Some(master_password_hash) = &data.master_password_hash else {
+            err!("No password hash has been submitted.")
+        };

-    send_token(&user.uuid, &conn).await?;
+        let Some(user) = User::find_by_mail(email, &conn).await else {
+            err!("Username or password is incorrect. Try again.")
+        };

-    Ok(())
+        // Check password
+        if !user.check_valid_password(master_password_hash) {
+            err!("Username or password is incorrect. Try again.")
+        }
+
+        user
+    } else {
+        // SSO login only sends device id, so we get the user by the most recently used device
+        let Some(user) = User::find_by_device_for_email2fa(&data.device_identifier, &conn).await else {
+            err!("Username or password is incorrect. Try again.")
+        };
+
+        user
+    };
+
+    send_token(&user.uuid, &conn).await
 }

 /// Generate the token, save the data for later verification and send email to user