Merge pull request #14 from devforth/AdminForth/968

ivictbor · web-flow · commit 6150802f0fb5 · 2025-10-29T13:33:16.000+02:00
fix: allow to skip 2FA reauthorization if users role mentioned in use…
diff --git a/index.ts b/index.ts
@@ -27,6 +27,33 @@ export default class TwoFactorsAuthPlugin extends AdminForthPlugin {
     return `single`;
   }
 
+  public async checkIfSkipSetupAllowSkipVerify(adminUser: AdminUser): Promise<{ skipAllowed: boolean }> {
+    if (this.options.usersFilterToAllowSkipSetup) {
+      const res = await this.options.usersFilterToAllowSkipSetup(adminUser); // recieve result of usersFilterToAllowSkipSetup
+      if (res === false) { // if false, user is not allowed to skip anyway, so doesn't matter if they have 2FA set up or not
+        return { skipAllowed: false };
+      }
+      
+      //recieve user's record
+      const usersResource = this.adminforth.config.resources.find(r => r.resourceId === this.adminforth.config.auth.usersResourceId);
+      const usersPrimaryKeyColumn = usersResource.columns.find((col) => col.primaryKey);
+      const userPkFieldName = usersPrimaryKeyColumn.name;
+      const userRecord = await this.adminforth.resource(this.adminforth.config.auth.usersResourceId).get([Filters.EQ(userPkFieldName, adminUser.pk)])
+
+      //check if user has 2FA set up
+      const users2FASecret = userRecord[this.options.twoFaSecretFieldName];
+      //check if user has any passkeys registered
+      const passkeys = await this.adminforth.resource(this.options.passkeys.credentialResourceID).list( [Filters.EQ(this.options.passkeys.credentialUserIdFieldName, adminUser.dbUser[userPkFieldName])] );
+
+      // If user has either 2FA secret or any passkeys, they cannot skip
+      if (users2FASecret || (passkeys && passkeys.length > 0)) {
+        return { skipAllowed: false };
+      }
+      return { skipAllowed: res };
+    }
+    return { skipAllowed: false };
+  }
+
   public async verify(
     confirmationResult: Record<string, any>,
     opts?: { adminUser?: AdminUser; userPk?: string; cookies?: any }
@@ -38,6 +65,12 @@ export default class TwoFactorsAuthPlugin extends AdminForthPlugin {
         return { ok: true };
       }
     }
+    if (this.options.usersFilterToAllowSkipSetup) {
+      const res = await this.checkIfSkipSetupAllowSkipVerify(opts.adminUser);
+      if ( res.skipAllowed === true ) {
+        return { ok: true };
+      }
+    }
     if (confirmationResult.mode === "totp") {
       const code = confirmationResult.result;
       const authRes = this.adminforth.config.resources
@@ -553,6 +586,12 @@ export default class TwoFactorsAuthPlugin extends AdminForthPlugin {
             return { skipAllowed: true };
           }
         }
+        if ( this.options.usersFilterToAllowSkipSetup ) {
+          const res = await this.checkIfSkipSetupAllowSkipVerify(adminUser);
+          if ( res.skipAllowed === true ) {
+            return { skipAllowed: true };
+          }
+        }
         return { skipAllowed: false };
       },
     });
