Do not let login message clobber MFA

4 years ago · c7f6172d56
parent f1bd6e1ad4
commit c7f6172d56
1 changed files with 12 additions and 2 deletions
--- a/app/controllers/api/v1/Auth.controller.js
+++ b/app/controllers/api/v1/Auth.controller.js
@ -608,7 +608,7 @@ class AuthController extends Controller {
        // If there are login messages, show those
        const LoginMessage = this.models.get('LoginMessage')
        const messages = await LoginMessage.for_user(user)
-        if ( messages.length > 0 ) {
+        if ( !req.trap.has_trap('mfa_challenge') && messages.length > 0 ) {
            await req.trap.begin('login_message', { session_only: true })
        }

@ -688,8 +688,18 @@ class AuthController extends Controller {
        if ( is_valid ) {
            if ( req.trap.has_trap('mfa_challenge') )
                await req.trap.end()
+
+            // If there are login messages, show those
+            const LoginMessage = this.models.get('LoginMessage')
+            const messages = await LoginMessage.for_user(req.user)
+            if ( messages.length > 0 ) {
+                await req.trap.begin('login_message', { session_only: true })
+            }
+
            next_destination = req.session.auth.flow || this.configs.get('auth.default_login_route')
-            delete req.session.auth.flow
+
+            if ( messages.length < 1 )
+                delete req.session.auth.flow
        }

        req.session.mfa_remember = true