From c7f6172d56080e82699e77ff60c3efd80ee15b14 Mon Sep 17 00:00:00 2001 From: garrettmills Date: Wed, 12 Aug 2020 22:13:46 -0500 Subject: [PATCH] Do not let login message clobber MFA --- app/controllers/api/v1/Auth.controller.js | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/app/controllers/api/v1/Auth.controller.js b/app/controllers/api/v1/Auth.controller.js index 1346560..b8bba7b 100644 --- a/app/controllers/api/v1/Auth.controller.js +++ b/app/controllers/api/v1/Auth.controller.js @@ -608,7 +608,7 @@ class AuthController extends Controller { // If there are login messages, show those const LoginMessage = this.models.get('LoginMessage') const messages = await LoginMessage.for_user(user) - if ( messages.length > 0 ) { + if ( !req.trap.has_trap('mfa_challenge') && messages.length > 0 ) { await req.trap.begin('login_message', { session_only: true }) } @@ -688,8 +688,18 @@ class AuthController extends Controller { if ( is_valid ) { if ( req.trap.has_trap('mfa_challenge') ) await req.trap.end() + + // If there are login messages, show those + const LoginMessage = this.models.get('LoginMessage') + const messages = await LoginMessage.for_user(req.user) + if ( messages.length > 0 ) { + await req.trap.begin('login_message', { session_only: true }) + } + next_destination = req.session.auth.flow || this.configs.get('auth.default_login_route') - delete req.session.auth.flow + + if ( messages.length < 1 ) + delete req.session.auth.flow } req.session.mfa_remember = true
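Review bot: The `!req.trap.has_trap('mfa_challenge')` check in the first hunk protects the pending MFA challenge at this one call site only; the rule that nothing may replace an `mfa_challenge` trap is not enforced where traps are started. If `req.trap.begin()` replaces the active trap (the commit title suggests so, but its implementation is not in this diff), any other caller can reintroduce the same MFA skip, and the `req.trap.begin('login_message', …)` added in the second hunk likewise starts a trap without checking for a different active one. Consider having `begin()` refuse to replace `mfa_challenge`, or at minimum add a comment here such as `// never begin another trap while mfa_challenge is pending: it would replace the challenge`. The commit touches only this controller, so a regression test that signs in an MFA-enabled user with a pending login message and asserts the challenge is still required would be worth adding. The enclosing method starts and ends outside the hunk.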
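Review bot: The new `if ( messages.length < 1 ) delete req.session.auth.flow` in the second hunk leaves `req.session.auth.flow` in the session whenever a login message is pending, with no comment saying what removes it afterwards. Presumably the login-message handler consumes it once the message is dismissed, but that code is not in this diff; if it does not, the stored flow would be picked up as `next_destination` on a later sign-in. A comment such as `// keep auth.flow while login_message is pending; the login-message handler must clear it` would record that dependency, and braces around the one-line body would match the `if` block above it. The message lookup is also a copy of the block in the login path (first hunk), so a shared private method would keep the two from drifting apart. The enclosing method starts and ends outside the hunk.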