fix: Respect the --no-allow-passwordless flag (#49934)
codingllama authored Dec 9, 2024
1 parent 03077a4 commit 9f16c3e
Showing 1 changed file with 10 additions and 8 deletions.
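--- a/tool/tsh/common/mfa.go
+++ b/tool/tsh/common/mfa.go
@@ -197,12 +197,14 @@ type mfaAddCommand struct {
 devName string
 devType string
 
-// allowPasswordless is initially true if --allow-passwordless is set, false
-// if not explicitly requested.
-// It can only be set by users if wancli.IsFIDO2Available() is true.
+// allowPasswordless and allowPasswordlessSet hold the state of the
+// --(no-)allow-passwordless flag.
+//
+// allowPasswordless can only be set by users if wancli.IsFIDO2Available() is
+// true.
 // Note that Touch ID registrations are always passwordless-capable,
 // regardless of other settings.
-allowPasswordless bool
+allowPasswordless, allowPasswordlessSet bool
 }
 
 func newMFAAddCommand(parent *kingpin.CmdClause) *mfaAddCommand {
@@ -213,7 +215,9 @@ func newMFAAddCommand(parent *kingpin.CmdClause) *mfaAddCommand {
 c.Flag("type", fmt.Sprintf("Type of the new MFA device (%s)", strings.Join(defaultDeviceTypes, ", "))).
 EnumVar(&c.devType, defaultDeviceTypes...)
 if wancli.IsFIDO2Available() {
-c.Flag("allow-passwordless", "Allow passwordless logins").BoolVar(&c.allowPasswordless)
+c.Flag("allow-passwordless", "Allow passwordless logins").
+IsSetByUser(&c.allowPasswordlessSet).
+BoolVar(&c.allowPasswordless)
 }
 return c
 }
@@ -265,9 +269,7 @@ func (c *mfaAddCommand) run(cf *CLIConf) error {
 switch c.devType {
 case webauthnDeviceType:
 // Ask the user?
-// c.allowPasswordless=false at this point only means that the flag wasn't
-// explicitly set.
-if !c.allowPasswordless && wancli.IsFIDO2Available() {
+if !c.allowPasswordlessSet && wancli.IsFIDO2Available() {
 answer, err := prompt.PickOne(ctx, os.Stdout, prompt.Stdin(), "Allow passwordless logins", []string{"YES", "NO"})
 if err != nil {
 return trace.Wrap(err)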
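Review bot: The `// Ask the user?` comment left above the rewritten condition in run no longer explains when the prompt fires now that the check keys on allowPasswordlessSet rather than the flag's value; I'd replace it with `// Prompt only when neither --allow-passwordless nor --no-allow-passwordless was given explicitly.` so the next reader does not reintroduce the old value-based check. The help text registered in newMFAAddCommand, `"Allow passwordless logins"`, also gives no hint that the negated form is what opts out of the prompt, which is the behaviour this fix makes meaningful; `"Allow passwordless logins (--no-allow-passwordless opts out without prompting)"` would document it where users look. This assumes kingpin derives the --no- form for BoolVar flags automatically, which the hunk itself does not show. The body of run continues past the hunk, so I cannot confirm from here that the prompt branch writes the answer back to c.allowPasswordless.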
