fix handling for 2FA device approval via Duo Push (#42)

Keeper-Security · Feb 7, 2024 · 6a7c943 · 6a7c943
1 parent 0c11534
commit 6a7c943
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/keeperapi/package-lock.json b/keeperapi/package-lock.json
diff --git a/keeperapi/package.json b/keeperapi/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@keeper-security/keeperapi",
   "description": "Keeper API Javascript SDK",
-  "version": "16.0.52",
+  "version": "16.0.53",
   "browser": "dist/index.es.js",
   "main": "dist/index.cjs.js",
   "types": "dist/node/index.d.ts",

diff --git a/keeperapi/src/auth.ts b/keeperapi/src/auth.ts
@@ -684,14 +684,19 @@ export class Auth {
 
             const processPushNotification = (wssRs: Record<string, any>) => {
                 if (wssRs.event === 'received_totp') {
-                    const token = wssRs.encryptedLoginToken ? normal64Bytes(wssRs.encryptedLoginToken) : loginToken
-                    if (wssRs.passcode) {
+                    // Duo
+                    if (wssRs.encryptedLoginToken) {
+                        const token = normal64Bytes(wssRs.encryptedLoginToken)
+                        resumeWithToken(token)
+                    }
+                    // DNA
+                    else if (wssRs.passcode) {
                         const tfaChannel = channels.find(x => x.channel === DeviceVerificationMethods.TFA)
                         if (tfaChannel && tfaChannel.validateCode) {
                             tfaChannel.validateCode(wssRs.passcode)
                         }
                     } else {
-                        resumeWithToken(token)
+                        // do nothing, we don't leak rejection during device approvals
                     }
                 } else if (wssRs.message === 'device_approved') {
                     if (wssRs.approved) {
@@ -871,10 +876,13 @@ export class Auth {
 
             const processPushNotification = (wssRs: Record<string, any>) => {
                 if (wssRs.event === 'received_totp') {
+                    // Duo
                     if (wssRs.encryptedLoginToken) {
                         const token = normal64Bytes(wssRs.encryptedLoginToken)
                         resumeWithToken(token)
-                    } else if (wssRs.passcode) {
+                    }
+                    // DNA
+                    else if (wssRs.passcode) {
                         (async () => {
                             await submitCode(lastPushChannel, wssRs.passcode)
                         })()