Session upgrade does not work with 2FA
Concerned version
Version: %2.0
Platform: Nginx + Debian
Summary
- Configure authentication choice with two demo modules
- name them "strong" and "weak"
- Configure any 2F module with
- condition: $_choice eq "strong"
- authentication level: 5
- Configure test1.example.com to require authentication level 3
- Login with the "weak" choice
- Browse to test1.example.com
- Accept session upgrade
- Select "strong" authentication choice
- 2F window appears
- Fill in 2F token
- Your session does not get updated. Depending on whether or not #1821 (closed) happens, you either go back to the portal or go back to the "Session upgrade" prompt
Possible fixes
The problem is that when you POST your credentials to /sessionupgrade, you are being redirected to /*2fcheck, but since you already have a session, there are no corresponding authenticated routes. So you end up back on the portal, with the same authentication level as before.
Adding Authenticated routes to /*2fcheck seems to take care of the issue, see the attached PR. I'm not entirely sure this is the right approach.
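
A simplified model of the routing behaviour described in this report, added here as an illustration; it is not the project's code and not the attached PR. It assumes the portal selects a route table by whether the request already has a session; the class, function and route-table names, the "weak" level of 1 and the token value are hypothetical.

```python
# Simplified model (assumption): the portal picks a route table by whether the
# request already carries a session. Not the project's code; names are hypothetical.
WEAK_LEVEL, STRONG_LEVEL, REQUIRED_LEVEL = 1, 5, 3  # WEAK_LEVEL is assumed
VALID_TOKEN = "123456"  # constructed sample value


class Portal:
    def __init__(self, register_auth_2fcheck):
        self.unauth_routes = {"2fcheck": self.check_2f}
        self.auth_routes = {"sessionupgrade": self.session_upgrade}
        if register_auth_2fcheck:
            # The fix discussed above: expose the 2F check to authenticated requests too.
            self.auth_routes["2fcheck"] = self.check_2f

    def dispatch(self, path, session, form):
        table = self.unauth_routes if session is None else self.auth_routes
        # No route in this table: fall back to the portal page.
        return table.get(path, self.portal_home)(session, form)

    def portal_home(self, session, form):
        return "portal", session

    def session_upgrade(self, session, form):
        if form.get("choice") == "strong":
            return "redirect:2fcheck", session
        return "portal", session

    def check_2f(self, session, form):
        if form.get("token") != VALID_TOKEN:
            return "2f_failed", session  # level must not change on a bad token
        return "upgraded", dict(session or {}, level=STRONG_LEVEL)


def upgrade_flow(portal, token=VALID_TOKEN):
    """Replay the steps from the report; return (outcome, level, access_granted)."""
    session = {"user": "demo", "level": WEAK_LEVEL}  # logged in with "weak"
    outcome, session = portal.dispatch("sessionupgrade", session, {"choice": "strong"})
    if outcome == "redirect:2fcheck":
        outcome, session = portal.dispatch("2fcheck", session, {"token": token})
    return outcome, session["level"], session["level"] >= REQUIRED_LEVEL


if __name__ == "__main__":
    print("before:", upgrade_flow(Portal(register_auth_2fcheck=False)))
    print("after: ", upgrade_flow(Portal(register_auth_2fcheck=True)))
    print("bad token:", upgrade_flow(Portal(True), token="000000"))
```

The third call is the regression check worth keeping alongside such a fix: once the 2F check is reachable with an existing session, a failed token must leave the session at its previous level.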