99import jakarta .validation .Valid ;
1010import myconext .exceptions .ExpiredAuthenticationException ;
1111import myconext .exceptions .ForbiddenException ;
12+ import myconext .exceptions .NotAcceptableException ;
1213import myconext .exceptions .UserNotFoundException ;
1314import myconext .manage .Manage ;
1415import myconext .model .SamlAuthenticationRequest ;
@@ -231,7 +232,7 @@ public ResponseEntity<GeneratedBackupCode> generateBackupCode(
231232 private ResponseEntity <GeneratedBackupCode > doGenerateBackupCode (User user , boolean regenerateSpFlow ) throws TiqrException {
232233 if (!regenerateSpFlow ) {
233234 Registration registration = registrationRepository .findRegistrationByUserId (user .getId ()).orElseThrow (IllegalArgumentException ::new );
234- if (! registration .getStatus ().equals (RegistrationStatus .INITIALIZED )) {
235+ if (registration .getStatus ().equals (RegistrationStatus .FINALIZED )) {
235236 throw new ForbiddenException ("Forbidden backup code, wrong status: " + registration .getStatus ());
236237 }
237238 }
@@ -260,7 +261,7 @@ public ResponseEntity<FinishEnrollment> sendPhoneCodeForSp(HttpServletRequest re
260261 @ Valid @ RequestBody PhoneCode phoneCode ) {
261262 User user = userFromAuthentication (authentication );
262263 String phoneNumber = phoneCode .getPhoneNumber ();
263- return doSendPhoneCode (user , phoneNumber , false , request );
264+ return doSendPhoneCode (user , phoneNumber , false , false , request );
264265 }
265266
266267 @ Operation (summary = "Send new phone code" , description = "Send a new verification code to mobile phone for a finished authentication" )
@@ -275,7 +276,7 @@ public ResponseEntity<FinishEnrollment> resendPhoneCodeForSp(HttpServletRequest
275276 }
276277 User user = userFromAuthentication (secAuthentication );
277278 String phoneNumber = phoneCode .getPhoneNumber ();
278- return doSendPhoneCode (user , phoneNumber , true , request );
279+ return doSendPhoneCode (user , phoneNumber , true , true , request );
279280 }
280281
281282 @ PostMapping ("/send-phone-code" )
@@ -285,10 +286,23 @@ public ResponseEntity<FinishEnrollment> sendPhoneCode(HttpServletRequest request
285286 @ RequestBody Map <String , String > requestBody ) {
286287 User user = getUserFromAuthenticationRequest (hash );
287288 String phoneNumber = requestBody .get ("phoneNumber" );
288- return doSendPhoneCode (user , phoneNumber , false , request );
289- }
289+ return doSendPhoneCode (user , phoneNumber , false , false , request );
290+ }
291+
292+ private ResponseEntity <FinishEnrollment > doSendPhoneCode (User user ,
293+ String phoneNumber ,
294+ boolean regenerateSpFlow ,
295+ boolean deactivationFlow ,
296+ HttpServletRequest request ) {
297+ Registration registration = registrationRepository .findRegistrationByUserId (user .getId ()).orElseThrow (IllegalArgumentException ::new );
298+ //When the 1st factor is compromised, then it is not allowed to reset MFA
299+ if (deactivationFlow && !registration .getStatus ().equals (RegistrationStatus .FINALIZED )) {
300+ throw new NotAcceptableException ("Not allowed to resend phone code, registration is not finalized" );
301+ }
302+ if (!deactivationFlow && registration .getStatus ().equals (RegistrationStatus .FINALIZED )) {
303+ throw new NotAcceptableException ("Not allowed to send phone code, registration is already finalized" );
304+ }
290305
291- private ResponseEntity <FinishEnrollment > doSendPhoneCode (User user , String phoneNumber , boolean regenerateSpFlow , HttpServletRequest request ) {
292306 rateLimitEnforcer .checkSendSMSRateLimit (user );
293307
294308 LOG .info (String .format ("Sending SMS for user %s to number %s" , user .getEmail (), phoneNumber ));
@@ -300,6 +314,8 @@ private ResponseEntity<FinishEnrollment> doSendPhoneCode(User user, String phone
300314 Map <String , Object > surfSecureId = user .getSurfSecureId ();
301315 surfSecureId .put (PHONE_VERIFICATION_CODE , phoneVerification );
302316 surfSecureId .remove (RATE_LIMIT );
317+ //Can't have both
318+ surfSecureId .remove (RECOVERY_CODE );
303319
304320 if (regenerateSpFlow ) {
305321 surfSecureId .put (NEW_UNVERIFIED_PHONE_NUMBER , phoneNumber );
@@ -603,7 +619,7 @@ public ResponseEntity<FinishEnrollment> sendDeactivationPhoneCodeForSp(HttpServl
603619 if (!StringUtils .hasText (phoneNumber )) {
604620 throw new ForbiddenException ("Forbidden empty phone number" );
605621 }
606- return doSendPhoneCode (user , phoneNumber , false , request );
622+ return doSendPhoneCode (user , phoneNumber , false , true , request );
607623 }
608624
609625 @ Operation (summary = "De-activate the app" , description = "De-activate the eduID app for the current user" )
0 commit comments