Use Web MFA dialog for admin actions

[Joerger]

Changelog: Add MFA dialog in the WebUI for Admin actions instead of automatically opening up a webauthn/sso pop up.

Adds a global MFA context for prompting MFA from non-react contexts. Currently this is only used for admin actions, which prompts for MFA from basic API requests.

Depends on #49794

[ryanclark]

This recreates the object and sets it on every re-render

Suggested change

	const mfaCtx = {
	getAdminActionMfaResponse,
	useMfa,
	};
	auth.setMfaContext(mfaCtx);
	useEffect(() => {
	const mfaCtx = {
	getAdminActionMfaResponse,
	useMfa,
	};
	auth.setMfaContext(mfaCtx);
	}, [getAdminActionMfaResponse, useMfa]);

[gzdunek]

I'm afraid useEffect could be called too late. If we must do this (see my other comment) then I would try something like:

if (!auth.mfaContext) {
  const mfaCtx = {
        getAdminActionMfaResponse,
        useMfa,
      };
  auth.setMfaContext(mfaCtx);
}

[gzdunek]

Ah, we really shouldn't do this, but I see where it came from :/
It's soooo poor that auth and api are global objects that live outside of React scope, so there is no way to pass mfaContext as a dependency to them.

The main problem now is that we rely on this side effect, we need to ensure proper coordination so that this function is executed before the callsites attempt to use the value.
Did you consider passing that mfaCtx as a parameter to all the methods that need it? Is there a lot of them?

[Joerger]

Did you consider passing that mfaCtx as a parameter to all the methods that need it? Is there a lot of them?

Yeah, it will be needed for every api call so I was trying to avoid that. If it's necessary I can bite the bullet and try that way.

[Joerger]

There's only one callsite to auth.mfaContext. What if we added a conditional there?

 async getAdminActionMfaResponse(allowReuse?: boolean) {
    if (!mfaContext) return;
    return mfaContext.getAdminActionMfaResponse(allowReuse);
  },

[gzdunek]

Yeah, it will be needed for every api call so I was trying to avoid that. If it's necessary I can bite the bullet and try that way.

Then I think we have to stay with this side effect.

There's only one callsite to auth.mfaContext. What if we added a conditional there?

async getAdminActionMfaResponse(allowReuse?: boolean) {
if (!mfaContext) return;
return mfaContext.getAdminActionMfaResponse(allowReuse);
},

I think it makes sense, but I'd throw an error if there's no mfa context.

[Joerger]

Got it, I'll also add a 1 second timeout to try again before throwing the error.

[gzdunek]

Three levels of dialogs 💀

Maybe this one should be closed as soon as the user selects a method? I see an error in the background anyways and here I can't take any action.

[Joerger]

@gzdunek

Three levels of dialogs 💀

Yeah, it might be nice to do some type of moving flow like we do for device management. e.g. edit user -> verify your identity in the same dialog, with option to continue (mfa challenge) or back (edit user page with error telling user mfa is required).

Maybe this one should be closed as soon as the user selects a method? I see an error in the background anyways and here I can't take any action.

Thanks for pointing this out, the cancellation logic turned out to be pretty fragile and only worked well for per-session MFA with SSH sessions. I've fixed it so you should now see just one error at a time - 0149c12

Also, you should be able to retry or cancel in the mfa dialog. Let me know if you still get locked with my changes. useMfa isn't safe to be called multiple times at the same time, so it's possible you're running into the consequences of that somehow?

[gzdunek]

I'm not sure how this works. Don't we always throw resp? err is always undefined since we never reject the promise. So it seems that we always throw MfaChallengeResponse or Error.

In case you wanted to use the assertion resp as Error to check if resp is an error, then it can't work. This assertion exists only at the compile-time. I'd come back to rejecting the promise instead of resolving it with Error.

Also, you should be able to retry or cancel in the mfa dialog. Let me know if you still get locked with my changes. useMfa isn't safe to be called multiple times at the same time, so it's possible you're running into the consequences of that somehow?

I just tested this, and as I expected, we always throw an error (and there is no way to cancel or retry in the dialog)

mfa.error.mov

[Joerger]

Throwing the error inside of the useAsync method getReponse causes the error to appear in the AuthnDialog (Verify Identity) rather than the parent dialog, which is the issue I am trying to solve.

I misunderstood how the as operator works, I though it would work as a type switch, setting it to null | undefined if the type didn't match. Is the issue that the value is both of type MfaChallengeResponse | Error rather than any?

Anyways, it looks like this works instead:

if (resp instanceof Error) {
    throw resp;
}

Any issues with this?

[gzdunek]

There's a circular dependency here. auth depends on api and api depends on auth (I know that's not a new thing). Let me know if this doesn't make sense, but maybe it could be api responsibility to take care of MFA?
I can imagine that instead of manually calling auth.getAdminActionMfaResponse(true) in every place where we need the MFA response, we would do:

    return api
      .post(cfg.getAwsRdsDbsDeployServicesUrl(integrationName), req, null, {
        scope: 'admin-action',
        reusable: true
      })

And then api would call the mfa context.

[Joerger]

In some cases we need to reuse the same MFA response for multiple API calls, hence the reusable response:

const mfaResponse = await auth.getAdminActionMfaResponse(true);
    return ctx.userService
      .createUser(u, ExcludeUserField.Traits, mfaResponse)
      .then(result => setUsers([result, ...users]))
      .then(() =>
        ctx.userService.createResetPasswordToken(u.name, 'invite', mfaResponse)
      );

We could include an mfaContext in both auth and api instead?

[avatus]

@bl-nero take a look at this one when you get some time please