From 35a321c1d2afbd1a56ce14003ec8c57375ad8e27 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Thu, 11 Jun 2026 18:28:12 +0200
Subject: [PATCH] providers/ldap: remove incorrect validation for code authenticator extraction

Signed-off-by: Jens Langhammer
---
 internal/outpost/flow/solvers_mfa.go | 22 +++-------------------
 1 file changed, 3 insertions(+), 19 deletions(-)

diff --git a/internal/outpost/flow/solvers_mfa.go b/internal/outpost/flow/solvers_mfa.go
index 30de3e3718..62ba160961 100644
--- a/internal/outpost/flow/solvers_mfa.go
+++ b/internal/outpost/flow/solvers_mfa.go
@@ -1,15 +1,11 @@
 package flow

 import (
- "regexp"
- "strconv"
 "strings"
 )

 const CodePasswordSeparator = ";"

-var alphaNum = regexp.MustCompile(`^[a-zA-Z0-9]*$`)
-
 // Sets the secret answers for the flow executor for protocols that only support username/password
 // according to used options
 func (fe *FlowExecutor) SetSecrets(password string, mfaCodeBased bool) {
@@ -33,21 +29,9 @@ func (fe *FlowExecutor) SetSecrets(password string, mfaCodeBased bool) {
 }
 idx := strings.LastIndex(password, CodePasswordSeparator)
 authenticator := password[idx+1:]
- // Authenticator is either 6 chars (totp code) or 8 chars (long totp or static)
- if len(authenticator) == 6 {
- // authenticator answer isn't purely numerical, so won't be value
- if _, err := strconv.Atoi(authenticator); err != nil {
- return
- }
- } else if len(authenticator) == 8 {
- // 8 chars can be a long totp or static token, so it needs to be alphanumerical
- if !alphaNum.MatchString(authenticator) {
- return
- }
- } else {
- // Any other length, doesn't contain an answer
- return
- }
+ // Authenticator is either 6 / 8 digits (TOTP) or any length (static code)
+ // and as a result we can't really validate whether what we've
+ // extracted is a valid recovery code.
 fe.Answers[StagePassword] = password[:idx]
 fe.Answers[StageAuthenticatorValidate] = authenticator
 }
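Review bot: With the length and charset check gone, every password that reaches `idx := strings.LastIndex(password, CodePasswordSeparator)` in the second hunk is split at its last `;`, so a password whose own text contains `;` is now always truncated and its tail stored as the `StageAuthenticatorValidate` answer. The removed code returned early unless the tail was 6 digits or 8 alphanumeric characters, which kept that collision rare. The new comment should state this trade-off for operators, e.g. `// NOTE: any password containing ";" is split here; the text after the last ";" is submitted as the MFA answer.` The two slice expressions also depend on `idx >= 0` and a non-empty tail. SetSecrets starts above this hunk and those guards are not visible here, so confirm they exist or add `if idx < 0 || idx == len(password)-1 { return }` before `authenticator := password[idx+1:]`.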