Description
Checklist
- I have looked into the Readme and Examples, and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
There is an API that is supposed to update all MFA factors for a given user. Here is the URL to the documentation: https://auth0.com/docs/api/management/v2#!/Users/put_authentication_methods
First of all, the documentation itself is invalid. It has an example with a payload that is an object "{}"; however, if you send an object to the API, it will respond with an error:
Auth0::BadRequest ({"statusCode":400,"error":"Bad Request","message":"Payload validation error: 'Expected type array but found type object'.","errorCode":"invalid_body"})
Okay, but now if we send an array instead, it will be sent to the API as an empty body. Moreover, the payload argument will be mutated. This is due to how the HTTPProxy mixin works (auth0/mixins/httpproxy.rb):
    %i(get post post_file put patch delete delete_with_body).each do |method|
      define_method(method) do |uri, body = {}, extra_headers = {}|
        body = body.delete_if { |_, v| v.nil? }
        token = get_token()
        authorization_header(token) unless token.nil?
        request_with_retry(method, uri, body, extra_headers)
      end
    end
Take a look at this line:
    body = body.delete_if { |_, v| v.nil? }
Since body is an Array and not a Ruby Hash, all elements will be filtered out here, the original array will be mutated, and an empty body will be sent to the API. This is definitely a bug that needs to be fixed.
There is a similar issue listed here, but it's a bit different: #309
I think the line should be changed to be something like:
body = body.dup.delete_if { |_, v| v.nil? } if body.kind_of?(Hash)
Reproduction
Request:
auth0_payload = {"type"=>"totp", "totp_secret"=>"MY_SECRET_ENCODED_IN_BASE32"}
auth0_client.update_all_user_authentication_methods(user.idp_sub, auth0_payload)
Error
Auth0::BadRequest ({"statusCode":400,"error":"Bad Request","message":"Payload validation error: 'Expected type array but found type object'.","errorCode":"invalid_body"})
OR if you do the following:
auth0_payload = [{"type"=>"totp", "totp_secret"=>"MY_SECRET_ENCODED_IN_BASE32"}]
auth0_client.update_all_user_authentication_methods(user.idp_sub, auth0_payload)
it will make auth0_payload become an empty array, and an empty body will be sent to the API.
Additional context
No response
ruby-auth0 version
5.12.0
Ruby version
2.7.2+ (doesn't really matter)
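The behaviour reported in this issue can be reproduced without the SDK or network access. The following is an added example, not code from ruby-auth0 or from the issue author; `strip_nils_buggy`, `strip_nils_safe`, `run` and the sample payloads are hypothetical names and constructed values.

```ruby
require 'json'

# Same filter as the line quoted from auth0/mixins/httpproxy.rb: a
# two-parameter block run against `body`, mutating it in place.
def strip_nils_buggy(body)
  body.delete_if { |_, v| v.nil? }
end

# Hypothetical replacement: filter only Hashes and return a copy, so Array
# payloads pass through untouched and the caller's object is never mutated.
def strip_nils_safe(body)
  body.is_a?(Hash) ? body.reject { |_, v| v.nil? } : body
end

# Constructed payloads (the secret is a placeholder, not a real TOTP seed).
def sample_array
  [{ 'type' => 'totp', 'totp_secret' => 'CONSTRUCTED_BASE32_SECRET' }]
end

def sample_hash
  { 'type' => 'totp', 'name' => nil }
end

# Returns the JSON that would go on the wire and the caller's object afterwards.
def run(filter, payload)
  sent = send(filter, payload)
  { wire: JSON.generate(sent), caller_payload: payload }
end

if __FILE__ == $PROGRAM_NAME
  # Array element is a Hash, so the block binds |_, v| = (hash, nil): every
  # element looks "nil-valued" and is deleted.
  puts "buggy, array: #{run(:strip_nils_buggy, sample_array)}"
  puts "safe,  array: #{run(:strip_nils_safe, sample_array)}"
  puts "safe,  hash:  #{run(:strip_nils_safe, sample_hash)}"
end
```

A regression test for the SDK would assert both properties shown here: the serialized body still contains the array elements, and the object passed in by the caller is unchanged after the call.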