FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

[Bug]: Login Success failing transactional webhook doesn't stop an SSO session #2806

Open mooreds opened 4 months ago

mooreds commented 4 months ago

What happened?

This is behavior I would not expect, so I'm filing this issue.

If you set up a transactional webhook listening for the login success event and return a 500, it fails a login of authenticationType PASSWORD but not if the login event happens via SSO (authenticationType of PING).

To replicate:

You'll succeed. If you look at the network tab, you can see that the authorize path from FusionAuth is called.

I'd expect it to fail because a non-2xx status code is returned.

```php
<?php
require __DIR__ . '/config.php';
require __DIR__ . '/vendor/autoload.php';

// Raw body of the webhook request FusionAuth POSTs to this endpoint.
$input = file_get_contents('php://input');

$obj = json_decode($input);
if (!$obj || !isset($obj->event)) {
  error_log("Invalid JSON");
  http_response_code(400);
  return;
}

// Only the login success event is of interest; acknowledge everything else.
$type = $obj->event->type;
if ($type !== "user.login.success") {
  error_log("Sorry, we only handle login success events.");
  http_response_code(200);
  return;
}

/*
// Optional filter: only fail logins that arrived via SSO.
$authenticationType = $obj->event->authenticationType;
if ($authenticationType !== "PING") {
  error_log("Sorry, we only handle pings.");
  http_response_code(200);
  return;
}
*/

// Never veto logins to the FusionAuth admin UI application.
$applicationId = $obj->event->applicationId;
if ($applicationId == "3c219e58-ed0e-4b18-ad48-f4f92793ae32") {
  error_log("Never prevent login to FusionAuth admin UI");
  http_response_code(200);
  return;
}

// Any other login success event: return a non-2xx status so that the
// transactional webhook fails the login.
http_response_code(500);
?>
```

Version

1.51.1

Affects Versions

No response
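An added example, not part of the issue or of FusionAuth's code: a small Python client that replays constructed `user.login.success` payloads with `authenticationType` PASSWORD and PING at the webhook, and models the rule the reporter expects (any non-2xx response from a transactional webhook vetoes the login, whatever the authentication type). Running both shapes against the handler first confirms it answers 500 to both, which narrows the discrepancy to how FusionAuth treats the webhook result on the SSO path. `WEBHOOK_URL` and `SAMPLE_APP_ID` are placeholders; the admin UI application id is the one quoted in the issue.

```python
"""Replay login success events at a transactional webhook and model the
expected veto rule. Added example; assumptions are marked in comments."""
import json
import urllib.error
import urllib.request

# Placeholder: where the PHP handler from the issue is deployed (assumption).
WEBHOOK_URL = "http://localhost:8080/webhook.php"
# Admin UI application id as quoted in the issue.
ADMIN_APP_ID = "3c219e58-ed0e-4b18-ad48-f4f92793ae32"
# Constructed application id for an ordinary application.
SAMPLE_APP_ID = "00000000-0000-0000-0000-00000000abcd"


def login_event(authentication_type, application_id=SAMPLE_APP_ID):
    """Build a constructed user.login.success payload with the fields the
    issue's handler reads (event.type, event.authenticationType,
    event.applicationId)."""
    return {
        "event": {
            "type": "user.login.success",
            "authenticationType": authentication_type,
            "applicationId": application_id,
        }
    }


def webhook_status(payload):
    """Same decision the issue's PHP handler makes, as a pure function so the
    two event shapes can be compared offline: 400 for a malformed body, 200
    for other event types and for the admin UI, 500 for every other login."""
    event = payload.get("event") if isinstance(payload, dict) else None
    if not isinstance(event, dict):
        return 400
    if event.get("type") != "user.login.success":
        return 200
    if event.get("applicationId") == ADMIN_APP_ID:
        return 200
    return 500


def login_allowed(webhook_statuses):
    """Rule the reporter expects: the login proceeds only if every
    transactional webhook answered with a 2xx status."""
    return all(200 <= status < 300 for status in webhook_statuses)


def expected_outcomes():
    """Expected result per authentication type: both logins should be vetoed,
    since the handler returns 500 regardless of authenticationType."""
    return {
        auth_type: login_allowed([webhook_status(login_event(auth_type))])
        for auth_type in ("PASSWORD", "PING")
    }


def post_event(payload, url=WEBHOOK_URL):
    """POST a payload to the deployed handler and return its HTTP status,
    treating error statuses as results rather than exceptions."""
    body = json.dumps(payload).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Fire both event shapes at the real handler; both should come back 500.
    for auth_type in ("PASSWORD", "PING"):
        print(auth_type, "->", post_event(login_event(auth_type)))
```

If both replies are 500 but only the PASSWORD login is actually blocked, the webhook is behaving consistently and the difference lies in the SSO login path on the FusionAuth side, which is what the issue reports.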

mooreds commented 4 months ago

If we fix this, we should update this doc: https://github.com/FusionAuth/fusionauth-site/pull/3148

jobannon commented 2 months ago

related? https://github.com/FusionAuth/fusionauth-issues/issues/2643