teamhanko · shentschel · May 21, 2024 · May 30, 2024 · Jun 6, 2024 · Jun 20, 2024
diff --git a/server/api/dto/request/requests.go b/server/api/dto/request/requests.go
@@ -97,5 +97,5 @@ type InitLoginDto struct {
 }
 
 type InitMfaLoginDto struct {
-	UserId *string `json:"user_id" validate:"required,min=1"`
+	UserId string `json:"user_id" validate:"required,min=1"`
 }
diff --git a/server/api/handler/admin/user.go b/server/api/handler/admin/user.go
@@ -32,9 +32,16 @@ func NewUserHandler(persister persistence.Persister) UserHandler {
 
 func (uh *userHandler) List(ctx echo.Context) error {
 	var request adminRequest.UserListRequest
-	err := (&echo.DefaultBinder{}).BindQueryParams(ctx, &request)
+	err := ctx.Bind(&request)
 	if err != nil {
-		return echo.NewHTTPError(http.StatusBadRequest, "unable to parse request")
+		ctx.Logger().Error(err)
+		return echo.NewHTTPError(http.StatusBadRequest, "unable to list users").SetInternal(err)
+	}
+
+	err = ctx.Validate(&request)
+	if err != nil {
+		ctx.Logger().Error(err)
+		return echo.NewHTTPError(http.StatusBadRequest, "unable to list users").SetInternal(err)
 	}
 
 	if request.Page == 0 {
@@ -92,12 +99,12 @@ func (uh *userHandler) Get(ctx echo.Context) error {
 
 	userIdString := ctx.Param("user_id")
 	if userIdString == "" {
-		return echo.NewHTTPError(http.StatusBadRequest, "missing user_id")
+		return echo.NewHTTPError(http.StatusBadRequest, "user_id must be a valid uuid4")
 	}
 
 	userId, err := uuid.FromString(userIdString)
 	if err != nil {
-		return echo.NewHTTPError(http.StatusBadRequest, "invalid user_id")
+		return echo.NewHTTPError(http.StatusBadRequest, "user_id must be a valid uuid4")
 	}
 
 	return uh.persister.GetConnection().Transaction(func(tx *pop.Connection) error {
@@ -126,12 +133,12 @@ func (uh *userHandler) Remove(ctx echo.Context) error {
 
 	userIdString := ctx.Param("user_id")
 	if userIdString == "" {
-		return echo.NewHTTPError(http.StatusBadRequest, "missing user_id")
+		return echo.NewHTTPError(http.StatusBadRequest, "user_id must be a valid uuid4")
 	}
 
 	userId, err := uuid.FromString(userIdString)
 	if err != nil {
-		return echo.NewHTTPError(http.StatusBadRequest, "invalid user_id")
+		return echo.NewHTTPError(http.StatusBadRequest, "user_id must be a valid uuid4")
 	}
 
 	return uh.persister.GetConnection().Transaction(func(tx *pop.Connection) error {

diff --git a/server/api/handler/credentials.go b/server/api/handler/credentials.go
@@ -42,13 +42,26 @@ func (credHandler *credentialsHandler) List(ctx echo.Context) error {
 		return err
 	}
 
-	service := services.NewCredentialService(ctx, *h.Tenant, credHandler.persister.GetWebauthnCredentialPersister(nil))
-	dtos, err := service.List(*requestDto)
-	if err != nil {
-		return err
-	}
+	return credHandler.persister.Transaction(func(tx *pop.Connection) error {
+		user, err := credHandler.persister.GetWebauthnUserPersister(tx).GetByUserId(requestDto.UserId, h.Tenant.ID)
+		if err != nil {
+			ctx.Logger().Error(err)
+			return echo.NewHTTPError(http.StatusInternalServerError, "Unable to get credentials for user").SetInternal(err)
+		}
+
+		if user == nil {
+			return echo.NewHTTPError(http.StatusNotFound, "User not found")
+		}
+
+		service := services.NewCredentialService(ctx, *h.Tenant, credHandler.persister.GetWebauthnCredentialPersister(tx))
+		dtos, err := service.List(*requestDto)
+		if err != nil {
+			return err
+		}
+
+		return ctx.JSON(http.StatusOK, dtos)
+	})
 
-	return ctx.JSON(http.StatusOK, dtos)
 }
 
 func (credHandler *credentialsHandler) Update(ctx echo.Context) error {

diff --git a/server/api/handler/mfa_login.go b/server/api/handler/mfa_login.go
@@ -48,20 +48,20 @@ func (lh *mfaLoginHandler) Init(ctx echo.Context) error {
 			Ctx:                 ctx,
 			Tenant:              *h.Tenant,
 			WebauthnClient:      *h.WebauthnClient,
-			UserId:              dto.UserId,
+			UserId:              &dto.UserId,
 			UserPersister:       userPersister,
 			SessionPersister:    sessionPersister,
 			CredentialPersister: credentialPersister,
 			UseMFA:              true,
 		})
 
 		credentialAssertion, err := service.Initialize()
-		err = lh.handleError(h.AuditLog, models.AuditLogMfaAuthenticationInitFailed, tx, ctx, dto.UserId, nil, err)
+		err = lh.handleError(h.AuditLog, models.AuditLogMfaAuthenticationInitFailed, tx, ctx, &dto.UserId, nil, err)
 		if err != nil {
 			return err
 		}
 
-		auditErr := h.AuditLog.CreateWithConnection(tx, models.AuditLogMfaAuthenticationInitSucceeded, dto.UserId, nil, nil)
+		auditErr := h.AuditLog.CreateWithConnection(tx, models.AuditLogMfaAuthenticationInitSucceeded, &dto.UserId, nil, nil)
 		if auditErr != nil {
 			ctx.Logger().Error(auditErr)
 			return fmt.Errorf(auditlog.CreationFailureFormat, auditErr)