diff --git a/changelog/15469.txt b/changelog/15469.txt
new file mode 100644
index 000000000..ec873476c
--- /dev/null
+++ b/changelog/15469.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth: forward cached MFA auth response to the leader using RPC instead of forwarding all login requests
+```
diff --git a/vault/request_handling.go b/vault/request_handling.go
index c3f03c887..74f6957ae 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1517,12 +1517,6 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 }
 }
 } else if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) == 0 {
-// two-phase login MFA requests should be forwarded
-// to the active node, as the validation should only
-// happen in that node
-if c.perfStandby {
-return nil, nil, logical.ErrPerfStandbyPleaseForward
-}
 mfaRequestID, err := uuid.GenerateUUID()
 if err != nil {
 return nil, nil, err
@@ -1552,7 +1546,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 TimeOfStorage: time.Now(),
 RequestID: mfaRequestID,
 }
-err = c.SaveMFAResponseAuth(respAuth)
+err = possiblyForwardSaveCachedAuthResponse(ctx, c, respAuth)
 if err != nil {
 return nil, nil, err
 }
diff --git a/vault/request_handling_util.go b/vault/request_handling_util.go
index 42c1327f6..ff0a291aa 100644
--- a/vault/request_handling_util.go
+++ b/vault/request_handling_util.go
@@ -59,3 +59,12 @@ var errCreateEntityUnimplemented = "create entity unimplemented in the server"
 func possiblyForwardEntityCreation(ctx context.Context, c *Core, inErr error, auth *logical.Auth, entity *identity.Entity) (*identity.Entity, error) {
 return entity, inErr
 }
+
+func possiblyForwardSaveCachedAuthResponse(ctx context.Context, c *Core, respAuth *MFACachedAuthResponse) error {
+err := c.SaveMFAResponseAuth(respAuth)
+if err != nil {
+return err
+}
+
+return nil
+}
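Review bot: Dropping the `c.perfStandby` guard in the first request_handling.go hunk means a performance standby now generates `mfaRequestID` and builds the cached auth response locally, so the correctness of two-phase MFA rests entirely on `possiblyForwardSaveCachedAuthResponse` (the call introduced in the second hunk) getting that cached response to the active node; the implementation added in request_handling_util.go writes to the local cache only, so presumably a separate build variant supplies the forwarding behaviour. The deleted comment was the only place that recorded why the cached response must live on the active node, and with it gone a reader of the login path has no hint that the helper is load-bearing on standbys. Keeping that reasoning at the call site would help, e.g. `// Two-phase MFA validation happens on the active node; possiblyForwardSaveCachedAuthResponse is responsible for getting the cached response there when this node is a performance standby.` handleLoginRequest begins and ends outside these hunks.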
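Review bot: `possiblyForwardSaveCachedAuthResponse` in request_handling_util.go has no doc comment and its body does not forward anything — it saves to the local cache and never uses `ctx` — so a reader cannot tell whether the absent forwarding is an oversight or a deliberate stub in the style of `possiblyForwardEntityCreation` directly above it. A comment stating that this variant persists the response locally, that the forwarding behaviour (if that is the design) lives in another build, and that `ctx` is retained for signature parity would settle that. The `err := ...; if err != nil { return err }; return nil` sequence can also collapse to `return c.SaveMFAResponseAuth(respAuth)`, which returns the identical error value.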