From 77be41c83d01344e1f035e9aeb745500366f1049 Mon Sep 17 00:00:00 2001
From: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
Date: Tue, 17 May 2022 16:30:36 -0400
Subject: [PATCH] possibly forward cached MFA auth response to leader (#15469)

* possibly forward cached MFA auth response to leader

* adding CL
---
 changelog/15469.txt            | 3 +++
 vault/request_handling.go      | 8 +-------
 vault/request_handling_util.go | 9 +++++++++
 3 files changed, 13 insertions(+), 7 deletions(-)
 create mode 100644 changelog/15469.txt

diff --git a/changelog/15469.txt b/changelog/15469.txt
new file mode 100644
index 000000000..ec873476c
--- /dev/null
+++ b/changelog/15469.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth: forward cached MFA auth response to the leader using RPC instead of forwarding all login requests
+```
diff --git a/vault/request_handling.go b/vault/request_handling.go
index c3f03c887..74f6957ae 100644
--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@@ -1517,12 +1517,6 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 					}
 				}
 			} else if len(matchedMfaEnforcementList) > 0 && len(req.MFACreds) == 0 {
-				// two-phase login MFA requests should be forwarded
-				// to the active node, as the validation should only
-				// happen in that node
-				if c.perfStandby {
-					return nil, nil, logical.ErrPerfStandbyPleaseForward
-				}
 				mfaRequestID, err := uuid.GenerateUUID()
 				if err != nil {
 					return nil, nil, err
@@ -1552,7 +1546,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 					TimeOfStorage:         time.Now(),
 					RequestID:             mfaRequestID,
 				}
-				err = c.SaveMFAResponseAuth(respAuth)
+				err = possiblyForwardSaveCachedAuthResponse(ctx, c, respAuth)
 				if err != nil {
 					return nil, nil, err
 				}
diff --git a/vault/request_handling_util.go b/vault/request_handling_util.go
index 42c1327f6..ff0a291aa 100644
--- a/vault/request_handling_util.go
+++ b/vault/request_handling_util.go
@@ -59,3 +59,12 @@ var errCreateEntityUnimplemented = "create entity unimplemented in the server"
 func possiblyForwardEntityCreation(ctx context.Context, c *Core, inErr error, auth *logical.Auth, entity *identity.Entity) (*identity.Entity, error) {
 	return entity, inErr
 }
+
+func possiblyForwardSaveCachedAuthResponse(ctx context.Context, c *Core, respAuth *MFACachedAuthResponse) error {
+	err := c.SaveMFAResponseAuth(respAuth)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}