From fcb06a131baee583b4cbe959a31b801d2fa94cff Mon Sep 17 00:00:00 2001
From: Alex van Andel
Date: Wed, 15 Mar 2023 14:52:32 +0000
Subject: [PATCH] Bugfix/allow impersonation non cal id p (#7689)

* Only require a password when IdP is CAL
* Also require twoFactorEnabled
---
 packages/features/auth/lib/next-auth-options.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/features/auth/lib/next-auth-options.ts b/packages/features/auth/lib/next-auth-options.ts
index 29ee2ebb58..ea34e9c906 100644
--- a/packages/features/auth/lib/next-auth-options.ts
+++ b/packages/features/auth/lib/next-auth-options.ts
@@ -165,7 +165,12 @@ const providers: Provider[] = [
 }).length > 0;

 // authentication success- but does it meet the minimum password requirements?
- if (user.role === "ADMIN" && !isPasswordValid(credentials.password, false, true)) {
+ if (
+ user.role === "ADMIN" &&
+ ((user.identityProvider === IdentityProvider.CAL &&
+ !isPasswordValid(credentials.password, false, true)) ||
+ !user.twoFactorEnabled)
+ ) {
 return {
 id: user.id,
 username: user.username,
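Review bot: The password-strength check is now skipped for every admin whose `identityProvider` is not `IdentityProvider.CAL`, yet this branch still sits on a path that reads `credentials.password`, and nothing visible in the hunk shows that such an account cannot arrive here with a locally stored password. If that invariant is enforced earlier in the function (which starts and ends outside the hunk), state it next to the condition; otherwise an admin on a third-party IdP with a weak local password and 2FA enabled would skip this branch entirely. The comment above the `if` still describes only the password requirement; something like `// ADMIN needs 2FA, plus a strong password when the account is CAL-managed (third-party IdP accounts are assumed to have no usable local password here)` would match the new logic. Naming the two conditions, e.g. `const missingTwoFactor = !user.twoFactorEnabled;` alongside a `weakCalPassword` constant, would also make the `&&`/`||` precedence easier to audit than the nested parentheses.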