Commit
prepare version 2.0.1
ahaenggli committed Jul 21, 2023
1 parent 2a019f7 commit 302ff6d
Showing 6 changed files with 25 additions and 26 deletions.
10 changes: 7 additions & 3 deletions CHANGELOG.md
@@ -7,16 +7,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased] (in 'dev')

## [2.0.1] - 2023-07-21

### Changed

- Set ConsistencyLevel to eventual to enable the use of advanced queries and filters.
- Set ConsistencyLevel to eventual to enable the use of advanced queries and filters. (#55)
- Set $count parameter to to true for fetching users and groups, allowing the use of advanced queries and filters.
- Removed LDAP_BASEDN in dockerfile, because the value is generated by default from LDAP_DOMAIN
- Removed LDAP_BASEDN in dockerfile, because the value is generated by default from LDAP_DOMAIN.

### Fixed

- Include specific error from the Graph API as graphErrorDetail instead of displaying only 'Request failed with status code 400' to failing fetching requests.
- Include specific error from the Graph API as graphErrorDetail instead of displaying only 'Request failed with status code 400' to failing fetching requests. (#55)
- Detection of external users (#61)
- Treat error code AADSTS50158 also as successful login if env var `GRAPH_IGNORE_MFA_ERRORS` is set. (#62)

## [2.0.0] - 2023-06-18

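Review bot: the unchanged "Changed" entry two lines above the edited ones still reads "Set $count parameter to to true" (doubled "to"); since this hunk already touches the neighbouring entries, fix the typo here. Also, the new "Fixed" entry for AADSTS50158 describes a change in which an additional authentication failure is treated as a successful login, which is a behavioural change to the MFA bypass rather than a bug fix; consider listing it under "Changed" (or a "Security" heading) so that operators reading the release notes notice it, and keep the explicit statement that it only applies when `GRAPH_IGNORE_MFA_ERRORS` is set.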
@@ -266,6 +269,7 @@ if set to true and the login is failed, the login is retried against the sambaNT
- Container on hub.docker.cm
[Unreleased]: https://github.com/ahaenggli/AzureAD-LDAP-wrapper/projects/1
[2.0.1]: https://github.com/ahaenggli/AzureAD-LDAP-wrapper/releases/tag/v2.0.1
[2.0.0]: https://github.com/ahaenggli/AzureAD-LDAP-wrapper/releases/tag/v2.0.0
[1.8.2]: https://github.com/ahaenggli/AzureAD-LDAP-wrapper/releases/tag/v1.8.2
[1.8.1]: https://github.com/ahaenggli/AzureAD-LDAP-wrapper/releases/tag/v1.8.1
4 changes: 2 additions & 2 deletions docs/content/configuration/bypass-mfa.md
@@ -15,12 +15,12 @@ If you need to use this LDAP-wrapper despite of activated MFA, there are two opt
[Security defaults](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) seems to be the only ways for customers using the free Azure AD plan to [enable multi-factor authentication](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-mfa-get-started#free-option) in their whole environment. It looks like there are no workarounds to disable MFA for certain IPs or applications.\
If a login fails due to this MFA method, the error code is AADSTS50076.
- Conditional Access\
[Conditional Access](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa) can be used to require MFA for some or all the users. This is the most flexible way to activate MFA, but it is a premium feature. The settings allows to exclude certain apps. If a login fails due to this MFA method, the error code is AADSTS50079, too. As a simple workaround, the app used by the LDAP-wrapper can be excluded:
[Conditional Access](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa) can be used to require MFA for some or all the users. This is the most flexible way to activate MFA, but it is a premium feature. The settings allows to exclude certain apps. If a login fails due to this MFA method, the error codea are either AADSTS50158 (for external MFA like Duo) or also AADSTS50079. As a simple workaround, the app used by the LDAP-wrapper can be excluded:
- Add a URL in the app (e.g. "https://localhost")
![grafik](../bypass-mfa_addurl.png)
- The App can now be selected in the exclude list
![grafik](../bypass-mfa_exclude.png)

2. Let the LDAP-wrapper internally treat some MFA/2FA related error codes as a successful login.\
There is an experimental feature to ***bypass*** MFA/2FA. It must be manually enabled by setting the the env var `GRAPH_IGNORE_MFA_ERRORS` to true.\
Even if the env var is set to true, the login attempt appears as "Failure" in the AzureAD sign-in logs due to MFA/2FA. Only the LDAP wrapper internally treats some MFA/2FA-related error codes as successful logins. Specifically, these are the error codes AADSTS50076 and AADSTS50079, as mentioned above.
Even if the env var is set to true, the login attempt appears as "Failure" in the AzureAD sign-in logs due to MFA/2FA. Only the LDAP wrapper internally treats some MFA/2FA-related error codes as successful logins. Specifically, these are the error codes AADSTS50076, AADSTS50079 and AADSTS50158, as mentioned above.
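Review bot: the new line under "Conditional Access" has a typo and awkward phrasing, "the error codea are either AADSTS50158 (for external MFA like Duo) or also AADSTS50079"; suggest "the error code is either AADSTS50158 (for external MFA providers such as Duo) or AADSTS50079". The unchanged sentence just before it, "The settings allows to exclude certain apps", should read "The settings allow excluding certain apps" while you are here. The updated paragraph under option 2 is consistent with the graph.auth.js change in this commit (all three codes listed), and it rightly keeps the statement that the attempt still shows as "Failure" in the Azure AD sign-in logs; that is the key point for anyone auditing these logins, so keep it prominent.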
31 changes: 13 additions & 18 deletions package-lock.json


2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "AzureAD-LDAP-wrapper",
"version": "2.0.0",
"version": "2.0.1",
"type": "commonjs",
"engines": {
"node": ">=17"
2 changes: 1 addition & 1 deletion src/database.js
@@ -541,7 +541,7 @@ async function mergeAzureUserEntries(db) {
{
mail: user.mail,
userPrincipalName: user.userPrincipalName,
info: 'RPOC is not possible for Guest usery without accepted invitation'
info: 'RPOC is not possible for Guest user without accepted invitation'
});
}
// ignore personal microsoft accounts, because RPOC is not possible
2 changes: 1 addition & 1 deletion src/graph.auth.js
@@ -123,7 +123,7 @@ auth.loginWithUsernamePassword = async function loginWithUsernamePassword(userna
helper.error('graph_azuread.js', "loginWithUsernamePassword", error);
}
// if MFA-related errors can be ignored, handle AADSTS50076 (Security defaults) and AADSTS50079 (Per-user MFA, Conditional Access) as successful logins
else if (config.GRAPH_IGNORE_MFA_ERRORS && (error.toString().includes("AADSTS50076") || error.toString().includes("AADSTS50079"))) {
else if (config.GRAPH_IGNORE_MFA_ERRORS && (error.toString().includes("AADSTS50076") || error.toString().includes("AADSTS50079") || error.toString().includes("AADSTS50158"))) {
helper.log('graph_azuread.js', "loginWithUsernamePassword", { info: "MFA ignored", username: username, details: error });
checkCredentials = 1;
}
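Review bot: the comment above the changed condition still lists only AADSTS50076 and AADSTS50079; update it to include AADSTS50158 (external MFA providers such as Duo, as documented in docs/content/configuration/bypass-mfa.md in this same commit), otherwise the next reader will not know why the third code is accepted. The condition also calls `error.toString()` three times and will grow again with the next code; suggest `const msg = error.toString();` and `const ignoredMfaCodes = ["AADSTS50076", "AADSTS50079", "AADSTS50158"];` followed by `ignoredMfaCodes.some(code => msg.includes(code))`, which keeps the list of bypassed codes in one place that is easy to audit. Since this branch turns an authentication failure into `checkCredentials = 1`, the existing `helper.log` call with `info: "MFA ignored"` and the username is the only trace of the bypass; keep it, and consider logging which code matched so the record distinguishes the three cases.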

0 comments on commit 302ff6d
