@fisherevans
Created May 8, 2020 14:25
Okta SMS factors work after deletion

SMS Factor Works after Delete

Example API calls to reproduce this bug.

1. Create User

1.a. Create User

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/users \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "profile": {
    "firstName": "Fisher",
    "lastName": "Muhdish",
    "email": "[email protected]",
    "login": "fishdish"
  }
}'

1.b. Set Password

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/users/00ubim8fggjStNwJ84x6 \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "credentials": {
    "password": {
      "value": "SomePassword123"
    }
  }
}'

1.c. Add SMS Factor (non-activated)

curl --request POST \
  --url 'https://<ORG>.okta.com/api/v1/users/00ubim8fggjStNwJ84x6/factors?activate=false' \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "factorType": "sms",
  "provider": "OKTA",
  "profile": {
    "phoneNumber": "+18024482036"
  }
}'

1.d. Activate SMS Factor

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/users/00ubim8fggjStNwJ84x6/factors/mblbimqspvmEhZUhN4x6/lifecycle/activate \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "passCode": "421675"
}'

2. Recover password via SMS

2.a. Start Password Recovery via SMS

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/authn/recovery/password \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "username": "fishdish",
  "factorType": "SMS"
}'

2.b. Verify SMS Password Recovery

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/authn/recovery/factors/SMS/verify \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "stateToken": "00yyEPfI7XVdxM1rVGLXeN8E8B_ddV_nXmyaPCiu-L",
  "passCode": "082061"
}'

2.c. Reset Password

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/authn/credentials/reset_password \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "stateToken": "00yyEPfI7XVdxM1rVGLXeN8E8B_ddV_nXmyaPCiu-L",
  "newPassword": "LastPass1234"
}'

2.d. Authenticate with new password

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/authn \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "username": "fishdish",
  "password": "LastPass1234"
}'

3. Remove SMS Factor

curl --request DELETE \
  --url https://<ORG>.okta.com/api/v1/users/00ubim8fggjStNwJ84x6/factors/smsbimrldFNdxYACR4x6 \
  --header 'authorization: SSWS <TOKEN>'

4. Use deleted SMS factor - SHOULD NOT WORK

4.a. Start Password Recovery via SMS (second time)

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/authn/recovery/password \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "username": "fishdish",
  "factorType": "SMS"
}'

4.b. Verify SMS Password Recovery (second time)

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/authn/recovery/factors/SMS/verify \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "stateToken": "006W9WK4UaekCIQvHxjVmPyIEDbjGeZjeIfqrzwm9Q",
  "passCode": "040076"
}'

4.c. Reset Password (second time)

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/authn/credentials/reset_password \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "stateToken": "006W9WK4UaekCIQvHxjVmPyIEDbjGeZjeIfqrzwm9Q",
  "newPassword": "LastPass1234567"
}'

4.d. Authenticate with new password (second time)

curl --request POST \
  --url https://<ORG>.okta.com/api/v1/authn \
  --header 'authorization: SSWS <TOKEN>' \
  --header 'content-type: application/json' \
  --data '{
  "username": "fishdish",
  "password": "LastPass1234567"
}'
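
The sequence above only makes sense against one invariant: password recovery through a factor must consult the user's current enrollments, so once the SMS factor is deleted (step 3) the second recovery (step 4) has to be refused. The Python below is an added example, not Okta's code and not part of the gist: an in-memory model of a user/factor store that encodes that invariant and replays the same steps (enroll, activate, recover, delete, recover again) so the expected outcome of step 4 is explicit. Class and method names, factor ids and the phone number are all constructed for the example.

```python
"""Expected-behaviour model for the factor lifecycle exercised above.

Added example, not Okta's code: an in-memory stand-in for the server-side
enrollment table that encodes the invariant the report relies on, namely that
password recovery via SMS may only succeed while an ACTIVE sms factor is
enrolled for the user. run_repro() walks the gist's sequence (enroll,
activate, recover, delete, recover again) and shows where step 4 must fail.
All identifiers, factor ids and the phone number below are constructed.
"""
from dataclasses import dataclass, field
import itertools


class RecoveryDenied(Exception):
    """Raised when recovery is requested through a factor that is not usable."""


@dataclass
class Factor:
    id: str
    factor_type: str   # stored lower-case: "sms", "token:software:totp", ...
    status: str        # "PENDING_ACTIVATION" or "ACTIVE"
    profile: dict


@dataclass
class User:
    login: str
    password: str
    factors: dict = field(default_factory=dict)  # factor id -> Factor


class FactorStore:
    """In-memory model of users and their enrolled factors (constructed, not Okta's)."""

    def __init__(self):
        self.users = {}
        self._ids = itertools.count(1)

    def create_user(self, login, password):
        self.users[login] = User(login, password)

    def enroll_factor(self, login, factor_type, profile, activate=False):
        fid = f"fac{next(self._ids):04d}"  # constructed id, not an Okta id
        status = "ACTIVE" if activate else "PENDING_ACTIVATION"
        self.users[login].factors[fid] = Factor(fid, factor_type.lower(), status, profile)
        return fid

    def activate_factor(self, login, factor_id):
        # A real service verifies the passCode sent to the phone first; this
        # model only tracks the resulting state transition.
        self.users[login].factors[factor_id].status = "ACTIVE"

    def delete_factor(self, login, factor_id):
        # Deletion removes the enrollment row; nothing about the factor may
        # survive anywhere that recovery could later read it.
        del self.users[login].factors[factor_id]

    def list_factors(self, login):
        return list(self.users[login].factors.values())

    def active_factors(self, login, factor_type):
        want = factor_type.lower()  # the gist sends "sms" on enroll, "SMS" on recovery
        return [f for f in self.list_factors(login)
                if f.factor_type == want and f.status == "ACTIVE"]

    def recover_password(self, login, factor_type, new_password):
        """The check step 4 expects: consult the *current* enrollment table."""
        if not self.active_factors(login, factor_type):
            raise RecoveryDenied(f"no ACTIVE {factor_type} factor enrolled for {login}")
        self.users[login].password = new_password
        return True

    def authenticate(self, login, password):
        return self.users[login].password == password


def run_repro():
    """Replay the gist's steps.

    Returns (first_recovery_ok, second_recovery_denied, factors_left_after_delete).
    """
    store = FactorStore()
    store.create_user("fishdish", "SomePassword123")                            # 1.a, 1.b
    fid = store.enroll_factor("fishdish", "sms",
                              {"phoneNumber": "+15555550100"}, activate=False)  # 1.c (constructed number)
    store.activate_factor("fishdish", fid)                                      # 1.d
    first_ok = store.recover_password("fishdish", "SMS", "LastPass1234")        # 2.a-2.c
    first_ok = first_ok and store.authenticate("fishdish", "LastPass1234")      # 2.d
    store.delete_factor("fishdish", fid)                                        # 3
    try:
        store.recover_password("fishdish", "SMS", "LastPass1234567")            # 4.a-4.c
        second_denied = False
    except RecoveryDenied:
        second_denied = True
    # With the factor gone, the password set in step 2 must still be the only valid one.
    second_denied = second_denied and store.authenticate("fishdish", "LastPass1234")
    return first_ok, second_denied, len(store.list_factors("fishdish"))


if __name__ == "__main__":
    print(run_repro())
```

Run as a script it prints `(True, True, 0)`, which is the outcome the report says a correct service must produce. To turn the same walk into a regression check against a real tenant, replace the store calls with the curl requests above, and after step 3 also `GET /api/v1/users/{userId}/factors` to confirm the list no longer contains the SMS factor before attempting step 4.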