fix: don't refresh AuthenticatedAt for pin login (PS-333)

monta-app · Jun 17, 2024 · 27f9c80 · 27f9c80
1 parent 302c013
commit 27f9c80
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/selfservice/flow/login/hook.go b/selfservice/flow/login/hook.go
@@ -136,9 +136,14 @@ func (e *HookExecutor) PostLoginHook(
 		return err
 	}
 
+	authenticatedAt := s.AuthenticatedAt
 	if err := s.Activate(r, i, e.d.Config(), time.Now().UTC()); err != nil {
 		return err
 	}
+	// don't update authenticatedAt if the login method is pin
+	if g == "pin" {
+		s.AuthenticatedAt = authenticatedAt
+	}
 
 	c := e.d.Config()
 	// Verify the redirect URL before we do any other processing.

diff --git a/selfservice/strategy/pin/login_test.go b/selfservice/strategy/pin/login_test.go
@@ -251,4 +251,36 @@ func TestCompleteLogin(t *testing.T) {
 
 	})
 
+	t.Run("should not update authenticated_at field", func(t *testing.T) {
+		identifier, pwd, pin := x.NewUUID().String(), "password", "1234"
+		i := createIdentity(identifier, pwd, pin)
+
+		t.Run("type=api", func(t *testing.T) {
+			var values = func(v url.Values) {
+				v.Set("identifier", identifier)
+				v.Set("password", pwd)
+			}
+			hc := testhelpers.NewHTTPClientWithIdentitySessionToken(t, reg, i)
+
+			// login first
+			body := testhelpers.SubmitLoginForm(t, true, hc, publicTS, values, false, true, 200, "")
+			a := gjson.Get(body, "session.authenticated_at").String()
+
+			values = func(v url.Values) {
+				v.Set("method", "pin")
+				v.Set("pin", "1234")
+			}
+			body = testhelpers.SubmitLoginForm(t, true, hc, publicTS, values,
+				false, false, http.StatusOK, publicTS.URL+login.RouteSubmitFlow,
+				testhelpers.InitFlowWithAAL(identity.NoAuthenticatorAssuranceLevel))
+
+			assert.Equal(t, identifier, gjson.Get(body, "session.identity.traits.subject").String(), "%s", body)
+			st := gjson.Get(body, "session_token").String()
+			assert.NotEmpty(t, st, "%s", body)
+			assert.Equal(t, int64(3), gjson.Get(body, "session.authentication_methods.#").Int(), "%s", body)
+			assert.Equal(t, "pin", gjson.Get(body, "session.authentication_methods.2.method").String(), "%s", body)
+			assert.Equal(t, "aal0", gjson.Get(body, "session.authentication_methods.2.aal").String(), "%s", body)
+			assert.Equal(t, a, gjson.Get(body, "session.authenticated_at").String(), "%s", body)
+		})
+	})
 }