Skip to content

Commit

Permalink
fix: don't refresh AuthenticatedAt for pin login (PS-333)
Browse files Browse the repository at this point in the history
  • Loading branch information
maoanran committed Jun 7, 2024
1 parent b88d0fb commit 5e443cd
Show file tree
Hide file tree
Showing 2 changed files with 37 additions and 0 deletions.
5 changes: 5 additions & 0 deletions selfservice/flow/login/hook.go
Original file line number Diff line number Diff line change
Expand Up @@ -136,9 +136,14 @@ func (e *HookExecutor) PostLoginHook(
return err
}

authenticatedAt := s.AuthenticatedAt
if err := s.Activate(r, i, e.d.Config(), time.Now().UTC()); err != nil {
return err
}
// don't update authenticatedAt if the login method is pin
if g == "pin" {
s.AuthenticatedAt = authenticatedAt
}

c := e.d.Config()
// Verify the redirect URL before we do any other processing.
Expand Down
32 changes: 32 additions & 0 deletions selfservice/strategy/pin/login_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -251,4 +251,36 @@ func TestCompleteLogin(t *testing.T) {

})

t.Run("should not update authenticated_at field", func(t *testing.T) {
identifier, pwd, pin := x.NewUUID().String(), "password", "1234"
i := createIdentity(identifier, pwd, pin)

t.Run("type=api", func(t *testing.T) {
var values = func(v url.Values) {
v.Set("identifier", identifier)
v.Set("password", pwd)
}
hc := testhelpers.NewHTTPClientWithIdentitySessionToken(t, reg, i)

// login first
body := testhelpers.SubmitLoginForm(t, true, hc, publicTS, values, false, true, 200, "")
a := gjson.Get(body, "session.authenticated_at").String()

values = func(v url.Values) {
v.Set("method", "pin")
v.Set("pin", "1234")
}
body = testhelpers.SubmitLoginForm(t, true, hc, publicTS, values,
false, false, http.StatusOK, publicTS.URL+login.RouteSubmitFlow,
testhelpers.InitFlowWithAAL(identity.NoAuthenticatorAssuranceLevel))

assert.Equal(t, identifier, gjson.Get(body, "session.identity.traits.subject").String(), "%s", body)
st := gjson.Get(body, "session_token").String()
assert.NotEmpty(t, st, "%s", body)
assert.Equal(t, int64(3), gjson.Get(body, "session.authentication_methods.#").Int(), "%s", body)
assert.Equal(t, "pin", gjson.Get(body, "session.authentication_methods.2.method").String(), "%s", body)
assert.Equal(t, "aal0", gjson.Get(body, "session.authentication_methods.2.aal").String(), "%s", body)
assert.Equal(t, a, gjson.Get(body, "session.authenticated_at").String(), "%s", body)
})
})
}

0 comments on commit 5e443cd

Please sign in to comment.