Merge pull request #711 from numerique-gouv/fix-double-webauthn-authent

fix: double passkey authent when accessing connexion & account page w…
numerique-gouv · Sep 27, 2024 · e0082cf · e0082cf
2 parents 010a35c + dc56630
commit e0082cf
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/src/controllers/webauthn.ts b/src/controllers/webauthn.ts
@@ -197,7 +197,7 @@ export const postVerifyAuthenticationController =
         ? getUserFromAuthenticatedSession(req).email
         : getEmailFromUnauthenticatedSession(req);
 
-      const { user, userVerified } = await verifyAuthentication({
+      let { user, userVerified } = await verifyAuthentication({
         email,
         response,
         isSecondFactorVerification,
@@ -206,7 +206,7 @@ export const postVerifyAuthenticationController =
       if (isSecondFactorVerification) {
         addAuthenticationMethodReferenceInSession(req, res, user, "pop");
       } else {
-        await createAuthenticatedSession(req, res, user, "pop");
+        user = await createAuthenticatedSession(req, res, user, "pop");
       }
 
       if (userVerified) {

diff --git a/src/managers/session/authenticated.ts b/src/managers/session/authenticated.ts
@@ -44,7 +44,7 @@ export const createAuthenticatedSession = async (
   res: Response,
   user: User,
   authenticationMethodReference: AmrValue,
-): Promise<null> => {
+): Promise<User> => {
   // we store old session value to pass it to the new logged-in session
   // email and needsInclusionconnectWelcomePage are not passed to the new session as it is not useful within logged session
   // csrfToken should not be passed to the new session for security reasons
@@ -66,10 +66,11 @@ export const createAuthenticatedSession = async (
       if (err) {
         reject(err);
       } else {
-        req.session.user = await update(user.id, {
+        const updatedUser = await update(user.id, {
           sign_in_count: user.sign_in_count + 1,
           last_sign_in_at: new Date(),
         });
+        req.session.user = updatedUser;
         // we restore previous session navigation values
         req.session.interactionId = interactionId;
         req.session.mustReturnOneOrganizationInPayload =
@@ -93,7 +94,7 @@ export const createAuthenticatedSession = async (
           setIsTrustedBrowserFromLoggedInSession(req);
         }
 
-        resolve(null);
+        resolve(updatedUser);
       }
     });
   });