From 096486ac556fbde6d2c3085c851d671be2d7fffc Mon Sep 17 00:00:00 2001
From: Max Peintner
Date: Mon, 9 Dec 2024 15:27:03 +0100
Subject: [PATCH] log issues when validating
---
 apps/login/src/app/login/route.ts | 46 +++++++++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 3 deletions(-)
diff --git a/apps/login/src/app/login/route.ts b/apps/login/src/app/login/route.ts
index ffacab46..25eb87e3 100644
--- a/apps/login/src/app/login/route.ts
+++ b/apps/login/src/app/login/route.ts
@@ -47,6 +47,7 @@ const IDP_SCOPE_REGEX = /urn:zitadel:iam:org:idp:id:(.+)/;
 async function isSessionValid(session: Session): Promise {
 // session can't be checked without user
 if (!session.factors?.user) {
+ console.warn("Session has no user");
 return false;
 }
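Review bot: The new `console.warn("Session has no user")` carries nothing that ties it to the session being rejected, so on a shared login endpoint it cannot be correlated with a request or with the other warnings this patch adds in the later hunks of the same function. If the Session type exposes a non-secret identifier, log it alongside the message, e.g. `console.warn("Session has no user", { sessionId: session.id });` (confirm the field name against the Session type), and do the same for the other warnings. An id is safe to ship to a central log store, unlike factor contents. isSessionValid's body continues outside the hunk.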
@@ -59,21 +60,45 @@ async function isSessionValid(session: Session): Promise {
 const authMethods = authMethodTypes.authMethodTypes;
 if (authMethods && authMethods.includes(AuthenticationMethodType.TOTP)) {
 mfaValid = !!session.factors.totp?.verifiedAt;
+ if (!mfaValid) {
+ console.warn(
+ "Session has no valid totpEmail factor",
+ session.factors.totp?.verifiedAt,
+ );
+ }
 } else if (
 authMethods &&
 authMethods.includes(AuthenticationMethodType.OTP_EMAIL)
 ) {
 mfaValid = !!session.factors.otpEmail?.verifiedAt;
+ if (!mfaValid) {
+ console.warn(
+ "Session has no valid otpEmail factor",
+ session.factors.otpEmail?.verifiedAt,
+ );
+ }
 } else if (
 authMethods &&
 authMethods.includes(AuthenticationMethodType.OTP_SMS)
 ) {
 mfaValid = !!session.factors.otpSms?.verifiedAt;
+ if (!mfaValid) {
+ console.warn(
+ "Session has no valid otpSms factor",
+ session.factors.otpSms?.verifiedAt,
+ );
+ }
 } else if (
 authMethods &&
 authMethods.includes(AuthenticationMethodType.U2F)
 ) {
 mfaValid = !!session.factors.webAuthN?.verifiedAt;
+ if (!mfaValid) {
+ console.warn(
+ "Session has no valid u2f factor",
+ session.factors.webAuthN?.verifiedAt,
+ );
+ }
 } else {
 // only check settings if no auth methods are available, as this would require a setup
 const loginSettings = await getLoginSettings(
@@ -87,6 +112,12 @@ async function isSessionValid(session: Session): Promise {
 // must have one single check
 mfaValid = !!(otpEmail || otpSms || totp || webAuthN);
+ if (!mfaValid) {
+ console.warn(
+ "Session has no valid multifactor",
+ JSON.stringify(session.factors),
+ );
+ }
 } else {
 mfaValid = true;
 }
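Review bot: The warning in the TOTP branch names the wrong factor: that branch evaluates `session.factors.totp?.verifiedAt` but logs `"Session has no valid totpEmail factor"`, which will point whoever reads the log at email OTP instead. Change the message to `"Session has no valid totp factor",`. The otpEmail, otpSms and u2f branches name their factor correctly. isSessionValid's body continues outside the hunk on both sides.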
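Review bot: In the `@@ -87,6 +112,12 @@` hunk, `JSON.stringify(session.factors)` writes the entire factors object to the log, and that object holds at least the user entry the function requires at its top (`session.factors?.user`), so user-identifying data lands in stdout and any log pipeline every time a session fails the settings-based MFA check, while the decision itself only depends on verifiedAt values. Log what was evaluated instead, e.g. `console.warn("Session has no valid multifactor", { otpEmail, otpSms, totp, webAuthN });`, assuming those locals hold the per-factor checks combined on the line above. The locals otpEmail/otpSms/totp/webAuthN are defined outside the hunk, as are the function's start and end.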
@@ -97,12 +128,21 @@ async function isSessionValid(session: Session): Promise {
 const validIDP = session?.factors?.intent?.verifiedAt;
 const stillValid = session.expirationDate
- ? timestampDate(session.expirationDate) > new Date()
+ ? timestampDate(session.expirationDate).getTime() > new Date().getTime()
 : true;
- const validFactors = !!(validPassword || validPasskey || validIDP);
+ if (!stillValid) {
+ console.warn(
+ "Session is expired",
+ session.expirationDate
+ ? timestampDate(session.expirationDate).toDateString()
+ : "no expiration date",
+ );
+ }
+
+ const validChecks = !!(validPassword || validPasskey || validIDP);
- return stillValid && validFactors && mfaValid;
+ return stillValid && validChecks && mfaValid;
 }
 async function findValidSession(
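Review bot: The `: "no expiration date"` branch of the new warning is unreachable: stillValid is set to `true` whenever session.expirationDate is absent, so inside `if (!stillValid)` the date always exists. `toDateString()` also drops the time of day, so the log cannot show by how much the session missed the check, which is the useful detail when investigating a rejected login. Replace the ternary argument with `timestampDate(session.expirationDate).toISOString(),`, adding `&& session.expirationDate` to the condition if the checker cannot narrow it, which removes the dead branch and logs the full timestamp. The function's start is outside the hunk.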