diff --git a/src/auth/login.ts b/src/auth/login.ts index 4123b1b..fac00eb 100644 --- a/src/auth/login.ts +++ b/src/auth/login.ts @@ -76,8 +76,12 @@ const srpHandshake = async ( // twoFactorSessionIDV2 is set (instead of twoFactorSessionID) when the // account has BOTH passkeys and TOTP. Prefer TOTP: a CLI cannot perform // a WebAuthn ceremony, and the user has a TOTP secret enrolled. + // + // The server marshals these fields without `omitempty`, so unset fields + // arrive as "" rather than being absent. Use || (not ??) so empty + // strings are treated as not-set. const totpSessionID = - verifyResponse.twoFactorSessionID ?? + verifyResponse.twoFactorSessionID || verifyResponse.twoFactorSessionIDV2; if (totpSessionID) { return { kind: "totp", sessionID: totpSessionID };