From 68d8cfb7fe560bf019f4efa0b764872a49483351 Mon Sep 17 00:00:00 2001 From: sneak Date: Wed, 10 Jun 2026 11:26:15 -0700 Subject: [PATCH] Green: treat empty-string 2FA session fields as absent Use || instead of ?? when picking the TOTP session ID. The server sends "" for unset 2FA fields (no omitempty), and "" ?? v2 short-circuits to "", which made dual-2FA accounts fall through to the unsupported passkey branch. --- src/auth/login.ts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/auth/login.ts b/src/auth/login.ts index 4123b1b..fac00eb 100644 --- a/src/auth/login.ts +++ b/src/auth/login.ts @@ -76,8 +76,12 @@ const srpHandshake = async ( // twoFactorSessionIDV2 is set (instead of twoFactorSessionID) when the // account has BOTH passkeys and TOTP. Prefer TOTP: a CLI cannot perform // a WebAuthn ceremony, and the user has a TOTP secret enrolled. + // + // The server marshals these fields without `omitempty`, so unset fields + // arrive as "" rather than being absent. Use || (not ??) so empty + // strings are treated as not-set. const totpSessionID = - verifyResponse.twoFactorSessionID ?? + verifyResponse.twoFactorSessionID || verifyResponse.twoFactorSessionIDV2; if (totpSessionID) { return { kind: "totp", sessionID: totpSessionID };