Green: treat empty-string 2FA session fields as absent
Use || instead of ?? when picking the TOTP session ID. The server sends "" for unset 2FA fields (no omitempty), and "" ?? v2 short-circuits to "", which made dual-2FA accounts fall through to the unsupported passkey branch.
This commit is contained in:
@@ -76,8 +76,12 @@ const srpHandshake = async (
|
|||||||
// twoFactorSessionIDV2 is set (instead of twoFactorSessionID) when the
|
// twoFactorSessionIDV2 is set (instead of twoFactorSessionID) when the
|
||||||
// account has BOTH passkeys and TOTP. Prefer TOTP: a CLI cannot perform
|
// account has BOTH passkeys and TOTP. Prefer TOTP: a CLI cannot perform
|
||||||
// a WebAuthn ceremony, and the user has a TOTP secret enrolled.
|
// a WebAuthn ceremony, and the user has a TOTP secret enrolled.
|
||||||
|
//
|
||||||
|
// The server marshals these fields without `omitempty`, so unset fields
|
||||||
|
// arrive as "" rather than being absent. Use || (not ??) so empty
|
||||||
|
// strings are treated as not-set.
|
||||||
const totpSessionID =
|
const totpSessionID =
|
||||||
verifyResponse.twoFactorSessionID ??
|
verifyResponse.twoFactorSessionID ||
|
||||||
verifyResponse.twoFactorSessionIDV2;
|
verifyResponse.twoFactorSessionIDV2;
|
||||||
if (totpSessionID) {
|
if (totpSessionID) {
|
||||||
return { kind: "totp", sessionID: totpSessionID };
|
return { kind: "totp", sessionID: totpSessionID };
|
||||||
|
|||||||
Reference in New Issue
Block a user