Green: treat empty-string 2FA session fields as absent

Use || instead of ?? when picking the TOTP session ID. The server
sends "" for unset 2FA fields (no omitempty), and "" ?? v2
short-circuits to "", which made dual-2FA accounts fall through to
the unsupported passkey branch.
This commit is contained in:
2026-06-10 11:26:15 -07:00
parent 2c51074294
commit 68d8cfb7fe

View File

@@ -76,8 +76,12 @@ const srpHandshake = async (
// twoFactorSessionIDV2 is set (instead of twoFactorSessionID) when the
// account has BOTH passkeys and TOTP. Prefer TOTP: a CLI cannot perform
// a WebAuthn ceremony, and the user has a TOTP secret enrolled.
//
// The server marshals these fields without `omitempty`, so unset fields
// arrive as "" rather than being absent. Use || (not ??) so empty
// strings are treated as not-set.
const totpSessionID =
verifyResponse.twoFactorSessionID ??
verifyResponse.twoFactorSessionID ||
verifyResponse.twoFactorSessionIDV2;
if (totpSessionID) {
return { kind: "totp", sessionID: totpSessionID };