Green: treat empty-string 2FA session fields as absent
Use || instead of ?? when picking the TOTP session ID. The server sends "" for unset 2FA fields (no omitempty), and "" ?? v2 short-circuits to "", which made dual-2FA accounts fall through to the unsupported passkey branch.
This commit is contained in:
@@ -76,8 +76,12 @@ const srpHandshake = async (
|
||||
// twoFactorSessionIDV2 is set (instead of twoFactorSessionID) when the
|
||||
// account has BOTH passkeys and TOTP. Prefer TOTP: a CLI cannot perform
|
||||
// a WebAuthn ceremony, and the user has a TOTP secret enrolled.
|
||||
//
|
||||
// The server marshals these fields without `omitempty`, so unset fields
|
||||
// arrive as "" rather than being absent. Use || (not ??) so empty
|
||||
// strings are treated as not-set.
|
||||
const totpSessionID =
|
||||
verifyResponse.twoFactorSessionID ??
|
||||
verifyResponse.twoFactorSessionID ||
|
||||
verifyResponse.twoFactorSessionIDV2;
|
||||
if (totpSessionID) {
|
||||
return { kind: "totp", sessionID: totpSessionID };
|
||||
|
||||
Reference in New Issue
Block a user