verifies passkey w/o userHandle when already logged in

DougReeder · DougReeder · commit 5da58b409f58 · 2024-07-22T15:36:27.000-04:00
diff --git a/lib/routes/login.js b/lib/routes/login.js
@@ -61,8 +61,10 @@ module.exports = async function (hostIdentity, jwtSecret, account, isAdminLogin)
         }
 
         const presentedCredential = req.body;
-        const decodedUserId = Buffer.from(presentedCredential.response.userHandle, 'base64url').toString('utf8');
-        const user = await account.getUser(decodedUserId, res.logNotes);
+        const username = presentedCredential.response.userHandle
+          ? Buffer.from(presentedCredential.response.userHandle, 'base64url').toString('utf8')
+          : req.session.user?.username;
+        const user = await account.getUser(username, res.logNotes); // always loads latest values
 
         await verifyCredential(user, req.session.loginChallenge, origin, rpID, presentedCredential);
         delete req.session.loginChallenge; // Kills the challenge for this session.
diff --git a/spec/modular/admin.spec.js b/spec/modular/admin.spec.js
@@ -20,7 +20,10 @@ const INVITE_REQUEST_DIR = 'inviteRequests';
 const ADMIN_INVITE_DIR_NAME = 'invites';
 const CONTACT_URL_DIR = 'contactUrls';
 const HOST_IDENTITY = 'psteniusubi.github.io';
-const { mockAccountFactory, CREDENTIAL_PRESENTED_RIGHT, CREDENTIAL_PRESENTED_WRONG, USER } = require('../util/mockAccount');
+const {
+  mockAccountFactory, CREDENTIAL_PRESENTED_RIGHT, CREDENTIAL_PRESENTED_WRONG, USER,
+  CREDENTIAL_PRESENTED_RIGHT_NO_USERHANDLE
+} = require('../util/mockAccount');
 const crypto = require('crypto');
 const loginFactory = require('../../lib/routes/login');
 const NoSuchBlobError = require('../../lib/util/NoSuchBlobError');
@@ -516,6 +519,17 @@ describe('admin module', function () {
       expect(verifyRes.body.verified).to.equal(true);
       expect(verifyRes.body.username).to.equal(USER.username);
     });
+
+    it('accepts a registered passkey w/o userHandle when already logged in', async function () {
+      this.sessionValues.loginChallenge = LOGIN_CHALLENGE;
+      this.sessionValues.user = structuredClone(USER);
+      const verifyRes = await chai.request(this.app).post('/admin/verify-authentication')
+        .type('application/json').send(JSON.stringify(CREDENTIAL_PRESENTED_RIGHT_NO_USERHANDLE));
+      expect(verifyRes).to.have.status(200);
+      expect(verifyRes).to.be.json;
+      expect(verifyRes.body.verified).to.equal(true);
+      expect(verifyRes.body.username).to.equal(USER.username);
+    });
   });
 
   describe('users list', function () {
