fix(auth): improve security key login flow.

- Fix login to verify password before showing security key prompt
- Add proper 2FA verification flow when deleting security keys

Previously, users with security keys would see the security key prompt
even if they entered an incorrect password. Now the password is verified
first. Additionally, security key deletion now properly handles 2FA
verification when enabled.
Adrian Astles
2025-07-07 17:48:23 +08:00
parent 813992141a
commit f0a1c10ec5
4 changed files with 294 additions and 155 deletions


@@ -92,22 +92,6 @@ export async function login(
const existingUser = existingUserRes[0];
// Check if user has security keys registered
const userSecurityKeys = await db
.select()
.from(securityKeys)
.where(eq(securityKeys.userId, existingUser.userId));
if (userSecurityKeys.length > 0) {
return response<{ useSecurityKey: boolean }>(res, {
data: { useSecurityKey: true },
success: true,
error: false,
message: "Please use your security key to sign in",
status: HttpCode.UNAUTHORIZED
});
}
const validPassword = await verifyPassword(
password,
existingUser.passwordHash!
@@ -126,6 +110,22 @@ export async function login(
);
}
// Check if user has security keys registered
const userSecurityKeys = await db
.select()
.from(securityKeys)
.where(eq(securityKeys.userId, existingUser.userId));
if (userSecurityKeys.length > 0) {
return response<LoginResponse>(res, {
data: { useSecurityKey: true },
success: true,
error: false,
message: "Security key authentication required",
status: HttpCode.OK
});
}
if (existingUser.twoFactorEnabled) {
if (!code) {
return response<{ codeRequested: boolean }>(res, {
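Review bot: The relocated security-key branch (`if (userSecurityKeys.length > 0)`) returns `success: true` with `HttpCode.OK` once the password is verified, yet nothing visible here records server-side that the password step was passed for this attempt. Unless the security-key verification endpoint is tied to such a pending-login state (not shown in this hunk), that endpoint alone decides the login and the password check adds no protection; this is worth confirming and stating in a comment such as `// password verified; key step must be bound to this pending login before a session is issued`. The branch also returns before the `existingUser.twoFactorEnabled` check, so an account with both factors never reaches the code prompt on this path, which should be a documented decision rather than a side effect of ordering. As a smaller point, the query loads every key row only to test for existence; `.limit(1)` after `.where(...)` would be enough. The body of `login` starts and ends outside the hunk.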