fix: Fix passkey mfa sign in flow

bcbogdan · bcbogdan · commit f297a87ececc · 2025-08-11T15:22:18.000+03:00
diff --git a/lib/ts/recipe/webauthn/components/features/mfa/index.tsx b/lib/ts/recipe/webauthn/components/features/mfa/index.tsx
@@ -64,6 +64,7 @@ export const useFeatureReducer = (): [WebAuthnMFAState, React.Dispatch<WebAuthnM
                         email: action.email,
                         showBackButton: action.showBackButton,
                         canRegisterPasskey: action.canRegisterPasskey,
+                        hasRegisteredPassKey: action.hasRegisteredPassKey,
                     };
                 default:
                     return oldState;
@@ -73,6 +74,7 @@ export const useFeatureReducer = (): [WebAuthnMFAState, React.Dispatch<WebAuthnM
             error: undefined,
             deviceSupported: false,
             canRegisterPasskey: false,
+            hasRegisteredPassKey: false,
             loaded: false,
             showBackButton: true,
             email: undefined,
@@ -242,7 +244,8 @@ export const MFAFeature: React.FC<
         <ComponentOverrideContext.Provider value={recipeComponentOverrides}>
             <FeatureWrapper
                 useShadowDom={SuperTokens.getInstanceOrThrow().useShadowDom}
-                defaultStore={defaultTranslationsWebauthn}>
+                defaultStore={defaultTranslationsWebauthn}
+            >
                 <MFAFeatureInner {...props} />
             </FeatureWrapper>
         </ComponentOverrideContext.Provider>
@@ -348,12 +351,6 @@ function useOnLoad(
                 }
             }
 
-            const alreadySetup = mfaInfo.factors.alreadySetup.includes(FactorIds.WEBAUTHN);
-            if (alreadySetup) {
-                dispatch({ type: "setError", accessDenied: true, error: "SOMETHING_WENT_WRONG_ERROR_RELOAD" });
-                return;
-            }
-
             // If the next array only has a single option, it means the we were redirected here
             // automatically during the sign in process. In that case, anywhere the back button
             // could go would redirect back here, making it useless.
@@ -365,21 +362,23 @@ function useOnLoad(
             const mfaInfoEmails = mfaInfo.emails[FactorIds.WEBAUTHN];
             const email = mfaInfoEmails ? mfaInfoEmails[0] : undefined;
 
-            const canRegisterPasskey = !mfaInfo.factors.alreadySetup.includes(FactorIds.WEBAUTHN);
+            const canRegisterPasskey = mfaInfo.factors.allowedToSetup.includes(FactorIds.WEBAUTHN);
+            const hasRegisteredPassKey = mfaInfo.factors.alreadySetup.includes(FactorIds.WEBAUTHN);
             const browserSupportsWebauthnResponse = await props.recipe.webJSRecipe.doesBrowserSupportWebAuthn({
                 userContext: userContext,
             });
-            const browserSupportsWebauthn =
+            const deviceSupported =
                 browserSupportsWebauthnResponse.status === "OK" &&
                 browserSupportsWebauthnResponse?.browserSupportsWebauthn;
 
             dispatch({
                 type: "load",
                 canRegisterPasskey,
+                hasRegisteredPassKey,
                 error,
                 showBackButton,
                 email,
-                deviceSupported: browserSupportsWebauthn,
+                deviceSupported,
             });
         },
         [dispatch, recipeImplementation, props.recipe, userContext]
diff --git a/lib/ts/recipe/webauthn/components/themes/mfa/index.tsx b/lib/ts/recipe/webauthn/components/themes/mfa/index.tsx
@@ -37,33 +37,64 @@ function MFAThemeWrapper(props: WebAuthnMFAProps): JSX.Element {
 export default MFAThemeWrapper;
 
 export function MFATheme(props: WebAuthnMFAProps): JSX.Element {
-    const { onBackButtonClicked, onSignIn } = props;
-    const [activeScreen, setActiveScreen] = React.useState<MFAScreens>(MFAScreens.SignIn);
-    const [signUpEmail, setSignUpEmail] = React.useState<string>("");
     const t = useTranslation();
 
-    const onRegisterPasskeyClick = React.useCallback(() => {
-        if (!props.featureState.canRegisterPasskey) {
-            return;
-        }
-        if (props.featureState.email) {
-            setActiveScreen(MFAScreens.SignUpConfirmation);
-        } else {
-            setActiveScreen(MFAScreens.SignUp);
+    if (!props.featureState.loaded) {
+        return <WebauthnMFALoadingScreen />;
+    }
+
+    if (props.featureState.accessDenied) {
+        return (
+            <AccessDeniedScreen
+                useShadowDom={false /* We set this to false, because we are already inside a shadowDom (if required) */}
+                error={t(props.featureState.error!)}
+            />
+        );
+    }
+
+    return (
+        <div data-supertokens="container webauthn-mfa">
+            <div data-supertokens="row">
+                <MFAThemeRouter {...props} />
+            </div>
+            <SuperTokensBranding />
+        </div>
+    );
+}
+
+function MFAThemeRouter(props: WebAuthnMFAProps): JSX.Element {
+    const { onBackButtonClicked, onSignIn } = props;
+    const [activeScreen, setActiveScreen] = React.useState<MFAScreens>(() => {
+        if (!props.featureState.hasRegisteredPassKey) {
+            return props.featureState.email ? MFAScreens.SignUpConfirmation : MFAScreens.SignUp;
         }
-    }, [props.featureState.email, props.featureState.canRegisterPasskey]);
+        return MFAScreens.SignIn;
+    });
+    const [email, setEmail] = React.useState<string>("");
+    const signUpEmail = props.featureState.email || email;
 
     const onSignUpContinue = React.useCallback(
         (email: string) => {
             if (!props.featureState.canRegisterPasskey) {
                 return;
             }
             setActiveScreen(MFAScreens.SignUpConfirmation);
-            setSignUpEmail(email);
+            setEmail(email);
         },
         [props.featureState.canRegisterPasskey]
     );
 
+    const onRegisterPasskeyClick = React.useCallback(() => {
+        if (!props.featureState.canRegisterPasskey) {
+            return;
+        }
+        if (props.featureState.email) {
+            setActiveScreen(MFAScreens.SignUpConfirmation);
+        } else {
+            setActiveScreen(MFAScreens.SignUp);
+        }
+    }, [props.featureState.email, props.featureState.canRegisterPasskey]);
+
     const clearError = React.useCallback(() => {
         props.dispatch({ type: "setError", error: undefined });
     }, [props]);
@@ -75,71 +106,79 @@ export function MFATheme(props: WebAuthnMFAProps): JSX.Element {
         [props]
     );
 
-    const onClickSignUpBackButton = React.useCallback(() => {
-        if (!props.featureState.canRegisterPasskey) {
+    const onClickSignUpConfirmationBackButton = React.useCallback(() => {
+        if (!props.featureState.email) {
+            setActiveScreen(MFAScreens.SignUp);
+            return;
+        }
+        if (!props.featureState.hasRegisteredPassKey && !props.featureState.showBackButton) {
+            return;
+        }
+        if (!props.featureState.hasRegisteredPassKey) {
+            onBackButtonClicked();
             return;
         }
         setActiveScreen(MFAScreens.SignIn);
-    }, [props.featureState.canRegisterPasskey]);
+    }, [
+        props.featureState.email,
+        props.featureState.hasRegisteredPassKey,
+        props.featureState.showBackButton,
+        onBackButtonClicked,
+    ]);
 
-    const onClickSignUpConfirmationBackButton = React.useCallback(() => {
-        if (props.featureState.email) {
-            setActiveScreen(MFAScreens.SignIn);
-        } else {
-            setActiveScreen(MFAScreens.SignUp);
-        }
-    }, [props.featureState.email]);
+    const onSignUp = React.useCallback(async () => {
+        await props.onSignUp(signUpEmail);
+    }, [props.onSignUp, signUpEmail]);
 
     const onFetchError = React.useCallback(() => {
         onError("SOMETHING_WENT_WRONG_ERROR");
     }, [onError]);
 
-    if (!props.featureState.loaded) {
-        return <WebauthnMFALoadingScreen />;
+    const onClickSignUpBackButton = React.useCallback(() => {
+        if (!props.featureState.hasRegisteredPassKey && !props.featureState.showBackButton) {
+            return;
+        }
+        if (!props.featureState.hasRegisteredPassKey) {
+            onBackButtonClicked();
+            return;
+        }
+        setActiveScreen(MFAScreens.SignIn);
+    }, [props.featureState.hasRegisteredPassKey, props.featureState.showBackButton, onBackButtonClicked]);
+
+    if (activeScreen === MFAScreens.SignUp) {
+        return (
+            <WebauthnMFASignUp
+                clearError={clearError}
+                onError={onError}
+                onFetchError={onFetchError}
+                error={props.featureState.error}
+                onContinueClick={onSignUpContinue}
+                email={email}
+                onRecoverAccountClick={props.onRecoverAccountClick}
+                onBackButtonClicked={onClickSignUpBackButton}
+            />
+        );
     }
 
-    if (props.featureState.accessDenied) {
+    if (activeScreen === MFAScreens.SignUpConfirmation) {
         return (
-            <AccessDeniedScreen
-                useShadowDom={false /* We set this to false, because we are already inside a shadowDom (if required) */}
-                error={t(props.featureState.error!)}
+            <WebauthnMFASignUpConfirmation
+                onSignUp={onSignUp}
+                onBackButtonClicked={onClickSignUpConfirmationBackButton}
+                email={signUpEmail}
+                error={props.featureState.error}
             />
         );
     }
 
     return (
-        <div data-supertokens="container webauthn-mfa">
-            <div data-supertokens="row">
-                {activeScreen === MFAScreens.SignIn ? (
-                    <WebauthnMFASignIn
-                        onBackButtonClicked={props.featureState.showBackButton ? onBackButtonClicked : undefined}
-                        canRegisterPasskey={props.featureState.canRegisterPasskey}
-                        onSignIn={onSignIn}
-                        error={props.featureState.error}
-                        onRegisterPasskeyClick={onRegisterPasskeyClick}
-                        deviceSupported={props.featureState.deviceSupported}
-                    />
-                ) : activeScreen === MFAScreens.SignUp ? (
-                    <WebauthnMFASignUp
-                        clearError={clearError}
-                        onError={onError}
-                        onFetchError={onFetchError}
-                        error={props.featureState.error}
-                        onContinueClick={onSignUpContinue}
-                        email={signUpEmail}
-                        onRecoverAccountClick={props.onRecoverAccountClick}
-                        onBackButtonClicked={onClickSignUpBackButton}
-                    />
-                ) : (
-                    <WebauthnMFASignUpConfirmation
-                        onSignUp={props.onSignUp}
-                        onBackButtonClicked={onClickSignUpConfirmationBackButton}
-                        email={props.featureState.email || signUpEmail}
-                        error={props.featureState.error}
-                    />
-                )}
-            </div>
-            <SuperTokensBranding />
-        </div>
+        <WebauthnMFASignIn
+            onBackButtonClicked={props.featureState.showBackButton ? onBackButtonClicked : undefined}
+            canRegisterPasskey={props.featureState.canRegisterPasskey}
+            onSignIn={onSignIn}
+            error={props.featureState.error}
+            deviceSupported={props.featureState.deviceSupported}
+            onRegisterPasskeyClick={onRegisterPasskeyClick}
+        />
     );
 }
diff --git a/lib/ts/recipe/webauthn/components/themes/mfa/signIn.tsx b/lib/ts/recipe/webauthn/components/themes/mfa/signIn.tsx
@@ -12,10 +12,10 @@ import { PasskeyNotSupportedError } from "../error/passkeyNotSupportedError";
 export type MFASignInProps = {
     onBackButtonClicked?: () => void;
     onSignIn: () => Promise<void>;
-    onRegisterPasskeyClick: () => void;
-    canRegisterPasskey: boolean;
     error: string | undefined;
     deviceSupported: boolean;
+    canRegisterPasskey: boolean;
+    onRegisterPasskeyClick: () => void;
 };
 
 export const WebauthnMFASignIn = withOverride(
@@ -64,7 +64,7 @@ export const WebauthnMFASignIn = withOverride(
                         </div>
                         <div data-supertokens="headerSubtitle secondaryText">
                             <span data-supertokens="link" onClick={props.onRegisterPasskeyClick}>
-                                {t("WEBAUTHN_MFA_REGISTER_PASSKEY_LINK")}
+                                {t("WEBAUTHN_MFA_REGISTER_PASSKEY_TITLE")}
                             </span>
                             {t("WEBAUTHN_MFA_REGISTER_PASSKEY_SUBTITLE")}
                         </div>
diff --git a/lib/ts/recipe/webauthn/components/themes/mfa/signUp.tsx b/lib/ts/recipe/webauthn/components/themes/mfa/signUp.tsx
@@ -37,7 +37,7 @@ export const WebauthnMFASignUp = withOverride(
             <Fragment>
                 <div data-supertokens="headerTitle withBackButton webauthn-mfa">
                     <BackButton onClick={props.onBackButtonClicked} />
-                    {t("WEBAUTHN_MFA_REGISTER_PASSKEY_LINK")}
+                    {t("WEBAUTHN_MFA_REGISTER_PASSKEY_TITLE")}
                     <span data-supertokens="backButtonPlaceholder backButtonCommon">
                         {/* empty span for spacing the back button */}
                     </span>
diff --git a/lib/ts/recipe/webauthn/components/themes/mfa/signUpConfirmation.tsx b/lib/ts/recipe/webauthn/components/themes/mfa/signUpConfirmation.tsx
@@ -9,7 +9,7 @@ import GeneralError from "../../../../emailpassword/components/library/generalEr
 import { PasskeyFeatureBlockList } from "../signUp/featureBlocks";
 
 export type MFASignUpConfirmationProps = {
-    onSignUp: (email: string) => Promise<void>;
+    onSignUp: () => Promise<void>;
     onBackButtonClicked: () => void;
     email: string;
     error?: string;
@@ -23,15 +23,15 @@ export const WebauthnMFASignUpConfirmation = withOverride(
 
         const onClick = React.useCallback(async () => {
             setIsLoading(true);
-            await props.onSignUp(props.email);
+            await props.onSignUp();
             setIsLoading(false);
-        }, [props]);
+        }, [props.onSignUp]);
 
         return (
             <Fragment>
                 <div data-supertokens="headerTitle withBackButton webauthn-mfa">
                     <BackButton onClick={props.onBackButtonClicked} />
-                    {t("WEBAUTHN_MFA_REGISTER_PASSKEY_LINK")}
+                    {t("WEBAUTHN_MFA_REGISTER_PASSKEY_TITLE")}
                     <span data-supertokens="backButtonPlaceholder backButtonCommon">
                         {/* empty span for spacing the back button */}
                     </span>
diff --git a/lib/ts/recipe/webauthn/components/themes/signUp/featureBlocks.tsx b/lib/ts/recipe/webauthn/components/themes/signUp/featureBlocks.tsx
@@ -58,8 +58,8 @@ export const PasskeyFeatureBlock = withOverride(
 export const PasskeyFeatureBlockList = () => {
     return (
         <div data-supertokens="passkeyFeatureBlocksContainer">
-            {blockDetails.map((blockDetail) => (
-                <PasskeyFeatureBlock {...blockDetail} />
+            {blockDetails.map((blockDetail, index) => (
+                <PasskeyFeatureBlock key={`${blockDetail.title}-${index}`} {...blockDetail} />
             ))}
         </div>
     );
diff --git a/lib/ts/recipe/webauthn/components/themes/translations.ts b/lib/ts/recipe/webauthn/components/themes/translations.ts
@@ -58,6 +58,6 @@ export const defaultTranslationsWebauthn = {
             "To finish signing in, click the button and follow the browser instructions.",
         WEBAUTHN_MFA_DIVIDER: "or",
         WEBAUTHN_MFA_REGISTER_PASSKEY_SUBTITLE: "Set up a new authentication method to use for future logins.",
-        WEBAUTHN_MFA_REGISTER_PASSKEY_LINK: "Register a passkey",
+        WEBAUTHN_MFA_REGISTER_PASSKEY_TITLE: "Register a passkey",
     },
 };
diff --git a/lib/ts/recipe/webauthn/types.ts b/lib/ts/recipe/webauthn/types.ts
@@ -275,6 +275,7 @@ export type WebAuthnMFAAction =
           email: string | undefined;
           showBackButton: boolean;
           canRegisterPasskey: boolean;
+          hasRegisteredPassKey: boolean;
       };
 
 type WebAuthnMFAInitialState = {
@@ -284,6 +285,7 @@ type WebAuthnMFAInitialState = {
     deviceSupported: boolean;
     showBackButton: boolean;
     canRegisterPasskey: false;
+    hasRegisteredPassKey: false;
     email: undefined;
 };
 
@@ -294,6 +296,7 @@ type WebAuthnMFALoadedState = {
     deviceSupported: boolean;
     showBackButton: boolean;
     canRegisterPasskey: boolean;
+    hasRegisteredPassKey: boolean;
     email: string | undefined;
 };
 
diff --git a/test/end-to-end/mfa.factorscreen.webauthn.test.js b/test/end-to-end/mfa.factorscreen.webauthn.test.js
