Merge pull request #1024 from supertokens/fix/fix-credential-listing-multiple-users

porcellus · web-flow · commit ab1f7fd6c56f · 2025-07-30T23:05:57.000+02:00
fix: WebAuthn credential listing/removal not working for non-primary WebAuthn users and multiple linked WebAuthn users
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 -   Updated FDI support to 4.2
 -   Added `recipeUserId` in the WebAuthn list credentials response
+-   Fix WebAuthn credential listing and removal to work even when the WebAuthn user is not the primary user and when there are multiple WebAuthn users linked
 -   Prevent removal of WebAuthn credentials unless all session claims are satisfied
 -   Change how sessions are fetched before listing, removing and adding WebAuthn credentials
 
@@ -987,7 +988,7 @@ Session.init({
                             input.userId,
                             input.recipeUserId,
                             input.tenantId,
-                            input.userContext,
+                            input.userContext
                         )),
                     };
 
@@ -1015,7 +1016,7 @@ Session.init({
                             input.recipeUserId,
                             input.tenantId,
                             input.accessTokenPayload,
-                            input.userContext,
+                            input.userContext
                         )),
                     };
 
diff --git a/lib/build/recipe/webauthn/api/implementation.js b/lib/build/recipe/webauthn/api/implementation.js
diff --git a/lib/ts/recipe/webauthn/api/implementation.ts b/lib/ts/recipe/webauthn/api/implementation.ts
@@ -986,14 +986,36 @@ export default function getAPIImplementation(): APIInterface {
         },
 
         listCredentialsGET: async function ({ options, userContext, session }) {
-            const credentials = await options.recipeImplementation.listCredentials({
-                recipeUserId: session.getRecipeUserId().getAsString(),
-                userContext,
-            });
+            const existingUser = await getUser(session.getUserId(), userContext);
+            if (!existingUser) {
+                return {
+                    status: "GENERAL_ERROR",
+                    message: "User not found",
+                };
+            }
+
+            const recipeUserIds = existingUser.loginMethods
+                .filter((lm) => lm.recipeId === "webauthn")
+                ?.map((lm) => lm.recipeUserId);
+
+            const credentials: {
+                webauthnCredentialId: string;
+                relyingPartyId: string;
+                createdAt: number;
+                recipeUserId: string;
+            }[] = [];
+            for (const recipeUserId of recipeUserIds) {
+                const listCredentialsResponse = await options.recipeImplementation.listCredentials({
+                    recipeUserId: recipeUserId.getAsString(),
+                    userContext,
+                });
+
+                credentials.push(...listCredentialsResponse.credentials);
+            }
 
             return {
                 status: "OK",
-                credentials: credentials.credentials.map((credential) => ({
+                credentials: credentials.map((credential) => ({
                     recipeUserId: credential.recipeUserId,
                     webauthnCredentialId: credential.webauthnCredentialId,
                     relyingPartyId: credential.relyingPartyId,
@@ -1076,9 +1098,28 @@ export default function getAPIImplementation(): APIInterface {
                 ]);
             }
 
+            const user = await getUser(session.getUserId(), userContext);
+            if (!user) {
+                return {
+                    status: "GENERAL_ERROR",
+                    message: "User not found",
+                };
+            }
+
+            const recipeUserId = user.loginMethods.find(
+                (lm) => lm.recipeId === "webauthn" && lm.webauthn?.credentialIds.includes(webauthnCredentialId)
+            )?.recipeUserId;
+
+            if (!recipeUserId) {
+                return {
+                    status: "GENERAL_ERROR",
+                    message: "User not found",
+                };
+            }
+
             const removeCredentialResponse = await options.recipeImplementation.removeCredential({
                 webauthnCredentialId,
-                recipeUserId: session.getRecipeUserId().getAsString(),
+                recipeUserId: recipeUserId.getAsString(),
                 userContext,
             });
             if (removeCredentialResponse.status !== "OK") {
