Merge pull request #1023 from supertokens/fix/webauth-mng-endpoints-session-requirements

fix: Change how WebAuthn credential management endpoints handle session requirements

Author: porcellus

CHANGELOG.md

@@ -7,8 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+## [23.0.1] - 2025-07-31
+
 -   Updated FDI support to 4.2
 -   Added `recipeUserId` in the WebAuthn list credentials response
+-   Prevent removal of WebAuthn credentials unless all session claims are satisfied
+-   Change how sessions are fetched before listing, removing and adding WebAuthn credentials
 
 ## [23.0.0] - 2025-07-21
 

lib/build/recipe/webauthn/api/implementation.js

@@ -20,6 +20,8 @@ import { getRecoverAccountLink } from "../utils";
 import { logDebugMessage } from "../../../logger";
 import { RecipeLevelUser } from "../../accountlinking/types";
 import { getUser } from "../../..";
+import MultiFactorAuth from "../../multifactorauth";
+import MultiFactorAuthRecipe from "../../multifactorauth/recipe";
 
 export default function getAPIImplementation(): APIInterface {
     return {
@@ -183,7 +185,7 @@ export default function getAPIImplementation(): APIInterface {
                     recipeId: "webauthn",
                     email,
                 },
-                factorIds: ["webauthn"],
+                factorIds: [MultiFactorAuth.FactorIds.WEBAUTHN],
                 isSignUp: true,
                 isVerified: isFakeEmail(email),
                 signInVerifiesLoginMethod: false,
@@ -366,7 +368,7 @@ export default function getAPIImplementation(): APIInterface {
                     recipeId,
                     email,
                 },
-                factorIds: [recipeId],
+                factorIds: [MultiFactorAuth.FactorIds.WEBAUTHN],
                 isSignUp: false,
                 authenticatingUser: authenticatingUser?.user,
                 isVerified,
@@ -1017,6 +1019,15 @@ export default function getAPIImplementation(): APIInterface {
                     "The credentials are incorrect. Please make sure you are using the correct credentials. (ERR_CODE_025)",
             };
 
+            const mfaInstance = MultiFactorAuthRecipe.getInstance();
+            if (mfaInstance) {
+                await MultiFactorAuth.assertAllowedToSetupFactorElseThrowInvalidClaimError(
+                    session,
+                    MultiFactorAuth.FactorIds.WEBAUTHN,
+                    userContext
+                );
+            }
+
             const generatedOptions = await options.recipeImplementation.getGeneratedOptions({
                 webauthnGeneratedOptionsId,
                 tenantId,
@@ -1058,6 +1069,13 @@ export default function getAPIImplementation(): APIInterface {
             };
         },
         removeCredentialPOST: async function ({ webauthnCredentialId, options, userContext, session }) {
+            const mfaInstance = MultiFactorAuthRecipe.getInstance();
+            if (mfaInstance) {
+                await session.assertClaims([
+                    MultiFactorAuth.MultiFactorAuthClaim.validators.hasCompletedMFARequirementsForAuth(),
+                ]);
+            }
+
             const removeCredentialResponse = await options.recipeImplementation.removeCredential({
                 webauthnCredentialId,
                 recipeUserId: session.getRecipeUserId().getAsString(),

lib/build/recipe/webauthn/api/listCredentials.js

@@ -15,9 +15,8 @@
 
 import { send200Response } from "../../../utils";
 import { APIInterface, APIOptions } from "..";
-import STError from "../error";
 import { UserContext } from "../../../types";
-import { AuthUtils } from "../../../authUtils";
+import Session from "../../session";
 
 export default async function listCredentialsAPI(
     apiImplementation: APIInterface,
@@ -29,13 +28,12 @@ export default async function listCredentialsAPI(
         return false;
     }
 
-    const session = await AuthUtils.loadSessionInAuthAPIIfNeeded(options.req, options.res, undefined, userContext);
-    if (session === undefined) {
-        throw new STError({
-            type: STError.BAD_INPUT_ERROR,
-            message: "A valid session is required to list credentials",
-        });
-    }
+    const session = await Session.getSession(
+        options.req,
+        options.res,
+        { overrideGlobalClaimValidators: () => [], sessionRequired: true },
+        userContext
+    );
 
     const result = await apiImplementation.listCredentialsGET({
         options,

lib/build/recipe/webauthn/api/registerCredential.js

@@ -16,9 +16,8 @@
 import { send200Response } from "../../../utils";
 import { validateWebauthnGeneratedOptionsIdOrThrowError, validateCredentialOrThrowError } from "./utils";
 import { APIInterface, APIOptions } from "..";
-import STError from "../error";
 import { UserContext } from "../../../types";
-import { AuthUtils } from "../../../authUtils";
+import Session from "../../session";
 
 export default async function registerCredentialAPI(
     apiImplementation: APIInterface,
@@ -30,20 +29,19 @@ export default async function registerCredentialAPI(
         return false;
     }
 
+    const session = await Session.getSession(
+        options.req,
+        options.res,
+        { overrideGlobalClaimValidators: () => [], sessionRequired: true },
+        userContext
+    );
+
     const requestBody = await options.req.getJSONBody();
     const webauthnGeneratedOptionsId = validateWebauthnGeneratedOptionsIdOrThrowError(
         requestBody.webauthnGeneratedOptionsId
     );
     const credential = validateCredentialOrThrowError(requestBody.credential);
 
-    const session = await AuthUtils.loadSessionInAuthAPIIfNeeded(options.req, options.res, undefined, userContext);
-    if (session === undefined) {
-        throw new STError({
-            type: STError.BAD_INPUT_ERROR,
-            message: "A valid session is required to register a credential",
-        });
-    }
-
     const result = await apiImplementation.registerCredentialPOST({
         credential,
         webauthnGeneratedOptionsId,

lib/build/recipe/webauthn/api/removeCredential.js

@@ -17,7 +17,7 @@ import { send200Response } from "../../../utils";
 import { APIInterface, APIOptions } from "..";
 import STError from "../error";
 import { UserContext } from "../../../types";
-import { AuthUtils } from "../../../authUtils";
+import Session from "../../session";
 
 export default async function removeCredentialAPI(
     apiImplementation: APIInterface,
@@ -29,6 +29,13 @@ export default async function removeCredentialAPI(
         return false;
     }
 
+    const session = await Session.getSession(
+        options.req,
+        options.res,
+        { overrideGlobalClaimValidators: () => [], sessionRequired: true },
+        userContext
+    );
+
     const requestBody = await options.req.getJSONBody();
     const webauthnCredentialId = requestBody.webauthnCredentialId;
     if (webauthnCredentialId === undefined) {
@@ -38,14 +45,6 @@ export default async function removeCredentialAPI(
         });
     }
 
-    const session = await AuthUtils.loadSessionInAuthAPIIfNeeded(options.req, options.res, undefined, userContext);
-    if (session === undefined) {
-        throw new STError({
-            type: STError.BAD_INPUT_ERROR,
-            message: "A valid session is required to remove a credential",
-        });
-    }
-
     const result = await apiImplementation.removeCredentialPOST({
         webauthnCredentialId,
         options,