fix(auth): persist passkey MFA metadata under system DB context (#2210)#2211
Open
bdunncompany wants to merge 1 commit into
…ernOps#2210) The POST /auth/mfa/passkey/verify handler updated user_passkeys (counter, device_type, backed_up, last_used_at) with a bare db.update(). Passkey MFA runs before the user is authenticated, so there is no user RLS context and the update silently matched 0 rows under breeze_app (user_passkeys Shape 6: user_id = breeze_current_user_id() OR scope = 'system'). Result: 'Last used' stayed Never AND the WebAuthn signature counter never advanced, defeating clone detection. Wrap the update in withSystemDbAccessContext, mirroring the users.last_login_at update in the same handler (LanternOps#1375). Adds a real-DB regression test that drives the handler against breeze_app RLS and fails without the fix.
Fixes #2210.
Root cause
`POST /auth/mfa/passkey/verify` persists the authenticator's advanced signature counter + `last_used_at` with a bare `db.update(userPasskeys)`. Passkey MFA runs before the user is authenticated, so there is no user RLS context. `user_passkeys` is a Shape-6 (user-scoped) table — its policy allows a write only when `user_id = breeze_current_user_id()` or `scope = 'system'`. Under `breeze_app` with neither satisfied, the update silently matches 0 rows: "Last used" stays "Never" in User Profile → Passkeys. The `users.last_login_at` update ~30 lines below in the same handler already wraps itself in `withSystemDbAccessContext` for exactly this reason (#1375); the passkey update was missed.
Fix
Wrap the `user_passkeys` update in `withSystemDbAccessContext`, matching the sibling `users` update. One statement; no schema or behavior change beyond making the write actually land.
Test
Adds `passkeyMfaVerify.integration.test.ts` — drives the real handler against real Postgres (`breeze_app`, RLS enforced) + Redis, stubbing only the WebAuthn assertion verification (same pattern as `ssoPartnerLogin.integration.test.ts`). It seeds the pre-auth pending-MFA record, posts a successful verify, and asserts `last_used_at` and `counter` are persisted. Verified fail-before / pass-after: against the unfixed handler it fails with `expected null not to be null` (the exact bug); with the fix it passes.
Local gate (OrbStack, node 22.20.0, pnpm 10.33.4)
- `tsc --noEmit --project apps/api/tsconfig.json` (exact CI cmd) — clean
- `eslint` on both changed files — clean
- `silent-write-contract` + `dbContextTripwire` write-context guards — 11 pass
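As an added illustration (not LanternOps code), here is an in-memory TypeScript model of the Shape-6 policy and the pre-auth write described in this PR; the names `DbContext`, `withSystemDbAccessContext`, `updatePasskey` and `persistPasskeyVerify` are assumptions modelled on the PR text, not the project's real API. It shows the bare update matching 0 rows without a user context, the row-count check that turns that silent miss into a loud failure, and the counter comparison that a never-advancing stored counter defeats.

```typescript
// Constructed model of the user_passkeys RLS behaviour; names are assumptions, not project API.
type PasskeyRow = { id: string; userId: string; scope: 'user' | 'system'; counter: number; lastUsedAt: string | null };
type DbContext = { currentUserId: string | null; system: boolean };

// Shape-6 policy: user_id = breeze_current_user_id() OR scope = 'system'.
// A system access context bypasses the policy, which is what the fixed handler relies on.
function rowVisible(row: PasskeyRow, ctx: DbContext): boolean {
  return ctx.system || row.scope === 'system' ||
    (ctx.currentUserId !== null && row.userId === ctx.currentUserId);
}

// Models "UPDATE user_passkeys SET counter = ?, last_used_at = ? WHERE id = ?" and returns the
// number of rows the policy let it touch (0 is a silent no-op, exactly the reported bug).
function updatePasskey(table: PasskeyRow[], ctx: DbContext, id: string, counter: number, usedAt: string): number {
  let matched = 0;
  for (const row of table) {
    if (row.id === id && rowVisible(row, ctx)) {
      row.counter = counter;
      row.lastUsedAt = usedAt;
      matched++;
    }
  }
  return matched;
}

// Hypothetical stand-in for the project's withSystemDbAccessContext: runs fn with a system context.
function withSystemDbAccessContext<T>(fn: (ctx: DbContext) => T): T {
  return fn({ currentUserId: null, system: true });
}

// WebAuthn clone detection: the asserted counter must strictly exceed the stored one.
// Authenticators without a counter report 0 on every assertion, so 0 -> 0 is accepted.
function counterAdvanced(stored: number, asserted: number): boolean {
  return asserted > stored || (stored === 0 && asserted === 0);
}

// The pre-auth write done under the system context, refusing to succeed silently.
function persistPasskeyVerify(table: PasskeyRow[], id: string, asserted: number, usedAt: string): number {
  const matched = withSystemDbAccessContext(ctx => updatePasskey(table, ctx, id, asserted, usedAt));
  if (matched !== 1) throw new Error(`passkey update matched ${matched} rows; expected 1`);
  return matched;
}
```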