Merge pull request #40 from Authress/error-on-invalid-authenticatio-request

Prevent silent error with changing the connectionId while user is sti…
wparad authored Mar 28, 2024
2 parents f1bca54 + 2052203 commit 0e83748
Showing 2 changed files with 16 additions and 0 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -1,6 +1,9 @@
# Change log
This is the changelog for [Authress Login](readme.md).

## 2.4 ##
* Prevent silent returns from `authenticate` when a different connectionId is used to have the user log in.

## 2.3 ##
* Add MFA device methods.
* Improve http error handling when there is an issue authenticating.
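Review bot: the 2.4 entry understates a behaviour change that callers will hit: `authenticate()` used to return `true` for an already-logged-in user whatever connectionId was passed, and after this change it throws an Error whose `code` is `AuthenticationConstraintContention` when the connectionId differs from the session's `azp`. Code that relied on the silent return now needs to catch that code, so the entry should name it and point at the alternatives the error text itself recommends (`force`, `linkIdentity()`, or checking `userSessionExists()` first). The wording "when a different connectionId is used to have the user log in" also reads awkwardly; "when the connectionId passed does not match the one in the existing session" says what is actually compared.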
13 changes: 13 additions & 0 deletions src/index.js
@@ -585,6 +585,19 @@ class LoginClient {
}

if (!force && !multiAccount && await this.userSessionExists()) {
const existingJwtTokenString = await this.ensureToken();
const jwtPayload = jwtManager.decode(existingJwtTokenString);
if (connectionId && jwtPayload && jwtPayload.azp && connectionId !== jwtPayload.azp) {
this.logger && this.logger.log && this.logger.log({ title: 'Authentication blocked because the user is already logged in, and the requested authentication parameters do not match the original session.', requestedAuthenticationOptions: options, currentAuthenticationSessionData: jwtPayload });
const e = Error(`Authentication requested for user that is already logged in, but the connectionId specified does not match their existing session.
Recommended Options:
(1) If the goal is to force them to log in with this new connection and ignore their existing session, use the "force" flag.
(2) If the goal is link their current identity with a new from the new connection, use the linkIdentity() method.
(3) If the goal is skip log in if they are already logged in or force log in with the connectionId, first check if userSessionExists() and then only if "false", call authenticate().`);
e.code = 'AuthenticationConstraintContention';
throw e;
}

return true;
}

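Review bot: the new guard only fires when the existing token carries an `azp` claim; if `jwtPayload.azp` is absent the `if` condition is false and the method still falls through to `return true` even though a different connectionId was requested, which is exactly the silent return the changelog says is now prevented. Either treat a missing `azp` as a mismatch (or at least log it) or document that sessions whose token lacks the claim are not checked. Two smaller points on the same hunk: the log call writes the whole decoded token (`currentAuthenticationSessionData: jwtPayload`) and the caller's `options` object to the application logger, so every claim the token carries ends up in log storage; logging only `connectionId` and `jwtPayload.azp` gives the same diagnostic value without that exposure. And the error text has typos ("If the goal is link their current identity with a new from the new connection", "If the goal is skip log in") and uses `Error(...)` without `new`, which works but is inconsistent with the usual `new Error(...)`.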

0 comments on commit 0e83748
