From 1f435154ad3e2a55892c8832b51a192b6439c7a9 Mon Sep 17 00:00:00 2001
From: Victor Bojica
Date: Thu, 16 Oct 2025 14:59:59 +0300
Subject: [PATCH] fix: use the recipe user id from the payload and not from the session when registering a new credential
---
 .../recipe/webauthn/api/implementation.js | 17 ++++++++---------
 lib/ts/recipe/webauthn/api/implementation.ts | 19 +++++++++----------
 2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/lib/build/recipe/webauthn/api/implementation.js b/lib/build/recipe/webauthn/api/implementation.js
index 4ba799504..1bd6ba525 100644
--- a/lib/build/recipe/webauthn/api/implementation.js
+++ b/lib/build/recipe/webauthn/api/implementation.js
@@ -1009,27 +1009,26 @@ function getAPIImplementation() {
 if (generatedOptions.status !== "OK") {
 return generatedOptions;
 }
- const email = generatedOptions.email;
- if (email !== loginMethod.email) {
- return {
- status: "GENERAL_ERROR",
- message: "Email mismatch",
- };
- }
 // NOTE: Following checks will likely never throw an error as the
 // check for type is done in a parent function but they are kept
 // here to be on the safe side.
- if (!email) {
+ if (!generatedOptions.email) {
 throw new Error(
 "Should never come here since we already check that the email value is a string in validateEmailAddress"
 );
 }
+ if (generatedOptions.email !== loginMethod.email) {
+ return {
+ status: "GENERAL_ERROR",
+ message: "Email mismatch",
+ };
+ }
 // we are using the email from the register options
 const registerCredentialResponse = await options.recipeImplementation.registerCredential({
 webauthnGeneratedOptionsId,
 credential,
 userContext,
- recipeUserId: session.getRecipeUserId().getAsString(),
+ recipeUserId,
 });
 if (registerCredentialResponse.status !== "OK") {
 return authUtils_1.AuthUtils.getErrorStatusResponseWithReason(
diff --git a/lib/ts/recipe/webauthn/api/implementation.ts b/lib/ts/recipe/webauthn/api/implementation.ts
index a2f88eddb..5d2405050 100644
--- a/lib/ts/recipe/webauthn/api/implementation.ts +++ b/lib/ts/recipe/webauthn/api/implementation.ts @@ -1078,29 +1078,28 @@ export default function getAPIImplementation(): APIInterface { return generatedOptions; } - const email = generatedOptions.email; - if (email !== loginMethod.email) { - return { - status: "GENERAL_ERROR", - message: "Email mismatch", - }; - } - // NOTE: Following checks will likely never throw an error as the // check for type is done in a parent function but they are kept // here to be on the safe side. - if (!email) { + if (!generatedOptions.email) { throw new Error( "Should never come here since we already check that the email value is a string in validateEmailAddress" ); } + if (generatedOptions.email !== loginMethod.email) { + return { + status: "GENERAL_ERROR", + message: "Email mismatch", + }; + } + // we are using the email from the register options const registerCredentialResponse = await options.recipeImplementation.registerCredential({ webauthnGeneratedOptionsId, credential, userContext, - recipeUserId: session.getRecipeUserId().getAsString(), + recipeUserId, }); if (registerCredentialResponse.status !== "OK") {
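Review bot: The `recipeUserId` now passed to `registerCredential` is, per the commit subject, taken from the request payload, and nothing in this hunk ties that value to the authenticated session. The only guard visible here is the email comparison against `loginMethod`. The function begins outside the hunk, so it cannot be confirmed from here that `loginMethod` was looked up among the session user's own login methods using this same `recipeUserId`. If that lookup exists, it is now the check that stops a signed-in caller from attaching a passkey to an account they do not own, so say so at the call site, e.g. `// recipeUserId is caller-supplied; it is trusted only because loginMethod above was resolved from the session user's login methods`. A regression test that submits a `recipeUserId` belonging to a different user and expects a rejection would pin this down; the same applies to the generated `lib/build` copy of this change.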