Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
TiQR token fails if user has multiple tokens #1739
If a user has multiple challenge response token (e.g. TiQR and PUSH) he gets a QR-Code to scan. After entering the PIN in the TiQR app, a message like "Challenge not valid" appears.
I haven't tested this, but I believe the culprit is this check here:
This assumes that the transaction ID is unique, i.e. for any transaction ID, there is at most one challenge with this transaction ID. But is assumption isn't true (see #1355): If we have multiple challenge response tokens, we get several challenges with the same transaction ID.
As a fix, we should check each challenge with the given transaction ID.