Skip to content

fix: WebAuthn credential listing/removal not working for non-primary WebAuthn users and multiple linked WebAuthn users #1024

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Jul 30, 2025
Merged

fix: WebAuthn credential listing/removal not working for non-primary WebAuthn users and multiple linked WebAuthn users #1024

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
6067b8d
fix: improve WebAuthn credential listing for multiple users
niftyvictor Jul 30, 2025
e563703
Merge branch '23.0' into fix/fix-credential-listing-multiple-users
niftyvictor Jul 30, 2025
1092f82
fix: add recipeUserId check and correcttly remove a credential when w…
niftyvictor Jul 30, 2025
90f2b84
chore: changelog update
niftyvictor Jul 30, 2025
7d36832
Merge remote-tracking branch 'origin/23.0' into fix/fix-credential-li…
porcellus Jul 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

- Updated FDI support to 4.2
- Added `recipeUserId` in the WebAuthn list credentials response
- Fix WebAuthn credential listing and removal to work even when the WebAuthn user is not the primary user and when there are multiple WebAuthn users linked
- Prevent removal of WebAuthn credentials unless all session claims are satisfied
- Change how sessions are fetched before listing, removing and adding WebAuthn credentials

Expand Down Expand Up @@ -987,7 +988,7 @@ Session.init({
input.userId,
input.recipeUserId,
input.tenantId,
input.userContext,
input.userContext
)),
};

Expand Down Expand Up @@ -1015,7 +1016,7 @@ Session.init({
input.recipeUserId,
input.tenantId,
input.accessTokenPayload,
input.userContext,
input.userContext
)),
};

Expand Down
54 changes: 48 additions & 6 deletions lib/build/recipe/webauthn/api/implementation.js
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

53 changes: 47 additions & 6 deletions lib/ts/recipe/webauthn/api/implementation.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -986,14 +986,36 @@ export default function getAPIImplementation(): APIInterface {
},

listCredentialsGET: async function ({ options, userContext, session }) {
const credentials = await options.recipeImplementation.listCredentials({
recipeUserId: session.getRecipeUserId().getAsString(),
userContext,
});
const existingUser = await getUser(session.getUserId(), userContext);
if (!existingUser) {
return {
status: "GENERAL_ERROR",
message: "User not found",
};
}

const recipeUserIds = existingUser.loginMethods
.filter((lm) => lm.recipeId === "webauthn")
?.map((lm) => lm.recipeUserId);

const credentials: {
webauthnCredentialId: string;
relyingPartyId: string;
createdAt: number;
recipeUserId: string;
}[] = [];
for (const recipeUserId of recipeUserIds) {
const listCredentialsResponse = await options.recipeImplementation.listCredentials({
recipeUserId: recipeUserId.getAsString(),
userContext,
});

credentials.push(...listCredentialsResponse.credentials);
}

return {
status: "OK",
credentials: credentials.credentials.map((credential) => ({
credentials: credentials.map((credential) => ({
recipeUserId: credential.recipeUserId,
webauthnCredentialId: credential.webauthnCredentialId,
relyingPartyId: credential.relyingPartyId,
Expand Down Expand Up @@ -1076,9 +1098,28 @@ export default function getAPIImplementation(): APIInterface {
]);
}

const user = await getUser(session.getUserId(), userContext);
if (!user) {
return {
status: "GENERAL_ERROR",
message: "User not found",
};
}

const recipeUserId = user.loginMethods.find(
(lm) => lm.recipeId === "webauthn" && lm.webauthn?.credentialIds.includes(webauthnCredentialId)
)?.recipeUserId;

if (!recipeUserId) {
return {
status: "GENERAL_ERROR",
message: "User not found",
};
}

const removeCredentialResponse = await options.recipeImplementation.removeCredential({
webauthnCredentialId,
recipeUserId: session.getRecipeUserId().getAsString(),
recipeUserId: recipeUserId.getAsString(),
userContext,
});
if (removeCredentialResponse.status !== "OK") {
Expand Down
Loading