Merge pull request #1025 from supertokens/fix/webauthn-credential-register-missing-field

fix: Add required recipeUserId field in registerCredential API

Author: porcellus

CHANGELOG.md

@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 -   Updated FDI support to 4.2
 -   Added `recipeUserId` in the WebAuthn list credentials response
+-   Added `recipeUserId` as required field for registering new WebAuthn credentials endpoint
 -   Fix WebAuthn credential listing and removal to work even when the WebAuthn user is not the primary user and when there are multiple WebAuthn users linked
 -   Prevent removal of WebAuthn credentials unless all session claims are satisfied
 -   Change how sessions are fetched before listing, removing and adding WebAuthn credentials

lib/build/recipe/webauthn/api/implementation.js

@@ -1025,6 +1025,7 @@ export default function getAPIImplementation(): APIInterface {
         },
 
         registerCredentialPOST: async function ({
+            recipeUserId,
             webauthnGeneratedOptionsId,
             credential,
             tenantId,
@@ -1050,6 +1051,24 @@ export default function getAPIImplementation(): APIInterface {
                 );
             }
 
+            const user = await getUser(session.getUserId(), userContext);
+            if (!user) {
+                return {
+                    status: "GENERAL_ERROR",
+                    message: "User not found",
+                };
+            }
+
+            const loginMethod = user.loginMethods.find(
+                (lm) => lm.recipeId === "webauthn" && lm.recipeUserId.getAsString() === recipeUserId
+            );
+            if (!loginMethod) {
+                return {
+                    status: "GENERAL_ERROR",
+                    message: "User not found",
+                };
+            }
+
             const generatedOptions = await options.recipeImplementation.getGeneratedOptions({
                 webauthnGeneratedOptionsId,
                 tenantId,
@@ -1060,6 +1079,12 @@ export default function getAPIImplementation(): APIInterface {
             }
 
             const email = generatedOptions.email;
+            if (email !== loginMethod.email) {
+                return {
+                    status: "GENERAL_ERROR",
+                    message: "Email mismatch",
+                };
+            }
 
             // NOTE: Following checks will likely never throw an error as the
             // check for type is done in a parent function but they are kept

lib/build/recipe/webauthn/api/registerCredential.js

@@ -18,6 +18,7 @@ import { validateWebauthnGeneratedOptionsIdOrThrowError, validateCredentialOrThr
 import { APIInterface, APIOptions } from "..";
 import { UserContext } from "../../../types";
 import Session from "../../session";
+import STError from "../../../error";
 
 export default async function registerCredentialAPI(
     apiImplementation: APIInterface,
@@ -42,7 +43,16 @@ export default async function registerCredentialAPI(
     );
     const credential = validateCredentialOrThrowError(requestBody.credential);
 
+    const recipeUserId = requestBody.recipeUserId;
+    if (recipeUserId === undefined) {
+        throw new STError({
+            type: STError.BAD_INPUT_ERROR,
+            message: "Please provide the recipeUserId",
+        });
+    }
+
     const result = await apiImplementation.registerCredentialPOST({
+        recipeUserId,
         credential,
         webauthnGeneratedOptionsId,
         tenantId,

lib/build/recipe/webauthn/types.d.ts

@@ -630,6 +630,7 @@ export type APIInterface = {
               session: SessionContainerInterface;
               options: APIOptions;
               userContext: UserContext;
+              recipeUserId: string;
           }) => Promise<
               | {
                     status: "OK";