Commit Graph

2 Commits

Author SHA1 Message Date
null d0ab375f9a refactor(auth): throw-pattern for auth.cts (login, TOTP, WebAuthn flows)
Standards-unification batch 4a. Login, TOTP challenge/setup/enable/disable,
change-password, and all five WebAuthn handlers converted: inline
standardizeError bodies -> ApiError factory throws; try/catch-500 wrappers
removed (Express 5 forwards async rejections; terminal handler logs + masks).
Audit logging on failure paths unchanged. AUTH_ERROR/FORBIDDEN codes and
field hints preserved (change-password current_password 401, TOTP code 401).

Server suite 252/252.

Co-Authored-By: Claude Fable 5 <[email protected]>
2026-07-10 17:06:08 -05:00
null 3c82c30f3c fix(auth): handle requires_webauthn in POST /login — was a 500 self-lockout
authService.login returns a requires_webauthn payload for webauthn-enabled
users, but the login route only handled requires_totp and fell through to
result.user.id (undefined) -> TypeError -> 500 on every attempt. Any user who
enabled WebAuthn via the API (reachable today) was permanently locked out.

- routes/auth.cts: return the two-step requires_webauthn payload (mirrors TOTP)
- services/authService.cts: stale-flag guard — webauthn_enabled with no usable
  credentials falls through to password login instead of hard-failing
- tests/authLoginWebauthnRoute.test.js: pins both paths + wrong-password 401

(QA-B1-01, lockout part)

Co-Authored-By: Claude Fable 5 <[email protected]>
2026-07-10 16:29:08 -05:00