fix: delete webauthn session after login to prevent replay attacks

2025-12-06 05:12:57 +03:00 · 2025-08-20 15:49:09 +02:00
parent f5b5b1bd85
commit fe003b927c
1 changed files with 6 additions and 4 deletions
--- a/backend/internal/service/webauthn_service.go
+++ b/backend/internal/service/webauthn_service.go
@@ -221,13 +221,15 @@ func (s *WebAuthnService) VerifyLogin(ctx context.Context, sessionID string, cre
 		tx.Rollback()
 	}()

+	// Load & delete the session row
 	var storedSession model.WebauthnSession
 	err := tx.
 		WithContext(ctx).
-		First(&storedSession, "id = ?", sessionID).
+		Clauses(clause.Returning{}).
+		Delete(&storedSession, "id = ?", sessionID).
 		Error
 	if err != nil {
-		return model.User{}, "", err
+		return model.User{}, "", fmt.Errorf("failed to load WebAuthn session: %w", err)
 	}

 	session := webauthn.SessionData{
@@ -261,13 +263,13 @@ func (s *WebAuthnService) VerifyLogin(ctx context.Context, sessionID string, cre
 		return model.User{}, "", err
 	}

-	s.auditLogService.CreateNewSignInWithEmail(ctx, ipAddress, userAgent, user.ID, tx)
-
 	err = tx.Commit().Error
 	if err != nil {
 		return model.User{}, "", err
 	}

+	s.auditLogService.CreateNewSignInWithEmail(ctx, ipAddress, userAgent, user.ID, tx)
+
 	return *user, token, nil
 }