fix(auth): handle 2FA prompts on .unauthorized instead of .badRequest

rayanwaked · rayanwaked · commit ff4234921197 · 2025-08-14T11:02:00.000-07:00
Updated authentication flow to detect two-factor authentication
requirements from .unauthorized responses. Previously, only .badRequest
was checked for `AuthFactorTokenRequired`, which caused 2FA to fail when
servers returned 401 instead of 400. Now both cases are supported.
diff --git a/Sources/ATProtoKit/APIReference/SessionManager/SessionConfiguration.swift b/Sources/ATProtoKit/APIReference/SessionManager/SessionConfiguration.swift
@@ -269,24 +269,41 @@ extension SessionConfiguration {
                 )
             } catch let error as ATAPIError {
                 switch error {
-                    case .badRequest(error: let responseError):
-                        if responseError.error == "AuthFactorTokenRequired" {
-                            twoFactorAuthenticationAttempts += 1
-                            if twoFactorAuthenticationAttempts > maxTwoFactorAuthenticationAttempts {
-                                throw ATAPIError.badRequest(error: APIClientService.ATHTTPResponseError(
-                                    error: "TooManyTwoFactorAuthenticationAttempts",
-                                    message: "Too many invalid two-factor authentication codes. Please try again later."
-                                ))
-                            }
-
-                            // Ask the user for a new code, then continue the loop.
-                            userCode = await waitForUserCode()
-                            continue
-                        } else {
-                            throw error
+                case .badRequest(error: let responseError):
+                    if responseError.error == "AuthFactorTokenRequired" {
+                        twoFactorAuthenticationAttempts += 1
+                        if twoFactorAuthenticationAttempts > maxTwoFactorAuthenticationAttempts {
+                            throw ATAPIError.badRequest(error: APIClientService.ATHTTPResponseError(
+                                error: "TooManyTwoFactorAuthenticationAttempts",
+                                message: "Too many invalid two-factor authentication codes. Please try again later."
+                            ))
                         }
-                    default:
+                        
+                        // Ask the user for a new code, then continue the loop.
+                        userCode = await waitForUserCode()
+                        continue
+                    } else {
                         throw error
+                    }
+                case .unauthorized(error: let responseError, wwwAuthenticate: _):
+                    // Handle 2FA requirement that comes as unauthorized instead of badRequest
+                    if responseError.error == "AuthFactorTokenRequired" {
+                        twoFactorAuthenticationAttempts += 1
+                        if twoFactorAuthenticationAttempts > maxTwoFactorAuthenticationAttempts {
+                            throw ATAPIError.badRequest(error: APIClientService.ATHTTPResponseError(
+                                error: "TooManyTwoFactorAuthenticationAttempts",
+                                message: "Too many invalid two-factor authentication codes. Please try again later."
+                            ))
+                        }
+                        
+                        // Ask the user for a new code, then continue the loop.
+                        userCode = await waitForUserCode()
+                        continue
+                    } else {
+                        throw error
+                    }
+                default:
+                    throw error
                 }
             } catch {
                 throw error
