fix(DEV-1366): Keep passkey challenge on failed verification for retry

NicoKaempf · NicoKaempf · commit 34226e332042 · 2026-01-26T16:14:09.000+01:00
diff --git a/src/core/modules/better-auth/core-better-auth-api.middleware.ts b/src/core/modules/better-auth/core-better-auth-api.middleware.ts
@@ -1,4 +1,4 @@
-import { Injectable, Logger, NestMiddleware, Optional } from '@nestjs/common';
+import { Injectable, NestMiddleware, Optional } from '@nestjs/common';
 import { NextFunction, Request, Response } from 'express';
 
 import { isProduction } from '../../common/helpers/logging.helper';
@@ -244,9 +244,12 @@ export class CoreBetterAuthApiMiddleware implements NestMiddleware {
         }
       }
 
-      // Clean up the used challenge mapping after verification (success or failure)
-      if (challengeIdToDelete && this.challengeService) {
+      // Clean up the used challenge mapping only after SUCCESSFUL verification
+      // On failure, keep the challenge so the user can retry with a different passkey
+      if (challengeIdToDelete && this.challengeService && response.ok) {
         await this.challengeService.deleteChallengeMapping(challengeIdToDelete);
+      } else if (challengeIdToDelete && !response.ok) {
+        this.logger.debug(`Keeping challenge mapping after failed verification (status=${response.status}) for retry`);
       }
 
       // Convert Web Standard Response to Express response using shared helper

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import { Injectable, Logger, NestMiddleware, Optional } from '@nestjs/common';`
	`1`	`+import { Injectable, NestMiddleware, Optional } from '@nestjs/common';`
`2`	`2`	`import { NextFunction, Request, Response } from 'express';`
`3`	`3`
`4`	`4`	`import { isProduction } from '../../common/helpers/logging.helper';`
`@@ -244,9 +244,12 @@ export class CoreBetterAuthApiMiddleware implements NestMiddleware {`
`244`	`244`	`}`
`245`	`245`	`}`
`246`	`246`
`247`		`- // Clean up the used challenge mapping after verification (success or failure)`
`248`		`- if (challengeIdToDelete && this.challengeService) {`
	`247`	`+ // Clean up the used challenge mapping only after SUCCESSFUL verification`
	`248`	`+ // On failure, keep the challenge so the user can retry with a different passkey`
	`249`	`+ if (challengeIdToDelete && this.challengeService && response.ok) {`
`249`	`250`	`await this.challengeService.deleteChallengeMapping(challengeIdToDelete);`
	`251`	`+ } else if (challengeIdToDelete && !response.ok) {`
	`252`	+ this.logger.debug(`Keeping challenge mapping after failed verification (status=${response.status}) for retry`);
`250`	`253`	`}`
`251`	`254`
`252`	`255`	`// Convert Web Standard Response to Express response using shared helper`