fix: Fix passkey mfa sign in flow

Author: bcbogdan

lib/ts/recipe/webauthn/components/features/mfa/index.tsx

@@ -73,6 +73,7 @@ export const useFeatureReducer = (): [WebAuthnMFAState, React.Dispatch<WebAuthnM
             error: undefined,
             deviceSupported: false,
             canRegisterPasskey: false,
+            hasRegisteredPassKey: false,
             loaded: false,
             showBackButton: true,
             email: undefined,
@@ -242,7 +243,8 @@ export const MFAFeature: React.FC<
         <ComponentOverrideContext.Provider value={recipeComponentOverrides}>
             <FeatureWrapper
                 useShadowDom={SuperTokens.getInstanceOrThrow().useShadowDom}
-                defaultStore={defaultTranslationsWebauthn}>
+                defaultStore={defaultTranslationsWebauthn}
+            >
                 <MFAFeatureInner {...props} />
             </FeatureWrapper>
         </ComponentOverrideContext.Provider>
@@ -348,12 +350,6 @@ function useOnLoad(
                 }
             }
 
-            const alreadySetup = mfaInfo.factors.alreadySetup.includes(FactorIds.WEBAUTHN);
-            if (alreadySetup) {
-                dispatch({ type: "setError", accessDenied: true, error: "SOMETHING_WENT_WRONG_ERROR_RELOAD" });
-                return;
-            }
-
             // If the next array only has a single option, it means the we were redirected here
             // automatically during the sign in process. In that case, anywhere the back button
             // could go would redirect back here, making it useless.
@@ -365,21 +361,23 @@ function useOnLoad(
             const mfaInfoEmails = mfaInfo.emails[FactorIds.WEBAUTHN];
             const email = mfaInfoEmails ? mfaInfoEmails[0] : undefined;
 
-            const canRegisterPasskey = !mfaInfo.factors.alreadySetup.includes(FactorIds.WEBAUTHN);
+            const canRegisterPasskey = mfaInfo.factors.allowedToSetup.includes(FactorIds.WEBAUTHN);
+            const hasRegisteredPassKey = mfaInfo.factors.alreadySetup.includes(FactorIds.WEBAUTHN);
             const browserSupportsWebauthnResponse = await props.recipe.webJSRecipe.doesBrowserSupportWebAuthn({
                 userContext: userContext,
             });
-            const browserSupportsWebauthn =
+            const deviceSupported =
                 browserSupportsWebauthnResponse.status === "OK" &&
                 browserSupportsWebauthnResponse?.browserSupportsWebauthn;
 
             dispatch({
                 type: "load",
                 canRegisterPasskey,
+                hasRegisteredPassKey,
                 error,
                 showBackButton,
                 email,
-                deviceSupported: browserSupportsWebauthn,
+                deviceSupported,
             });
         },
         [dispatch, recipeImplementation, props.recipe, userContext]

lib/ts/recipe/webauthn/components/themes/mfa/index.tsx

@@ -38,21 +38,15 @@ export default MFAThemeWrapper;
 
 export function MFATheme(props: WebAuthnMFAProps): JSX.Element {
     const { onBackButtonClicked, onSignIn } = props;
-    const [activeScreen, setActiveScreen] = React.useState<MFAScreens>(MFAScreens.SignIn);
+    const [activeScreen, setActiveScreen] = React.useState<MFAScreens>(() => {
+        if (!props.featureState.hasRegisteredPassKey) {
+            return props.featureState.email ? MFAScreens.SignUpConfirmation : MFAScreens.SignUp;
+        }
+        return MFAScreens.SignIn;
+    });
     const [signUpEmail, setSignUpEmail] = React.useState<string>("");
     const t = useTranslation();
 
-    const onRegisterPasskeyClick = React.useCallback(() => {
-        if (!props.featureState.canRegisterPasskey) {
-            return;
-        }
-        if (props.featureState.email) {
-            setActiveScreen(MFAScreens.SignUpConfirmation);
-        } else {
-            setActiveScreen(MFAScreens.SignUp);
-        }
-    }, [props.featureState.email, props.featureState.canRegisterPasskey]);
-
     const onSignUpContinue = React.useCallback(
         (email: string) => {
             if (!props.featureState.canRegisterPasskey) {
@@ -64,6 +58,17 @@ export function MFATheme(props: WebAuthnMFAProps): JSX.Element {
         [props.featureState.canRegisterPasskey]
     );
 
+    const onRegisterPasskeyClick = React.useCallback(() => {
+        if (!props.featureState.canRegisterPasskey) {
+            return;
+        }
+        if (props.featureState.email) {
+            setActiveScreen(MFAScreens.SignUpConfirmation);
+        } else {
+            setActiveScreen(MFAScreens.SignUp);
+        }
+    }, [props.featureState.email, props.featureState.canRegisterPasskey]);
+
     const clearError = React.useCallback(() => {
         props.dispatch({ type: "setError", error: undefined });
     }, [props]);
@@ -75,25 +80,32 @@ export function MFATheme(props: WebAuthnMFAProps): JSX.Element {
         [props]
     );
 
-    const onClickSignUpBackButton = React.useCallback(() => {
-        if (!props.featureState.canRegisterPasskey) {
+    const onClickSignUpConfirmationBackButton = React.useCallback(() => {
+        if (!props.featureState.email) {
+            setActiveScreen(MFAScreens.SignUp);
             return;
         }
-        setActiveScreen(MFAScreens.SignIn);
-    }, [props.featureState.canRegisterPasskey]);
 
-    const onClickSignUpConfirmationBackButton = React.useCallback(() => {
-        if (props.featureState.email) {
-            setActiveScreen(MFAScreens.SignIn);
-        } else {
-            setActiveScreen(MFAScreens.SignUp);
+        if (!props.featureState.hasRegisteredPassKey) {
+            onBackButtonClicked();
+            return;
         }
+
+        setActiveScreen(MFAScreens.SignIn);
     }, [props.featureState.email]);
 
     const onFetchError = React.useCallback(() => {
         onError("SOMETHING_WENT_WRONG_ERROR");
     }, [onError]);
 
+    const onClickSignUpBackButton = React.useCallback(() => {
+        if (!props.featureState.hasRegisteredPassKey) {
+            onBackButtonClicked();
+            return;
+        }
+        setActiveScreen(MFAScreens.SignIn);
+    }, [props.featureState.hasRegisteredPassKey, onBackButtonClicked()]);
+
     if (!props.featureState.loaded) {
         return <WebauthnMFALoadingScreen />;
     }
@@ -116,8 +128,8 @@ export function MFATheme(props: WebAuthnMFAProps): JSX.Element {
                         canRegisterPasskey={props.featureState.canRegisterPasskey}
                         onSignIn={onSignIn}
                         error={props.featureState.error}
-                        onRegisterPasskeyClick={onRegisterPasskeyClick}
                         deviceSupported={props.featureState.deviceSupported}
+                        onRegisterPasskeyClick={onRegisterPasskeyClick}
                     />
                 ) : activeScreen === MFAScreens.SignUp ? (
                     <WebauthnMFASignUp

lib/ts/recipe/webauthn/components/themes/mfa/signIn.tsx

@@ -12,10 +12,10 @@ import { PasskeyNotSupportedError } from "../error/passkeyNotSupportedError";
 export type MFASignInProps = {
     onBackButtonClicked?: () => void;
     onSignIn: () => Promise<void>;
-    onRegisterPasskeyClick: () => void;
-    canRegisterPasskey: boolean;
     error: string | undefined;
     deviceSupported: boolean;
+    canRegisterPasskey: boolean;
+    onRegisterPasskeyClick: () => void;
 };
 
 export const WebauthnMFASignIn = withOverride(
@@ -64,7 +64,7 @@ export const WebauthnMFASignIn = withOverride(
                         </div>
                         <div data-supertokens="headerSubtitle secondaryText">
                             <span data-supertokens="link" onClick={props.onRegisterPasskeyClick}>
-                                {t("WEBAUTHN_MFA_REGISTER_PASSKEY_LINK")}
+                                {t("WEBAUTHN_MFA_REGISTER_PASSKEY_TITLE")}
                             </span>
                             {t("WEBAUTHN_MFA_REGISTER_PASSKEY_SUBTITLE")}
                         </div>

lib/ts/recipe/webauthn/components/themes/mfa/signUp.tsx

@@ -37,7 +37,7 @@ export const WebauthnMFASignUp = withOverride(
             <Fragment>
                 <div data-supertokens="headerTitle withBackButton webauthn-mfa">
                     <BackButton onClick={props.onBackButtonClicked} />
-                    {t("WEBAUTHN_MFA_REGISTER_PASSKEY_LINK")}
+                    {t("WEBAUTHN_MFA_REGISTER_PASSKEY_TITLE")}
                     <span data-supertokens="backButtonPlaceholder backButtonCommon">
                         {/* empty span for spacing the back button */}
                     </span>

lib/ts/recipe/webauthn/components/themes/mfa/signUpConfirmation.tsx

@@ -31,7 +31,7 @@ export const WebauthnMFASignUpConfirmation = withOverride(
             <Fragment>
                 <div data-supertokens="headerTitle withBackButton webauthn-mfa">
                     <BackButton onClick={props.onBackButtonClicked} />
-                    {t("WEBAUTHN_MFA_REGISTER_PASSKEY_LINK")}
+                    {t("WEBAUTHN_MFA_REGISTER_PASSKEY_TITLE")}
                     <span data-supertokens="backButtonPlaceholder backButtonCommon">
                         {/* empty span for spacing the back button */}
                     </span>

lib/ts/recipe/webauthn/components/themes/translations.ts

@@ -58,6 +58,6 @@ export const defaultTranslationsWebauthn = {
             "To finish signing in, click the button and follow the browser instructions.",
         WEBAUTHN_MFA_DIVIDER: "or",
         WEBAUTHN_MFA_REGISTER_PASSKEY_SUBTITLE: "Set up a new authentication method to use for future logins.",
-        WEBAUTHN_MFA_REGISTER_PASSKEY_LINK: "Register a passkey",
+        WEBAUTHN_MFA_REGISTER_PASSKEY_TITLE: "Register a passkey",
     },
 };

lib/ts/recipe/webauthn/types.ts

@@ -275,6 +275,7 @@ export type WebAuthnMFAAction =
           email: string | undefined;
           showBackButton: boolean;
           canRegisterPasskey: boolean;
+          hasRegisteredPassKey: boolean;
       };
 
 type WebAuthnMFAInitialState = {
@@ -284,6 +285,7 @@ type WebAuthnMFAInitialState = {
     deviceSupported: boolean;
     showBackButton: boolean;
     canRegisterPasskey: false;
+    hasRegisteredPassKey: false;
     email: undefined;
 };
 
@@ -294,6 +296,7 @@ type WebAuthnMFALoadedState = {
     deviceSupported: boolean;
     showBackButton: boolean;
     canRegisterPasskey: boolean;
+    hasRegisteredPassKey: boolean;
     email: string | undefined;
 };
 

test/end-to-end/mfa.factorscreen.webauthn.test.js

@@ -31,10 +31,14 @@ import {
     setupBrowser,
     getGeneralError,
     backendHook,
+    setInputValues,
+    submitForm,
 } from "../helpers";
 import { MFA_INFO_API, SOMETHING_WENT_WRONG_ERROR, TEST_CLIENT_BASE_URL } from "../constants";
+import { getTestPhoneNumber } from "../exampleTestHelpers";
 import {
     tryEmailPasswordSignUp,
+    tryPasswordlessSignInUp,
     waitForDashboard,
     tryEmailPasswordSignIn,
     chooseFactor,
@@ -441,5 +445,65 @@ describe("SuperTokens SignIn w/ MFA", function () {
                 });
             });
         });
+
+        it("should show the sign up confirmation screen if the user does not have a registered passkey", async () => {
+            await setupST({
+                ...appConfig,
+                mfaInfo: {
+                    requirements: [factorId],
+                    alreadySetup: [],
+                    allowedToSetup: [factorId],
+                },
+            });
+
+            await tryEmailPasswordSignIn(page, email);
+            await page.goto(`${TEST_CLIENT_BASE_URL}/auth/mfa/${factorId}`);
+            await page.waitForNavigation({ waitUntil: "networkidle0" });
+
+            await waitForSTElement(page, "[data-supertokens~=passkeyConfirmationContainer]");
+
+            const backButton = await waitForSTElement(page, "[data-supertokens~=backButton]");
+            backButton.click();
+            await waitForSTElement(page, "[data-supertokens~=factorChooserList]");
+        });
+
+        // it("should show the sign up screen if the user doesn not have a registered passkey and no linked email", async () => {
+        //     await setupST({
+        //         ...appConfig,
+        //         mfaInfo: {
+        //             requirements: [factorId],
+        //             alreadySetup: [],
+        //             allowedToSetup: [factorId],
+        //         },
+        //     });
+        //
+        //     const phoneNumber = getTestPhoneNumber();
+        //     await tryPasswordlessSignInUp(page, phoneNumber, undefined, true);
+        //
+        //     await page.goto(`${TEST_CLIENT_BASE_URL}/auth/mfa/${factorId}`);
+        //     await page.waitForNavigation({ waitUntil: "networkidle0" });
+        //
+        //     await waitForSTElement(page, "[data-supertokens~=signUpFormInnerContainer]");
+        // });
+
+        it("should show the sign in screen alongside the passkey registration button if the user is allowed to setup more passkeys", async () => {
+            await setupST({
+                ...appConfig,
+                mfaInfo: {
+                    requirements: [factorId],
+                    alreadySetup: [factorId],
+                    allowedToSetup: [factorId],
+                },
+            });
+
+            await tryEmailPasswordSignIn(page, email);
+
+            await page.goto(`${TEST_CLIENT_BASE_URL}/auth/mfa/${factorId}`);
+            await page.waitForNavigation({ waitUntil: "networkidle0" });
+
+            await waitForSTElement(page, "[data-supertokens~=button]");
+            await waitForSTElement(page, "[data-supertokens~=passkeyMfaSignInDivider]");
+            await waitForSTElement(page, "[data-supertokens~=link]");
+        });
     });
 });