fix: include user_id in JWT and validate user in passkey response

yaroslav8765 · yaroslav8765 · commit 6e0cd604fa4f · 2025-10-06T16:41:25.000+03:00
diff --git a/index.ts b/index.ts
@@ -455,7 +455,7 @@ export default class TwoFactorsAuthPlugin extends AdminForthPlugin {
             userVerification: this.options.passkeys?.settings.authenticatorSelection.userVerification || "required"
           },
         });
-        const value = this.adminforth.auth.issueJWT({ "challenge": options.challenge }, 'tempPasskeyChallenge', '10m');
+        const value = this.adminforth.auth.issueJWT({ "challenge": options.challenge, "user_id": adminUser.pk }, 'tempPasskeyChallenge', '10m');
         this.adminforth.auth.setCustomCookie({response, payload: {name: "registerPasskeyTemporaryJWT", value: value, expiry: undefined, expirySeconds: 10 * 60, httpOnly: true}});
         return { ok: true, data: options };
       }
@@ -473,6 +473,9 @@ export default class TwoFactorsAuthPlugin extends AdminForthPlugin {
         if (!decodedPasskeysCookies) {
           return { error: 'Invalid passkey token' };
         }
+        if (decodedPasskeysCookies.user_id !== adminUser.pk) {
+          return { error: 'Invalid user' };
+        }
         const settingsOrigin = this.options.passkeys?.settings.expectedOrigin;
         const expectedOrigin = body.origin;
         const expectedChallenge = decodedPasskeysCookies.challenge;
