fix(security): enforce globally-unique WebAuthn credential_id
The webauthn_credentials primary key is (user_id, credential_id), which does not stop the same credential_id from existing under two users. Usernameless authentication looks up the credential by id alone, so a duplicate could resolve to the wrong account. Add a unique index on credential_id (migration 003); duplicate registration now raises DuplicateError. Refs: porchlight-as2 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
0f04a7daf9
commit
f03d509eb4
3 changed files with 25 additions and 2 deletions
|
|
@ -0,0 +1,5 @@
|
|||
-- A WebAuthn credential_id must be globally unique: lookups by credential_id
|
||||
-- alone (during usernameless authentication) must never resolve to the wrong
|
||||
-- user. The table PK is (user_id, credential_id), which does not prevent the
|
||||
-- same credential_id under two users, so add an explicit unique index.
|
||||
CREATE UNIQUE INDEX ix_webauthn_credential_id ON webauthn_credentials (credential_id);
|
||||
Loading…
Add table
Add a link
Reference in a new issue