fix(security): enforce globally-unique WebAuthn credential_id
The webauthn_credentials primary key is (user_id, credential_id), which does not stop the same credential_id from existing under two users. Usernameless authentication looks up the credential by id alone, so a duplicate could resolve to the wrong account. Add a unique index on credential_id (migration 003); duplicate registration now raises DuplicateError. Refs: porchlight-as2 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
0f04a7daf9
commit
f03d509eb4
3 changed files with 25 additions and 2 deletions
|
|
@ -13,7 +13,7 @@ async def test_run_migrations_applies_initial() -> None:
|
|||
async with aiosqlite.connect(":memory:") as db:
|
||||
await db.execute("PRAGMA foreign_keys=ON")
|
||||
count = await run_migrations(db, MIGRATIONS_DIR)
|
||||
assert count == 2
|
||||
assert count == 3
|
||||
async with db.execute("SELECT name FROM sqlite_master WHERE type='table' AND name='users'") as cursor:
|
||||
row = await cursor.fetchone()
|
||||
assert row is not None
|
||||
|
|
@ -24,7 +24,7 @@ async def test_run_migrations_skips_already_applied() -> None:
|
|||
await db.execute("PRAGMA foreign_keys=ON")
|
||||
first_count = await run_migrations(db, MIGRATIONS_DIR)
|
||||
second_count = await run_migrations(db, MIGRATIONS_DIR)
|
||||
assert first_count == 2
|
||||
assert first_count == 3
|
||||
assert second_count == 0
|
||||
|
||||
|
||||
|
|
|
|||