lundberg/porchlight
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(security): invite links must not log in accounts with credentials

Browse source 
A registration/re-invite link auto-established a session for any existing
active user, so re-inviting a fully set-up user acted as a passwordless
login. Invite links are for account setup only.

After consuming the token, refuse to establish a session when the target
account already has a password or WebAuthn credential. Credential-less
accounts (e.g. freshly created by initial-admin) can still complete setup.
Account recovery for set-up accounts must use a separate, authenticated flow.

Refs: porchlight-a3a

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Johan Lundberg 2026-06-04 10:51:01 +02:00
parent e4eb539e3f
commit faeecaed59
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
2 changed files with 36 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

25
tests/test_auth_routes/test_register_magic_link.py
View file

@ -1,7 +1,9 @@
from argon2 import PasswordHasher
from httpx import AsyncClient
from porchlight.authn.password import PasswordService
from porchlight.invite.service import MagicLinkService
from porchlight.models import User
from porchlight.models import PasswordCredential, User
async def test_register_invalid_token_returns_error_page(client: AsyncClient) -> None:
@ -78,3 +80,24 @@ async def test_register_existing_user_logs_in_and_redirects(client: AsyncClient)
assert existing is not None
assert existing.userid == "lusab-bansen"
assert "admin" in existing.groups
async def test_register_rejects_user_that_already_has_credentials(client: AsyncClient) -> None:
"""An invite/re-invite link must not act as a passwordless login for an
account that already has credentials. Recovery is a separate flow."""
app = client._transport.app # type: ignore[union-attr]
magic_link_service = app.state.magic_link_service
user_repo = app.state.user_repo
cred_repo = app.state.credential_repo
user = User(userid="lusab-hascreds", username="hascreds", groups=["users"])
await user_repo.create(user)
svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("existing-pass")))
link = await magic_link_service.create(username="hascreds")
res = await client.get(f"/register/{link.token}", follow_redirects=False)
# No passwordless login: rejected, not redirected to setup.
assert res.status_code == 400
assert "setup=1" not in res.headers.get("location", "")