fix(security): invite links must not log in accounts with credentials

A registration/re-invite link auto-established a session for any existing active user, so re-inviting a fully set-up user acted as a passwordless login. Invite links are for account setup only. After consuming the token, refuse to establish a session when the target account already has a password or WebAuthn credential. Credential-less accounts (e.g. freshly created by initial-admin) can still complete setup. Account recovery for set-up accounts must use a separate, authenticated flow. Refs: porchlight-a3a Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 10:51:01 +02:00 · 2026-06-04 10:51:01 +02:00 · faeecaed59
commit faeecaed59
parent e4eb539e3f
2 changed files with 36 additions and 1 deletions
--- a/src/porchlight/authn/routes.py
+++ b/src/porchlight/authn/routes.py
@ -86,6 +86,18 @@ async def register_magic_link(request: Request, token: str) -> Response:
    if existing_user is not None:
        if not existing_user.active:
            return HTMLResponse("<p>This account has been deactivated.</p>", status_code=400)
+        # An invite link is for account setup, not authentication. If the
+        # account already has credentials, refuse to establish a session —
+        # otherwise a re-invite would be a passwordless login. Account
+        # recovery must go through a separate, explicitly authenticated flow.
+        cred_repo = request.app.state.credential_repo
+        has_password = await cred_repo.get_password_by_user(existing_user.userid) is not None
+        has_webauthn = bool(await cred_repo.get_webauthn_by_user(existing_user.userid))
+        if has_password or has_webauthn:
+            return HTMLResponse(
+                "<p>This account is already set up. Please sign in instead.</p>",
+                status_code=400,
+            )
        user = existing_user
    else:
        userid = await generate_unique_userid(user_repo)
--- a/tests/test_auth_routes/test_register_magic_link.py
+++ b/tests/test_auth_routes/test_register_magic_link.py
@ -1,7 +1,9 @@
+from argon2 import PasswordHasher
 from httpx import AsyncClient

+from porchlight.authn.password import PasswordService
 from porchlight.invite.service import MagicLinkService
-from porchlight.models import User
+from porchlight.models import PasswordCredential, User


 async def test_register_invalid_token_returns_error_page(client: AsyncClient) -> None:
@ -78,3 +80,24 @@ async def test_register_existing_user_logs_in_and_redirects(client: AsyncClient)
    assert existing is not None
    assert existing.userid == "lusab-bansen"
    assert "admin" in existing.groups
+
+
+async def test_register_rejects_user_that_already_has_credentials(client: AsyncClient) -> None:
+    """An invite/re-invite link must not act as a passwordless login for an
+    account that already has credentials. Recovery is a separate flow."""
+    app = client._transport.app  # type: ignore[union-attr]
+    magic_link_service = app.state.magic_link_service
+    user_repo = app.state.user_repo
+    cred_repo = app.state.credential_repo
+
+    user = User(userid="lusab-hascreds", username="hascreds", groups=["users"])
+    await user_repo.create(user)
+    svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
+    await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("existing-pass")))
+
+    link = await magic_link_service.create(username="hascreds")
+    res = await client.get(f"/register/{link.token}", follow_redirects=False)
+
+    # No passwordless login: rejected, not redirected to setup.
+    assert res.status_code == 400
+    assert "setup=1" not in res.headers.get("location", "")