Remodel reset token handling due to browsers sometimes refusing to set the cookie when opening the link (from another site).

Fixing cascade.
2025-08-30 15:54:17 -06:00 · 2025-08-30 14:07:32 -06:00
11 changed files with 313 additions and 97 deletions
--- a/frontend/src/App.vue
+++ b/frontend/src/App.vue
@ -20,12 +20,22 @@ import ResetView from '@/components/ResetView.vue'
 const store = useAuthStore()

 onMounted(async () => {
-  // Was an error message passed in the URL?
+  // Was an error message passed in the URL hash?
  const message = location.hash.substring(1)
  if (message) {
    store.showMessage(decodeURIComponent(message), 'error')
    history.replaceState(null, '', location.pathname)
  }
+  // Capture reset token from query parameter and then remove it
+  const params = new URLSearchParams(location.search)
+  const reset = params.get('reset')
+  if (reset) {
+    store.resetToken = reset
+    // Remove query param to avoid lingering in history / clipboard
+  const targetPath = '/auth/'
+  const currentPath = location.pathname.endsWith('/') ? location.pathname : location.pathname + '/'
+  history.replaceState(null, '', currentPath.startsWith('/auth') ? '/auth/' : targetPath)
+  }
  try {
    await store.loadUserInfo()
  } catch (error) {
--- a/frontend/src/admin/AdminApp.vue
+++ b/frontend/src/admin/AdminApp.vue
@ -70,6 +70,48 @@ function availableOrgsForPermission(pid) {
  return orgs.value.filter(o => !o.permissions.includes(pid))
 }

+async function renamePermissionDisplay(p) {
+  const newName = prompt('New display name', p.display_name)
+  if (!newName || newName === p.display_name) return
+  try {
+    const body = { id: p.id, display_name: newName }
+    const res = await fetch(`/auth/admin/permission?permission_id=${encodeURIComponent(p.id)}`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body)
+    })
+    const data = await res.json()
+    if (data.detail) throw new Error(data.detail)
+  await refreshPermissionsContext()
+  } catch (e) {
+    alert(e.message || 'Failed to rename display name')
+  }
+}
+
+async function renamePermissionId(p) {
+  const newId = prompt('New permission id', p.id)
+  if (!newId || newId === p.id) return
+  try {
+    const body = { old_id: p.id, new_id: newId, display_name: p.display_name }
+    const res = await fetch('/auth/admin/permission/rename', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body)
+    })
+    let data
+    try { data = await res.json() } catch(_) { data = {} }
+    if (!res.ok || data.detail) throw new Error(data.detail || data.error || `Failed (${res.status})`)
+    await refreshPermissionsContext()
+  } catch (e) {
+    alert((e && e.message) ? e.message : 'Failed to rename permission id')
+  }
+}
+
+async function refreshPermissionsContext() {
+  // Reload both lists so All Permissions table shows new associations promptly.
+  await Promise.all([loadPermissions(), loadOrgs()])
+}
+
 async function attachPermissionToOrg(pid, orgUuid) {
  if (!orgUuid) return
  try {
@ -184,6 +226,10 @@ async function updateOrg(org) {
 }

 async function deleteOrg(org) {
+  if (!info.value?.is_global_admin) {
+    alert('Only global admins may delete organizations.')
+    return
+  }
  if (!confirm(`Delete organization ${org.display_name}?`)) return
  const res = await fetch(`/auth/admin/orgs/${org.uuid}`, { method: 'DELETE' })
  const data = await res.json()
@ -586,8 +632,8 @@ async function toggleRolePermission(role, permId, checked) {
            <div class="perm-grid-head center">Actions</div>
            <template v-for="p in [...permissions].sort((a,b)=> a.id.localeCompare(b.id))" :key="p.id">
              <div class="perm-cell perm-name" :title="p.id">
-                <span class="perm-title">{{ p.display_name }}</span>
-                <span class="perm-id muted">({{ p.id }})</span>
+                <div class="perm-title-line">{{ p.display_name }}</div>
+                <div class="perm-id-line muted">{{ p.id }}</div>
              </div>
              <div class="perm-cell perm-orgs" :title="permissionSummary[p.id]?.orgs?.map(o=>o.display_name).join(', ') || ''">
                <template v-if="permissionSummary[p.id]">
@ -626,7 +672,8 @@ async function toggleRolePermission(role, permId, checked) {
              </div>
              <div class="perm-cell perm-users center">{{ permissionSummary[p.id]?.userCount || 0 }}</div>
              <div class="perm-cell perm-actions center">
-                <button @click="updatePermission(p)" class="icon-btn" aria-label="Rename permission" title="Rename permission">✏️</button>
+                <button @click="renamePermissionDisplay(p)" class="icon-btn" aria-label="Change display name" title="Change display name">✏️</button>
+                <button @click="renamePermissionId(p)" class="icon-btn" aria-label="Change id" title="Change id">🆔</button>
                <button @click="deletePermission(p)" class="icon-btn delete-icon" aria-label="Delete permission" title="Delete permission">❌</button>
              </div>
            </template>
@ -727,8 +774,9 @@ button, .perm-actions button, .org-actions button, .role-actions button { width:
 .permission-grid .perm-grid-head { font-size: .6rem; text-transform: uppercase; letter-spacing: .05em; font-weight: 600; padding: .35rem .4rem; background: #f3f3f3; border: 1px solid #e1e1e1; }
 .permission-grid .perm-cell { background: #fff; border: 1px solid #eee; padding: .35rem .4rem; font-size: .7rem; display: flex; align-items: center; gap: .4rem; }
 .permission-grid .perm-name { flex-direction: row; flex-wrap: wrap; }
-.permission-grid .perm-title { font-weight: 600; }
-.permission-grid .perm-id { font-size: .55rem; }
+.permission-grid .perm-name { flex-direction: column; align-items: flex-start; gap:2px; }
+.permission-grid .perm-title-line { font-weight:600; line-height:1.1; }
+.permission-grid .perm-id-line { font-size:.55rem; line-height:1.1; word-break:break-all; }
 .permission-grid .center { justify-content: center; }
 .permission-grid .perm-actions { gap: .25rem; }
 .permission-grid .perm-actions .icon-btn { font-size: .9rem; }
--- a/frontend/src/components/ResetView.vue
+++ b/frontend/src/components/ResetView.vue
@ -27,12 +27,14 @@ async function register() {
  authStore.showMessage('Starting registration...', 'info')

  try {
-    const result = await passkey.register()
-    console.log("Result", result)
-    await authStore.setSessionCookie(result.session_token)
-
-    authStore.showMessage('Passkey registered successfully!', 'success', 2000)
-    authStore.loadUserInfo().then(authStore.selectView)
+  const result = await passkey.register(authStore.resetToken)
+  console.log("Result", result)
+  await authStore.setSessionCookie(result.session_token)
+  // resetToken cleared by setSessionCookie; ensure again
+  authStore.resetToken = null
+  authStore.showMessage('Passkey registered successfully!', 'success', 2000)
+  await authStore.loadUserInfo()
+  authStore.selectView()
  } catch (error) {
    authStore.showMessage(`Registration failed: ${error.message}`, 'error')
  } finally {
--- a/frontend/src/stores/auth.js
+++ b/frontend/src/stores/auth.js
@ -6,6 +6,7 @@ export const useAuthStore = defineStore('auth', {
    // Auth State
    userInfo: null, // Contains the full user info response: {user, credentials, aaguid_info, session_type, authenticated}
    isLoading: false,
+  resetToken: null, // transient reset token (never stored in cookie)

    // UI State
    currentView: 'login', // 'login', 'profile', 'device-link', 'reset'
@ -37,6 +38,9 @@ export const useAuthStore = defineStore('auth', {
      if (result.detail) {
        throw new Error(result.detail)
      }
+  // On successful session establishment, discard any reset token to avoid
+  // sending stale Authorization headers on subsequent API calls.
+  this.resetToken = null
      return result
    },
    async register() {
@ -69,9 +73,25 @@ export const useAuthStore = defineStore('auth', {
      else this.currentView = 'reset'
    },
    async loadUserInfo() {
-      const response = await fetch('/auth/user-info', {method: 'POST'})
-      const result = await response.json()
-      if (result.detail) throw new Error(`Server: ${result.detail}`)
+      const headers = {}
+      // Reset tokens are only passed via query param now, not Authorization header
+      const url = this.resetToken ? `/auth/user-info?reset=${encodeURIComponent(this.resetToken)}` : '/auth/user-info'
+      const response = await fetch(url, { method: 'POST', headers })
+      let result = null
+      try {
+        result = await response.json()
+      } catch (_) {
+        // ignore JSON parse errors (unlikely)
+      }
+      if (response.status === 401 && result?.detail) {
+        this.showMessage(result.detail, 'error', 5000)
+        throw new Error(result.detail)
+      }
+      if (result?.detail) {
+        // Other error style
+        this.showMessage(result.detail, 'error', 5000)
+        throw new Error(result.detail)
+      }
      this.userInfo = result
      console.log('User info loaded:', result)
    },
--- a/frontend/src/utils/passkey.js
+++ b/frontend/src/utils/passkey.js
@ -1,8 +1,9 @@
 import { startRegistration, startAuthentication } from '@simplewebauthn/browser'
 import aWebSocket from '@/utils/awaitable-websocket'

-export async function register() {
-  const ws = await aWebSocket("/auth/ws/register")
+export async function register(resetToken = null) {
+  const url = resetToken ? `/auth/ws/register?reset=${encodeURIComponent(resetToken)}` : "/auth/ws/register"
+  const ws = await aWebSocket(url)
  try {
    const optionsJSON = await ws.receive_json()
    const registrationResponse = await startRegistration({ optionsJSON })
--- a/frontend/vite.config.js
+++ b/frontend/vite.config.js
@ -27,7 +27,9 @@ export default defineConfig(({ command, mode }) => ({
        // and static assets so that HMR works. Bypass tells http-proxy to skip
        // proxying when we return a (possibly rewritten) local path.
        bypass(req) {
-          const url = req.url || ''
+          const rawUrl = req.url || ''
+          // Strip query/hash to match path-only for SPA entrypoints with query params (e.g. ?reset=token)
+          const url = rawUrl.split('?')[0].split('#')[0]
          // Bypass only root SPA entrypoints + static assets so Vite serves them for HMR.
          // Admin API endpoints (e.g., /auth/admin/orgs) must still hit backend.
          if (url === '/auth/' || url === '/auth') return '/'
--- a/passkey/db/init.py
+++ b/passkey/db/init.py
@ -242,6 +242,18 @@ class DatabaseInterface(ABC):
    async def delete_permission(self, permission_id: str) -> None:
        """Delete permission by ID."""

+    @abstractmethod
+    async def rename_permission(
+        self, old_id: str, new_id: str, display_name: str
+    ) -> None:
+        """Rename a permission's ID (and display name) updating all references.
+
+        This must update:
+            - permissions.id (primary key)
+            - org_permissions.permission_id
+            - role_permissions.permission_id
+        """
+
    @abstractmethod
    async def add_permission_to_organization(
        self, org_id: str, permission_id: str
--- a/passkey/db/sql.py
+++ b/passkey/db/sql.py
@ -16,6 +16,7 @@ from sqlalchemy import (
    LargeBinary,
    String,
    delete,
+    event,
    select,
    update,
 )
@ -226,6 +227,18 @@ class DB(DatabaseInterface):
    def __init__(self, db_path: str = DB_PATH):
        """Initialize with database path."""
        self.engine = create_async_engine(db_path, echo=False)
+        # Ensure SQLite foreign key enforcement is ON for every new connection
+        if db_path.startswith("sqlite"):
+
+            @event.listens_for(self.engine.sync_engine, "connect")
+            def _fk_on(dbapi_connection, connection_record):  # type: ignore
+                try:
+                    cursor = dbapi_connection.cursor()
+                    cursor.execute("PRAGMA foreign_keys=ON;")
+                    cursor.close()
+                except Exception:
+                    pass
+
        self.async_session_factory = async_sessionmaker(
            self.engine, expire_on_commit=False
        )
@ -750,6 +763,63 @@ class DB(DatabaseInterface):
            )
            await session.execute(stmt)

+    async def rename_permission(
+        self, old_id: str, new_id: str, display_name: str
+    ) -> None:
+        """Rename a permission's primary key and update referencing tables.
+
+        Approach: insert new row (if id changes), update FKs, delete old row.
+        Wrapped in a transaction; will raise on conflict.
+        """
+        if old_id == new_id:
+            # Just update display name
+            async with self.session() as session:
+                stmt = (
+                    update(PermissionModel)
+                    .where(PermissionModel.id == old_id)
+                    .values(display_name=display_name)
+                )
+                await session.execute(stmt)
+            return
+        async with self.session() as session:
+            # Ensure old exists
+            existing_old = await session.execute(
+                select(PermissionModel).where(PermissionModel.id == old_id)
+            )
+            if not existing_old.scalar_one_or_none():
+                raise ValueError("Original permission not found")
+
+            # Check new not taken
+            existing_new = await session.execute(
+                select(PermissionModel).where(PermissionModel.id == new_id)
+            )
+            if existing_new.scalar_one_or_none():
+                raise ValueError("New permission id already exists")
+
+            # Create new permission row first
+            session.add(PermissionModel(id=new_id, display_name=display_name))
+            await session.flush()
+
+            # Update org_permissions
+            await session.execute(
+                update(OrgPermission)
+                .where(OrgPermission.permission_id == old_id)
+                .values(permission_id=new_id)
+            )
+            await session.flush()
+            # Update role_permissions
+            await session.execute(
+                update(RolePermission)
+                .where(RolePermission.permission_id == old_id)
+                .values(permission_id=new_id)
+            )
+            await session.flush()
+            # Delete old permission row
+            await session.execute(
+                delete(PermissionModel).where(PermissionModel.id == old_id)
+            )
+            await session.flush()
+
    async def delete_permission(self, permission_id: str) -> None:
        async with self.session() as session:
            stmt = delete(PermissionModel).where(PermissionModel.id == permission_id)
--- a/passkey/fastapi/api.py
+++ b/passkey/fastapi/api.py
@ -52,40 +52,42 @@ def register_api_routes(app: FastAPI):
        }

    @app.post("/auth/user-info")
-    async def api_user_info(response: Response, auth=Cookie(None)):
+    async def api_user_info(reset: str | None = None, auth=Cookie(None)):
        """Get user information.

        - For authenticated sessions: return full context (org/role/permissions/credentials)
        - For reset tokens: return only basic user information to drive reset flow
        """
+        authenticated = False
        try:
-            reset = auth and passphrase.is_well_formed(auth)
-            s = await (get_reset if reset else get_session)(auth)
-        except ValueError:
-            raise HTTPException(
-                status_code=401,
-                detail="Authentication Required",
-                headers={"WWW-Authenticate": "Bearer"},
-            )
+            if reset:
+                if not passphrase.is_well_formed(reset):
+                    raise ValueError("Invalid reset token")
+                s = await get_reset(reset)
+            else:
+                if auth is None:
+                    raise ValueError("Authentication Required")
+                s = await get_session(auth)
+                authenticated = True
+        except ValueError as e:
+            raise HTTPException(401, str(e))
+
+        u = await db.instance.get_user_by_uuid(s.user_uuid)

        # Minimal response for reset tokens
-        if reset:
-            u = await db.instance.get_user_by_uuid(s.user_uuid)
+        if not authenticated:
            return {
                "authenticated": False,
                "session_type": s.info.get("type"),
                "user": {
                    "user_uuid": str(u.uuid),
                    "user_name": u.display_name,
-                    "created_at": u.created_at.isoformat() if u.created_at else None,
-                    "last_seen": u.last_seen.isoformat() if u.last_seen else None,
-                    "visits": u.visits,
                },
            }

        # Full context for authenticated sessions
+        assert authenticated and auth is not None
        ctx = await db.instance.get_session_context(session_key(auth))
-        u = await db.instance.get_user_by_uuid(s.user_uuid)
        credential_ids = await db.instance.get_credentials_by_user_uuid(s.user_uuid)

        credentials: list[dict] = []
@ -217,33 +219,42 @@ def register_api_routes(app: FastAPI):
    async def admin_update_org(
        org_uuid: UUID, payload: dict = Body(...), auth=Cookie(None)
    ):
-        ctx, is_global_admin, is_org_admin = await _get_ctx_and_admin_flags(auth)
-        if not (is_global_admin or (is_org_admin and ctx.org.uuid == org_uuid)):
-            raise ValueError("Insufficient permissions")
-        from ..db import Org as OrgDC
+        # Only global admins can modify org definitions (simpler rule)
+        _, is_global_admin, _ = await _get_ctx_and_admin_flags(auth)
+        if not is_global_admin:
+            raise ValueError("Global admin required")
+        from ..db import Org as OrgDC  # local import to avoid cycles

        current = await db.instance.get_organization(str(org_uuid))
        display_name = payload.get("display_name") or current.display_name
-        permissions = (
-            payload.get("permissions")
-            if "permissions" in payload
-            else current.permissions
-        ) or []
+        permissions = payload.get("permissions") or current.permissions or []
        org = OrgDC(uuid=org_uuid, display_name=display_name, permissions=permissions)
        await db.instance.update_organization(org)
        return {"status": "ok"}

    @app.delete("/auth/admin/orgs/{org_uuid}")
    async def admin_delete_org(org_uuid: UUID, auth=Cookie(None)):
-        _, is_global_admin, _ = await _get_ctx_and_admin_flags(auth)
+        ctx, is_global_admin, _ = await _get_ctx_and_admin_flags(auth)
        if not is_global_admin:
+            # Org admins cannot delete at all (avoid self-lockout)
            raise ValueError("Global admin required")
+        # Prevent deleting the organization that the acting global admin currently belongs to
+        # if that deletion would remove their effective access (e.g., last org granting auth/admin)
+        try:
+            acting_org_uuid = ctx.org.uuid if ctx.org else None
+        except Exception:
+            acting_org_uuid = None
+        if acting_org_uuid and acting_org_uuid == org_uuid:
+            # Never allow deletion of the caller's own organization to avoid immediate account deletion.
+            raise ValueError("Cannot delete the organization you belong to")
        await db.instance.delete_organization(org_uuid)
        return {"status": "ok"}

    # Manage an org's grantable permissions (query param for permission_id)
    @app.post("/auth/admin/orgs/{org_uuid}/permission")
-    async def admin_add_org_permission(org_uuid: UUID, permission_id: str, auth=Cookie(None)):
+    async def admin_add_org_permission(
+        org_uuid: UUID, permission_id: str, auth=Cookie(None)
+    ):
        ctx, is_global_admin, is_org_admin = await _get_ctx_and_admin_flags(auth)
        if not (is_global_admin or (is_org_admin and ctx.org.uuid == org_uuid)):
            raise ValueError("Insufficient permissions")
@ -251,11 +262,15 @@ def register_api_routes(app: FastAPI):
        return {"status": "ok"}

    @app.delete("/auth/admin/orgs/{org_uuid}/permission")
-    async def admin_remove_org_permission(org_uuid: UUID, permission_id: str, auth=Cookie(None)):
+    async def admin_remove_org_permission(
+        org_uuid: UUID, permission_id: str, auth=Cookie(None)
+    ):
        ctx, is_global_admin, is_org_admin = await _get_ctx_and_admin_flags(auth)
        if not (is_global_admin or (is_org_admin and ctx.org.uuid == org_uuid)):
            raise ValueError("Insufficient permissions")
-        await db.instance.remove_permission_from_organization(str(org_uuid), permission_id)
+        await db.instance.remove_permission_from_organization(
+            str(org_uuid), permission_id
+        )
        return {"status": "ok"}

    # -------------------- Admin API: Roles --------------------
@ -336,6 +351,7 @@ def register_api_routes(app: FastAPI):
            raise ValueError("display_name and role are required")
        # Validate role exists in org
        from ..db import User as UserDC  # local import to avoid cycles
+
        roles = await db.instance.get_roles_by_organization(str(org_uuid))
        role_obj = next((r for r in roles if r.display_name == role_name), None)
        if not role_obj:
@ -348,7 +364,6 @@ def register_api_routes(app: FastAPI):
            role_uuid=role_obj.uuid,
            visits=0,
            created_at=None,
-            last_seen=None,
        )
        await db.instance.create_user(user)
        return {"uuid": str(user_uuid)}
@ -448,11 +463,14 @@ def register_api_routes(app: FastAPI):
                    "aaguid": aaguid_str,
                    "created_at": c.created_at.isoformat(),
                    "last_used": c.last_used.isoformat() if c.last_used else None,
-                    "last_verified": c.last_verified.isoformat() if c.last_verified else None,
+                    "last_verified": c.last_verified.isoformat()
+                    if c.last_verified
+                    else None,
                    "sign_count": c.sign_count,
                }
            )
        from .. import aaguid as aaguid_mod
+
        aaguid_info = aaguid_mod.filter(aaguids)
        return {
            "display_name": user.display_name,
@ -492,14 +510,44 @@ def register_api_routes(app: FastAPI):
        return {"status": "ok"}

    @app.put("/auth/admin/permission")
-    async def admin_update_permission(permission_id: str, display_name: str, auth=Cookie(None)):
+    async def admin_update_permission(
+        permission_id: str, display_name: str, auth=Cookie(None)
+    ):
        _, is_global_admin, _ = await _get_ctx_and_admin_flags(auth)
        if not is_global_admin:
            raise ValueError("Global admin required")
        from ..db import Permission as PermDC
+
        if not display_name:
            raise ValueError("display_name is required")
-        await db.instance.update_permission(PermDC(id=permission_id, display_name=display_name))
+        await db.instance.update_permission(
+            PermDC(id=permission_id, display_name=display_name)
+        )
+        return {"status": "ok"}
+
+    @app.post("/auth/admin/permission/rename")
+    async def admin_rename_permission(payload: dict = Body(...), auth=Cookie(None)):
+        """Rename a permission's id (and optionally display name) updating all references.
+
+        Body: { "old_id": str, "new_id": str, "display_name": str|null }
+        """
+        _, is_global_admin, _ = await _get_ctx_and_admin_flags(auth)
+        if not is_global_admin:
+            raise ValueError("Global admin required")
+        old_id = payload.get("old_id")
+        new_id = payload.get("new_id")
+        display_name = payload.get("display_name")
+        if not old_id or not new_id:
+            raise ValueError("old_id and new_id required")
+        if display_name is None:
+            # Fetch old to retain display name
+            perm = await db.instance.get_permission(old_id)
+            display_name = perm.display_name
+        # rename_permission added to interface; use getattr for forward compatibility
+        rename_fn = getattr(db.instance, "rename_permission", None)
+        if not rename_fn:
+            raise ValueError("Permission renaming not supported by this backend")
+        await rename_fn(old_id, new_id, display_name)
        return {"status": "ok"}

    @app.delete("/auth/admin/permission")
@ -525,10 +573,8 @@ def register_api_routes(app: FastAPI):

    @app.post("/auth/set-session")
    async def api_set_session(response: Response, auth=Depends(bearer_auth)):
-        """Set session cookie from Authorization header. Fetched after login by WebSocket."""
+        """Set session cookie from Authorization Bearer session token (never via query)."""
        user = await get_session(auth.credentials)
-        if not user:
-            raise ValueError("Invalid Authorization header.")
        session.set_session_cookie(response, auth.credentials)

        return {
--- a/passkey/fastapi/reset.py
+++ b/passkey/fastapi/reset.py
@ -1,4 +1,4 @@
-import logging
+from pathlib import Path

 from fastapi import Cookie, HTTPException, Request, Response
 from fastapi.responses import RedirectResponse
@ -9,6 +9,9 @@ from ..globals import passkey as global_passkey
 from ..util import passphrase, tokens
 from . import session

+# Local copy to avoid circular import with mainapp
+STATIC_DIR = Path(__file__).parent.parent / "frontend-build"
+

 def register_reset_routes(app):
    """Register all device addition/reset routes on the FastAPI app."""
@ -28,9 +31,10 @@ def register_reset_routes(app):
            info=session.infodict(request, "device addition"),
        )

-        # Generate the device addition link with pretty URL
-        path = request.url.path.removesuffix("create-link") + token
-        url = f"{request.headers['origin']}{path}"
+        # Generate the device addition link with pretty URL using configured origin
+        origin = global_passkey.instance.origin.rstrip("/")
+        path = request.url.path.removesuffix("create-link") + token  # /auth/<token>
+        url = f"{origin}{path}"

        return {
            "message": "Registration link generated successfully",
@ -39,30 +43,17 @@ def register_reset_routes(app):
        }

    @app.get("/auth/{reset_token}")
-    async def reset_authentication(
-        request: Request,
-        reset_token: str,
-    ):
-        """Verifies the token and redirects to auth app for credential registration."""
+    async def reset_authentication(request: Request, reset_token: str):
+        """Validate reset token and redirect with it as query parameter (no cookies).
+
+        After validation we 303 redirect to /auth/?reset=<token>. The frontend will:
+        - Read the token from location.search
+        - Use it via Authorization header or websocket query param
+        - history.replaceState to remove it from the address bar/history
+        """
        if not passphrase.is_well_formed(reset_token):
            raise HTTPException(status_code=404)
        origin = global_passkey.instance.origin
-        try:
-            # Get session token to validate it exists and get user_id
-            key = tokens.reset_key(reset_token)
-            sess = await db.instance.get_session(key)
-            if not sess:
-                raise ValueError("Invalid or expired registration token")
-
-            response = RedirectResponse(url=f"{origin}/auth/", status_code=303)
-            session.set_session_cookie(response, reset_token)
-            return response
-
-        except Exception as e:
-            # On any error, redirect to auth app
-            if isinstance(e, ValueError):
-                msg = str(e)
-            else:
-                logging.exception("Internal Server Error in reset_authentication")
-                msg = "Internal Server Error"
-            return RedirectResponse(url=f"{origin}/auth/#{msg}", status_code=303)
+        # Do not verify existence/expiry here; frontend + user-info endpoint will handle invalid tokens.
+        redirect_url = f"{origin}/auth/?reset={reset_token}"
+        return RedirectResponse(url=redirect_url, status_code=303)
--- a/passkey/fastapi/ws.py
+++ b/passkey/fastapi/ws.py
@ -54,12 +54,26 @@ async def register_chat(

@app.websocket("/register")
@websocket_error_handler
-async def websocket_register_add(ws: WebSocket, auth=Cookie(None)):
-    """Register a new credential for an existing user."""
+async def websocket_register_add(
+    ws: WebSocket, reset: str | None = None, auth=Cookie(None)
+):
+    """Register a new credential for an existing user.
+
+    Supports either:
+    - Normal session via auth cookie
+    - Reset token supplied as ?reset=... (auth cookie ignored)
+    """
    origin = ws.headers["origin"]
-    # Try to get either a regular session or a reset session
-    reset = passphrase.is_well_formed(auth)
-    s = await (get_reset if reset else get_session)(auth)
+    is_reset = False
+    if reset is not None:
+        if not passphrase.is_well_formed(reset):
+            raise ValueError("Invalid reset token")
+        is_reset = True
+        s = await get_reset(reset)
+    else:
+        if not auth:
+            raise ValueError("Authentication Required")
+        s = await get_session(auth)
    user_uuid = s.user_uuid

    # Get user information to get the user_name
@ -69,23 +83,23 @@ async def websocket_register_add(ws: WebSocket, auth=Cookie(None)):

    # WebAuthn registration
    credential = await register_chat(ws, user_uuid, user_name, challenge_ids, origin)
-    if reset:
-        # Replace reset session with a new session
-        await db.instance.delete_session(s.key)
-        token = await create_session(
-            user_uuid, credential.uuid, infodict(ws, "authenticated")
-        )
-    else:
-        token = auth
-    assert isinstance(token, str) and len(token) == 16
-    # Store the new credential in the database
+    # IMPORTANT: Insert the credential before creating a session that references it
+    # to satisfy the sessions.credential_uuid foreign key (now enforced).
    await db.instance.create_credential(credential)

+    if is_reset:
+        # Invalidate the one-time reset session only after credential persisted
+        await db.instance.delete_session(s.key)
+        auth = await create_session(
+            user_uuid, credential.uuid, infodict(ws, "authenticated")
+        )
+
+    assert isinstance(auth, str) and len(auth) == 16
    await ws.send_json(
        {
            "user_uuid": str(user.uuid),
            "credential_uuid": str(credential.uuid),
-            "session_token": token,
+            "session_token": auth,
            "message": "New credential added successfully",
        }
    )
Author	SHA1	Message	Date
Leo Vasanko	3e5c0065d5	Remodel reset token handling due to browsers sometimes refusing to set the cookie when opening the link (from another site).	2025-08-30 15:54:17 -06:00
Leo Vasanko	4f094a7016	Fixing cascade.	2025-08-30 14:07:32 -06:00