From cb8d18423ae1e73e97fe860e1eaec52046275691 Mon Sep 17 00:00:00 2001
From: Sam Lord
Date: Thu, 10 Oct 2024 14:22:24 +0100
Subject: [PATCH] Fixed login / logout with 2fa code

refs ENG-1640

We had built all the right pieces, but the session endpoints weren't verifying the service
---
 ghost/core/core/server/services/auth/session/middleware.js | 4 +++-
 .../test/unit/server/services/auth/session/middleware.test.js | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/ghost/core/core/server/services/auth/session/middleware.js b/ghost/core/core/server/services/auth/session/middleware.js
index 3eb6fe9786..daf38c9edd 100644
--- a/ghost/core/core/server/services/auth/session/middleware.js
+++ b/ghost/core/core/server/services/auth/session/middleware.js
@@ -42,7 +42,8 @@ function SessionMiddleware({sessionService}) {
     async function authenticate(req, res, next) {
         try {
             const user = await sessionService.getUserForSession(req, res);
-            if (user) {
+            const isVerified = await sessionService.isVerifiedSession(req, res);
+            if (user && isVerified) {
                 // Do not nullify `req.user` as it might have been already set
                 // in a previous middleware (authorize middleware).
                 req.user = user;
@@ -68,6 +69,7 @@ function SessionMiddleware({sessionService}) {
             const verified = await sessionService.verifyAuthCodeForUser(req, res);
 
             if (verified) {
+                await sessionService.verifySession(req, res);
                 res.sendStatus(200);
             } else {
                 res.sendStatus(401);
diff --git a/ghost/core/test/unit/server/services/auth/session/middleware.test.js b/ghost/core/test/unit/server/services/auth/session/middleware.test.js
index 7c343189f0..18d6eb38e4 100644
--- a/ghost/core/test/unit/server/services/auth/session/middleware.test.js
+++ b/ghost/core/test/unit/server/services/auth/session/middleware.test.js
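Review bot: In `authenticate`, `isVerifiedSession` is awaited even when `getUserForSession` returned no user, so an unauthenticated request pays a second session lookup whose result `user && isVerified` then discards; short-circuit it with `const isVerified = user ? await sessionService.isVerifiedSession(req, res) : false;`. The fail-closed shape is right — any falsy result leaves `req.user` unset — but the reason deserves a comment above the condition, e.g. `// A session that has not completed 2FA must not authenticate the request.`. The body of `authenticate` continues outside the hunk, so the branch taken when a session exists but is unverified is not visible here.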
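Review bot: The value resolved by `sessionService.verifySession(req, res)` is ignored before `res.sendStatus(200)`; the unit test stubs it with `.resolves(true)`, which suggests it reports whether the session was actually marked verified, and a `false` result would tell the client the code was accepted while `authenticate` keeps rejecting the session. If that reading is right, gate the response on it: `const sessionVerified = await sessionService.verifySession(req, res);` / `res.sendStatus(sessionVerified ? 200 : 401);` — or, if `verifySession` signals failure only by throwing, a one-line comment saying so would settle it. Whether the accepted code is consumed so it cannot be replayed lives in `verifyAuthCodeForUser`, outside this hunk. The enclosing function starts before the hunk.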
@@ -204,7 +204,8 @@ describe('Session Service', function () {
             const middleware = SessionMiddlware({
                 sessionService: {
-                    verifyAuthCodeForUser: verifyAuthCodeForUserStub
+                    verifyAuthCodeForUser: verifyAuthCodeForUserStub,
+                    verifySession: sinon.stub().resolves(true)
                 }
             });