Fixed login / logout with 2fa code

refs ENG-1640 We had built all the right pieces, but the session endpoints weren't verifying the service
2025-03-11 02:12:21 -05:00 · 2024-10-10 14:22:24 +01:00 · 2024-10-10 14:22:24 +01:00 · cb8d18423a
commit cb8d18423a
parent 3bf0b7d8ed
2 changed files with 5 additions and 2 deletions
--- a/ghost/core/core/server/services/auth/session/middleware.js
+++ b/ghost/core/core/server/services/auth/session/middleware.js
@ -42,7 +42,8 @@ function SessionMiddleware({sessionService}) {
    async function authenticate(req, res, next) {
        try {
            const user = await sessionService.getUserForSession(req, res);
-            if (user) {
+            const isVerified = await sessionService.isVerifiedSession(req, res);
+            if (user && isVerified) {
                // Do not nullify `req.user` as it might have been already set
                // in a previous middleware (authorize middleware).
                req.user = user;
@ -68,6 +69,7 @@ function SessionMiddleware({sessionService}) {
            const verified = await sessionService.verifyAuthCodeForUser(req, res);

            if (verified) {
+                await sessionService.verifySession(req, res);
                res.sendStatus(200);
            } else {
                res.sendStatus(401);
--- a/ghost/core/test/unit/server/services/auth/session/middleware.test.js
+++ b/ghost/core/test/unit/server/services/auth/session/middleware.test.js
@ -204,7 +204,8 @@ describe('Session Service', function () {

            const middleware = SessionMiddlware({
                sessionService: {
-                    verifyAuthCodeForUser: verifyAuthCodeForUserStub
+                    verifyAuthCodeForUser: verifyAuthCodeForUserStub,
+                    verifySession: sinon.stub().resolves(true)
                }
            });