rename verify webauth endpoint to complete

It doesn't really do any verification - that's the webauthn code in the
browser and the admin app that does that. Instead, this completes the
login flow, by marking the user as logged in in the database. Added a
docstring that explains this process a bit more, and also added a new
route: /<id>/complete/webauthn. We'll move the admin code over to use
this new URL in time.
Leo Hemsted
2021-06-02 11:13:53 +01:00
parent 70ff00f2c3
commit 542b151875
2 changed files with 25 additions and 11 deletions


@@ -227,11 +227,19 @@ def verify_user_code(user_id):
return jsonify({}), 204
# TODO: Remove the "verify" endpoint once admin no longer points at it
@user_blueprint.route('/<uuid:user_id>/complete/webauthn-login', methods=['POST'])
@user_blueprint.route('/<uuid:user_id>/verify/webauthn-login', methods=['POST'])
def verify_webauthn_login_for_user(user_id):
def complete_login_after_webauthn_authentication_attempt(user_id):
"""
webauthn logins are already verified on the admin app but we still need to
check the max login count and set up a session id etc here.
complete login after a webauthn authentication. There's nothing webauthn specific in this code
but the sms/email flows do this as part of `verify_user_code` above and this is the equivalent spot in the
webauthn flow.
If the authentication was successful, we've already confirmed the user holds the right security key,
but we still need to check the max login count and set up a current_session_id and last_logged_in_at here.
If the authentication was unsuccessful then we just bump the failed_login_count in the db.
"""
data = request.get_json()
validate(data, post_verify_webauthn_schema)
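Review bot: the request schema on the last line of this hunk, `post_verify_webauthn_schema`, still carries the old "verify" wording while the route and the function name have moved to "complete"; renaming it in the same change keeps the three names consistent and avoids the same follow-up cleanup the `# TODO: Remove the "verify" endpoint once admin no longer points at it` comment already schedules for the route alias. Since both `@user_blueprint.route` decorators now point at one function, the old and new URLs are guaranteed to behave identically, which is the right way to stage the rename; a pointer to the admin change that switches callers over would make the TODO actionable rather than open-ended. On the docstring itself: the two new sentences starting "If the authentication was successful" and "If the authentication was unsuccessful" describe the only two outcomes the function handles (set `current_session_id` and `last_logged_in_at` after the max login count check, or bump `failed_login_count`), so a reviewer reading the rest of the function should confirm the unsuccessful branch never touches the session fields; also, those lines run well past the width of the surrounding code and are worth wrapping to match the existing docstring style.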