use the reissue mechanism only with webauthn

We have a mechanism where we allow logins only with the second factor if the last login was very recent (maybe this is not a good idea anyway). But for most people the totp is more annoying to get than the password. So let's use the reissue mechanism only with webauthn.

use the reissue mechanism only with webauthn
We have a mechanism where we allow logins only with the second factor if the last login was very recent (maybe this is not a good idea anyway). But for most people the totp is more annoying to get than the password. So let's use the reissue mechanism only with webauthn.
9d76c4c0 · o@immerda.ch · d1763f0d · 9d76c4c0
Commit 9d76c4c0 authored Aug 05, 2021 by o@immerda.ch
--- a/lib/iapi/routes/auth.rb
+++ b/lib/iapi/routes/auth.rb
@@ -93,13 +93,16 @@ class IApi < Sinatra::Base
          allowed = IApiConf.acl.is_allowed_to_access?(email, saml[:plain_issuer])
        end

-        if saml && allowed
-          token_age = api_token_age(email, parsed_body['token'])
-          valid = token_age < saml[:max_reissue_time]
-
-          if !valid && token_age < saml[:max_reissue_time_2fa]
+        if saml && allowed && valid_reissue_token(email)
+          valid = valid_reissue_token(email) < saml[:max_reissue_time]
+          valid_with_tfa =
+            valid_reissue_token(email) < saml[:max_reissue_time_2fa]
+
+          # if the user has webauthn and we are within the :max_reissue_time_2fa
+          # then we only ask for a challenge and not for the full password.
+          if !valid && valid_with_tfa
            user = EmailUser.active_by_email(email)
-            if user.has_2fa?
+            if user.web_authn_credentials.present?
              if AuthManager.auth_2fa(user,
                                      totp: parsed_body['totp'],
                                      webauthn: parsed_body['webauthn'])