set cookie

2025-08-12 11:27:33 +00:00 · 2025-05-19 14:36:26 +02:00
parent a4d703362f
commit 575831f252
2 changed files with 46 additions and 2 deletions
--- a/apps/login/src/lib/server/verify.ts
+++ b/apps/login/src/lib/server/verify.ts
@@ -12,13 +12,16 @@ import {
  verifyTOTPRegistration,
  sendEmailCode as zitadelSendEmailCode,
 } from "@/lib/zitadel";
+import crypto from "crypto";
+
 import { create } from "@zitadel/client";
 import { Session } from "@zitadel/proto/zitadel/session/v2/session_pb";
 import { ChecksSchema } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
 import { User } from "@zitadel/proto/zitadel/user/v2/user_pb";
-import { headers } from "next/headers";
+import { cookies, headers } from "next/headers";
 import { getNextUrl } from "../client";
 import { getSessionCookieByLoginName } from "../cookies";
+import { getFingerprintId } from "../fingerprint";
 import { getServiceUrlFromHeaders } from "../service-url";
 import { loadMostRecentSession } from "../session";
 import { checkMFAFactors } from "../verify-helper";
@@ -193,6 +196,26 @@ export async function sendVerification(command: VerifyUserByEmailCommand) {
    if (session.factors?.user?.loginName) {
      params.set("loginName", session.factors?.user?.loginName);
    }
+
+    // set hash of userId and userAgentId to prevent replay attacks, TODO: check on the /authenticator/set page
+
+    const cookiesList = await cookies();
+
+    const userAgentId = await getFingerprintId();
+
+    const verificationCheck = crypto
+      .createHash("sha256")
+      .update(`${user.userId}:${userAgentId}`)
+      .digest("hex");
+
+    await cookiesList.set({
+      name: "verificationCheck",
+      value: verificationCheck,
+      httpOnly: true,
+      path: "/",
+      maxAge: 300, // 5 minutes
+    });
+
    return { redirect: `/authenticator/set?${params}` };
  }

--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -45,8 +45,10 @@ import {
  VerifyPasskeyRegistrationRequest,
  VerifyU2FRegistrationRequest,
 } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
+import crypto from "crypto";
 import { unstable_cacheLife as cacheLife } from "next/cache";
-import { getUserAgent } from "./fingerprint";
+import { cookies } from "next/headers";
+import { getFingerprintId, getUserAgent } from "./fingerprint";
 import { createServiceForHost } from "./service";

 const useCache = process.env.DEBUG !== "true";
@@ -1198,6 +1200,25 @@ export async function setUserPassword({
      !(authmethods.authMethodTypes.length === 0) &&
      user.state !== UserState.INITIAL
    ) {
+      // check if a verification was done earlier
+
+      const cookiesList = await cookies();
+
+      const userAgentId = await getFingerprintId();
+
+      const verificationCheck = crypto
+        .createHash("sha256")
+        .update(`${user.userId}:${userAgentId}`)
+        .digest("hex");
+
+      await cookiesList.set({
+        name: "verificationCheck",
+        value: verificationCheck,
+        httpOnly: true,
+        path: "/",
+        maxAge: 300, // 5 minutes
+      });
+
      return { error: "Provide a code to set a password" };
    }
  }