only read cookie

2025-08-12 11:07:32 +00:00 · 2025-05-21 11:00:18 +02:00
parent 14a8e74b69
commit 75b682a646
6 changed files with 45 additions and 40 deletions
--- a/apps/login/src/app/(login)/verify/page.tsx
+++ b/apps/login/src/app/(login)/verify/page.tsx
@@ -6,7 +6,7 @@ import { VerifyRedirectButton } from "@/components/verify-redirect-button";
 import { sendEmailCode } from "@/lib/server/verify";
 import { getServiceUrlFromHeaders } from "@/lib/service-url";
 import { loadMostRecentSession } from "@/lib/session";
-import { checkUserVerification } from "@/lib/verification-helper";
+import { checkUserVerification } from "@/lib/verify-helper";
 import {
  getBrandingSettings,
  getUserByID,
--- a/apps/login/src/lib/server/loginname.ts
+++ b/apps/login/src/lib/server/loginname.ts
@@ -9,8 +9,7 @@ import { idpTypeToIdentityProviderType, idpTypeToSlug } from "../idp";
 import { PasskeysType } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { UserState } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { getServiceUrlFromHeaders } from "../service-url";
-import { checkUserVerification } from "../verification-helper";
-import { checkEmailVerified } from "../verify-helper";
+import { checkEmailVerified, checkUserVerification } from "../verify-helper";
 import {
  getActiveIdentityProviders,
  getIDPByID,
--- a/apps/login/src/lib/server/passkeys.ts
+++ b/apps/login/src/lib/server/passkeys.ts
@@ -25,8 +25,10 @@ import {
  getSessionCookieByLoginName,
 } from "../cookies";
 import { getServiceUrlFromHeaders } from "../service-url";
-import { checkUserVerification } from "../verification-helper";
-import { checkEmailVerification } from "../verify-helper";
+import {
+  checkEmailVerification,
+  checkUserVerification,
+} from "../verify-helper";
 import { setSessionAndUpdateCookie } from "./cookie";

 type VerifyPasskeyCommand = {
--- a/apps/login/src/lib/server/password.ts
+++ b/apps/login/src/lib/server/password.ts
@@ -29,11 +29,11 @@ import { headers } from "next/headers";
 import { getNextUrl } from "../client";
 import { getSessionCookieById, getSessionCookieByLoginName } from "../cookies";
 import { getServiceUrlFromHeaders } from "../service-url";
-import { checkUserVerification } from "../verification-helper";
 import {
  checkEmailVerification,
  checkMFAFactors,
  checkPasswordChangeRequired,
+  checkUserVerification,
 } from "../verify-helper";

 type ResetPasswordCommand = {
--- a/apps/login/src/lib/verification-helper.ts
+++ b/apps/login/src/lib/verification-helper.ts
@@ -1,34 +0,0 @@
-"use server";
-
-import crypto from "crypto";
-import { cookies } from "next/headers";
-import { getOrSetFingerprintId } from "./fingerprint";
-
-export async function checkUserVerification(userId: string): Promise<boolean> {
-  // check if a verification was done earlier
-  const cookiesList = await cookies();
-  const userAgentId = await getOrSetFingerprintId();
-
-  const verificationCheck = crypto
-    .createHash("sha256")
-    .update(`${userId}:${userAgentId}`)
-    .digest("hex");
-
-  const cookieValue = await cookiesList.get("verificationCheck")?.value;
-
-  if (!cookieValue) {
-    console.warn(
-      "User verification check cookie not found. User verification check failed.",
-    );
-    return false;
-  }
-
-  if (cookieValue !== verificationCheck) {
-    console.warn(
-      `User verification check failed. Expected ${verificationCheck} but got ${cookieValue}`,
-    );
-    return false;
-  }
-
-  return true;
-}
--- a/apps/login/src/lib/verify-helper.ts
+++ b/apps/login/src/lib/verify-helper.ts
@@ -4,7 +4,10 @@ import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings
 import { PasswordExpirySettings } from "@zitadel/proto/zitadel/settings/v2/password_settings_pb";
 import { HumanUser } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { AuthenticationMethodType } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
+import crypto from "crypto";
 import moment from "moment";
+import { cookies } from "next/headers";
+import { getFingerprintIdCookie } from "./fingerprint";
 import { getUserByID } from "./zitadel";

 export function checkPasswordChangeRequired(
@@ -249,3 +252,38 @@ export async function checkMFAFactors(
    return { redirect: `/mfa/set?` + params };
  }
 }
+
+export async function checkUserVerification(userId: string): Promise<boolean> {
+  // check if a verification was done earlier
+  const cookiesList = await cookies();
+
+  // only read cookie to prevent issues on page.tsx
+  const userAgentId = await getFingerprintIdCookie();
+
+  if (!userAgentId || userAgentId.value) {
+    return false;
+  }
+
+  const verificationCheck = crypto
+    .createHash("sha256")
+    .update(`${userId}:${userAgentId}`)
+    .digest("hex");
+
+  const cookieValue = await cookiesList.get("verificationCheck")?.value;
+
+  if (!cookieValue) {
+    console.warn(
+      "User verification check cookie not found. User verification check failed.",
+    );
+    return false;
+  }
+
+  if (cookieValue !== verificationCheck) {
+    console.warn(
+      `User verification check failed. Expected ${verificationCheck} but got ${cookieValue}`,
+    );
+    return false;
+  }
+
+  return true;
+}