From 96a62f59dbf5fcfe763d11b03294dec29eef10e5 Mon Sep 17 00:00:00 2001
From: Max Peintner
Date: Mon, 30 Dec 2024 10:58:22 +0100
Subject: [PATCH] escape mfa checks for passkey auth

---
 apps/login/src/lib/verify-helper.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/apps/login/src/lib/verify-helper.ts b/apps/login/src/lib/verify-helper.ts
index 85b5ca68e41..0c5480ecd72 100644
--- a/apps/login/src/lib/verify-helper.ts
+++ b/apps/login/src/lib/verify-helper.ts
@@ -104,6 +104,16 @@ export function checkMFAFactors(
 m !== AuthenticationMethodType.PASSKEY,
 );
 
+ const hasAuthenticatedWithPasskey =
+ session.factors?.webAuthN?.verifiedAt &&
+ session.factors?.webAuthN?.userVerified;
+
+ // escape further checks if user has authenticated with passkey
+ if (hasAuthenticatedWithPasskey) {
+ return;
+ }
+
+ // if user has not authenticated with passkey and has only one additional mfa factor, redirect to that
 if (availableMultiFactors?.length == 1) {
 const params = new URLSearchParams({
 loginName: session.factors?.user?.loginName as string,
@@ -131,7 +141,7 @@ export function checkMFAFactors(
 } else if (factor === AuthenticationMethodType.U2F) {
 return { redirect: `/u2f?` + params };
 }
- } else if (availableMultiFactors?.length >= 1) {
+ } else if (availableMultiFactors?.length > 1) {
 const params = new URLSearchParams({
 loginName: session.factors?.user?.loginName as string,
 });
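Review bot: The new early `return` in checkMFAFactors skips every later check in the function on the strength of two truthy fields, and nothing in the hunk records why that is safe or what a bare `return` means to callers. The guard relies on `userVerified` to tell a passkey login apart from any other WebAuthN assertion that would also populate `session.factors.webAuthN` (presumably the U2F second factor handled further down), so that dependency deserves a comment such as `// userVerified separates a passkey (possession + PIN/biometric) from a presence-only WebAuthN factor; only the former may skip MFA`. `verifiedAt` is tested only for presence, so the age of the passkey verification is not considered here; if session or factor lifetime is not enforced before this call, that check is missing. The flag would also read better coerced, `const hasAuthenticatedWithPasskey = Boolean(session.factors?.webAuthN?.verifiedAt && session.factors?.webAuthN?.userVerified);`, since the expression currently yields whatever `verifiedAt` or `userVerified` holds rather than a boolean. The function body starts and ends outside the hunk, so any policy checks placed after the MFA branches are not visible and should be confirmed as intentionally bypassed.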