fix(login v1): update password verification handling (#11202)

# Which Problems Are Solved Failed password attempts in login V1 potentially created new session entries. # How the Problems Are Solved Correct handling to only update existing sessions. # Additional Changes None # Additional Context - reported through support - requires backport to v4.x
2025-12-23 05:26:45 +00:00 · 2025-12-17 09:23:54 +01:00
parent 5a7136fe67
commit d79bfe6eba
1 changed files with 12 additions and 4 deletions
--- a/internal/auth/repository/eventsourcing/handler/user_session.go
+++ b/internal/auth/repository/eventsourcing/handler/user_session.go
@@ -257,13 +257,21 @@ func (u *UserSession) Reduce(event eventstore.Event) (_ *handler.Statement, err
 		return handler.NewUpsertStatement(event, columns[0:3], columns), nil
 	case user.UserV1PasswordCheckFailedType,
 		user.HumanPasswordCheckFailedType:
-		columns, err := u.sessionColumnsActivate(event,
-			handler.NewCol(view_model.UserSessionKeyPasswordVerification, time.Time{}),
-		)
+		userAgent, err := agentIDFromSession(event)
 		if err != nil {
 			return nil, err
 		}
-		return handler.NewUpsertStatement(event, columns[0:3], columns), nil
+		return handler.NewUpdateStatement(event,
+			[]handler.Column{
+				handler.NewCol(view_model.UserSessionKeyPasswordVerification, time.Time{}),
+				handler.NewCol(view_model.UserSessionKeyChangeDate, event.CreatedAt()),
+				handler.NewCol(view_model.UserSessionKeySequence, event.Sequence()),
+			},
+			[]handler.Condition{
+				handler.NewCond(view_model.UserSessionKeyUserAgentID, userAgent),
+				handler.NewCond(view_model.UserSessionKeyUserID, event.Aggregate().ID),
+				handler.NewCond(view_model.UserSessionKeyInstanceID, event.Aggregate().InstanceID),
+			}), nil
 	case user.UserV1MFAOTPCheckSucceededType,
 		user.HumanMFAOTPCheckSucceededType:
 		columns, err := u.sessionColumnsActivate(event,