set session cleanup

apps/login/app/api/session/route.ts

@@ -10,6 +10,7 @@ import {
   createSessionAndUpdateCookie,
   setSessionAndUpdateCookie,
 } from "#/utils/session";
+import { RequestChallenges } from "@zitadel/server";
 import { NextRequest, NextResponse } from "next/server";
 
 export async function POST(request: NextRequest) {
@@ -17,7 +18,7 @@ export async function POST(request: NextRequest) {
   if (body) {
     const { loginName, password } = body;
 
-    const domain: string = request.nextUrl.hostname;
+    // const domain: string = request.nextUrl.hostname;
 
     return createSessionAndUpdateCookie(
       loginName,
@@ -44,7 +45,8 @@ export async function PUT(request: NextRequest) {
   const body = await request.json();
 
   if (body) {
-    const { loginName, password, challenges, passkey, authRequestId } = body;
+    const { loginName, password, passkey, authRequestId } = body;
+    const challenges: RequestChallenges = body.challenges;
 
     const recentPromise: Promise<SessionCookie> = loginName
       ? getSessionCookieByLoginName(loginName).catch((error) => {
@@ -54,7 +56,11 @@ export async function PUT(request: NextRequest) {
           return Promise.reject(error);
         });
 
-    // const domain: string = request.nextUrl.hostname;
+    const domain: string = request.nextUrl.hostname;
+
+    if (challenges.webAuthN && !challenges.webAuthN.domain) {
+      challenges.webAuthN.domain = domain;
+    }
 
     return recentPromise
       .then((recent) => {

apps/login/lib/zitadel.ts

@@ -20,6 +20,7 @@ import {
   GetSessionResponse,
   VerifyEmailResponse,
   SetSessionResponse,
+  SetSessionRequest,
   DeleteSessionResponse,
   VerifyPasskeyRegistrationResponse,
   LoginSettings,
@@ -129,16 +130,23 @@ export async function setSession(
 ): Promise<SetSessionResponse | undefined> {
   const sessionService = session.getSession(server);
 
-  const payload = { sessionId, sessionToken, challenges };
+  const payload: SetSessionRequest = {
-  return password
+    sessionId,
-    ? sessionService.setSession(
+    sessionToken,
-        {
+    challenges,
-          ...payload,
+    checks: {},
-          checks: { password: { password }, webAuthN },
+    metadata: {},
-        },
+  };
-        {}
+
-      )
+  if (password && payload.checks) {
-    : sessionService.setSession(payload, {});
+    payload.checks.password = { password };
+  }
+
+  if (webAuthN && payload.checks) {
+    payload.checks.webAuthN = webAuthN;
+  }
+
+  return sessionService.setSession(payload, {});
 }
 
 export async function getSession(

apps/login/ui/LoginPasskey.tsx

@@ -31,6 +31,7 @@ export default function LoginPasskey({
       setLoading(true);
       updateSessionForChallenge()
         .then((response) => {
+          console.log(response);
           const pK =
             response.challenges.passkey.publicKeyCredentialRequestOptions
               .publicKey;
@@ -64,7 +65,12 @@ export default function LoginPasskey({
       },
       body: JSON.stringify({
         loginName,
-        challenges: [1], // request passkey challenge
+        challenges: {
+          webAuthN: {
+            domain: "",
+            userVerificationRequirement: 2,
+          },
+        },
         authRequestId,
       }),
     });

apps/login/utils/session.ts

@@ -62,6 +62,7 @@ export async function setSessionAndUpdateCookie(
   challenges: RequestChallenges | undefined,
   authRequestId: string | undefined
 ): Promise<SessionWithChallenges> {
+  console.log(password, passkey, challenges);
   return setSession(
     server,
     sessionId,

packages/zitadel-server/src/index.ts

@@ -45,6 +45,7 @@ export {
   GetSessionResponse,
   CreateSessionResponse,
   SetSessionResponse,
+  SetSessionRequest,
   DeleteSessionResponse,
 } from "./proto/server/zitadel/session/v2alpha/session_service";
 export {