Check whether ticket has expired on selectAccountByTicket

src/routes/auth/login.ts

@@ -5,7 +5,7 @@ import { asyncWrapper, selectAccount } from '@shared/helpers'
 import { newJwtExpiry, createHasuraJwt } from '@shared/jwt'
 import { setRefreshToken } from '@shared/cookies'
 import { loginAnonymouslySchema, loginSchema, magicLinkLoginSchema } from '@shared/validation'
-import { insertAccount } from '@shared/queries'
+import { insertAccount, updateTicketExpiration } from '@shared/queries'
 import { request } from '@shared/request'
 import { AccountData, UserData, Session } from '@shared/types'
 import { emailClient } from '@shared/email'
@@ -18,7 +18,8 @@ interface HasuraData {
   }
 }
 
-async function loginAccount({ body, headers }: Request, res: Response): Promise<unknown> {
+async function loginAccount({ body, headers, query }: Request, res: Response): Promise<unknown> {
+  query;
   // default to true
   const useCookie = typeof body.cookie !== 'undefined' ? body.cookie : true
 
@@ -131,6 +132,13 @@ async function loginAccount({ body, headers }: Request, res: Response): Promise<
   }
 
   if (mfa_enabled) {
+    await request(updateTicketExpiration, {
+      email,
+      ticket_expires_at: new Date(
+        +Date.now() + 60 * 60 * 1000
+      )
+    })
+
     return res.send({ mfa: true, ticket })
   }
 

src/routes/auth/register.ts

@@ -30,9 +30,7 @@ async function registerAccount(req: Request, res: Response): Promise<unknown> {
   let password_hash: string | null = null;
 
   const ticket = uuidv4()
-  const now = new Date()
-  const ticket_expires_at = new Date()
-  ticket_expires_at.setTime(now.getTime() + 60 * 60 * 1000) // active for 60 minutes
+  const ticket_expires_at = new Date(+new Date() + 60 * 60 * 1000).toISOString() // active for 60 minutes
 
   if (typeof password !== 'undefined') {
     try {

src/shared/helpers.ts

@@ -43,7 +43,10 @@ export const selectAccountByEmail = async (email: string): Promise<AccountData>
 }
 
 export const selectAccountByTicket = async (ticket: string): Promise<AccountData> => {
-  const hasuraData = await request<QueryAccountData>(selectAccountByTicketQuery, { ticket })
+  const hasuraData = await request<QueryAccountData>(selectAccountByTicketQuery, {
+    ticket,
+    now: new Date()
+  })
   if (!hasuraData.auth_accounts[0]) throw new Error('Account does not exist.')
   return hasuraData.auth_accounts[0]
 }

src/shared/queries.ts

@@ -102,8 +102,8 @@ export const selectAccountByEmail = gql`
 `
 
 export const selectAccountByTicket = gql`
-  query($ticket: uuid!) {
-    auth_accounts(where: { ticket: { _eq: $ticket } }) {
+  query($ticket: uuid!, $now: timestamptz!) {
+    auth_accounts(where: { _and: [{ ticket: { _eq: $ticket } }, { ticket_expires_at: { _gt: $now } }] }) {
       ...accountFragment
     }
   }
@@ -200,6 +200,20 @@ export const activateAccount = gql`
   }
 `
 
+export const updateTicketExpiration = gql`
+  mutation($email: citext!, $ticket_expires_at: timestamptz!) {
+    update_auth_accounts(
+      where: { email: { _eq: $email } }
+      _set: { ticket_expires_at: $ticket_expires_at }
+    ) {
+      affected_rows
+      returning {
+        id
+      }
+    }
+  }
+`
+
 export const updateOtpSecret = gql`
   mutation($user_id: uuid!, $otp_secret: String!) {
     update_auth_accounts(