🔒️ server: prevent challenge replay on failed auth

[cruzdanilo]

---

Summary by CodeRabbit

• Bug Fixes

  • Prevented replay of authentication and registration challenges by consuming session data when accessed; adjusted error handling to avoid stale or double-cleanup of sessions.

• Tests

  • Expanded and reorganized authentication and registration test coverage (replay protection, success/error paths, multi/single-device); removed legacy integration tests and updated mocks accordingly.

• Chores

  • Added release changesets and updated spellcheck vocabulary.

[changeset-bot]

🦋 Changeset detected

Latest commit: dc47522

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@exactly/server	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[gemini-code-assist]

Summary of Changes

Hello @cruzdanilo, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the security of the authentication process by addressing a potential vulnerability where authentication challenges could be replayed after a failed attempt. The changes ensure that once a challenge is retrieved for validation, it is immediately invalidated and removed from storage, preventing its reuse. This enhancement fortifies the system against specific types of attack vectors and is supported by comprehensive new test cases.

Highlights

• Security Enhancement: Implemented a fix to prevent authentication challenge replay attacks by ensuring challenges are deleted from Redis immediately after being retrieved for validation, regardless of authentication success or failure.
• Code Refactoring: The finally block responsible for deleting the session ID from Redis was removed, as the deletion now occurs earlier in the authentication flow.
• Improved Test Coverage: Added new test cases to specifically verify that the authentication challenge is correctly deleted when it is missing or when credentials are not found, and updated existing tests to assert redis.del calls.

Changelog

• .changeset/calm-wolves-hunt.md
  • Added a new changeset file to document the security patch.
• server/api/auth/authentication.ts
  • Deleted the authentication challenge from Redis immediately after retrieval.
  • Removed the finally block that previously handled challenge deletion.
• server/test/api/auth.test.ts
  • Imported the redis utility for testing.
  • Added new test cases to verify challenge deletion on failed authentication attempts (missing challenge, missing credential).
  • Updated existing test cases to assert that redis.del is called.
  • Modified the mock for redis.get to correctly type its return value as string | null.

Activity

• The pull request was created by cruzdanilo.
• The pull request introduces a security fix to prevent challenge replay.
• New tests were added to validate the fix.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Auth and registration handlers now use redis.getdel(sessionId) to fetch-and-delete session challenges; finally-block explicit deletions were removed. Tests and mocks updated to expose and assert getdel. Two changeset files added documenting patch bumps.

Changes

Cohort / File(s)	Summary
Changesets .changeset/calm-wolves-hunt.md, .changeset/clear-guests-end.md	Adds patch changesets for @exactly/server describing fixes to SIWE/auth error handling and replay prevention.
Auth implementation server/api/auth/authentication.ts	Replaced separate redis.get + redis.del/finally pattern with redis.getdel(sessionId) in GET and POST flows; wrapped POST success path in try/catch and removed finally-based deletion.
Registration implementation server/api/auth/registration.ts	Replaced redis.get + redis.del/finally with redis.getdel(sessionId) in GET and POST flows; moved credential creation into try/catch and removed finally cleanup.
Tests — Auth & Registration merged server/test/api/auth.test.ts	Expanded test suite and mocks to use redis.getdel (returns `null
Tests — Registration (deleted) server/test/api/registration.test.ts	Deleted legacy registration integration tests and in-file mocks; registration scenarios relocated to updated auth.test.ts.
Tooling / mocks / spell server/utils/redis (test mock), cspell.json	Test Redis mock API changed to expose getdel; getdel added to cspell word list; set typing unchanged.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Server
    participant Redis
    Client->>Server: GET/POST /auth or /registration (sessionId)
    Server->>Redis: getdel(sessionId)
    Redis-->>Server: challenge string or null (key deleted)
    alt challenge present
        Server->>Server: validate challenge / SIWE / WebAuthn
        Server->>Server: create credentials / issue session
        Server-->>Client: 200 success
    else missing or replayed
        Server-->>Client: 400/401 error
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• ✨ server: track user source attribution #674 — Modifies the same authentication and registration handlers (server/api/auth/authentication.ts, server/api/auth/registration.ts), indicating overlapping changes to session/challenge handling.

Suggested reviewers

• nfmelendez
• franm91

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: using redis.getdel to prevent challenge replay by deleting sessions on retrieval, which directly addresses the core security fix across authentication and registration flows.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into main

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch challenge

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[devin-ai-integration]

Devin Review found 1 potential issue.

View 3 additional findings in Devin Review.

[gemini-code-assist]

Code Review

The pull request correctly addresses a security vulnerability where authentication challenges were not being invalidated upon failed authentication attempts or during the SIWE signup flow. By moving the challenge deletion to the beginning of the authentication process, the code ensures that each challenge is strictly single-use, preventing replay attacks. The implementation is clean, and the added tests provide good coverage for the changes.

[sentry]

Codecov Report

❌ Patch coverage is 95.65217% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 68.69%. Comparing base (5ef32de) to head (dc47522).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
server/api/auth/authentication.ts	92.85%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #776      +/-   ##
==========================================
+ Coverage   68.59%   68.69%   +0.09%     
==========================================
  Files         207      207              
  Lines        7005     7027      +22     
  Branches     2189     2199      +10     
==========================================
+ Hits         4805     4827      +22     
- Misses       2010     2013       +3     
+ Partials      190      187       -3     

Flag	Coverage Δ
e2e	68.69% <95.65%> (+15.71%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

[coderabbitai]

Actionable comments posted: 1

[devin-ai-integration]

Devin Review found 2 new potential issues.

View 5 additional findings in Devin Review.

[coderabbitai]

Actionable comments posted: 1

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 7 additional findings in Devin Review.

[coderabbitai]

Actionable comments posted: 1

[devin-ai-integration]

Devin Review found 1 new potential issue.

View 6 additional findings in Devin Review.