don't require the user to sign in with a password as a side effect of using a...

don't require the user to sign in with a password as a side effect of using a primary email address. closes #1049

don't require the user to sign in with a password as a side effect of using a...
don't require the user to sign in with a password as a side effect of using a primary email address. closes #1049
68ec8cc1 · Lloyd Hilaiel · 266608ac · 68ec8cc1
Commit 68ec8cc1 authored 13 years ago by Lloyd Hilaiel
--- a/lib/wsapi.js
+++ b/lib/wsapi.js
@@ -69,8 +69,15 @@ function authenticateSession(session, uid, level) {
  if (['assertion', 'password'].indexOf(level) === -1)
    throw "invalid authentication level: " + level;

-  session.userid = uid;
-  session.auth_level = level;
+  // if the user is *already* authenticated as this uid with an equal or better
+  // level of auth, let's not lower them.  Issue #1049
+  if (session.userid === uid && session.auth_level === 'password' &&
+      session.auth_level !== level) {
+    logger.info("not resetting cookies to 'assertion' authenticate a user who is already password authenticated"); 
+  } else {
+    session.userid = uid;
+    session.auth_level = level;
+  }
 }

 function checkPassword(pass) {