Fix login bug.

Author: frjo

hypha/apply/users/passkey_views.py

@@ -6,7 +6,7 @@
 from django.contrib.auth.decorators import login_required
 from django.core.exceptions import PermissionDenied
 from django.http import JsonResponse
-from django.shortcuts import get_object_or_404, render
+from django.shortcuts import get_object_or_404, render, resolve_url
 from django.utils import timezone
 from django.utils.decorators import method_decorator
 from django.utils.http import url_has_allowed_host_and_scheme
@@ -250,16 +250,17 @@ def post(self, request):
         passkey.save(update_fields=["sign_count", "last_used_at"])
 
         user = passkey.user
-        login(request, user, backend="django.contrib.auth.backends.ModelBackend")
+        user.backend = settings.CUSTOM_AUTH_BACKEND
+        login(request, user)
         request.session["passkey_authenticated"] = True
 
-        next_url = data.get("next") or "/"
+        next_url = data.get("next") or resolve_url(settings.LOGIN_REDIRECT_URL)
         if not url_has_allowed_host_and_scheme(
             next_url,
             allowed_hosts={request.get_host()},
             require_https=request.is_secure(),
         ):
-            next_url = settings.LOGIN_REDIRECT_URL
+            next_url = resolve_url(settings.LOGIN_REDIRECT_URL)
         return JsonResponse({"status": "ok", "redirect_url": next_url})
 
 

hypha/static_src/javascript/passkeys.js

@@ -14,6 +14,7 @@
 window.hypha = window.hypha || {};
 
 window.hypha.passkeys = (function () {
+  let _conditionalAbortController = null;
   function getCsrfToken() {
     const el = document.querySelector("[name=csrfmiddlewaretoken]");
     if (el) return el.value;
@@ -126,6 +127,12 @@ window.hypha.passkeys = (function () {
    * Authenticate with a passkey via an explicit button click on the login page.
    */
   async function authenticate() {
+    // Abort any in-progress conditional mediation before starting explicit auth.
+    if (_conditionalAbortController) {
+      _conditionalAbortController.abort();
+      _conditionalAbortController = null;
+    }
+
     const beginUrl = document.getElementById("passkey-auth-begin-url")?.value;
     const completeUrl = document.getElementById(
       "passkey-auth-complete-url"
@@ -182,6 +189,8 @@ window.hypha.passkeys = (function () {
     )?.value;
     if (!beginUrl || !completeUrl) return;
 
+    _conditionalAbortController = new AbortController();
+
     try {
       const beginResp = await jsonPost(beginUrl, {});
       if (!beginResp.ok) return;
@@ -192,6 +201,7 @@ window.hypha.passkeys = (function () {
       const credential = await navigator.credentials.get({
         publicKey: PublicKeyCredential.parseRequestOptionsFromJSON(authOptions),
         mediation: "conditional",
+        signal: _conditionalAbortController.signal,
       });
 
       if (!credential) return;