Check already registered on prove possession

pablothedude · pablothedude · commit 3266b81091f0 · 2025-08-19T17:04:07.000+02:00
We add a check to prevent the same token having multiple
in flight registration processes for the same token.
diff --git a/src/Surfnet/Stepup/Identity/Identity.php b/src/Surfnet/Stepup/Identity/Identity.php
@@ -210,6 +210,7 @@ public function bootstrapYubikeySecondFactor(
     ): void {
         $this->assertNotForgotten();
         $this->assertUserMayAddSecondFactor($maxNumberOfTokens);
+        $this->assertTokenNotAlreadyRegistered(new SecondFactorType('yubikey'), $yubikeyPublicId);
 
         $this->apply(
             new YubikeySecondFactorBootstrappedEvent(
@@ -234,6 +235,7 @@ public function provePossessionOfYubikey(
     ): void {
         $this->assertNotForgotten();
         $this->assertUserMayAddSecondFactor($maxNumberOfTokens);
+        $this->assertTokenNotAlreadyRegistered(new SecondFactorType('yubikey'), $yubikeyPublicId);
 
         if ($emailVerificationRequired) {
             $emailVerificationNonce = TokenGenerator::generateNonce();
@@ -373,6 +375,7 @@ public function provePossessionOfGssf(
     ): void {
         $this->assertNotForgotten();
         $this->assertUserMayAddSecondFactor($maxNumberOfTokens);
+        $this->assertTokenNotAlreadyRegistered(new SecondFactorType($provider->getStepupProvider()), $secondFactorId);
 
         if ($emailVerificationRequired) {
             $emailVerificationNonce = TokenGenerator::generateNonce();
@@ -422,6 +425,7 @@ public function provePossessionOfU2fDevice(
     ): void {
         $this->assertNotForgotten();
         $this->assertUserMayAddSecondFactor($maxNumberOfTokens);
+        $this->assertTokenNotAlreadyRegistered(new SecondFactorType('u2f'), $keyHandle);
 
         if ($emailVerificationRequired) {
             $emailVerificationNonce = TokenGenerator::generateNonce();
@@ -1546,7 +1550,7 @@ private function assertTokenNotAlreadyRegistered(SecondFactorType $type, SecondF
     {
         foreach ($this->unverifiedSecondFactors as $unverified) {
             if ($unverified->typeAndIdentifierAreEqual($type, $identifier)) {
-                throw new DomainException("The second factor was already registered as a unverified second factor");
+                throw new DomainException("The second factor was already registered as an unverified second factor");
             }
         }
         foreach ($this->verifiedSecondFactors as $verified) {
