From 9fdabe36665fa3a63c80610ea7e0aba64f10c875 Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Thu, 21 Nov 2024 09:22:15 +0900
Subject: [PATCH] fix(backend): use atomic command to improve security

Co-Authored-By: Acid Chicken
---
 packages/backend/src/core/WebAuthnService.ts | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/packages/backend/src/core/WebAuthnService.ts b/packages/backend/src/core/WebAuthnService.ts
index 75ab0a207c..ad53192f18 100644
--- a/packages/backend/src/core/WebAuthnService.ts
+++ b/packages/backend/src/core/WebAuthnService.ts
@@ -246,14 +246,12 @@ export class WebAuthnService {
 @bindThis
 public async verifyAuthentication(userId: MiUser['id'], response: AuthenticationResponseJSON): Promise {
- const challenge = await this.redisClient.get(`webauthn:challenge:${userId}`);
+ const challenge = await this.redisClient.getdel(`webauthn:challenge:${userId}`);
 if (!challenge) {
 throw new IdentifiableError('2d16e51c-007b-4edd-afd2-f7dd02c947f6', 'challenge not found');
 }
- await this.redisClient.del(`webauthn:challenge:${userId}`);
-
 const key = await this.userSecurityKeysRepository.findOneBy({
 id: response.id,
 userId: userId,
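Review bot: The `getdel` call on the new `const challenge` line maps to the Redis GETDEL command, which is only available from Redis 6.2.0, so on an older server this call would fail and every WebAuthn login would be rejected; the minimum Redis version should be stated in the deployment requirements or checked at startup. The line also deserves a comment recording why the read and the delete must be a single command, e.g. `// GETDEL: consume the single-use challenge atomically so two concurrent requests cannot both verify against it`. The key is derived from `userId` alone, so any other code that reads and then deletes `webauthn:challenge:${userId}` in two steps (none is visible in this hunk) would keep the same race and is worth checking. verifyAuthentication's body continues past the end of the hunk.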