bcgov / vc-authn-oidc

Apache License 2.0

A proof that is actioned after disconnecting from the websocket is broadcasted to all #570

Closed loneil closed 1 week ago

loneil commented 2 weeks ago

When a websocket on the FE is disconnected, it gets removed from the proof > auth session association on the server (as designed). However, that proof is still requested in the agent, and the user can still action (share/decline) it in their wallet after the VCAuth QR page is gone (refreshing in a number of ways, having left it and then pulling up an old proof, etc.).

The webhook gets sent to the controller and the presentation is found, and the pres state is handled, but then it can't find the sid since the websocket association was removed. Then when it moves to `await sio.emit("status", {"status": "verified"}, to=sid)` (or fail or abandon), if sid is None the socket library BROADCASTS TO ANY CLIENT LISTENER. So any other QR code page on there will get a socket notification to transition to that state. Luckily this can't result in someone else getting logged in, as the token claim building part errors out since there's nothing there from the user erroneously moving to the next step.

None of these status emits should happen if there's no sid, as these should never broadcast to all, so simply guarding that fixes it.

If a user abandons their login attempt (refresh, close, etc.) but then later goes to their wallet and does something with the proof, the hook handler will still happen, and will still update the auth session Mongo record with that status, but will not emit to the socket any more. Maybe some discussion here as to whether we'd want to update the auth session? But then, in the end we don't really care about them since they are intended to be removed by the TTL index anyway.
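As an added example (not the project's code) illustrating the guard this issue describes: a constructed stand-in socket server that mirrors python-socketio's `emit(event, data, to=None)` semantics, where `to=None` means broadcast, beside a handler that skips the emit when the sid is missing. `FakeSocketServer`, `notify_presentation_state` and `run_scenario` are hypothetical names introduced here.

```python
"""Guarding a socket.io status emit so a missing sid never broadcasts."""
import asyncio
from typing import Optional


class FakeSocketServer:
    """Constructed stand-in: like python-socketio, to=None broadcasts to all."""

    def __init__(self, connected_sids):
        self.connected_sids = list(connected_sids)
        self.delivered = []  # (sid, event, data) tuples actually sent

    async def emit(self, event, data, to=None):
        targets = self.connected_sids if to is None else [to]
        for sid in targets:
            self.delivered.append((sid, event, data))


async def notify_presentation_state(sio, sid: Optional[str], state: str):
    """Emit the proof state only to the client that owns the auth session.

    Returns True if an emit happened, False if it was skipped because the
    websocket association was already removed (sid is None).
    """
    if sid is None:
        # The websocket for this auth session is gone. Emitting with to=None
        # would broadcast to every connected QR page, so do nothing.
        return False
    await sio.emit("status", {"status": state}, to=sid)
    return True


def run_scenario(guarded: bool):
    """Two unrelated QR pages are connected; the proof owner disconnected."""
    sio = FakeSocketServer(connected_sids=["sid-page-A", "sid-page-B"])
    owner_sid = None  # association removed when the owner's socket closed

    async def unguarded():
        # The original controller behaviour described in the issue.
        await sio.emit("status", {"status": "verified"}, to=owner_sid)
        return True

    coro = notify_presentation_state(sio, owner_sid, "verified") if guarded else unguarded()
    emitted = asyncio.run(coro)
    return emitted, [d[0] for d in sio.delivered]


if __name__ == "__main__":
    print(run_scenario(guarded=False))  # (True, ['sid-page-A', 'sid-page-B'])
    print(run_scenario(guarded=True))   # (False, [])
```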