fix: require reauthentication for auth request approval

src/handlers/auth-requests.ts

@@ -14,6 +14,19 @@ function normalizeText(value: unknown, maxLength: number): string {
   return String(value ?? '').trim().slice(0, maxLength);
 }
 
+function isSerializedEncString(value: unknown): value is string {
+  const text = String(value || '').trim();
+  if (!text) return false;
+  const parts = text.split('.');
+  if (parts.length !== 2) return false;
+  const type = Number(parts[0]);
+  const bodyParts = parts[1].split('|');
+  if (type === 2) return bodyParts.length === 3 && bodyParts.every(Boolean);
+  if (type === 3 || type === 4) return bodyParts.length === 1 && !!bodyParts[0];
+  if (type === 5 || type === 6) return bodyParts.length === 2 && bodyParts.every(Boolean);
+  return false;
+}
+
 function getClientIp(request: Request): string | null {
   return (
     request.headers.get('CF-Connecting-IP') ||
@@ -251,6 +264,9 @@ export async function handleUpdateAuthRequest(request: Request, env: Env, userId
   if (approved && !key) {
     return errorResponse('Encrypted key is required to approve the request.', 400);
   }
+  if (approved && !isSerializedEncString(key)) {
+    return errorResponse('Encrypted key is not a valid encrypted string.', 400);
+  }
 
   const updated = await storage.updateAuthRequestResponse(id, userId, {
     approved,

src/handlers/identity.ts

@@ -337,6 +337,7 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
     }
 
     let validatedAuthRequestId: string | null = null;
+    let authRequestLoginKey: string | null = null;
     let valid = false;
     const normalizedAuthRequestId = String(authRequestId || '').trim();
     if (normalizedAuthRequestId) {
@@ -349,10 +350,12 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
         authRequest.responseDate &&
         !authRequest.authenticationDate &&
         !isAuthRequestExpired(authRequest) &&
+        !!authRequest.key &&
         constantTimeEquals(authRequest.accessCode, passwordHash)
       );
       if (valid) {
         validatedAuthRequestId = authRequest!.id;
+        authRequestLoginKey = authRequest!.key;
       }
     } else {
       valid = await auth.verifyPassword(passwordHash, user.masterPasswordHash, user.email);
@@ -493,7 +496,7 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
       token_type: 'Bearer',
       ...(shouldUseWebSession(request) ? { web_session: true } : { refresh_token: refreshToken }),
       ...(trustedTwoFactorTokenToReturn ? { TwoFactorToken: trustedTwoFactorTokenToReturn } : {}),
-      Key: user.key,
+      Key: authRequestLoginKey || user.key,
       PrivateKey: user.privateKey,
       AccountKeys: accountKeys,
       accountKeys: accountKeys,