gravitational · Joerger · Dec 24, 2024 · Dec 24, 2024 · zmb3 · Dec 24, 2024
diff --git a/web/packages/teleport/src/Account/ChangePasswordWizard/ChangePasswordWizard.tsx b/web/packages/teleport/src/Account/ChangePasswordWizard/ChangePasswordWizard.tsx
@@ -65,7 +65,7 @@ export function ChangePasswordWizard({
   const reauthState = useReAuthenticate({
     challengeScope: MfaChallengeScope.CHANGE_PASSWORD,
     onMfaResponse: async mfaResponse =>
-      setWebauthnResponse(mfaResponse.webauthn_response),
+      setWebauthnResponse(mfaResponse?.webauthn_response),
   });
 
   const [reauthMethod, setReauthMethod] = useState<ReauthenticationMethod>();

diff --git a/web/packages/teleport/src/lib/term/tty.ts b/web/packages/teleport/src/lib/term/tty.ts
@@ -81,16 +81,16 @@ class Tty extends EventEmitterMfaSender {
     this.socket.send(bytearray.buffer);
   }
 
-  sendChallengeResponse(data: MfaChallengeResponse) {
+  sendChallengeResponse(resp: MfaChallengeResponse) {
     // we want to have the backend listen on a single message type
     // for any responses. so our data will look like data.webauthn, data.sso, etc
     // but to be backward compatible, we need to still spread the existing webauthn only fields
     // as "top level" fields so old proxies can still respond to webauthn challenges.
     // in 19, we can just pass "data" without this extra step
     // TODO (avatus): DELETE IN 19.0.0
     const backwardCompatibleData = {
-      ...data.webauthn_response,
-      ...data,
+      ...resp?.webauthn_response,
+      ...resp,
     };
     const encoded = this._proto.encodeChallengeResponse(
       JSON.stringify(backwardCompatibleData)

diff --git a/web/packages/teleport/src/services/auth/auth.ts b/web/packages/teleport/src/services/auth/auth.ts
@@ -240,7 +240,7 @@ const auth = {
       .then(res => {
         const request = {
           action: 'accept',
-          webauthnAssertionResponse: res.webauthn_response,
+          webauthnAssertionResponse: res?.webauthn_response,
         };
 
         return api.put(cfg.getHeadlessSsoPath(transactionId), request);
@@ -282,6 +282,8 @@ const auth = {
     mfaType?: DeviceType,
     totpCode?: string
   ): Promise<MfaChallengeResponse> {
-  ): Promise<MfaChallengeResponse> {
+  ): Promise<MfaChallengeResponse|undefined> {
-  ): Promise<MfaChallengeResponse> {
+  ): Promise<MfaChallengeResponse|undefined> {
+    if (!challenge) return;
+
     // TODO(Joerger): If mfaType is not provided by a parent component, use some global context
     // to display a component, similar to the one used in useMfa. For now we just default to
     // whichever method we can succeed with first.
@@ -439,7 +441,7 @@ const auth = {
     return auth
       .getMfaChallenge({ scope, allowReuse, isMfaRequiredRequest }, abortSignal)
       .then(challenge => auth.getMfaChallengeResponse(challenge, 'webauthn'))
-      .then(res => res.webauthn_response);
+      .then(res => res?.webauthn_response);
   },
 
   getMfaChallengeResponseForAdminAction(allowReuse?: boolean) {

diff --git a/web/packages/teleport/src/services/mfa/makeMfa.ts b/web/packages/teleport/src/services/mfa/makeMfa.ts
@@ -69,7 +69,7 @@ export function parseMfaChallengeJson(
     !challenge.webauthn_challenge &&
     !challenge.totp_challenge
   ) {
-    return null;
+    return;
   }
 
   // WebAuthn challenge contains Base64URL(byte) fields that needs to