From 52e92cc0db159f6e576401c4959a1240a7d945f8 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Mon, 4 Jul 2022 17:17:31 +0200
Subject: [PATCH] fix sql query for tfa registration
---
 data/web/json_api.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/data/web/json_api.php b/data/web/json_api.php
index 0ebc95bc..22b747bc 100644
--- a/data/web/json_api.php
+++ b/data/web/json_api.php
@@ -430,8 +430,11 @@ if (isset($_GET['query'])) {
 case "webauthn-tfa-registration":
 if (isset($_SESSION["mailcow_cc_role"])) {
 // Exclude existing CredentialIds, if any
- $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username");
- $stmt->execute(array(':username' => $_SESSION['mailcow_cc_username']));
+ $stmt = $pdo->prepare("SELECT `keyHandle` FROM `tfa` WHERE username = :username AND authmech = :authmech");
+ $stmt->execute(array(
+ ':username' => $_SESSION['mailcow_cc_username'],
+ ':authmech' => 'webauthn'
+ ));
 $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
 while($row = array_shift($rows)) {
 $excludeCredentialIds[] = base64_decode($row['keyHandle']);
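Review bot: The loop that consumes this query still appends `base64_decode($row['keyHandle'])` to `$excludeCredentialIds` without strict mode or a result check, so a malformed `keyHandle` in a `webauthn` row lands in the exclude list as garbage bytes and that authenticator is silently not excluded from re-registration. Decoding strictly and skipping failures keeps the list clean: `$id = base64_decode($row['keyHandle'], true); if ($id !== false) { $excludeCredentialIds[] = $id; }`. In the visible lines `$excludeCredentialIds` is only assigned inside the loop, so unless it is initialised earlier in the case (outside this hunk) it stays undefined for a user with no WebAuthn rows; an explicit `$excludeCredentialIds = array();` before the loop would make that unambiguous. The `case` body continues beyond the end of the hunk.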