We have a question related to the login challenge code. The login challenge is passed over front-channel communication, and users can share the link with the code challenge with each other, bookmark the login page in the browser, or do other crazy things.
This sometimes creates a weird situation where users reuse challenge codes accidentally. For example, today we got a case where a user logged in successfully with code_challenge but saved the link, opened it again after some time, passed the login flow, and we got a
pq: duplicate key value violates unique constraint "hydra_oauth2_authentication_request_handled_pkey" exception when the backend tried to accept the challenge.
Are there any practices or workarounds for the situation where users have authenticated successfully in the app but the login challenge is stale / expired? What should the app do in this case?
By the way, when we played with the code today we got a feeling that
CHALLENGE_TOKEN_LIFESPAN (ChallengeTokenLifespan in config) is not used in the code. Can you please point to where ChallengeTokenLifespan is checked?