Explicitly set userVerification to discoraged (#16545)

7283a5d3 · Truong Nguyen · GitHub · 94bcf453 · 7283a5d3 · 7283a5d3
Unverified Commit 7283a5d3 authored 3 years ago by Truong Nguyen Committed by GitHub 3 years ago
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -45,7 +45,10 @@ class Auth::SessionsController < Devise::SessionsController
    user = find_user

    if user&.webauthn_enabled?
-      options_for_get = WebAuthn::Credential.options_for_get(allow: user.webauthn_credentials.pluck(:external_id))
+      options_for_get = WebAuthn::Credential.options_for_get(
+        allow: user.webauthn_credentials.pluck(:external_id),
+        user_verification: 'discouraged'
+      )

      session[:webauthn_challenge] = options_for_get.challenge


--- a/app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb
@@ -21,7 +21,8 @@ module Settings
            display_name: current_user.account.username,
            id: current_user.webauthn_id,
          },
-          exclude: current_user.webauthn_credentials.pluck(:external_id)
+          exclude: current_user.webauthn_credentials.pluck(:external_id),
+          authenticator_selection: { user_verification: 'discouraged' }
        )

        session[:webauthn_challenge] = options_for_create.challenge