Explicitly set userVerification to discoraged (#16545)

master
Truong Nguyen 3 years ago committed by GitHub
parent 94bcf45321
commit 7283a5d3b9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 5
      app/controllers/auth/sessions_controller.rb
  2. 3
      app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb

@ -45,7 +45,10 @@ class Auth::SessionsController < Devise::SessionsController
user = find_user
if user&.webauthn_enabled?
options_for_get = WebAuthn::Credential.options_for_get(allow: user.webauthn_credentials.pluck(:external_id))
options_for_get = WebAuthn::Credential.options_for_get(
allow: user.webauthn_credentials.pluck(:external_id),
user_verification: 'discouraged'
)
session[:webauthn_challenge] = options_for_get.challenge
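Review bot: Nothing at the `options_for_get` call records why `user_verification: 'discouraged'` is acceptable, and that reasoning is what keeps the setting safe. The value asks the authenticator to skip PIN or biometric checks, which is fine only while this assertion is a second factor following a password check; that earlier step is not visible in this hunk, so I am assuming it. I would add a comment above the call such as `# WebAuthn is only a second factor here, so user verification (PIN/biometric) is deliberately not requested.` If the flow ever becomes passwordless, this should change to `'required'` and the verification step should check the user-verified flag. The same comment applies to `authenticator_selection` in webauthn_credentials_controller.rb; the enclosing method starts and ends outside the hunk.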

@ -21,7 +21,8 @@ module Settings
display_name: current_user.account.username,
id: current_user.webauthn_id,
},
exclude: current_user.webauthn_credentials.pluck(:external_id)
exclude: current_user.webauthn_credentials.pluck(:external_id),
authenticator_selection: { user_verification: 'discouraged' }
)
session[:webauthn_challenge] = options_for_create.challenge
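Review bot: The literal `'discouraged'` now appears both here and in Auth::SessionsController, so the registration and authentication ceremonies can drift apart if only one is edited later. A single frozen constant referenced from both call sites would avoid that, for example `WEBAUTHN_USER_VERIFICATION = 'discouraged'`, defined wherever the project keeps shared WebAuthn configuration (not visible here). The call being modified starts above this hunk.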
