Explicitly set userVerification to discoraged (#16545)

pull/1591/head
Truong Nguyen 2021-08-26 23:51:22 +09:00 committed by GitHub
parent 94bcf45321
commit 7283a5d3b9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 2 deletions


@ -45,7 +45,10 @@ class Auth::SessionsController < Devise::SessionsController
user = find_user user = find_user
if user&.webauthn_enabled? if user&.webauthn_enabled?
options_for_get = WebAuthn::Credential.options_for_get(allow: user.webauthn_credentials.pluck(:external_id)) options_for_get = WebAuthn::Credential.options_for_get(
allow: user.webauthn_credentials.pluck(:external_id),
user_verification: 'discouraged'
)
session[:webauthn_challenge] = options_for_get.challenge session[:webauthn_challenge] = options_for_get.challenge
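Review bot: The new `user_verification: 'discouraged'` argument to `options_for_get` carries no comment saying why user verification is switched off, and the same literal is repeated in `authenticator_selection` in the Settings hunk. The value is appropriate only while the security key is a second factor after a password, which the surrounding code suggests but the hunk does not show; the authenticator then proves presence, not a PIN or biometric. I would add `# Security key is a second factor after the password, so PIN/biometric is not requested` above the argument and move the literal into one shared constant so the two call sites cannot drift apart. The assertion check is outside the hunk, so confirm it does not require the UV flag, and revisit this value if these credentials are ever accepted without a password.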


@ -21,7 +21,8 @@ module Settings
display_name: current_user.account.username, display_name: current_user.account.username,
id: current_user.webauthn_id, id: current_user.webauthn_id,
}, },
exclude: current_user.webauthn_credentials.pluck(:external_id) exclude: current_user.webauthn_credentials.pluck(:external_id),
authenticator_selection: { user_verification: 'discouraged' }
) )
session[:webauthn_challenge] = options_for_create.challenge session[:webauthn_challenge] = options_for_create.challenge