about summary refs log tree commit diff
path: root/app/controllers
diff options
context:
space:
mode:
authorTruong Nguyen <truongnmt.dev@gmail.com>2021-08-26 23:51:22 +0900
committerGitHub <noreply@github.com>2021-08-26 09:51:22 -0500
commit7283a5d3b94b655172744996ffa43ec80aff0e08 (patch)
tree60af89149d26d049e25dfe829ae54376a873c2b7 /app/controllers
parent94bcf453219da73015cc977835717516b9dc0a67 (diff)
Explicitly set userVerification to discoraged (#16545)
Diffstat (limited to 'app/controllers')
-rw-r--r--app/controllers/auth/sessions_controller.rb5
-rw-r--r--app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb3
2 files changed, 6 insertions, 2 deletions
diff --git a/app/controllers/auth/sessions_controller.rb b/app/controllers/auth/sessions_controller.rb
index 7afd09e10..2c3d510cb 100644
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@@ -45,7 +45,10 @@ class Auth::SessionsController < Devise::SessionsController
     user = find_user
 
     if user&.webauthn_enabled?
-      options_for_get = WebAuthn::Credential.options_for_get(allow: user.webauthn_credentials.pluck(:external_id))
+      options_for_get = WebAuthn::Credential.options_for_get(
+        allow: user.webauthn_credentials.pluck(:external_id),
+        user_verification: 'discouraged'
+      )
 
       session[:webauthn_challenge] = options_for_get.challenge
 
diff --git a/app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb b/app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb
index 1c557092b..a50d30f06 100644
--- a/app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb
+++ b/app/controllers/settings/two_factor_authentication/webauthn_credentials_controller.rb
@@ -21,7 +21,8 @@ module Settings
             display_name: current_user.account.username,
             id: current_user.webauthn_id,
           },
-          exclude: current_user.webauthn_credentials.pluck(:external_id)
+          exclude: current_user.webauthn_credentials.pluck(:external_id),
+          authenticator_selection: { user_verification: 'discouraged' }
         )
 
         session[:webauthn_challenge] = options_for_create.challenge