Explicitly set userVerification to discoraged (#16545)

2021-08-26 23:51:22 +09:00 · 2021-08-26 23:51:22 +09:00 · 7283a5d3b9
commit 7283a5d3b9
parent 94bcf45321
2 changed files with 6 additions and 2 deletions
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@ -45,7 +45,10 @@ class Auth::SessionsController < Devise::SessionsController
    user = find_user

    if user&.webauthn_enabled?
-      options_for_get = WebAuthn::Credential.options_for_get(allow: user.webauthn_credentials.pluck(:external_id))
+      options_for_get = WebAuthn::Credential.options_for_get(
+        allow: user.webauthn_credentials.pluck(:external_id),
+        user_verification: 'discouraged'
+      )

      session[:webauthn_challenge] = options_for_get.challenge