Fixes #5156 - User login flow is interrupted when two-factor authenti…

…cation method security keys is used.
zammad · May 1, 2024 · 336f823 · 336f823
1 parent fcd4e39
commit 336f823
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 3 deletions.
diff --git a/lib/auth/two_factor/authentication_method/security_keys.rb b/lib/auth/two_factor/authentication_method/security_keys.rb
@@ -7,7 +7,7 @@ def initiate_authentication
 
     configure_webauthn
 
-    WebAuthn::Credential.options_for_get(allow: stored_credentials.pluck(:external_id))
+    WebAuthn::Credential.options_for_get(allow: stored_credentials.pluck(:external_id), user_verification: 'discouraged')
   end
 
   def verify(payload, configuration = user_two_factor_preference_configuration)
@@ -24,12 +24,13 @@ def initiate_configuration
     configure_webauthn
 
     WebAuthn::Credential.options_for_create(
-      user:    {
+      user:                    {
         id:           WebAuthn.generate_user_id,
         display_name: user.login,
         name:         user.login,
       },
-      exclude: stored_credentials.pluck(:external_id),
+      exclude:                 stored_credentials.pluck(:external_id),
+      authenticator_selection: { user_verification: 'discouraged' },
     )
   end
 

diff --git a/spec/lib/auth/two_factor/authentication_method/security_keys_spec.rb b/spec/lib/auth/two_factor/authentication_method/security_keys_spec.rb
@@ -0,0 +1,39 @@
+# Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/
+
+require 'rails_helper'
+require 'rotp'
+
+RSpec.describe Auth::TwoFactor::AuthenticationMethod::SecurityKeys do
+  subject(:instance) { described_class.new(user) }
+
+  let(:user) { create(:user) }
+
+  shared_examples 'responding to provided instance method' do |method|
+    it "responds to '.#{method}'" do
+      expect(instance).to respond_to(method)
+    end
+  end
+
+  it_behaves_like 'responding to provided instance method', :verify
+  it_behaves_like 'responding to provided instance method', :initiate_configuration
+
+  describe '#initiate_configuration' do
+    it 'does not require user verification (#5156)' do
+      expect(instance.initiate_configuration.authenticator_selection).to include(user_verification: 'discouraged')
+    end
+  end
+
+  describe '#initiate_authentication' do
+    let(:two_factor_pref) { create(:user_two_factor_preference, :security_keys, user: user) }
+
+    before do
+      two_factor_pref
+      allow(WebAuthn::Credential).to receive(:options_for_get).with(any_args)
+      instance.initiate_authentication
+    end
+
+    it 'does not require user verification (#5156)' do
+      expect(WebAuthn::Credential).to have_received(:options_for_get).with(include(user_verification: 'discouraged'))
+    end
+  end
+end