Closed zgtm closed 2 months ago
This isn't a bug. The feature you changed only affects the calls to start_securitykey_registration.
We need to have uv=required on passkeys because without it there is a UV bypass on all chrome and safari instances with laptops. Passkeys are expected to be self-contained MFA, so this is correct behaviour.
Ah, okay I get it!
Thanks for your reply! :)
I'm not totally sure if my expectation is right, but I expect the setting
danger_set_user_presence_only_security_keys
to setuserVerification
fromrequired
topreferred
ordiscouraged
.I did this
I enabled the feature
"danger-user-presence-only-security-keys"
and created aWebauthn
object using theWebauthnBuilder
and settingdanger_set_user_presence_only_security_keys(true)
.The resulting
Webauthn
hasuser_presence_only_security_keys: true
as expected.Then I called eg.
I expected the following
The resulting objects to have set
userVerification
fromrequired
topreferred
ordiscouraged
.What actually happened
The
CreationChallengeResponse
object (ccr
) hadThe
PasskeyRegistration
object (skr
) hadVersion (and git commit)
Version 0.5.0 from crates.io
Operating System / Version
Kubuntu 24.04
Any other comments