dkam/clinch
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases Wiki Activity

Remove auto-trigger of passkey authentication on page load
Some checks failed
CI / scan_ruby (push) Has been cancelled
Details
CI / scan_js (push) Has been cancelled
Details
CI / scan_container (push) Has been cancelled
Details
CI / lint (push) Has been cancelled
Details
CI / test (push) Has been cancelled
Details
CI / system-test (push) Has been cancelled
Details

Browse Source 
Safari's WebAuthn dialog can become undismissable when invoked without
a user gesture. Always require the user to click "Continue with Passkey"
instead of auto-triggering navigator.credentials.get().

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dan Milne
2026-03-22 00:38:48 +11:00
parent 3d98261a51
commit c7d9df48b5
1 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/javascript/controllers/webauthn_controller.js
View File

@@ -49,11 +49,9 @@ export default class extends Controller {
}
});
// Auto-trigger passkey authentication if required, or if user has both
// webauthn and TOTP (to save them from the password→TOTP flow)
if (data.requires_webauthn || (data.has_webauthn && data.has_totp)) {
setTimeout(() => this.authenticate(), 100);
}
// Don't auto-trigger navigator.credentials.get() — Safari's WebAuthn
// dialog can become undismissable when invoked without a user gesture.
// Always let the user click "Continue with Passkey" instead.
} else {
console.debug("No WebAuthn credentials found for this email");
}