From c7d9df48b577fc69c2bccb06a729b7d76e0aa8c7 Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Sun, 22 Mar 2026 00:38:48 +1100
Subject: [PATCH] Remove auto-trigger of passkey authentication on page load
Safari's WebAuthn dialog can become undismissable when invoked without a user gesture. Always require the user to click "Continue with Passkey" instead of auto-triggering navigator.credentials.get().
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 app/javascript/controllers/webauthn_controller.js | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/app/javascript/controllers/webauthn_controller.js b/app/javascript/controllers/webauthn_controller.js
index 26fd7a0..f212f26 100644
--- a/app/javascript/controllers/webauthn_controller.js
+++ b/app/javascript/controllers/webauthn_controller.js
@@ -49,11 +49,9 @@ export default class extends Controller {
 }
 });
- // Auto-trigger passkey authentication if required, or if user has both
- // webauthn and TOTP (to save them from the password→TOTP flow)
- if (data.requires_webauthn || (data.has_webauthn && data.has_totp)) {
- setTimeout(() => this.authenticate(), 100);
- }
+ // Don't auto-trigger navigator.credentials.get() — Safari's WebAuthn
+ // dialog can become undismissable when invoked without a user gesture.
+ // Always let the user click "Continue with Passkey" instead.
 } else {
 console.debug("No WebAuthn credentials found for this email");
 }
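Review bot: After this removal `data.requires_webauthn` is no longer read anywhere in the visible branch, so an account flagged as passkey-required now gets the same passive page as one where the passkey is optional. The old timer was a convenience rather than an enforcement point, but it was the only place in this hunk where that flag changed behaviour; the enclosing method starts and ends outside the hunk, so the flag may still be consulted above. It is worth confirming that the server refuses a password or TOTP completion for such accounts regardless of what the page does, and recording that next to the new comment, for example `// requires_webauthn must be enforced by the server; nothing here blocks the password path.`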