Release/965.0.0 #8728

Merged
tanguyenvn merged 2 commits into main from release/965.0.0
May 6, 2026

tanguyenvn commented May 6, 2026

Explanation

Current state

PasskeyController verifies registration and authentication with requireUserVerification: true, so the server expects the WebAuthn user verification (UV) flag on assertions. For enrollment-time get() options, generatePostRegistrationAuthenticationOptions already used userVerification: 'required', but generateAuthenticationOptions (unlock / enrolled passkey) still used userVerification: 'preferred'. With 'preferred', the client may allow authenticators to skip UV, producing assertions without UV that the server then rejects—wasted ceremonies and confusing failures.

Solution

Set userVerification: 'required' on the object returned by generateAuthenticationOptions, matching the post-registration path and server verification. Add a unit test that enrolled flows emit 'required'. Document the fix in packages/passkey-controller/CHANGELOG.md under the appropriate Unreleased or release section.

Not obvious

This is a client/server hint alignment fix, not a new API. Behavior may be stricter at navigator.credentials.get() (UV required), which matches what verification already enforced.

Scope

Changes are limited to @metamask/passkey-controller (implementation, tests, changelog). No dependency upgrades.

References

  • Related: #8696 (replace or extend with your issue/PR links)

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate (optional: JSDoc on generateAuthenticationOptions if you want to mention UV)
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them (N/A—patch-level behavior fix, no breaking API changes)

Note

Low Risk
Low risk release bookkeeping only (version bumps and changelog updates) with no functional code changes in this diff.

Overview
Updates release metadata by bumping the root monorepo version to 965.0.0 and @metamask/passkey-controller to 2.0.1.

Adds a passkey-controller 2.0.1 changelog entry documenting stricter WebAuthn user verification requirements and the generateAuthenticationOptions alignment to userVerification: 'required', and updates the changelog compare links accordingly.

Reviewed by Cursor Bugbot for commit 8891f9b. Bugbot is set up for automated code reviews on this repo.

tanguyenvn added this pull request to the merge queue May 6, 2026
Merged via the queue into main with commit a83b774 May 6, 2026
370 checks passed
tanguyenvn deleted the release/965.0.0 branch May 6, 2026 15:48
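The mismatch described in the PR comes down to one bit in the authenticator data. The following is an added example, not code from this PR or from @metamask/passkey-controller: it reads the UP/UV flags, applies a `requireUserVerification` policy, and lints request options against that policy. The function names and the sample bytes are hypothetical and constructed for illustration; signature, challenge and origin checks are out of scope.

```javascript
// Added illustration: names are hypothetical, not PasskeyController's API.
const FLAG_UP = 0x01; // bit 0: user present
const FLAG_UV = 0x04; // bit 2: user verified

// Authenticator data layout: 32-byte rpIdHash | 1-byte flags | 4-byte signCount | ...
function parseFlags(authData) {
  if (authData.length < 37) {
    throw new RangeError('authenticator data shorter than 37 bytes');
  }
  const flags = authData[32];
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
  };
}

// Flag policy of a verifier configured with requireUserVerification: true.
function checkFlags(authData, { requireUserVerification }) {
  const { userPresent, userVerified } = parseFlags(authData);
  if (!userPresent) return { ok: false, reason: 'UP flag not set' };
  if (requireUserVerification && !userVerified) {
    return { ok: false, reason: 'UV flag not set' };
  }
  return { ok: true, reason: null };
}

// Pre-flight lint: flags get() options that can yield assertions the verifier rejects.
// An absent userVerification member defaults to 'preferred' in WebAuthn.
function lintOptions(options, verifierConfig) {
  const uv = options.userVerification ?? 'preferred';
  if (verifierConfig.requireUserVerification && uv !== 'required') {
    return [`userVerification is '${uv}' but the verifier requires the UV flag`];
  }
  return [];
}

// Constructed sample: zeroed rpIdHash and signCount, caller-chosen flags byte.
function sampleAuthData(flags) {
  const buf = new Uint8Array(37);
  buf[32] = flags;
  return buf;
}

const verifier = { requireUserVerification: true };
console.log(lintOptions({ userVerification: 'preferred' }, verifier));
console.log(checkFlags(sampleAuthData(FLAG_UP), verifier)); // UP only: rejected
console.log(checkFlags(sampleAuthData(FLAG_UP | FLAG_UV), verifier)); // accepted
```

Running a lint like `lintOptions` in a unit test catches the option/verifier drift before a user hits a rejected ceremony.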