Remove default add_module for passkey strategy #48
Proposed change

Remove the default call to `Devise.add_module` for the `:passkey_authenticatable` strategy.

Reasoning

The default call adds `no_input: true` for the strategy, which effectively bypasses `sign_in`, as well as `after_action` controller filters.

Details

With `no_input: true` enabled for the passkey devise strategy, it will be considered when checking for already-authenticated sessions in `DeviseController::require_no_authentication`.

When submitting valid passkey credentials to `Sessions#create`, `require_no_authentication` runs before the action and tries to authenticate against all of the strategies flagged with `no_input`. If it finds one, it halts, devise adds an already logged in flash message, and redirects to the `after_sign_in_path_for(resource)`, instead of going through the session create action.

This bypasses any user-created `after_action` filters, and more importantly, the `sign_in` method, both of which may be important for rails apps.

The `no_input` option can't be changed in userland without manually altering devise constants, because the default `Devise.add_module` here:

devise-passkeys/lib/devise/passkeys.rb, lines 48 to 51 in 9a57c20

`Devise::NO_INPUT` constant and a couple of others.

Since the readme currently calls out needing to call `Devise.add_module` manually during setup, I've just removed the offending `add_module` and changed the readme recommendation to not include `no_input`.

Tests

Tests pass using `warden-webauthn = 0.2.1`, but `0.3.0` adds a new default value (`resident_key: required`) that affects some tests.
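The following is an added, stand-alone model of the filter behaviour described above; it is not code from Devise or devise-passkeys, and the request shape, the `run_strategy` stub and the user name are constructed. It contrasts the two Warden calls the real `require_no_authentication` chooses between, `warden.authenticate?(*no_input_strategies, scope:)` versus `warden.authenticated?(scope)`, to show why a fresh passkey sign-in is swallowed by the filter only when the strategy is flagged `no_input`.

```ruby
# Added model (not Devise or devise-passkeys code) of how a no_input flag on
# the passkey strategy changes what the require_no_authentication filter does.
# Request shape, strategy stub and user name below are constructed.
Request = Struct.new(:session_user, :credentials, keyword_init: true)

# Stand-in for the passkey strategy: succeeds on a valid passkey assertion.
def run_strategy(strategy, request)
  strategy == :passkey_authenticatable && request.credentials[:passkey_assertion] == :valid
end

# Models warden.authenticated?(scope): only an existing session counts.
def warden_authenticated?(request)
  !request.session_user.nil?
end

# Models warden.authenticate?(*strategies, scope:): besides the session, it
# actively runs each listed strategy against the incoming request, so fresh
# credentials can authenticate inside a before_action.
def warden_authenticate?(request, strategies)
  warden_authenticated?(request) || strategies.any? { |s| run_strategy(s, request) }
end

# The filter: with any no_input strategies present it authenticates against
# them; otherwise it only asks whether a session already exists.
def require_no_authentication(request, no_input_strategies)
  authenticated =
    if no_input_strategies.any?
      warden_authenticate?(request, no_input_strategies)
    else
      warden_authenticated?(request)
    end
  authenticated ? :redirect_already_authenticated : :continue
end

# Sessions#create as the app expects it: sign_in runs, then after_action filters.
def sessions_create(request)
  return [:failure] unless run_strategy(:passkey_authenticatable, request)
  [:sign_in, :after_action]
end

# Returns the hooks that ran for one sign-in request.
def handle_sign_in(request, no_input_strategies)
  result = require_no_authentication(request, no_input_strategies)
  result == :continue ? sessions_create(request) : [result]
end

FRESH_PASSKEY = Request.new(session_user: nil, credentials: { passkey_assertion: :valid })
LOGGED_IN     = Request.new(session_user: :alice, credentials: {})

# Before the PR (strategy flagged no_input): the filter authenticates the fresh
# request itself and redirects, so create, sign_in and after_action never run.
# After the PR (no no_input strategies): a fresh request reaches create, while
# an already-authenticated session is still redirected as intended.
```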