Merge pull request #15045 from opf/release/13.4

Merge 2FA fix from the 13.4 Release branch into dev
opf · Mar 19, 2024 · b055d83 · b055d83
2 parents 31970ee + f66825d
commit b055d83
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/...tor_authentication/app/controllers/two_factor_authentication/authentication_controller.rb b/...tor_authentication/app/controllers/two_factor_authentication/authentication_controller.rb
@@ -84,24 +84,26 @@ def successful_2fa_transmission(service, transmit)
     ##
     # Create a token service for the current user
     # with an optional override to use a non-default channel
-    def otp_service(user, use_channel: nil, use_device: nil)
+    def otp_service(user, use_channel: nil, use_device: remembered_device(user))
       session[:two_factor_authentication_device_id] = use_device.try(:id)
       ::TwoFactorAuthentication::TokenService.new user:, use_channel:, use_device:
     end
 
     ##
     # Get the used device for verification
     def otp_service_for_verification(user)
-      use_device =
-        if session[:two_factor_authentication_device_id]
-          user.otp_devices.find(session[:two_factor_authentication_device_id])
-        end
-      otp_service(user, use_device:)
+      otp_service(user, use_device: remembered_device(user))
     rescue ActiveRecord::RecordNotFound
       render_404
       false
     end
 
+    def remembered_device(user)
+      if session[:two_factor_authentication_device_id]
+        user.otp_devices.find(session[:two_factor_authentication_device_id])
+      end
+    end
+
     ##
     # Detect overridden channel or device from params when trying to resend
     def service_from_resend_params

diff --git a/modules/two_factor_authentication/app/models/two_factor_authentication/device/webauthn.rb b/modules/two_factor_authentication/app/models/two_factor_authentication/device/webauthn.rb
@@ -21,14 +21,12 @@ def self.device_type
     def options_for_create(relying_party)
       @options_for_create ||= relying_party.options_for_registration(
         user: { id: user.webauthn_id, name: user.name },
-        exclude: TwoFactorAuthentication::Device::Webauthn.where(user:).pluck(:webauthn_external_id),
-        authenticator_selection: { user_verification: "discouraged" }
+        exclude: TwoFactorAuthentication::Device::Webauthn.where(user:).pluck(:webauthn_external_id)
       )
     end
 
     def options_for_get(relying_party)
       @options_for_get ||= relying_party.options_for_authentication(
-        user_verification: "discouraged", # we do not require user verification
         allow: [webauthn_external_id] # TODO: Maybe also allow all other tokens? Let's see
       )
     end