When MFA_PASSKEY_LOGIN_ENABLED is True, users were able to authenticate
with any WebAuthn credential regardless of the individual credential's
passwordless field setting. The passwordless checkbox on the credential
creation form had no effect on authentication behavior.
Changes:
- Modified auth.get_credentials() to accept passwordless_only parameter
that filters credentials based on their passwordless field - Modified auth.begin_authentication() and auth.complete_authentication()
to pass passwordless flag through the authentication flow - Updated flows.add_authenticator() to save the passwordless flag when
creating new credentials - Modified forms.AddWebAuthnForm to include passwordless checkbox with
help text explaining its purpose - Updated forms.AuthenticateWebAuthnForm to pass passwordless flag to
auth.complete_authentication() - Modified forms.LoginWebAuthnForm to set passwordless=True for
passwordless login flows - Updated views.AddWebAuthnView to extract and pass passwordless flag
when adding credentials - Modified views.LoginWebAuthnView to pass passwordless=True to
auth.begin_authentication() and use flows.perform_passwordless_login() - Added comprehensive unit tests to verify filtering behavior
The fix ensures that:
- Passwordless authentication (LoginWebAuthnView) only uses credentials
with passwordless=True - MFA authentication (ReauthenticateWebAuthnView) uses all WebAuthn
credentials regardless of passwordless flag - Credentials without explicit passwordless field default to False
- The global MFA_PASSKEY_LOGIN_ENABLED setting still controls feature
availability
Fixes: #4599
Signed-off-by: marc fuller gogita99@gmail.com
Submitting Pull Requests
General
- Make sure you use semantic commit messages.
Examples:"fix(google): Fixed foobar bug","feat(accounts): Added foobar feature". - All Python code must formatted using Black, and clean from pep8 and isort issues.
- JavaScript code should adhere to StandardJS.
- If your changes are significant, please update
ChangeLog.rst. - If your change is substantial, feel free to add yourself to
AUTHORS.
Provider Specifics
In case you add a new provider:
- Make sure unit tests are available.
- Ensure your provider is tested by adding an entry over at
tests/projects/common/settings.py::INSTALLED_SOCIALACCOUNT_APPS. - Provide provider specific documentation at
docs/socialaccount/providers/<provider name>.rst. - Link to your provider specific documentation at
docs/insocialaccount/providers/index.rst. - Add an entry for your provider in the quickstart, over at
docs/installation/quickstart.rst::INSTALLED_APPS.