When a user attempts to log in on a fresh instance (empty database), the WebAuthn API throws a NotAllowedError because no matching credential exists. This error is caught and displayed as "Authentication was blocked by your browser," which is incorrect and confusing — the real problem is that no account has been registered.
Current behaviour ❌️
User sees: "Authentication was blocked by your browser. Make sure you are using the same authenticator you registered with and tap it promptly."
Expected behaviour 🟢
The error should indicate that no matching credential was found and suggest registering first, rather than blaming the browser.
Steps to reproduce:
- Run make down-clean && make up to start with a fresh database
- Navigate to the login page and click "Log in"
- The browser's WebAuthn prompt either fails immediately or shows no credentials
- The error message blames the browser rather than indicating no account exists
Affected files:
frontend/src/composables/useWebAuthn.js:140-142— catchesNotAllowedErrorwith a single generic message
Suggested fix:
The NotAllowedError is used by browsers for multiple scenarios (user cancelled, no matching credential, timeout).
Consider:
- Checking the backend response or credential list before attributing the error to the browser
- Providing a more generic message like "Login failed. If you haven't registered yet, please register first." with a link to the registration flow
- Differentiating between a user cancellation (prompt dismissed) and a missing credential if the browser API allows it