diff --git a/web/static/webauthn.js b/web/static/webauthn.js
index 87ad173..0796a15 100644
--- a/web/static/webauthn.js
+++ b/web/static/webauthn.js
@@ -25,10 +25,17 @@
 return bytes.buffer;
 }
- // Get the CSRF token from the cookie for mutating requests.
+ // Get the CSRF token from the body's hx-headers attribute (HMAC header value).
+ // The cookie holds the nonce; the header holds the HMAC — they are different.
 function getCSRFToken() {
- var match = document.cookie.match(/(?:^|;\s*)mcias_csrf=([^;]+)/);
- return match ? match[1] : '';
+ try {
+ var hdr = document.body.getAttribute('hx-headers');
+ if (hdr) {
+ var parsed = JSON.parse(hdr);
+ if (parsed['X-CSRF-Token']) return parsed['X-CSRF-Token'];
+ }
+ } catch (e) { /* fall through */ }
+ return '';
 }
 function showError(id, msg) {
diff --git a/web/templates/fragments/webauthn_enroll.html b/web/templates/fragments/webauthn_enroll.html
index 6f30b95..419ac07 100644
--- a/web/templates/fragments/webauthn_enroll.html
+++ b/web/templates/fragments/webauthn_enroll.html
@@ -4,7 +4,7 @@
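Review bot: The added `catch (e) { /* fall through */ }` in getCSRFToken turns every failure into an empty token, so a template that stops emitting `hx-headers`, emits `hx-headers="null"` (JSON.parse yields null and `parsed['X-CSRF-Token']` throws), or runs this before `document.body` exists only shows up later as a server-side CSRF rejection with no client-side signal. Guard the parsed value and return only a string, e.g. `var parsed = JSON.parse(hdr);` / `var token = parsed && parsed['X-CSRF-Token'];` / `if (typeof token === 'string') return token;`, and log in the catch (for example a `console.warn` naming the attribute and passing `e`) instead of discarding the error. That the hx-headers value is always a JSON object is inferred from the lookup, not visible in the hunk. getCSRFToken is fully contained in the hunk; the neighbouring `return bytes.buffer; }` and `function showError(id, msg) {` belong to definitions that extend outside it.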
- Passkeys let you sign in without a password using your device's biometrics or a security key.
+ Register a passkey (Touch ID, Windows Hello) or a hardware security key (YubiKey, FIDO2) for passwordless sign-in or two-factor authentication.
{{template "webauthn_credentials" .}} -