- webauthn.js: read #username value before calling
  mciasWebAuthnLogin so non-discoverable keys work when
  a username is typed (previously always passed empty string,
  forcing discoverable/resident-key flow only)

- handleWebAuthnLoginFinish: evaluate auth:login policy after
  credential verification, mirroring the gate in handleLogin;
  returns 403 on deny so policy rules apply equally to both
  password and passkey authentication paths

Security: policy is checked post-verification so 403 vs 401
distinguishes a policy restriction from a bad credential without
leaking account existence. No service context is sent (WebAuthn
login carries no service_name/tags), so per-service deny rules
don't fire on passkey login; account-level deny rules do.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
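The ordering the commit describes (verify the credential first, evaluate the auth:login policy only on a verified account, and send no service context on the passkey path) shown as an added Go example. This is illustration code written for this note, not the project's handleWebAuthnLoginFinish; the `Verifier`, `Policy`, `Decision` types and the `finishLogin`, `demoVerify` and `demoPolicy` functions are all assumed names, and the "good:<account>" assertion format is a constructed stand-in for real WebAuthn assertion verification.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Decision is the outcome of a policy evaluation (assumed type).
type Decision int

const (
	Allow Decision = iota
	Deny
)

// Verifier checks a WebAuthn assertion and returns the account it belongs to.
// A real implementation would validate signature, challenge, origin and counter.
type Verifier func(assertion []byte) (account string, err error)

// Policy evaluates an action for an account. service carries the
// service_name/tags context; it is nil on the passkey path because the
// WebAuthn login flow has none to send.
type Policy func(action, account string, service map[string]string) Decision

var errBadCredential = errors.New("credential verification failed")

// finishLogin mirrors the gate ordering: credential failure is 401 and the
// policy is never consulted; a policy deny on a verified account is 403.
func finishLogin(assertion []byte, verify Verifier, policy Policy) (status int, account string) {
	account, err := verify(assertion)
	if err != nil {
		// Unverified callers get the same 401 whether or not the account
		// exists or is restricted, so nothing about the account leaks.
		return http.StatusUnauthorized, ""
	}
	if policy("auth:login", account, nil) == Deny {
		// Only a holder of a valid credential can ever observe a 403.
		return http.StatusForbidden, ""
	}
	return http.StatusOK, account
}

// demoVerify is a constructed stand-in: "good:<account>" verifies, anything
// else fails. It exists only so the example runs offline.
func demoVerify(assertion []byte) (string, error) {
	s := string(assertion)
	if !strings.HasPrefix(s, "good:") {
		return "", errBadCredential
	}
	return strings.TrimPrefix(s, "good:"), nil
}

// demoPolicy is a constructed rule set: an account-level deny for "bob",
// and a per-service deny for service_name=payments that can only fire when
// a caller supplies service context (the password path), never on passkey.
func demoPolicy(action, account string, service map[string]string) Decision {
	if action != "auth:login" {
		return Allow
	}
	if account == "bob" {
		return Deny // account-level rule: applies on every login path
	}
	if service != nil && service["service_name"] == "payments" {
		return Deny // per-service rule: needs context the passkey flow lacks
	}
	return Allow
}

func main() {
	for _, a := range []string{"bogus", "good:alice", "good:bob"} {
		st, acct := finishLogin([]byte(a), demoVerify, demoPolicy)
		fmt.Printf("%-11s -> %d %q\n", a, st, acct)
	}
}
```

The same `demoPolicy` returns Deny for alice when asked with `{"service_name": "payments"}`, which is what the password path would pass; the passkey path passes nil and so lets alice through, matching the commit's note that per-service deny rules do not fire on passkey login while account-level ones (bob) do.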