Kyle Isom
db7cd73a6e
- webauthn.js: read #username value before calling mciasWebAuthnLogin so non-discoverable keys work when a username is typed (previously always passed empty string, forcing discoverable/resident-key flow only) - handleWebAuthnLoginFinish: evaluate auth:login policy after credential verification, mirroring the gate in handleLogin; returns 403 on deny so policy rules apply equally to both password and passkey authentication paths Security: policy is checked post-verification so 403 vs 401 distinguishes a policy restriction from a bad credential without leaking account existence. No service context is sent (WebAuthn login carries no service_name/tags), so per-service deny rules don't fire on passkey login; account-level deny rules do. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
8.2 KiB
8.2 KiB