Use the transport from the original credential

2025-08-08 07:28:26 +00:00 · 2024-06-10 14:17:23 +05:30 · 2024-06-10 14:17:23 +05:30 · ae4f1df76c
commit ae4f1df76c
parent 03d90515a4
2 changed files with 2 additions and 21 deletions
--- a/web/apps/accounts/src/services/passkey.ts
+++ b/web/apps/accounts/src/services/passkey.ts
@ -413,26 +413,10 @@ export const beginPasskeyAuthentication = async (
 export const signChallenge = async (
    publicKey: PublicKeyCredentialRequestOptions,
 ) => {
-    for (const listItem of publicKey.allowCredentials ?? []) {
-        // From MDN:
-        //
-        // > The `transports` property is hint of the methods that the client
-        // > could use to communicate with the relevant authenticator of the
-        // > public key credential to retrieve. Possible values are ["ble",
-        // > "hybrid", "internal", "nfc", "usb"].
-        //
-        // TODO-PK: Better document why + why not "hybrid"
-        //
-        // note: we are orverwriting the transports array with all possible values.
-        // This is because the browser will only prompt the user for the transport that is available.
-        // Warning: In case of invalid transport value, the webauthn will fail on Safari & iOS browsers
-        listItem.transports = ["usb", "nfc", "ble", "internal"];
-    }
-
    // Allow up to 60 seconds to wait for the retrieval
    publicKey.timeout = 60 * 1000;

-    return await navigator.credentials.get({ publicKey });
+    return navigator.credentials.get({ publicKey });
 };

 interface FinishPasskeyAuthenticationOptions {
--- a/web/docs/webauthn-passkeys.md
+++ b/web/docs/webauthn-passkeys.md
@ -71,10 +71,7 @@ The registration ceremony starts in the browser. When the user clicks the "Add
 new passkey" button, a request is sent to the server for "public key" creation
 options. Although named "public key" options, they actually define customizable
 parameters for the entire credential creation process. They're like an
-instructional sheet that defines exactly what we want. As of the creation of
-this document, the plan is to restrict user authenticators to cross-platform
-ones, like hardware keys. Platform authenticators, such as TPM, are not portable
-and are prone to loss.
+instructional sheet that defines exactly what we want.

 On the server side, the WebAuthn library generates this information based on
 data provided from a `webauthn.User` interface. As a result, we satisfy this