fix: change webauthn_id generation from after_initialize to before_create

santiagorodriguez96 · santiagorodriguez96 · commit 91f1893cdd36 · 2026-02-20T16:27:01.000-03:00
Now that we are backfilling the `webauthn_id` for existing users, we
can switch the `after_initialize` for a `before_create`.
diff --git a/lib/devise/models/webauthn_credential_authenticatable.rb b/lib/devise/models/webauthn_credential_authenticatable.rb
@@ -12,7 +12,7 @@ module WebauthnCredentialAuthenticatable
 
         validates :webauthn_id, uniqueness: true, allow_blank: true
 
-        after_initialize do
+        before_validation do
           self.webauthn_id ||= WebAuthn.generate_user_id
         end
       end
diff --git a/spec/devise/models/passkey_authenticatable_spec.rb b/spec/devise/models/passkey_authenticatable_spec.rb
@@ -2,14 +2,19 @@
 
 RSpec.describe Devise::Models::PasskeyAuthenticatable, type: :model do
   describe "webauthn_id initialization" do
-    it "generates a webauthn_id on initialize" do
-      user = Account.new(email: "user@example.com", password: "password", password_confirmation: "password")
+    it "generates a webauthn_id on create" do
+      user = Account.create!(email: "user@example.com", password: "password", password_confirmation: "password")
       expect(user.webauthn_id).to be_present
     end
 
-    it "keeps existing webauthn_id" do
-      user = Account.new(email: "user@example.com", password: "password", password_confirmation: "password",
-                         webauthn_id: "custom")
+    it "does not generate a webauthn_id on initialize" do
+      user = Account.new(email: "user@example.com", password: "password", password_confirmation: "password")
+      expect(user.webauthn_id).to be_nil
+    end
+
+    it "keeps webauthn_id if created with one" do
+      user = Account.create!(email: "user@example.com", password: "password", password_confirmation: "password",
+                             webauthn_id: "custom")
       expect(user.webauthn_id).to eq("custom")
     end
   end
diff --git a/spec/devise/models/webauthn_two_factor_authenticatable_spec.rb b/spec/devise/models/webauthn_two_factor_authenticatable_spec.rb
@@ -2,14 +2,19 @@
 
 RSpec.describe Devise::Models::WebauthnTwoFactorAuthenticatable, type: :model do
   describe "webauthn_id initialization" do
-    it "generates a webauthn_id on initialize" do
-      user = Account.new(email: "user@example.com", password: "password", password_confirmation: "password")
+    it "generates a webauthn_id on create" do
+      user = Account.create!(email: "user@example.com", password: "password", password_confirmation: "password")
       expect(user.webauthn_id).to be_present
     end
 
-    it "keeps existing webauthn_id" do
-      user = Account.new(email: "user@example.com", password: "password", password_confirmation: "password",
-                         webauthn_id: "custom")
+    it "does not generate a webauthn_id on initialize" do
+      user = Account.new(email: "user@example.com", password: "password", password_confirmation: "password")
+      expect(user.webauthn_id).to be_nil
+    end
+
+    it "keeps webauthn_id if created with one" do
+      user = Account.create!(email: "user@example.com", password: "password", password_confirmation: "password",
+                             webauthn_id: "custom")
       expect(user.webauthn_id).to eq("custom")
     end
   end
