feat!: rename login helpers to form_for pattern and require explicit button

BREAKING CHANGE: `login_with_passkey_button` and `login_with_security_key_button`
helpers have been renamed to `login_with_passkey_form_for` and
`login_with_security_key_form_for`. They now take a block and no longer
generate the submit button automatically.

Before:
  <%= login_with_passkey_button("Log in", session_path: path) %>

After:
  <%= login_with_passkey_form_for(session_path: path) do |form| %>
    <%= form.submit "Log in" %>
  <% end %>

This gives developers full control over button styling and form content.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: RenzoMinelli

CHANGELOG.md

@@ -5,6 +5,16 @@
 ### Changed
 
 - Options for getting or creating passkeys and security keys are now served by dedicated Rails controllers and retrieved via JavaScript fetch requests. [#73](https://github.com/cedarcode/devise-webauthn/pull/73) [@nicolastemciuc]
+- BREAKING: `login_with_passkey_button` and `login_with_security_key_button` helpers have been renamed to `login_with_passkey_form_for` and `login_with_security_key_form_for`. They now take a block and no longer generate the submit button automatically. You need to explicitly add the button inside the block:
+  ```erb
+  <%# Before %>
+  <%%= login_with_passkey_button("Log in with passkeys", session_path: user_session_path) %>
+
+  <%# After %>
+  <%%= login_with_passkey_form_for(session_path: user_session_path) do |form| %>
+    <%%= form.submit "Log in with passkeys" %>
+  <%% end %>
+  ```
 
 ## [v0.3.0](https://github.com/cedarcode/devise-webauthn/compare/v0.2.2...v0.3.0/) - 2026-01-16
 

README.md

@@ -147,9 +147,18 @@ $ bin/rails generate devise:webauthn:views -v passkeys
 ### Helper methods
 Devise::Webauthn provides helpers that can be used in your views. For example, for a resource named `user`, you can use the following helpers:
 
-To add a button for logging in with passkeys:
+To add a form for logging in with passkeys:
 ```erb
-<%= login_with_passkey_button("Log in with passkeys", session_path: user_session_path) %>
+<%= login_with_passkey_form_for(session_path: user_session_path) do |form| %>
+  <%= form.submit "Log in with passkeys" %>
+<% end %>
+```
+
+To add a form for logging in with security keys (2FA):
+```erb
+<%= login_with_security_key_form_for(resource: @resource) do |form| %>
+  <%= form.submit "Use security key" %>
+<% end %>
 ```
 
 To add a passkeys creation form:

app/views/devise/sessions/new.html.erb

@@ -23,6 +23,8 @@
   </div>
 <% end %>
 
-<%= login_with_passkey_button("Log in with passkeys", session_path: session_path(resource_name)) %>
+<%= login_with_passkey_form_for(session_path: session_path(resource_name)) do |form| %>
+  <%= form.submit "Log in with passkeys" %>
+<% end %>
 
 <%= render "devise/shared/links" %>

app/views/devise/two_factor_authentications/new.html.erb

@@ -1 +1,3 @@
-<%= login_with_security_key_button('Use security key', resource: @resource) %>
+<%= login_with_security_key_form_for(resource: @resource) do |form| %>
+  <%= form.submit 'Use security key' %>
+<% end %>

lib/devise/webauthn/helpers/credentials_helper.rb

@@ -17,16 +17,15 @@ def passkey_creation_form_for(resource, form_classes: nil, &block)
         end
       end
 
-      def login_with_passkey_button(text = nil, session_path:, button_classes: nil, form_classes: nil, &block)
+      def login_with_passkey_form_for(session_path:, form_classes: nil, &block)
         form_with(
           url: session_path,
           method: :post,
           class: form_classes
         ) do |f|
           tag.webauthn_get(data: { options_url: passkey_authentication_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
-
-            concat f.button(text, type: "submit", class: button_classes, &block)
+            concat capture(f, &block)
           end
         end
       end
@@ -46,15 +45,15 @@ def security_key_creation_form_for(resource, form_classes: nil, &block)
         end
       end
 
-      def login_with_security_key_button(text = nil, resource:, button_classes: nil, form_classes: nil, &block)
+      def login_with_security_key_form_for(resource:, form_classes: nil, &block)
         form_with(
           url: two_factor_authentication_path(resource),
           method: :post,
           class: form_classes
         ) do |f|
           tag.webauthn_get(data: { options_url: security_key_authentication_options_path(resource) }) do
             concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
-            concat f.button(text, type: "submit", class: button_classes, &block)
+            concat capture(f, &block)
           end
         end
       end

spec/helpers/devise/webauthn/credentials_helper_spec.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+# rubocop:disable RSpec/MultipleExpectations
+RSpec.describe Devise::Webauthn::CredentialsHelper, type: :helper do
+  let(:user) do
+    Account.create!(
+      email: "testuser@example.com",
+      password: "$3cretp@ssword123"
+    )
+  end
+
+  before do
+    allow(helper).to receive_messages(resource: user, session: {})
+  end
+
+  def parsed(html)
+    Capybara.string(html)
+  end
+
+  def have_hidden_credential_field
+    have_css(
+      "input[type='hidden'][name='public_key_credential'][data-webauthn-target='response']",
+      visible: :hidden
+    )
+  end
+
+  describe "#passkey_creation_form_for" do
+    it "renders a form with webauthn_create element" do
+      html = helper.passkey_creation_form_for(user) do |form|
+        form.submit "Create Passkey"
+      end
+
+      page = parsed(html)
+      expect(page).to have_css("form")
+      expect(page).to have_css("webauthn-create[data-options-url='/accounts/passkey_registration_options']")
+      expect(page).to have_hidden_credential_field
+      expect(page).to have_button("Create Passkey")
+    end
+
+    it "accepts form_classes option" do
+      html = helper.passkey_creation_form_for(user, form_classes: "custom-form") do |form|
+        form.submit "Create"
+      end
+
+      expect(parsed(html)).to have_css("form.custom-form")
+    end
+  end
+
+  describe "#login_with_passkey_form_for" do
+    it "renders a form with webauthn_get element" do
+      html = helper.login_with_passkey_form_for(session_path: "/accounts/sign_in") do |form|
+        form.submit "Log in with passkeys"
+      end
+
+      page = parsed(html)
+      expect(page).to have_css("form[action='/accounts/sign_in']")
+      expect(page).to have_css("webauthn-get[data-options-url='/accounts/passkey_authentication_options']")
+      expect(page).to have_hidden_credential_field
+      expect(page).to have_button("Log in with passkeys")
+    end
+
+    it "accepts form_classes option" do
+      html = helper.login_with_passkey_form_for(session_path: "/sign_in", form_classes: "passkey-form") do |form|
+        form.submit "Login"
+      end
+
+      expect(parsed(html)).to have_css("form.passkey-form")
+    end
+
+    it "allows custom content in the block" do
+      html = helper.login_with_passkey_form_for(session_path: "/sign_in") do |form|
+        helper.content_tag(:div, class: "button-wrapper") do
+          form.submit "Sign in", class: "btn-primary"
+        end
+      end
+
+      page = parsed(html)
+      expect(page).to have_css("div.button-wrapper")
+      expect(page).to have_css("input.btn-primary[type='submit']")
+    end
+  end
+
+  describe "#security_key_creation_form_for" do
+    it "renders a form with webauthn_create element" do
+      html = helper.security_key_creation_form_for(user) do |form|
+        form.submit "Add Security Key"
+      end
+
+      page = parsed(html)
+      expect(page).to have_css("form")
+      expect(page).to have_css("webauthn-create[data-options-url='/accounts/security_key_registration_options']")
+      expect(page).to have_hidden_credential_field
+      expect(page).to have_button("Add Security Key")
+    end
+
+    it "accepts form_classes option" do
+      html = helper.security_key_creation_form_for(user, form_classes: "security-key-form") do |form|
+        form.submit "Add"
+      end
+
+      expect(parsed(html)).to have_css("form.security-key-form")
+    end
+  end
+
+  describe "#login_with_security_key_form_for" do
+    it "renders a form with webauthn_get element" do
+      html = helper.login_with_security_key_form_for(resource: user) do |form|
+        form.submit "Use security key"
+      end
+
+      page = parsed(html)
+      expect(page).to have_css("form")
+      expect(page).to have_css("webauthn-get[data-options-url='/accounts/security_key_authentication_options']")
+      expect(page).to have_hidden_credential_field
+      expect(page).to have_button("Use security key")
+    end
+
+    it "accepts form_classes option" do
+      html = helper.login_with_security_key_form_for(resource: user, form_classes: "two-factor-form") do |form|
+        form.submit "Verify"
+      end
+
+      expect(parsed(html)).to have_css("form.two-factor-form")
+    end
+
+    it "allows custom content in the block" do
+      html = helper.login_with_security_key_form_for(resource: user) do |form|
+        helper.safe_join([helper.content_tag(:p, "Authenticate with your security key"), form.submit("Authenticate")])
+      end
+
+      page = parsed(html)
+      expect(page).to have_css("p", text: "Authenticate with your security key")
+      expect(page).to have_button("Authenticate")
+    end
+  end
+end
+# rubocop:enable RSpec/MultipleExpectations