Merge pull request #133 from cedarcode/sr--remember-me-for-passkey-login

Fix remember me checkbox not honored when logging in with passkeys

Author: santiagorodriguez96

lib/devise/strategies/passkey_authenticatable.rb

@@ -19,6 +19,7 @@ def authenticate! # rubocop:disable Metrics/AbcSize
 
         verify_passkeys(passkey_from_params, stored_passkey)
 
+        remember_me(resource)
         success!(resource)
       rescue WebAuthn::Error
         fail!(:passkey_verification_failed)
@@ -43,6 +44,18 @@ def verify_passkeys(passkey_from_params, stored_passkey)
         stored_passkey.update!(sign_count: passkey_from_params.sign_count)
       end
 
+      def remember_me(resource)
+        resource.remember_me = remember_me? if resource.respond_to?(:remember_me=)
+      end
+
+      def remember_me?
+        params_auth_hash.is_a?(Hash) && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
+      end
+
+      def params_auth_hash
+        params[scope]
+      end
+
       def resource_class
         mapping.to
       end

spec/internal/app/views/devise/sessions/new.html.erb

@@ -0,0 +1,35 @@
+<h2>Log in</h2>
+
+<%= form_for(resource, as: resource_name, url: session_path(resource_name), html: { id: "password-login" }) do |f| %>
+  <div class="field">
+    <%= f.label :email %><br />
+    <%= f.email_field :email, autofocus: true, autocomplete: "email" %>
+  </div>
+
+  <div class="field">
+    <%= f.label :password %><br />
+    <%= f.password_field :password, autocomplete: "current-password" %>
+  </div>
+
+  <% if devise_mapping.rememberable? %>
+    <div class="field">
+      <%= f.check_box :remember_me %>
+      <%= f.label :remember_me %>
+    </div>
+  <% end %>
+
+  <div class="actions">
+    <%= f.submit "Log in" %>
+  </div>
+<% end %>
+
+<%= login_with_passkey_form_for(resource_name, id: "passkey-login") do |form| %>
+  <div class="field">
+    <%= check_box_tag "account[remember_me]", id: "passkey_remember_me" %>
+    <%= label_tag "passkey_remember_me", "Remember me" %>
+  </div>
+
+  <%= form.submit "Log in with passkeys" %>
+<% end %>
+
+<%= render "devise/shared/links" %>

spec/system/sign_in_with_webauthn_spec.rb

@@ -20,12 +20,26 @@
       add_passkey_to_authenticator(authenticator, user)
     end
 
-    it "allows to create a passkey and then sign in with it" do
+    it "allows to sign in with it and does not set the remember cookie when remember me is not checked" do
       visit new_account_session_path
       click_button "Log in with passkeys"
 
       expect(page).to have_current_path(root_path)
       expect(page).to have_content("Signed in successfully.")
+      expect(remember_cookie).to be_nil
+    end
+
+    it "allows to sign in with it and sets the remember cookie when remember me is checked" do
+      visit new_account_session_path
+
+      within "#passkey-login" do
+        check "Remember me"
+        click_button "Log in with passkeys"
+      end
+
+      expect(page).to have_current_path(root_path)
+      expect(page).to have_content("Signed in successfully.")
+      expect(remember_cookie).to be_present
     end
 
     it "can use them as second factor authentication" do
@@ -100,11 +114,13 @@
       it "sets remember cookie when remember me is checked" do
         visit new_account_session_path
 
-        fill_in "Email", with: user.email
-        fill_in "Password", with: "$3cretp@ssword123"
-        check "Remember me"
+        within "#password-login" do
+          fill_in "Email", with: user.email
+          fill_in "Password", with: "$3cretp@ssword123"
+          check "Remember me"
 
-        click_button "Log in"
+          click_button "Log in"
+        end
 
         expect(page).to have_current_path(new_account_two_factor_authentication_path)
         expect(page).to have_content("Two-factor authentication is required to sign in.")