You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
as per spec, UP and UV checks do not make reference to the original registration level, so this custom check is overdoing it.
Since it also creates issues with some authenticators (Google Passkey manager at least), better to remove the check.
Copy file name to clipboardExpand all lines: src/Controller/AuthProcess.php
-13Lines changed: 0 additions & 13 deletions
Original file line number
Diff line number
Diff line change
@@ -163,19 +163,6 @@ public function main(Request $request): Response
163
163
$debugEnabled,
164
164
);
165
165
166
-
/** Custom check: if the token was initially registered with UV, but now
167
-
* authenticates only UP, we don't allow this downgrade.
168
-
*
169
-
* This is not typically allowed by authenticator implementations anyway
170
-
* (they typically require a full reset of the key to remove UV
171
-
* protections) but to be safe: find out and tell user to re-enroll with
172
-
* the lower security level. (level upgrades are of course OK.)
173
-
*/
174
-
if ($oneToken[5] > $authObject->getPresenceLevel()) {
175
-
// phpcs:ignore Generic.Files.LineLength.TooLong
176
-
thrownewException("Token was initially registered with higher identification guarantees than now authenticated with (was: " . $oneToken[5] . " now " . $authObject->getPresenceLevel() . "!");
177
-
}
178
-
179
166
// no matter what: if we are passwordless it MUST be presence-verified
0 commit comments