Only require UV flag when userVerification is "required" per WebAuthn spec#263
Draft
Copilot wants to merge 4 commits into
Draft
Only require UV flag when userVerification is "required" per WebAuthn spec#263Copilot wants to merge 4 commits into
Copilot wants to merge 4 commits into
Conversation
…Authn spec The WebAuthn spec (step 16) says the UV flag should only be verified when the Relying Party explicitly requires user verification. Previously, factor "first" always required UV. Now UV is only required when userVerification is set to "required" in the expected options. Co-authored-by: Hexagon <419737+Hexagon@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix user verification in assertionResult to follow webauthn spec
Only require UV flag when userVerification is "required" per WebAuthn spec
Mar 17, 2026
There was a problem hiding this comment.
Pull request overview
Adjusts WebAuthn authenticator flag validation so the UV flag is only enforced when the RP explicitly requires user verification, aligning assertion verification with WebAuthn spec step 16.
Changes:
- Extend
factorToFlags()to acceptuserVerificationand only requireUVwhenuserVerification === "required". - Forward
expected.userVerificationfromassertionResult()/attestationResult()intofactorToFlags(). - Add/expand tests to cover assertion behavior for
factor: "first"with and withoutuserVerification: "required".
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| lib/main.js | Adds conditional UV enforcement based on expected.userVerification, and plumbs it through assertion/attestation verification paths. |
| test/main.test.js | Adds assertionResult tests to confirm UV is not required unless userVerification is explicitly "required". |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+538
to
+542
| * If "first", this requires that the authenticator performed user verification (e.g. - biometric authentication, PIN authentication, etc.). | ||
| * If "second", this requires that the authenticator performed user presence (e.g. - user pressed a button). | ||
| * If "either", then either "first" or "second" is acceptable | ||
| * @param {String} [expected.userVerification] The expected user verification requirement. Valid values are "required", "preferred", or "discouraged". | ||
| * If "required", the authenticator must have performed user verification and the UV flag is checked. |
Comment on lines
+568
to
+572
| * If "first", this requires that the authenticator performed user verification (e.g. - biometric authentication, PIN authentication, etc.). | ||
| * If "second", this requires that the authenticator performed user presence (e.g. - user pressed a button). | ||
| * If "either", then either "first" or "second" is acceptable | ||
| * @param {String} [expected.userVerification] The expected user verification requirement. Valid values are "required", "preferred", or "discouraged". | ||
| * If "required", the authenticator must have performed user verification and the UV flag is checked. |
Comment on lines
546
to
550
| async attestationResult(res, expected) { | ||
| expected.flags = factorToFlags(expected.factor, ["AT"]); | ||
| expected.flags = factorToFlags(expected.factor, ["AT"], expected.userVerification); | ||
| delete expected.factor; | ||
| delete expected.userVerification; | ||
| return await Fido2AttestationResult.create(res, expected); |
Comment on lines
581
to
585
| async assertionResult(res, expected) { | ||
| expected.flags = factorToFlags(expected.factor, []); | ||
| expected.flags = factorToFlags(expected.factor, [], expected.userVerification); | ||
| delete expected.factor; | ||
| delete expected.userVerification; | ||
| return Fido2AssertionResult.create(res, expected); |
Comment on lines
+823
to
+827
| @@ -818,14 +824,15 @@ function setOpt(obj, prop, val) { | |||
| */ | |||
|
|
|||
|
|
|||
| function factorToFlags(expectedFactor, flags) { | |||
| // var flags = ["AT"]; | |||
| function factorToFlags(expectedFactor, flags, userVerification) { | |||
Member
|
@copilot apply changes based on the comments in this thread |
…ests - Update factor JSDoc in attestationResult/assertionResult to clarify UV is only checked when userVerification is "required" - Update factorToFlags JSDoc to document the userVerification parameter - Add userVerification to TypeScript ExpectedAttestationResult and ExpectedAssertionResult interfaces - Add attestation tests for factor "first" with/without userVerification Co-authored-by: Hexagon <419737+Hexagon@users.noreply.github.com>
Co-authored-by: Hexagon <419737+Hexagon@users.noreply.github.com>
Contributor
Author
All review comments addressed in
All 866 tests passing. |
Member
|
As this has security impact to existing users, we should either keep the old behavior as default or make the new release a major version bump |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
factor: "first"unconditionally required the UV flag, but WebAuthn spec step 16 says UV should only be verified when the RP setsuserVerification: "required".Changes
factorToFlags()— accepts optionaluserVerificationparam; UV is only added forfactor: "first"whenuserVerification === "required"assertionResult()/attestationResult()— forwardexpected.userVerificationtofactorToFlags()userVerificationparameter on both methods andfactorToFlags(), and updates thefactor: "first"description to reflect the new behavioruserVerification?: UserVerificationtoExpectedAttestationResultandExpectedAssertionResultinterfaces intypes/main.d.tsUsage
Original prompt
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.