Safari prompts to Passwordless twice

[UbiquitousBear]

Describe the bug
Passwordless authentication prompts twice in Safari on MacOS

To Reproduce

1. User has multiple applicable passkeys.
2. Attempt authentication using the passwordless flow
3. User is presented with the system dialog to select an applicable passkey.
4. After selecting one (if both the same, use the already selected one at the top); press continue
5. User is presented with the above dialog again. Without changing the passkey (selecting one at the top), press continue
6. User is authenticated.

Expected behavior
The user is prompted for the passkey / webauthn once and either fails or passes.

Screenshots
N/A

Logs
Logs do not show the failed attempt, however HTTP inspection shows two API calls to api/v3/flows/executor/passwordless-authentication/:

{
    "flow_info": {
        "title": "Authentication",
        "background": "/media/public/transparent",
        "cancel_url": "/flows/-/cancel/",
        "layout": "stacked"
    },
    "component": "ak-stage-authenticator-validate",
    "response_errors": {
        "non_field_errors": [
            {
                "string": "Empty response",
                "code": "invalid"
            }
        ]
    },
    "pending_user": "",
    "pending_user_avatar": "/static/dist/assets/images/user_default.png",
    "device_challenges": [
        {
            "device_class": "webauthn",
            "device_uid": "-1",
            "challenge": {
                "challenge": "xxx",
                "timeout": 60000,
                "rpId": "xxx",
                "allowCredentials": [],
                "userVerification": "preferred"
            },
            "last_used": null
        }
    ],
    "configuration_stages": []
}

With the second (as I kill by cancelling the system passkey popup):

{
    "flow_info": {
        "title": "Authentication",
        "background": "/media/public/transparent",
        "cancel_url": "/flows/-/cancel/",
        "layout": "stacked"
    },
    "component": "ak-stage-authenticator-validate",
    "response_errors": {
        "webauthn": [
            {
                "string": "Invalid device",
                "code": "invalid"
            }
        ]
    },
    "pending_user": "",
    "pending_user_avatar": "/static/dist/assets/images/user_default.png",
    "device_challenges": [
        {
            "device_class": "webauthn",
            "device_uid": "-1",
            "challenge": {
                "challenge": "xxx",
                "timeout": 60000,
                "rpId": "xxx",
                "allowCredentials": [],
                "userVerification": "preferred"
            },
            "last_used": null
        }
    ],
    "configuration_stages": []
}

I note that in the first HTTP POST, the payload is:

{"component":"ak-stage-authenticator-validate","selected_challenge":{"device_class":"webauthn","device_uid":"-1","challenge":{"challenge":"xxx","timeout":60000,"rpId":"xxx","allowCredentials":[],"userVerification":"preferred"},"last_used":null}}

and in the second:

{"component":"ak-stage-authenticator-validate","webauthn":{"id":"xxx","rawId":"xxx","type":"public-key","assertionClientExtensions":"{}","response":{"clientDataJSON":"xxx","signature":"xxx,"authenticatorData":"xxx","userHandle":null}}}

Version and Deployment (please complete the following information):

• authentik version: 2024.10.4
• Deployment: helm