Merge pull request #15009 from opf/fix-safari-2fa-bug

Fix WebAuthn bug on mobile Safari

modules/two_factor_authentication/app/controllers/two_factor_authentication/base_controller.rb

@@ -196,10 +196,15 @@ def verify_webauthn_credential
     end
 
     def webauthn_relying_party
-      @webauthn_relying_party ||= WebAuthn::RelyingParty.new(
-        origin: "#{Setting.protocol}://#{Setting.host_name}",
-        name: Setting.app_title
-      )
+      @webauthn_relying_party ||= begin
+        origin = "#{Setting.protocol}://#{Setting.host_name}"
+
+        WebAuthn::RelyingParty.new(
+          origin:,
+          id: URI(origin).host,
+          name: Setting.app_title
+        )
+      end
     end
 
     def logout_other_sessions

modules/two_factor_authentication/app/models/two_factor_authentication/device/webauthn.rb

@@ -21,12 +21,14 @@ def self.device_type
     def options_for_create(relying_party)
       @options_for_create ||= relying_party.options_for_registration(
         user: { id: user.webauthn_id, name: user.name },
-        exclude: TwoFactorAuthentication::Device::Webauthn.where(user:).pluck(:webauthn_external_id)
+        exclude: TwoFactorAuthentication::Device::Webauthn.where(user:).pluck(:webauthn_external_id),
+        authenticator_selection: { user_verification: 'discouraged' }
       )
     end
 
     def options_for_get(relying_party)
       @options_for_get ||= relying_party.options_for_authentication(
+        user_verification: 'discouraged', # we do not require user verification
         allow: webauthn_external_id # TODO: Maybe also allow all other tokens? Let's see
       )
     end