Retries of /api/register/start previously generated a fresh random user.id each time, so the authenticator (iCloud Keychain, Windows Hello, 1Password, etc.) stored a brand-new passkey per attempt. Users who hit the failing registration flow ended up with three or four orphan passkeys in their password manager for every successful one.

WebAuthn spec: a create() ceremony with the same (rpId, user.id) overwrites the existing passkey. Deriving user.id as SHA-256(salt + username) means repeated start calls for the same username produce the same user.id and the authenticator overwrites in place.

Salt chain: USER_ID_SALT → JWT_SECRET → fallback constant. No new env var needed in prod — JWT_SECRET is already set.