Fix #2556 -- Remove attestation from 2FA-device registration

As we currently do not verify attestation in 2FA-device registration, we can safely remove it. This circumvents a bug in webkit when registering Touch-ID as 2FA-device on M1 Macs. See https://bugs.webkit.org/show_bug.cgi?id=224042 For more info on why we do not use attestation, see https://fidoalliance.org/fido-technotes-the-truth-about-attestation/
2022-03-25 12:25:15 +01:00
parent 645a7489df
commit 551bd3e284
1 changed files with 2 additions and 1 deletions
--- a/src/pretix/control/views/user.py
+++ b/src/pretix/control/views/user.py
@@ -399,7 +399,8 @@ class User2FADeviceConfirmWebAuthnView(RecentAuthenticationRequiredMixin, Templa
            ukey,
            self.request.user.email,
            str(self.request.user),
-            settings.SITE_URL
+            settings.SITE_URL,
+            attestation="none"
        )
        ctx['jsondata'] = json.dumps(make_credential_options.registration_dict)