From 9db92450ce39f1f20deb2aae415ba4fcae8d70a2 Mon Sep 17 00:00:00 2001
From: Vraj Mohan
Date: Fri, 8 Nov 2024 15:24:00 -0800
Subject: [PATCH] Prefer residentKey for webauthn platform authenticators, aka Face/Touch
See https://cm-jira.usa.gov/browse/LG-14911. It is expected that this will allow Android devices to create synced credentials using Google Password Manager, and for such devices to provide an AAGUID value. changelog: User-facing Improvements, F/T Unlock passkeys, Prefer residentKey for webauthn platform authenticators
---
 .../packages/webauthn/enroll-webauthn-device.spec.ts | 4 +++-
 app/javascript/packages/webauthn/enroll-webauthn-device.ts | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/app/javascript/packages/webauthn/enroll-webauthn-device.spec.ts b/app/javascript/packages/webauthn/enroll-webauthn-device.spec.ts
index 449e8d65802..1fb999ac0f7 100644
--- a/app/javascript/packages/webauthn/enroll-webauthn-device.spec.ts
+++ b/app/javascript/packages/webauthn/enroll-webauthn-device.spec.ts
@@ -87,6 +87,7 @@ describe('enrollWebauthnDevice', () => {
 authenticatorSelection: {
 userVerification: 'discouraged',
 authenticatorAttachment: 'cross-platform',
+ residentKey: undefined,
 },
 excludeCredentials: [
 {
@@ -126,7 +127,7 @@ describe('enrollWebauthnDevice', () => {
 });
 
 context('platform authenticator', () => {
- it('enrolls a device with correct authenticatorAttachment', async () => {
+ it('enrolls a device with correct authenticatorAttachment and residentKey', async () => {
 await enrollWebauthnDevice({
 platformAuthenticator: true,
 user,
@@ -139,6 +140,7 @@ describe('enrollWebauthnDevice', () => {
 hints: undefined,
 authenticatorSelection: {
 authenticatorAttachment: 'platform',
+ residentKey: 'preferred',
 },
 },
 });
diff --git a/app/javascript/packages/webauthn/enroll-webauthn-device.ts b/app/javascript/packages/webauthn/enroll-webauthn-device.ts
index f853488173e..5b094c0f93b 100644
--- a/app/javascript/packages/webauthn/enroll-webauthn-device.ts
+++ b/app/javascript/packages/webauthn/enroll-webauthn-device.ts
@@ -101,6 +101,7 @@ async function enrollWebauthnDevice({
 // contributes to abandonment or loss of access.
 userVerification: 'discouraged',
 authenticatorAttachment: platformAuthenticator ? 'platform' : 'cross-platform',
+ residentKey: platformAuthenticator ? 'preferred' : undefined,
 },
 excludeCredentials,
 } as PublicKeyCredentialCreationOptionsWithHints,
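Review bot: The new `residentKey: 'preferred'` line gives the server no way to learn whether a discoverable credential was actually created, because 'preferred' leaves the choice to the client and nothing in this hunk requests the `credProps` extension; unless extensions are set elsewhere in enrollWebauthnDevice (the function starts before this hunk), consider adding `extensions: { credProps: true }` to the creation options and recording the `credProps?.rk` value from `getClientExtensionResults()` on the returned credential alongside the enrollment. The `userVerification: 'discouraged'` two lines above also applies to these discoverable credentials, so the verifying side should not treat assertions from them as having performed a biometric or PIN check unless it inspects the UV flag. Because the literal is asserted with `as PublicKeyCredentialCreationOptionsWithHints` (last line of the hunk), a misspelled key on the new line would not be a compile error; `satisfies` would check it without widening. The added line also lacks the why-comment its neighbours carry; a one-liner such as `// 'preferred' lets platform authenticators create synced, discoverable credentials (e.g. via a password manager)` would record the intent from the commit message.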