From a241995734cecff39f57732916a73052caf4c175 Mon Sep 17 00:00:00 2001 From: Peter Stone Date: Sat, 7 Feb 2026 18:35:43 -1000 Subject: Fix passkey registration showing broken UI when WebAuthn not configured Root cause: WEBAUTHN_RP_ID and WEBAUTHN_ORIGIN env vars not set in production, so WebAuthn is nil and all passkey endpoints return 404. The settings page was unconditionally showing the passkey registration card, leading to confusing "Failed to start registration" errors. Fix: Pass WebAuthnEnabled flag from main.go through Handler to the settings template, which now conditionally renders the passkey card only when WebAuthn is properly configured. Co-Authored-By: Claude Opus 4.6 --- internal/handlers/handlers_test.go | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) (limited to 'internal/handlers/handlers_test.go') diff --git a/internal/handlers/handlers_test.go b/internal/handlers/handlers_test.go index 0ad36b2..b338aa2 100644 --- a/internal/handlers/handlers_test.go +++ b/internal/handlers/handlers_test.go @@ -1971,6 +1971,41 @@ func TestSettingsTemplate_HasCSRFToken(t *testing.T) { "settings.html must expose .CSRFToken (e.g. via meta tag) for JavaScript passkey registration") } +// TestSettingsTemplate_HidesPasskeysWhenDisabled verifies that the settings +// template conditionally shows the passkeys section based on WebAuthnEnabled. +func TestSettingsTemplate_HidesPasskeysWhenDisabled(t *testing.T) { + assertTemplateContains(t, "../../web/templates/settings.html", + ".WebAuthnEnabled", + "settings.html must check .WebAuthnEnabled to conditionally show passkeys section") +} + +// TestHandleSettingsPage_PassesWebAuthnEnabled verifies the settings handler +// includes WebAuthnEnabled in template data. +func TestHandleSettingsPage_PassesWebAuthnEnabled(t *testing.T) { + h, cleanup := setupTestHandler(t) + defer cleanup() + + req := httptest.NewRequest("GET", "/settings", nil) + w := httptest.NewRecorder() + + h.HandleSettingsPage(w, req) + + if w.Code != http.StatusOK { + t.Fatalf("Expected status 200, got %d", w.Code) + } + + mock := h.renderer.(*MockRenderer) + if len(mock.Calls) == 0 { + t.Fatal("Expected renderer to be called") + } + + lastCall := mock.Calls[len(mock.Calls)-1] + dataStr := fmt.Sprintf("%+v", lastCall.Data) + if !strings.Contains(dataStr, "WebAuthnEnabled") { + t.Error("Settings page template data must include WebAuthnEnabled field") + } +} + // TestHandleSettingsPage_PassesCSRFToken verifies the settings handler includes // a CSRFToken in its template data so the passkey registration JS can use it. func TestHandleSettingsPage_PassesCSRFToken(t *testing.T) { -- cgit v1.2.3