
Commit 8d6c3d4

chore: disable webauthn login by default
1 parent 4e494ae commit 8d6c3d4

6 files changed

Lines changed: 3584 additions & 1843 deletions


README.md

Lines changed: 1 addition & 1 deletion
@@ -196,7 +196,7 @@ You can specify configuration options either via a config file (default: `config
196196
| `server.base_path` /<br> `WAKAPI_BASE_PATH` | `/` | Web base path (change when running behind a proxy under a sub-path) |
197197
| `server.public_url` /<br> `WAKAPI_PUBLIC_URL` | `http://localhost:3000` | URL at which your Wakapi instance can be found publicly |
198198
| `security.disable_local_auth` /<br> `WAKAPI_DISABLE_LOCAL_AUTH` | `false` | Disables login via local credentials (username and password) to enforce OIDC provider login |
199-
| `security.disable_webauthn` /<br> `WAKAPI_DISABLE_WEBAUTHN` | `false` | Disables login via WebAuthn (security keys, biometrics, etc.) |
199+
| `security.disable_webauthn` /<br> `WAKAPI_DISABLE_WEBAUTHN` | `true` | Disables login via WebAuthn (security keys, biometrics, etc.) |
200200
| `security.password_salt` /<br> `WAKAPI_PASSWORD_SALT` | - | Pepper to use for password hashing |
201201
| `security.insecure_cookies` /<br> `WAKAPI_INSECURE_COOKIES` | `true` | Whether or not to allow cookies over HTTP. For production, it is **highly recommended** to serve Wakapi via HTTPS and set this to `false`. |
202202
| `security.cookie_max_age` /<br> `WAKAPI_COOKIE_MAX_AGE` | `172800` | Lifetime of authentication cookies in seconds or `0` to use [Session](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Define_the_lifetime_of_a_cookie) cookies |
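Review bot: with the default flipped to `true`, the description column "Disables login via WebAuthn (security keys, biometrics, etc.)" now reads as if disabling were the opt-in action, while in fact WebAuthn login is off unless the operator explicitly sets `security.disable_webauthn: false` / `WAKAPI_DISABLE_WEBAUTHN=false`. Consider rewording the row to say so, and call the change out in upgrade notes, since existing deployments that relied on the previous `false` default will silently lose WebAuthn login after upgrading.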

config.default.yml

Lines changed: 1 addition & 1 deletion
@@ -88,7 +88,7 @@ security:
8888
allow_signup: true # whether to allow new user creation at all
8989
oidc_allow_signup: true # allow registration of new users from oidc
9090
disable_local_auth: false # disable login via local credentials (username and password) to enforce OIDC provider login
91-
disable_webauthn: false # disable login via webauthn (security keys, biometrics, etc.)
91+
disable_webauthn: true # disable login via webauthn (security keys, biometrics, etc.)
9292
signup_captcha: false
9393
invite_codes: true # whether to enable invite codes for overriding disabled signups
9494
disable_frontpage: false
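Review bot: the inline comment on `disable_webauthn: true` is unchanged and gives no reason for the new default; the commit message says only "disable webauthn login by default", so an operator reading the shipped config cannot tell whether this is a hardening decision or a feature gate. A short note on why, and on the interaction with the neighbouring `disable_local_auth` (setting that to `true` together with the new default leaves the OIDC provider as the only login path), would avoid operators locking themselves out.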

config/config.go

Lines changed: 1 addition & 1 deletion
@@ -126,7 +126,7 @@ type securityConfig struct {
126126
AllowSignup bool `yaml:"allow_signup" default:"true" env:"WAKAPI_ALLOW_SIGNUP"`
127127
OidcAllowSignup bool `yaml:"oidc_allow_signup" default:"true" env:"WAKAPI_OIDC_ALLOW_SIGNUP"`
128128
DisableLocalAuth bool `yaml:"disable_local_auth" default:"false" env:"WAKAPI_DISABLE_LOCAL_AUTH"`
129-
DisableWebAuthn bool `yaml:"disable_webauthn" default:"false" env:"WAKAPI_DISABLE_WEBAUTHN"`
129+
DisableWebAuthn bool `yaml:"disable_webauthn" default:"true" env:"WAKAPI_DISABLE_WEBAUTHN"`
130130
SignupCaptcha bool `yaml:"signup_captcha" default:"false" env:"WAKAPI_SIGNUP_CAPTCHA"`
131131
InviteCodes bool `yaml:"invite_codes" default:"true" env:"WAKAPI_INVITE_CODES"`
132132
ExposeMetrics bool `yaml:"expose_metrics" default:"false" env:"WAKAPI_EXPOSE_METRICS"`
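Review bot: the new default lives only in the struct tag `default:"true"` on `DisableWebAuthn`, so any code path that builds a `securityConfig` without running the defaults loader gets Go's zero value `false`, i.e. WebAuthn enabled, which is the opposite of what this commit intends. A config test that loads the defaults and asserts `DisableWebAuthn == true` would guard that, and would also keep the three copies of this default (README.md, config.default.yml and this tag) from drifting apart again.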
