c5987b1b6b37efc1b23a7981ca88743615d66149
CRITICAL: Passkey authentication was hardcoded to always grant admin role, completely bypassing RBAC and allowing any passkey user to gain full admin access. Changes: - Store username and role in passkey credential during registration - Retrieve and use stored role during authentication (not hardcoded admin) - Fallback to admin for legacy credentials without role field Security Impact: - Prevents privilege escalation via passkey authentication - Enforces proper RBAC for passkey users - Maintains backward compatibility with existing passkeys Tests: 214 passing
Description
Languages
Python
58.2%
Svelte
32.2%
JavaScript
5.6%
Shell
3.3%
Dockerfile
0.3%
Other
0.3%