Gan, Jimmy c5987b1b6b security: fix passkey admin privilege escalation (issue #1)
CRITICAL: Passkey authentication was hardcoded to always grant admin role,
completely bypassing RBAC and allowing any passkey user to gain full admin access.

Changes:
- Store username and role in passkey credential during registration
- Retrieve and use stored role during authentication (not hardcoded admin)
- Fallback to admin for legacy credentials without role field

Security Impact:
- Prevents privilege escalation via passkey authentication
- Enforces proper RBAC for passkey users
- Maintains backward compatibility with existing passkeys

Tests: 214 passing
2026-04-08 01:02:37 +08:00
2026-03-30 12:33:37 +08:00
2026-03-30 11:26:56 +08:00
S
Description
No description provided
Readme 4.2 MiB
Languages
Python 58.2%
Svelte 32.2%
JavaScript 5.6%
Shell 3.3%
Dockerfile 0.3%
Other 0.3%