author | Matthew Miller <matthew@millerti.me> | 2022-08-17 09:26:31 -0700 |
---|---|---|
committer | Matthew Miller <matthew@millerti.me> | 2022-08-17 09:26:31 -0700 |
commit | ff0e52ceb8162192998b4550b388b988f143b6a0 (patch) | |
tree | c497937dd69f91f5d67a0a7f66a14c7402a11791 /packages/server/src | |
parent | 081fc69af378010665d44481e1f26a6457e95e70 (diff) |
Remove setting residentKey to discouraged for FIDO
Diffstat (limited to 'packages/server/src')
-rw-r--r-- | packages/server/src/registration/generateRegistrationOptions.test.ts | 8 | ||||
-rw-r--r-- | packages/server/src/registration/generateRegistrationOptions.ts | 9 |
2 files changed, 10 insertions, 7 deletions
diff --git a/packages/server/src/registration/generateRegistrationOptions.test.ts b/packages/server/src/registration/generateRegistrationOptions.test.ts index ba725b6..7b64434 100644 --- a/packages/server/src/registration/generateRegistrationOptions.test.ts +++ b/packages/server/src/registration/generateRegistrationOptions.test.ts @@ -49,7 +49,6 @@ test('should generate credential request options suitable for sending via JSON', excludeCredentials: [], authenticatorSelection: { requireResidentKey: false, - residentKey: 'discouraged', userVerification: 'preferred', }, }); @@ -121,7 +120,6 @@ test('should set authenticatorSelection if specified', () => { expect(options.authenticatorSelection).toEqual({ authenticatorAttachment: 'cross-platform', requireResidentKey: false, - residentKey: 'discouraged', userVerification: 'preferred', }); }); @@ -196,10 +194,10 @@ test('should discourage resident key if residentKey option is absent but require }); expect(options.authenticatorSelection?.requireResidentKey).toEqual(false); - expect(options.authenticatorSelection?.residentKey).toEqual('discouraged'); + expect(options.authenticatorSelection?.residentKey).toBeUndefined(); }); -test('should discourage resident key if both residentKey and requireResidentKey options are absent', () => { +test('should not set resident key if both residentKey and requireResidentKey options are absent', () => { const options = generateRegistrationOptions({ rpID: 'not.real', rpName: 'SimpleWebAuthn', @@ -208,7 +206,7 @@ test('should discourage resident key if both residentKey and requireResidentKey }); expect(options.authenticatorSelection?.requireResidentKey).toEqual(false); - expect(options.authenticatorSelection?.residentKey).toEqual('discouraged'); + expect(options.authenticatorSelection?.residentKey).toBeUndefined(); }); test('should set requireResidentKey to true if residentKey if set to required', () => { 
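Review bot: The test whose assertion changes in the third hunk (`-196,10 +194,10`) still appears to be titled `should discourage resident key if residentKey option is absent but require…`, although it now asserts that `residentKey` is `toBeUndefined()`; the title is only visible in the truncated hunk header, so confirm against the file. The sibling test in the same hunk was renamed to `should not set resident key …`, and this one should get the matching rename so the title does not promise a value the server no longer sends. These assertions are the only place the "unset when requireResidentKey is false" behaviour is pinned, so a short comment above them, e.g. `// residentKey is intentionally left unset; WebAuthn L2 clients treat that as 'discouraged'`, would stop it from being "fixed" back later.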
diff --git a/packages/server/src/registration/generateRegistrationOptions.ts b/packages/server/src/registration/generateRegistrationOptions.ts index a0ec8d9..0f281f2 100644 --- a/packages/server/src/registration/generateRegistrationOptions.ts +++ b/packages/server/src/registration/generateRegistrationOptions.ts @@ -120,7 +120,8 @@ export function generateRegistrationOptions( })); /** - * + * Capture some of the nuances of how `residentKey` and `requireResidentKey` how either is set + * depending on when either is defined in the options */ if (authenticatorSelection.residentKey === undefined) { /** @@ -132,7 +133,11 @@ export function generateRegistrationOptions( if (authenticatorSelection.requireResidentKey) { authenticatorSelection.residentKey = 'required'; } else { - authenticatorSelection.residentKey = 'discouraged'; + /** + * FIDO Conformance v1.7.2 fails the first test if we do this, even though this is + * technically compatible with the WebAuthn L2 spec... + */ + // authenticatorSelection.residentKey = 'discouraged'; } } else { /** |
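Review bot: The `else` branch in the second hunk now holds only a comment and a commented-out assignment, so `residentKey` stays `undefined` whenever `requireResidentKey` is falsy, and nothing a caller will read states that contract. WebAuthn L2 has clients treat an absent `residentKey` as `discouraged` when `requireResidentKey` is false, so compliant browsers should behave as before, but the options sent to the client no longer carry the value explicitly. I would delete the dead line and keep one why-comment, such as `// Leave residentKey unset: FIDO Conformance v1.7.2 rejects an explicit 'discouraged' here; L2 clients fall back to it`, and note in the function's docs that relying parties wanting an explicit value must pass `residentKey` themselves. The comment added in the first hunk is garbled ("how … how either is set"); `Reconcile residentKey and requireResidentKey depending on which of the two the caller supplied` reads cleanly. The enclosing function starts and ends outside both hunks.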