CHANGELOG.md

Changelog

Unreleased

v0.4.0 - 2026-04-06

Added

• Dispatch webauthn:unsupported for browsers missing parseOptionsFromJSON. #127 @santiagorodriguez96
• Scope login_with_passkey_form_for to the Devise resource so that form builder fields (e.g. f.check_box :remember_me) are properly namespaced (e.g. account[remember_me]). #134 @RenzoMinelli
• Allow passing a -c flag to the controller generator to specify which controller to override. #110 @nicolastemciuc

Changed

• Change webauthn_id generation from after_initialize to before_validation and add a data backfill to the webauthn_id migration generator for existing records. #125 @santiagorodriguez96
• Options for getting or creating passkeys and security keys are now served by dedicated Rails controllers and retrieved via JavaScript fetch requests. #73 @nicolastemciuc
• BREAKING!: Remove helpers for generating WebAuthn options. #106 @nicolastemciuc
• BREAKING!: login_with_passkey_button and login_with_security_key_button helpers have been renamed to login_with_passkey_form_for and login_with_security_key_form_for. They now take a block and no longer generate the submit button automatically. You need to explicitly add the button inside the block. #112 @RenzoMinelli

<%# Before %>
<%= login_with_passkey_button(:user, "Log in with passkeys") %>

<%# After %>
<%= login_with_passkey_form_for(:user) do |form| %>
  <%= form.submit "Log in with passkeys" %>
<% end %>

• BREAKING!: Replace form_classes: keyword argument with direct keyword arguments in all form helper methods (passkey_creation_form_for, login_with_passkey_form_for, security_key_creation_form_for, login_with_security_key_form_for). All options are delegated to form_with, allowing you to pass any HTML attributes or form options directly. #111 @RenzoMinelli

<%# Before %>
<%= passkey_creation_form_for(:user, form_classes: "my-class") do |form| %>
  ...
<% end %>

<%# After %>
<%= passkey_creation_form_for(:user, class: "my-class", id: "my-form", data: { turbo: false }) do |form| %>
  ...
<% end %>

Fixed

• Validate userHandle from authenticator response against webauthn_id. #131 @santiagorodriguez96
• Fix Remember me checkbox not honored when logging in with passkeys. #133 @santiagorodriguez96
• Fix form helpers (passkey_creation_form_for, login_with_passkey_button, security_key_creation_form_for, login_with_security_key_button) to accept a resource_name instead of requiring the resource object from the view context. #114 @RenzoMinelli

v0.3.1 - 2026-02-10

Fixed

• Fix install_generator invoking missing devise:webauthn:javascript task. #118 @joaquintomas2003

v0.3.0 - 2026-01-16

Added

• WebAuthn JavaScript is now bundled as engine assets using custom HTML elements (<webauthn-create>, <webauthn-get>) instead of generating a Stimulus controller into the host application. #84 @santiagorodriguez96
• Add endpoint to SecondFactorWebauthnCredentialsController for "upgrading" second factor webauthn credentials (i. e., security keys) to passkeys. #80 @nicolastemciuc

Changed

• Loosen devise upper constraint to allow for v5. #94 @santiagorodriguez96
• BREAKING!: Our Form helpers now use the bundled WebAuthn JS asset now instead of the Stimulus controllers, so they expect it to be included in your application. #84 @santiagorodriguez96
  • Previously generated Stimulus controller for handling WebAuthn client logic are no longer generated.
  • Stimulus is no longer needed for this engine to work.
• Make helpers for generating WebAuthn options public methods. #106 @santiagorodriguez96
• BREAKING!: Our controller for managing second factor credentials now uses a separate method for each endpoint for setting the URL to redirect to. #80 @nicolastemciuc
  • What used to be just an after_update_path for all endpoints, now it's an after_(create|update|destroy)_path for each endpoint.
  • If you had overriden the controller to change the after_update_path, be mindful that now create and destroy endpoints will call its own method.

Fixed

• Fix Remember me checkbox not honored when going through the 2FA challenge flow. #87 @santiagorodriguez96

v0.2.2 - 2025-12-11

Added

• Update controllers and views generators to generate 2FA-related controllers and views. #75 @santiagorodriguez96
• Add flash messages when removing credentials. #78 @nicolastemciuc

Changed

• Generate webauthn credentials table with not null constraints in attributes that must be present. #70 @santiagorodriguez96

v0.2.1 - 2025-12-10

Added

• Add form helpers for security key registration and 2FA authentication. #52 @santiagorodriguez96

Fixed

• Fix incorrect call to resource_name instead of using passed resource param in login_with_security_key_button helper. #65 @santiagorodriguez96
• Fix NoMethodError when calling second_factor_enabled? on resources without 2FA. #62 @nicolastemciuc
• Avoid assuming email as the authentication key of the resource in form helpers. #66 @santiagorodriguez96

v0.2.0 - 2025-12-03

Added

• Add new webauthn_two_factor_authenticatable module for enabling 2FA using WebAuthn credentials. #49 @santiagorodriguez96

v0.1.2 - 2025-12-03

Fixed

• Fixed sign in with passkey for resources with name different from "User". #47 @joaquintomas2003, @santiagorodriguez96

v0.1.1 - 2025-11-13

Changed

• Updated gemspec metadata. #43 @joaquintomas2003

v0.1.0 - 2025-11-12

Initial release

• Provides passkey authentication for apps using Devise. @joaquintomas2003, @nicolastemciuc, @RenzoMinelli, @santiagorodriguez96