refactor: adopt Devise core's 2FA interface

- Register WebauthnTwoFactorAuthenticatable module with `two_factor: true`
- Include Devise's TwoFactorAuthenticatable concern in the 2FA model
- Inherit 2FA strategy from Devise's new TwoFactor base strategy
- Remove DatabaseAuthenticatable override (Devise now handles 2FA routing)
- Rename controller to match Devise's expected naming convention
- Update routes and helpers for new endpoints
- Use Devise-provided 2FA session keys

Author: santiagorodriguez96

app/controllers/devise/security_key_authentication_options_controller.rb

@@ -20,7 +20,7 @@ def index
     private
 
     def set_resource
-      @resource = resource_class.find(session[:current_authentication_resource_id])
+      @resource = resource_class.find(session[:devise_two_factor_resource_id])
     end
   end
 end

app/controllers/devise/two_factor_authentications_controller.rb

@@ -9,12 +9,13 @@ module Models
     module WebauthnTwoFactorAuthenticatable
       extend ActiveSupport::Concern
       include WebauthnCredentialAuthenticatable
+      include Devise::Models::TwoFactorAuthenticatable
 
       included do
         has_many :second_factor_webauthn_credentials, -> { second_factor }, class_name: "WebauthnCredential"
       end
 
-      def second_factor_enabled?
+      def webauthn_two_factor_enabled?
         webauthn_credentials.any?
       end
     end

…/two_factor_authentications/new.html.erb …/devise/two_factor/new_webauthn.html.erbapp/views/devise/two_factor_authentications/new.html.erb renamed to app/views/devise/two_factor/new_webauthn.html.erb app/views/devise/two_factor_authentications/new.html.erb renamed to app/views/devise/two_factor/new_webauthn.html.erb

@@ -2,17 +2,15 @@
 
 module Devise
   module Strategies
-    class WebauthnTwoFactorAuthenticatable < Devise::Strategies::Base
+    class WebauthnTwoFactorAuthenticatable < Devise::Strategies::TwoFactor
       def valid?
         credential_param.present? &&
-          session[:current_authentication_resource_id].present? &&
+          session[:devise_two_factor_resource_id].present? &&
           session[:two_factor_authentication_challenge].present?
       end
 
-      # rubocop:disable Metrics/AbcSize
-      def authenticate!
+      def verify_two_factor!(resource)
         credential_from_params = WebAuthn::Credential.from_get(JSON.parse(credential_param))
-        resource = resource_class.find_by(id: session[:current_authentication_resource_id])
         stored_credential = resource&.webauthn_credentials&.find_by(external_id: credential_from_params.id)
 
         return fail!(:webauthn_credential_not_found) if stored_credential.blank?
@@ -21,18 +19,11 @@ def authenticate!
         end
 
         verify_credential(credential_from_params, stored_credential)
-
-        resource.remember_me = session[:current_authentication_remember_me] if resource.respond_to?(:remember_me=)
-        success!(resource)
-
-        session.delete(:current_authentication_resource_id)
-        session.delete(:current_authentication_remember_me)
       rescue WebAuthn::Error
         fail!(:webauthn_credential_verification_failed)
       ensure
         session.delete(:two_factor_authentication_challenge)
       end
-      # rubocop:enable Metrics/AbcSize
 
       private
 
@@ -54,10 +45,6 @@ def user_handle_mismatch?(credential_from_params, resource)
         credential_from_params.user_handle.present? &&
           credential_from_params.user_handle != resource.webauthn_id
       end
-
-      def resource_class
-        mapping.to
-      end
     end
   end
 end

lib/devise/models/webauthn_two_factor_authenticatable.rb

@@ -15,12 +15,12 @@ class Engine < ::Rails::Engine
           }
         )
 
-        Devise.add_module(
-          :webauthn_two_factor_authenticatable,
+        Devise.register_two_factor_method(
+          :webauthn,
           {
             model: "devise/models/webauthn_two_factor_authenticatable",
-            strategy: true,
-            route: { two_factor_authentication: [] }
+            strategy: :webauthn_two_factor_authenticatable,
+            route: { webauthn: [] }
           }
         )
       end

lib/devise/strategies/database_authenticatable.rb

@@ -40,7 +40,7 @@ def security_key_creation_form_for(resource_or_resource_name, **options, &block)
 
       def login_with_security_key_form_for(resource_or_resource_name, **options, &block)
         form_with(
-          **options, url: two_factor_authentication_path(resource_or_resource_name), method: :post
+          **options, url: two_factor_path(resource_or_resource_name), method: :post
         ) do |f|
           tag.webauthn_get(data: {
                              options_url: security_key_authentication_options_path(resource_or_resource_name)

lib/devise/strategies/webauthn_two_factor_authenticatable.rb

@@ -13,19 +13,15 @@ def devise_passkey_authentication(_mapping, controllers)
         resources :passkey_registration_options, only: :index, controller: controllers[:passkey_registration_options]
       end
 
-      def devise_two_factor_authentication(_mapping, controllers)
-        resource :two_factor_authentication,
-                 only: %i[new create],
-                 controller: controllers[:two_factor_authentications]
-
+      def devise_webauthn(_mapping, controllers)
         resources :second_factor_webauthn_credentials,
                   only: %i[new create update destroy],
                   controller: controllers[:second_factor_webauthn_credentials]
 
         resources :security_key_authentication_options, only: %i[index],
-                                                        controller: controllers[:security_key_authentication_options]
+                  controller: controllers[:security_key_authentication_options]
         resources :security_key_registration_options, only: %i[index],
-                                                      controller: controllers[:security_key_registration_options]
+                  controller: controllers[:security_key_registration_options]
       end
     end
   end