fix: narrow scope change to login_with_passkey_form_for only

RenzoMinelli · claude · RenzoMinelli · commit dd13f53c562d · 2026-03-30T10:37:02.000-03:00
Creation form helpers shouldn't scope fields under the Devise resource
since those fields (like :name) are passkey/security key attributes, not
account attributes. Only login_with_passkey_form_for needs the scope so
that f.check_box :remember_me generates account[remember_me].

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -37,7 +37,7 @@
 ### Fixed
 
 - Fix form helpers (`passkey_creation_form_for`, `login_with_passkey_button`, `security_key_creation_form_for`, `login_with_security_key_button`) to accept a `resource_name` instead of requiring the `resource` object from the view context. [#114](https://github.com/cedarcode/devise-webauthn/pull/114) [@RenzoMinelli]
-- BREAKING!: Scope form helpers to the Devise resource so that form builder fields (e.g. `f.check_box :remember_me`) are properly namespaced under the resource (e.g. `account[remember_me]`). Controllers now read `:name` from scoped params (`params.dig(resource_name, :name)`) instead of `params[:name]`. [#134](https://github.com/cedarcode/devise-webauthn/pull/134) [@RenzoMinelli]
+- Scope `login_with_passkey_form_for` to the Devise resource so that form builder fields (e.g. `f.check_box :remember_me`) are properly namespaced (e.g. `account[remember_me]`). [#134](https://github.com/cedarcode/devise-webauthn/pull/134) [@RenzoMinelli]
 
 ## [v0.3.1](https://github.com/cedarcode/devise-webauthn/compare/v0.3.0...v0.3.1/) - 2026-02-10
 
diff --git a/app/controllers/devise/passkeys_controller.rb b/app/controllers/devise/passkeys_controller.rb
@@ -47,7 +47,7 @@ def verify_and_save_passkey(passkey_from_params)
 
       resource.passkeys.create(
         external_id: passkey_from_params.id,
-        name: params.dig(resource_name, :name),
+        name: params[:name],
         public_key: passkey_from_params.public_key,
         sign_count: passkey_from_params.sign_count
       )
diff --git a/app/controllers/devise/second_factor_webauthn_credentials_controller.rb b/app/controllers/devise/second_factor_webauthn_credentials_controller.rb
@@ -56,7 +56,7 @@ def verify_and_save_security_key(security_key_from_params)
 
       resource.second_factor_webauthn_credentials.create(
         external_id: security_key_from_params.id,
-        name: params.dig(resource_name, :name),
+        name: params[:name],
         public_key: security_key_from_params.public_key,
         sign_count: security_key_from_params.sign_count
       )
diff --git a/lib/devise/webauthn/helpers/credentials_helper.rb b/lib/devise/webauthn/helpers/credentials_helper.rb
@@ -4,13 +4,11 @@ module Devise
   module Webauthn
     module CredentialsHelper
       def passkey_creation_form_for(resource_or_resource_name, **options, &block)
-        scope = Devise::Mapping.find_scope!(resource_or_resource_name)
-
         form_with(
-          **options, scope: scope, url: passkeys_path(resource_or_resource_name), method: :post
+          **options, url: passkeys_path(resource_or_resource_name), method: :post
         ) do |f|
           tag.webauthn_create(data: { options_url: passkey_registration_options_path(resource_or_resource_name) }) do
-            concat hidden_field_tag(:public_key_credential, nil, data: { webauthn_target: "response" })
+            concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
         end
@@ -30,31 +28,26 @@ def login_with_passkey_form_for(resource_or_resource_name, **options, &block)
       end
 
       def security_key_creation_form_for(resource_or_resource_name, **options, &block)
-        scope = Devise::Mapping.find_scope!(resource_or_resource_name)
-
         form_with(
-          **options, scope: scope, url: second_factor_webauthn_credentials_path(resource_or_resource_name),
-                     method: :post
+          **options, url: second_factor_webauthn_credentials_path(resource_or_resource_name), method: :post
         ) do |f|
           tag.webauthn_create(
             data: { options_url: security_key_registration_options_path(resource_or_resource_name) }
           ) do
-            concat hidden_field_tag(:public_key_credential, nil, data: { webauthn_target: "response" })
+            concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
         end
       end
 
       def login_with_security_key_form_for(resource_or_resource_name, **options, &block)
-        scope = Devise::Mapping.find_scope!(resource_or_resource_name)
-
         form_with(
-          **options, scope: scope, url: two_factor_authentication_path(resource_or_resource_name), method: :post
+          **options, url: two_factor_authentication_path(resource_or_resource_name), method: :post
         ) do |f|
           tag.webauthn_get(data: {
                              options_url: security_key_authentication_options_path(resource_or_resource_name)
                            }) do
-            concat hidden_field_tag(:public_key_credential, nil, data: { webauthn_target: "response" })
+            concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
         end
diff --git a/spec/requests/devise/passkeys_controller_spec.rb b/spec/requests/devise/passkeys_controller_spec.rb
@@ -46,7 +46,7 @@
           assert_difference("user.passkeys.count", 1) do
             post account_passkeys_path, params: {
               public_key_credential: credential.to_json,
-              account: { name: "My Passkey" }
+              name: "My Passkey"
             }
           end
 
@@ -68,7 +68,7 @@
           assert_difference("user.passkeys.count", 0) do
             post account_passkeys_path, params: {
               public_key_credential: invalid_credential.to_json,
-              account: { name: "My Passkey" }
+              name: "My Passkey"
             }
           end
 
diff --git a/spec/requests/devise/second_factor_webauthn_credentials_controller_spec.rb b/spec/requests/devise/second_factor_webauthn_credentials_controller_spec.rb
@@ -56,7 +56,7 @@
           assert_difference("user.second_factor_webauthn_credentials.count", 1) do
             post account_second_factor_webauthn_credentials_path, params: {
               public_key_credential: credential.to_json,
-              account: { name: "My Security Key" }
+              name: "My Security Key"
             }
           end
 
@@ -78,7 +78,7 @@
           assert_difference("user.second_factor_webauthn_credentials.count", 0) do
             post account_second_factor_webauthn_credentials_path, params: {
               public_key_credential: invalid_credential.to_json,
-              account: { name: "My Security Key" }
+              name: "My Security Key"
             }
           end
 

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ def verify_and_save_passkey(passkey_from_params)`
`47`	`47`
`48`	`48`	`resource.passkeys.create(`
`49`	`49`	`external_id: passkey_from_params.id,`
`50`		`- name: params.dig(resource_name, :name),`
	`50`	`+ name: params[:name],`
`51`	`51`	`public_key: passkey_from_params.public_key,`
`52`	`52`	`sign_count: passkey_from_params.sign_count`
`53`	`53`	`)`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ def verify_and_save_security_key(security_key_from_params)`
`56`	`56`
`57`	`57`	`resource.second_factor_webauthn_credentials.create(`
`58`	`58`	`external_id: security_key_from_params.id,`
`59`		`- name: params.dig(resource_name, :name),`
	`59`	`+ name: params[:name],`
`60`	`60`	`public_key: security_key_from_params.public_key,`
`61`	`61`	`sign_count: security_key_from_params.sign_count`
`62`	`62`	`)`