From f722e1a9b902c22fbc8e96ccbf20325b545750be Mon Sep 17 00:00:00 2001
From: "forkline-dev[bot]"
Date: Sat, 21 Feb 2026 10:19:13 +0000
Subject: [PATCH] fix: allow discoverable credentials login without PIN

The authenticator was incorrectly configured with always_uv=true and client_pin=None, which blocked all credential operations when no PIN was set. Changed to client_pin=Some(false) to indicate PIN support without a configured PIN, and always_uv=Some(false) to allow authentication via notification-based user presence. This enables passkey login on sites like GitHub/GitLab that use discoverable credentials without requiring username input.
---
 cmd/passless/src/authenticator.rs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/passless/src/authenticator.rs b/cmd/passless/src/authenticator.rs
index 43b25c2..bd3be0d 100644
--- a/cmd/passless/src/authenticator.rs
+++ b/cmd/passless/src/authenticator.rs
@@ -305,13 +305,13 @@ impl AuthenticatorService {
 up: true, // User presence
 uv: Some(true), // User verification
 plat: true, // Platform authenticator
- client_pin: None, // Client PIN support
+ client_pin: Some(false), // PIN supported but not set
 pin_uv_auth_token: Some(true), // PIN UV auth token
 cred_mgmt: Some(true), // Credential management enabled
 bio_enroll: None,
 large_blobs: None,
 ep: None,
- always_uv: Some(true),
+ always_uv: Some(false), // Allow operations without UV (notification-based UP)
 make_cred_uv_not_required: Some(true),
 };
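Review bot: `always_uv: Some(false)` now sits beside `uv: Some(true)` and `make_cred_uv_not_required: Some(true)`, so a relying party that only prefers user verification will receive assertions backed by the notification prompt alone, and nothing in this hunk shows that the UV flag in the response is left clear in that case. If the notification is only a presence check, the assertion path should set UV solely when a real verification ran, and the option should say so, e.g. `always_uv: Some(false), // UP-only allowed; UV flag must stay unset unless verification actually ran`. `client_pin: Some(false)` is also a literal: if a PIN can be set later, it would keep advertising "not set", so it presumably should be derived from stored PIN state — worth confirming. The struct literal and its enclosing function start above the hunk, so the assertion code is not visible here; a test that requests UV "required" and "discouraged" and checks the returned flags would pin the intended behaviour.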