LG-9483: Filter WebAuthn verification credential by attachment

app/controllers/two_factor_authentication/webauthn_verification_controller.rb

@@ -52,8 +52,7 @@ def handle_valid_webauthn
     end
 
     def handle_invalid_webauthn
-      is_platform_auth = params[:platform].to_s == 'true'
-      if is_platform_auth
+      if platform_authenticator?
         flash[:error] = t(
           'two_factor_authentication.webauthn_error.try_again',
           link: view_context.link_to(
@@ -80,7 +79,7 @@ def presenter_for_two_factor_authentication_method
         data: { credentials:, user_opted_remember_device_cookie: },
         service_provider: current_sp,
         remember_device_default: remember_device_default,
-        platform_authenticator: params[:platform].to_s == 'true',
+        platform_authenticator: platform_authenticator?,
       )
     end
 
@@ -90,14 +89,16 @@ def save_challenge_in_session
     end
 
     def credentials
-      MfaContext.new(current_user).webauthn_configurations.map do |configuration|
-        { id: configuration.credential_id, transports: configuration.transports }
-      end
+      MfaContext.new(current_user).webauthn_configurations.
+        select { |configuration| configuration.platform_authenticator? == platform_authenticator? }.
+        map do |configuration|
+          { id: configuration.credential_id, transports: configuration.transports }
+        end
     end
 
     def analytics_properties
       auth_method = if form&.webauthn_configuration&.platform_authenticator ||
-                       params[:platform].to_s == 'true'
+                       platform_authenticator?
                       TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM
                     else
                       TwoFactorAuthenticatable::AuthMethod::WEBAUTHN
@@ -126,5 +127,9 @@ def form
     def check_sp_required_mfa
       check_sp_required_mfa_bypass(auth_method: 'webauthn')
     end
+
+    def platform_authenticator?
+      params[:platform].to_s == 'true'
+    end
   end
 end

spec/controllers/two_factor_authentication/webauthn_verification_controller_spec.rb

@@ -59,7 +59,7 @@
         end
 
         it 'assigns presenter instance variable with initialized credentials' do
-          get :show, params: { platform: true }
+          get :show
 
           presenter = assigns(:presenter)
 
@@ -71,6 +71,32 @@
             ],
           )
         end
+
+        context 'with multiple webauthn configured' do
+          let!(:webauthn_platform_configuration) do
+            create(:webauthn_configuration, :platform_authenticator, user:)
+          end
+
+          it 'filters credentials based on requested authenticator attachment' do
+            get :show
+
+            expect(assigns(:presenter).credentials).to eq(
+              [
+                id: webauthn_configuration.credential_id,
+                transports: webauthn_configuration.transports,
+              ],
+            )
+
+            get :show, params: { platform: true }
+
+            expect(assigns(:presenter).credentials).to eq(
+              [
+                id: webauthn_platform_configuration.credential_id,
+                transports: webauthn_platform_configuration.transports,
+              ],
+            )
+          end
+        end
       end
     end