
Commit f0b0241

Spomky and claude committed
fix: harden ClientOverridePolicy defaults to prevent userVerification downgrade
Change default client override policy for user_verification to deny overrides by default and exclude 'discouraged' from allowed values. This prevents a client from downgrading userVerification to bypass biometric/PIN requirements configured server-side.

- ClientOverridePolicy::canOverride() now defaults to false for unknown fields
- user_verification.enabled defaults to false (was true)
- user_verification.allowed_values defaults to ['required', 'preferred'] (was ['required', 'preferred', 'discouraged'])

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent dd43597 commit f0b0241

2 files changed: +3 -3 lines changed


src/symfony/src/DependencyInjection/Configuration.php

Lines changed: 2 additions & 2 deletions
@@ -150,11 +150,11 @@ private function addClientOverridePolicyConfig(ArrayNodeDefinition $rootNode): v
150150
->addDefaultsIfNotSet()
151151
->children()
152152
->booleanNode('enabled')
153-
->defaultTrue()
153+
->defaultFalse()
154154
->info('Whether to allow client requests to override the user verification requirement')
155155
->end()
156156
->arrayNode('allowed_values')
157-
->defaultValue(['required', 'preferred', 'discouraged'])
157+
->defaultValue(['required', 'preferred'])
158158
->scalarPrototype()
159159
->end()
160160
->info('List of allowed values for user verification requirement')
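Review bot: the new allowed_values default on line 157 (['required', 'preferred']) still permits a downgrade from 'required' to 'preferred', which contradicts the stated goal of stopping clients from bypassing a server-side UV requirement: with 'preferred' the authenticator may skip user verification entirely. If the intent is "never weaker than the server's setting", either default to ['required'] only, or enforce in the policy that an override may not be weaker than the configured server value. Also, the node is a bare scalarPrototype() with no validation, so an operator can silently put 'discouraged' (or a typo) back in; a ->validate() or enum restriction to the three WebAuthn values would catch that, and the ->info() strings on lines 154 and 156 should mention that the default is now deny and why 'discouraged' was dropped, since the secure default is otherwise invisible to someone reading the config reference.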

src/symfony/src/Policy/ClientOverridePolicy.php

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@ public function __construct(
2727
*/
2828
public function canOverride(string $field): bool
2929
{
30-
return $this->policies[$field]['enabled'] ?? true;
30+
return $this->policies[$field]['enabled'] ?? false;
3131
}
3232

3333
/**
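Review bot: the docblock closing on line 27 belongs to the comment above canOverride() and should be updated alongside line 30 to state the new deny-by-default contract (unknown or unconfigured fields return false); otherwise callers reading the PHPDoc will still assume the old permissive behaviour. Note also that `?? false` treats a configured-but-null 'enabled' the same as an absent field, which is fine for a fail-closed default but worth a comment and a unit test covering both the unknown-field case and an explicit `'enabled' => false`, so a future refactor cannot quietly revert the default to true.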
