Fix #110 - Reset WebAuthn user options after last device revocation

app/Http/Controllers/Auth/WebAuthnManageController.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Controllers\Auth;
 
+use App\Facades\Settings;
 use App\Http\Controllers\Controller;
 use Illuminate\Http\Request;
 use App\Http\Requests\WebauthnRenameRequest;
@@ -72,6 +73,13 @@ public function delete(Request $request, $credential)
         $user = $request->user();
         $user->removeCredential($credential);
 
+        // Webauthn user options should be reset to prevent impossible login
+        // See #110
+        if (blank($user->allCredentialDescriptors())) {
+            Settings::delete('useWebauthnAsDefault');
+            Settings::delete('useWebauthnOnly');
+        }
+
         return response()->json(null, 204);
     }
 }

resources/js/views/settings/WebAuthn.vue

@@ -75,7 +75,7 @@
         },
 
         async mounted() {
-            
+
             const { data } = await this.form.get('/api/v1/settings')
 
             this.form.fillWithKeyValueObject(data)
@@ -180,6 +180,14 @@
                     await this.axios.delete('/webauthn/credentials/' + credentialId).then(response => {
                         // Remove the revoked credential from the collection
                         this.credentials = this.credentials.filter(a => a.id !== credentialId)
+
+                        if (this.credentials.length == 0) {
+                            this.form.useWebauthnOnly = false
+                            this.form.useWebauthnAsDefault = false
+                            this.$root.appSettings['useWebauthnOnly'] = false
+                            this.$root.appSettings['useWebauthnAsDefault'] = false
+                        }
+
                         this.$notify({ type: 'is-success', text: this.$t('auth.webauthn.device_revoked') })
                     });
                 }