fix: scope form helpers to the Devise resource

The form helpers (login_with_passkey_form_for, etc.) used form_with
without a scope, so form builder fields like f.check_box :remember_me
generated name="remember_me" instead of name="account[remember_me]".
Since the passkey strategy reads params[scope][:remember_me], the value
was never found.

Resolve the scope via Devise::Mapping.find_scope! and pass it to
form_with. Switch the internal public_key_credential hidden field to
hidden_field_tag so it stays at the top-level params where strategies
and controllers expect it. Update controllers to read :name from the
now-scoped params.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: RenzoMinelli

app/controllers/devise/passkeys_controller.rb

@@ -47,7 +47,7 @@ def verify_and_save_passkey(passkey_from_params)
 
       resource.passkeys.create(
         external_id: passkey_from_params.id,
-        name: params[:name],
+        name: params.dig(resource_name, :name),
         public_key: passkey_from_params.public_key,
         sign_count: passkey_from_params.sign_count
       )

app/controllers/devise/second_factor_webauthn_credentials_controller.rb

@@ -56,7 +56,7 @@ def verify_and_save_security_key(security_key_from_params)
 
       resource.second_factor_webauthn_credentials.create(
         external_id: security_key_from_params.id,
-        name: params[:name],
+        name: params.dig(resource_name, :name),
         public_key: security_key_from_params.public_key,
         sign_count: security_key_from_params.sign_count
       )

lib/devise/webauthn/helpers/credentials_helper.rb

@@ -4,48 +4,56 @@ module Devise
   module Webauthn
     module CredentialsHelper
       def passkey_creation_form_for(resource_or_resource_name, **options, &block)
+        scope = Devise::Mapping.find_scope!(resource_or_resource_name)
+
         form_with(
-          **options, url: passkeys_path(resource_or_resource_name), method: :post
+          **options, scope: scope, url: passkeys_path(resource_or_resource_name), method: :post
         ) do |f|
           tag.webauthn_create(data: { options_url: passkey_registration_options_path(resource_or_resource_name) }) do
-            concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
+            concat hidden_field_tag(:public_key_credential, nil, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
         end
       end
 
       def login_with_passkey_form_for(resource_or_resource_name, **options, &block)
+        scope = Devise::Mapping.find_scope!(resource_or_resource_name)
+
         form_with(
-          **options, url: session_path(resource_or_resource_name), method: :post
+          **options, scope: scope, url: session_path(resource_or_resource_name), method: :post
         ) do |f|
           tag.webauthn_get(data: { options_url: passkey_authentication_options_path(resource_or_resource_name) }) do
-            concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
+            concat hidden_field_tag(:public_key_credential, nil, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
         end
       end
 
       def security_key_creation_form_for(resource_or_resource_name, **options, &block)
+        scope = Devise::Mapping.find_scope!(resource_or_resource_name)
+
         form_with(
-          **options, url: second_factor_webauthn_credentials_path(resource_or_resource_name), method: :post
+          **options, scope: scope, url: second_factor_webauthn_credentials_path(resource_or_resource_name), method: :post
         ) do |f|
           tag.webauthn_create(
             data: { options_url: security_key_registration_options_path(resource_or_resource_name) }
           ) do
-            concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
+            concat hidden_field_tag(:public_key_credential, nil, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
         end
       end
 
       def login_with_security_key_form_for(resource_or_resource_name, **options, &block)
+        scope = Devise::Mapping.find_scope!(resource_or_resource_name)
+
         form_with(
-          **options, url: two_factor_authentication_path(resource_or_resource_name), method: :post
+          **options, scope: scope, url: two_factor_authentication_path(resource_or_resource_name), method: :post
         ) do |f|
           tag.webauthn_get(data: {
                              options_url: security_key_authentication_options_path(resource_or_resource_name)
                            }) do
-            concat f.hidden_field(:public_key_credential, data: { webauthn_target: "response" })
+            concat hidden_field_tag(:public_key_credential, nil, data: { webauthn_target: "response" })
             concat capture(f, &block)
           end
         end

spec/helpers/devise/webauthn/credentials_helper_spec.rb

@@ -101,8 +101,8 @@ def have_hidden_credential_field
       page = parse(html)
 
       expect(page).to have_css("input.btn-primary[type='submit']")
-      expect(page).to have_css("input[type='checkbox'][name='remember_me']")
-      expect(page).to have_css("label[for='remember_me']", text: "Remember me")
+      expect(page).to have_css("input[type='checkbox'][name='account[remember_me]']")
+      expect(page).to have_css("label[for='account_remember_me']", text: "Remember me")
     end
   end
 

spec/internal/app/views/devise/sessions/new.html.erb

@@ -25,8 +25,8 @@
 
 <%= login_with_passkey_form_for(resource_name, id: "passkey-login") do |form| %>
   <div class="field">
-    <%= check_box_tag "account[remember_me]", id: "passkey_remember_me" %>
-    <%= label_tag "passkey_remember_me", "Remember me" %>
+    <%= form.check_box :remember_me %>
+    <%= form.label :remember_me %>
   </div>
 
   <%= form.submit "Log in with passkeys" %>

spec/requests/devise/passkeys_controller_spec.rb

@@ -46,7 +46,7 @@
           assert_difference("user.passkeys.count", 1) do
             post account_passkeys_path, params: {
               public_key_credential: credential.to_json,
-              name: "My Passkey"
+              account: { name: "My Passkey" }
             }
           end
 
@@ -68,7 +68,7 @@
           assert_difference("user.passkeys.count", 0) do
             post account_passkeys_path, params: {
               public_key_credential: invalid_credential.to_json,
-              name: "My Passkey"
+              account: { name: "My Passkey" }
             }
           end
 

spec/requests/devise/second_factor_webauthn_credentials_controller_spec.rb

@@ -56,7 +56,7 @@
           assert_difference("user.second_factor_webauthn_credentials.count", 1) do
             post account_second_factor_webauthn_credentials_path, params: {
               public_key_credential: credential.to_json,
-              name: "My Security Key"
+              account: { name: "My Security Key" }
             }
           end
 
@@ -78,7 +78,7 @@
           assert_difference("user.second_factor_webauthn_credentials.count", 0) do
             post account_second_factor_webauthn_credentials_path, params: {
               public_key_credential: invalid_credential.to_json,
-              name: "My Security Key"
+              account: { name: "My Security Key" }
             }
           end