fix: MFA challenge UI improvements

devondragon · devondragon · commit 6583b4287b81 · 2026-03-22T12:21:11.000-06:00
- Simplify test assertion to expect 404 when MFA is disabled in playwright-test profile
- Remove unnecessary CSRF header from GET request to /user/mfa/status
- Add noscript fallback message on webauthn challenge page
diff --git a/playwright/tests/mfa/mfa-challenge.spec.ts b/playwright/tests/mfa/mfa-challenge.spec.ts
@@ -68,9 +68,8 @@ test.describe('MFA', () => {
         maxRedirects: 0,
       });
 
-      // Should not return 200 for unauthenticated request
-      // Expect redirect to login (302/303) or error (401/403) or 404 (MFA disabled)
-      expect([302, 303, 401, 403, 404]).toContain(response.status());
+      // MFA is disabled in playwright-test profile, so endpoint returns 404
+      expect(response.status()).toBe(404);
     });
   });
 });
diff --git a/src/main/resources/static/js/user/webauthn-manage.js b/src/main/resources/static/js/user/webauthn-manage.js
@@ -271,9 +271,7 @@ async function updateMfaStatusUI() {
     if (!container || !badgesEl) return;
 
     try {
-        const response = await fetch('/user/mfa/status', {
-            headers: { [csrfHeader]: csrfToken }
-        });
+        const response = await fetch('/user/mfa/status');
 
         if (response.status === 404) {
             // MFA feature disabled — silently hide
diff --git a/src/main/resources/templates/user/mfa/webauthn-challenge.html b/src/main/resources/templates/user/mfa/webauthn-challenge.html
@@ -42,6 +42,14 @@ <h5><i class="bi bi-shield-lock me-2"></i>Additional Verification Required</h5>
 			</div>
 		</section>
 
+		<noscript>
+			<div class="container my-5">
+				<div class="alert alert-warning text-center">
+					JavaScript is required for passkey verification. Please enable JavaScript in your browser.
+				</div>
+			</div>
+		</noscript>
+
 		<script type="module" th:src="@{/js/user/mfa-webauthn-challenge.js}"></script>
 	</div>
 </body>
