One of my more complex client sites is in the situation where the "Verify Authenticator" button in the user profile works fine, but the actual auth to login fails with the Auth failed message. This is a membership site that uses Paid Memberships Pro currently under development at a temporary subdomain. When I try on a test site with a more vanilla install of Paid Memberships Pro this works fine. Switching settings to use the normal domain in webauthn settings doesn't work, so I assume that needs to be the temporary domain for now, but then again I get this error either way. The site does also have a custom-built SMS login method plugin I wrote, but webauthn fails regardless if that plugin is active or not so I can't imagine it is at fault. I notice that when auth is failing there are no log entries in the webauthn log, but a verification logs are:
[2024-02-03 17:20:13][0f2bf5] PHP Version => 8.1.27, WordPress Version => 6.4.3, WP-WebAuthn Version => 1.3.1
[2024-02-03 17:20:13][0f2bf5] Current config: first_choice => "false", website_name => "REDACTED", website_domain => "new.REDACTED.net", remember_me => "false", email_login => "false", user_verification => "false", allow_authenticator_type => "none", usernameless_login => "false", password_reset => "off", after_user_registration => "none"
[2024-02-03 17:20:13][0f2bf5] Logger initialized
[2024-02-03 17:27:38][75d797] ajax_auth: Start
[2024-02-03 17:27:38][75d797] ajax_auth: type => "test", user => "alex", usernameless => "false"
[2024-02-03 17:27:38][75d797] ajax_auth: allowedCredentials => [{"type":"public-key","id":REDACTED}]
[2024-02-03 17:27:38][75d797] ajax_auth: user_verification => "false"
[2024-02-03 17:27:38][75d797] ajax_auth: Challenge sent
[2024-02-03 17:27:41][4bf11f] ajax_auth_response: Client response received
[2024-02-03 17:27:41][4bf11f] ajax_auth_response: type => "test", user => "alex"
[2024-02-03 17:27:41][4bf11f] ajax_auth_response: data => {"id":REDACTED,"type":"public-key","rawId":REDACTED"response":{"authenticatorData":REDACTED,"clientDataJSON":REDACTED,"signature":REDACTED,"userHandle":REDACTED}}
[2024-02-03 17:27:41][4bf11f] ajax_auth_response: Challenge verified
When the login fails the only thing in the javasvcript console appears to be the entire HTML of the login page being printed as a warning followed by:
(anonymous) @ login.js?ver=1.3.1:307
xmlHttpReq.onreadystatechange @ login.js?ver=1.3.1:18
XMLHttpRequest.send (async)
get @ login.js?ver=1.3.1:15
check @ login.js?ver=1.3.1:300
Ordinary username or email and password login works fine, as does my SMS login, and on both this and the more vanila site I have Two Factor running and working fine.