From b7923f5498cc031cd09c4c185e1e63184469cdb8 Mon Sep 17 00:00:00 2001
From: Jacob Olness <jolness1@gmail.com>
Date: Tue, 3 Feb 2026 09:12:18 -0700
Subject: [PATCH] [PM-31212] Change hardcoded 5 key WebAuthn limit for login to
 check if premium (#6894)

* removed hardcoded limit so login would look at more than first 5 keys registered

* Update src/Core/Auth/Identity/TokenProviders/WebAuthnTokenProvider.cs

Co-authored-by: Dave <3836813+enmande@users.noreply.github.com>

* Update src/Core/Auth/Identity/TokenProviders/WebAuthnTokenProvider.cs

Co-authored-by: Dave <3836813+enmande@users.noreply.github.com>

* Update src/Core/Auth/Identity/TokenProviders/WebAuthnTokenProvider.cs

Co-authored-by: Dave <3836813+enmande@users.noreply.github.com>

* Update src/Core/Auth/Identity/TokenProviders/WebAuthnTokenProvider.cs

Co-authored-by: Dave <3836813+enmande@users.noreply.github.com>

* removed orphaned for loop in favor of more robust and efficient foreach loop

---------

Co-authored-by: Dave <3836813+enmande@users.noreply.github.com>
---
 .../TokenProviders/WebAuthnTokenProvider.cs        | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/src/Core/Auth/Identity/TokenProviders/WebAuthnTokenProvider.cs b/src/Core/Auth/Identity/TokenProviders/WebAuthnTokenProvider.cs
index 60fb2c5635..a6b1a27713 100644
--- a/src/Core/Auth/Identity/TokenProviders/WebAuthnTokenProvider.cs
+++ b/src/Core/Auth/Identity/TokenProviders/WebAuthnTokenProvider.cs
@@ -147,16 +147,12 @@ public class WebAuthnTokenProvider : IUserTwoFactorTokenProvider<User>
             return keys;
         }
 
-        // Support up to 5 keys
-        for (var i = 1; i <= 5; i++)
+        // Load all WebAuthn credentials stored in metadata. The number of allowed credentials
+        // is controlled by credential registration.
+        foreach (var kvp in provider.MetaData.Where(k => k.Key.StartsWith("Key")))
         {
-            var keyName = $"Key{i}";
-            if (provider.MetaData.TryGetValue(keyName, out var value))
-            {
-                var key = new TwoFactorProvider.WebAuthnData((dynamic)value);
-
-                keys.Add(new Tuple<string, TwoFactorProvider.WebAuthnData>(keyName, key));
-            }
+            var key = new TwoFactorProvider.WebAuthnData((dynamic)kvp.Value);
+            keys.Add(new Tuple<string, TwoFactorProvider.WebAuthnData>(kvp.Key, key));
         }
 
         return keys;