Biometric puzzles + auth-methods-testing soft-pass on 404 (training surface, not a hardened gate) #228

Description

@ahmetabdullahgultekin

Biometric puzzles and the auth-methods-testing surface treat a 404 / not-deployed proxy endpoint as a soft-pass in training mode (verdict soft_pass / reason endpoint_not_deployed); unmapped variants skip server validation entirely. This is acceptable for a training surface but must never be mistaken for a hardened gate — the real gate is enroll/verify.

Evidence (origin/main): src/features/biometric-puzzles/useBiometricPuzzleServer.ts:200-222 (if (status === 404) → soft_pass in training mode; auth mode fails closed).

Action: confirm auth mode is always fail-closed (it appears to be), and document the training-mode soft-pass clearly in code/UX so it is not presented as a security control. Low severity.

Source: MASTER_ISSUE_REGISTER_2026-06-03 (WEB-4), re-verified on origin/main 2026-06-13.
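
The fail-closed split this issue asks to confirm, sketched as an added example (not code from the repository, and not the contents of useBiometricPuzzleServer.ts). Only the `soft_pass` verdict and the `endpoint_not_deployed` reason come from the issue text; every other name, type and reason string is hypothetical, and the sketch covers the 404 case only, not unmapped variants.

```typescript
// Added example. Hypothetical names throughout, except "soft_pass" and
// "endpoint_not_deployed", which are quoted in the issue.
type Mode = "training" | "auth";
type Verdict = "pass" | "fail" | "soft_pass";

interface PuzzleResult {
  verdict: Verdict;
  reason: string;
  // True only when the verdict came from an actual server decision.
  serverValidated: boolean;
}

interface ServerReply {
  status: number;      // HTTP status returned by the proxy endpoint
  accepted?: boolean;  // server's decision (assumed to be present on 200 only)
}

// reply === null means no response was obtained at all (assumption).
function resolveVerdict(mode: Mode, reply: ServerReply | null): PuzzleResult {
  // Only an explicit 200 carrying a boolean decision counts as validation.
  if (reply !== null && reply.status === 200 && typeof reply.accepted === "boolean") {
    return reply.accepted
      ? { verdict: "pass", reason: "server_accepted", serverValidated: true }
      : { verdict: "fail", reason: "server_rejected", serverValidated: true };
  }
  // Endpoint not deployed: tolerated in training mode, rejected in auth mode.
  // Either way the result is marked as not validated by the server.
  if (reply !== null && reply.status === 404) {
    return {
      verdict: mode === "training" ? "soft_pass" : "fail",
      reason: "endpoint_not_deployed",
      serverValidated: false,
    };
  }
  // Everything else (5xx, malformed 200, no response) fails closed in both modes.
  const reason = reply === null ? "no_response" : `unexpected_status_${reply.status}`;
  return { verdict: "fail", reason, serverValidated: false };
}

// Access decisions go through this helper, never through `verdict !== "fail"`,
// so a training-mode soft_pass can never be read as a gate result.
function isAuthoritativePass(result: PuzzleResult): boolean {
  return result.verdict === "pass" && result.serverValidated;
}
```

Keeping `serverValidated` on the result also gives the UX layer a single field to key a "not server-checked" label on.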

Labels: surface/web (web-app: React dashboard + hosted login)
