CVE-2026-32879
**Name of the Vulnerable Software and Affected Versions**
New API versions 0.10.0 and later
**Description**
A flaw exists in the universal secure verification flow, allowing an authenticated user with a registered passkey to bypass the WebAuthn assertion requirement. This issue affects actions protected by `SecureVerificationRequired()`. Specifically, the `POST /api/verify` endpoint, when receiving a request with `{"method":"passkey"}`, only checks that a passkey is registered for the user and never validates that a WebAuthn assertion was actually completed. This can lead to unauthorized access to sensitive information, such as channel secrets via the `POST /api/channel/:id/key` endpoint. Successful exploitation requires an existing authenticated session and a registered passkey.
**Recommendations**
For versions 0.10.0 and later, do not rely on the passkey method as the step-up factor for privileged secure-verification actions.
Require TOTP/2FA for privileged secure-verification actions where possible.
Temporarily restrict access to affected secure-verification-protected endpoints.