corbado · incorbador · May 5, 2026 · May 5, 2026
diff --git a/packages/connect-react/src/types/flags.ts b/packages/connect-react/src/types/flags.ts
@@ -12,6 +12,15 @@ export class Flags {
   addFlags(items: Record<string, string>) {
     for (const [name, value] of Object.entries(items)) {
       this.items[name] = value;
+
+      if (
+        name === keyConditionalUI &&
+        value === 'false' &&
+        this.items[keyEventLow] &&
+        this.items[keyEventLow] === 'true'
+      ) {
+        this.items[keyEventLow] = 'false';
+      }
     }
   }
 

diff --git a/packages/web-core/src/services/WebAuthnService.ts b/packages/web-core/src/services/WebAuthnService.ts
@@ -74,16 +74,22 @@ export class WebAuthnService {
       } as never)) as PublicKeyCredential;
     }
 
+    if (WebAuthnService.isInjectedCredential(credential) || !credential.toJSON) {
+      return {
+        response: JSON.stringify(createResponseToJSON(credential)),
+        message: 'using fallback serializer (extension-injected credential)',
+      };
+    }
+
     try {
-      console.log('credential', credential);
       return {
         response: JSON.stringify(credential.toJSON()),
         message: '',
       };
     } catch (e) {
       return {
         response: JSON.stringify(createResponseToJSON(credential)),
-        message: 'toJSON() not available on PublicKeyCredential',
+        message: 'toJSON() threw on PublicKeyCredential',
       };
     }
   }
@@ -134,6 +140,13 @@ export class WebAuthnService {
       signal: abortController.signal,
     })) as PublicKeyCredential;
 
+    if (WebAuthnService.isInjectedCredential(credential) || !credential.toJSON) {
+      return {
+        response: JSON.stringify(getResponseToJSON(credential)),
+        message: 'using fallback serializer (extension-injected credential)',
+      };
+    }
+
     try {
       return {
         response: JSON.stringify(credential.toJSON()),
@@ -142,7 +155,7 @@ export class WebAuthnService {
     } catch (e) {
       return {
         response: JSON.stringify(getResponseToJSON(credential)),
-        message: 'toJSON() not available on PublicKeyCredential',
+        message: 'toJSON() threw on PublicKeyCredential',
       };
     }
   }
@@ -339,6 +352,14 @@ export class WebAuthnService {
     }
   }
 
+  static isInjectedCredential(credential: PublicKeyCredential): boolean {
+    try {
+      return credential.getClientExtensionResults !== PublicKeyCredential.prototype.getClientExtensionResults;
+    } catch (e) {
+      return true;
+    }
+  }
+
   static async raceWithTimeout<T>(p: Promise<T>, ms: number): Promise<T> {
     const timeout = new Promise<never>((_, reject) =>
       setTimeout(() => reject(new ConnectError(ConnectErrorType.RaceTimeout, `timeout of ${ms}ms reached`)), ms),