From 5efd7264cc00b45d663daa74ffc0fdeddaa2a759 Mon Sep 17 00:00:00 2001
From: Jason Davis <8051493+happydude@users.noreply.github.com>
Date: Mon, 6 Apr 2026 09:27:52 -0700
Subject: [PATCH] Remove UV to UP downgrade check

---
 src/Controller/AuthProcess.php | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/src/Controller/AuthProcess.php b/src/Controller/AuthProcess.php
index 6ebad24..835828d 100644
--- a/src/Controller/AuthProcess.php
+++ b/src/Controller/AuthProcess.php
@@ -163,19 +163,6 @@ public function main(Request $request): Response
 $debugEnabled,
 );
 
- /** Custom check: if the token was initially registered with UV, but now
- * authenticates only UP, we don't allow this downgrade.
- *
- * This is not typically allowed by authenticator implementations anyway
- * (they typically require a full reset of the key to remove UV
- * protections) but to be safe: find out and tell user to re-enroll with
- * the lower security level. (level upgrades are of course OK.)
- */
- if ($oneToken[5] > $authObject->getPresenceLevel()) {
- // phpcs:ignore Generic.Files.LineLength.TooLong
- throw new Exception("Token was initially registered with higher identification guarantees than now authenticated with (was: " . $oneToken[5] . " now " . $authObject->getPresenceLevel() . "!");
- }
-
 // no matter what: if we are passwordless it MUST be presence-verified
 if (
 $state['FIDO2PasswordlessAuthMode'] === true &&
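Review bot: The stored registration level in `$oneToken[5]` is no longer compared with `$authObject->getPresenceLevel()` anywhere in this hunk, and neither the code nor the commit message records why a UV-to-UP downgrade is now acceptable. The only gate left in the visible context applies when `$state['FIDO2PasswordlessAuthMode'] === true`, so outside passwordless mode a credential enrolled with user verification would apparently be accepted with user presence alone, and nothing marks that it happened. If that is the intended policy, I would state it where the check used to be, e.g. `// UV-registered tokens may authenticate with UP only when used as a second factor; the passwordless check below still applies`, and consider writing the registered and presented levels to the authentication log so a downgrade stays visible to operators. main() starts before and continues after this hunk, so a later check on the level may exist that is not visible here.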