From 2a8b1b0d5b6f225a56248507956150e3687e0b78 Mon Sep 17 00:00:00 2001
From: Cory Hawkvelt
Date: Thu, 9 Apr 2026 22:57:03 +0930
Subject: [PATCH] Bugfix - Enable admin to see users webauthn methods
---
 gatehouse_app/api/v1/users/admin.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/gatehouse_app/api/v1/users/admin.py b/gatehouse_app/api/v1/users/admin.py
index 4efcf00..e0cec01 100644
--- a/gatehouse_app/api/v1/users/admin.py
+++ b/gatehouse_app/api/v1/users/admin.py
@@ -512,7 +512,14 @@ def admin_get_user_mfa(user_id):
 user_id=user_id, method_type=AuthMethodType.WEBAUTHN, deleted_at=None,
 ).first()
 if webauthn_method and webauthn_method.provider_data:
- for cred in webauthn_method.provider_data.get("credentials", []):
+ # Handle both single credential (direct in provider_data) and multiple credentials (in credentials array)
+ credentials = webauthn_method.provider_data.get("credentials", [])
+
+ # If no credentials array, check if provider_data itself is a single credential
+ if not credentials and "credential_id" in webauthn_method.provider_data:
+ credentials = [webauthn_method.provider_data]
+
+ for cred in credentials:
 if not cred.get("deleted_at"):
 mfa_methods.append({
 "id": cred.get("id") or cred.get("credential_id"),
@@ -588,6 +595,8 @@ def admin_remove_user_mfa(user_id, method_type):
 credential_id = request.args.get("credential_id")
 if credential_id:
 credentials = (webauthn_method.provider_data or {}).get("credentials", [])
+ if not credentials and "credential_id" in (webauthn_method.provider_data or {}):
+ credentials = [webauthn_method.provider_data]
 found = False
 new_credentials = []
 for cred in credentials:
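Review bot: The fallback test `if not credentials and "credential_id" in webauthn_method.provider_data:` in admin_get_user_mfa is also true when a `credentials` array exists but is empty, so a record whose array was emptied while a top-level `credential_id` remains would be reported as an active WebAuthn method again. Testing for the missing key instead of an empty list avoids that: `credentials = webauthn_method.provider_data.get("credentials")`, then `if credentials is None:` and `credentials = [webauthn_method.provider_data] if "credential_id" in webauthn_method.provider_data else []`. The same condition is repeated in the admin_remove_user_mfa hunk; a small shared helper that normalises `provider_data` to a credential list would keep what the admin sees and what the admin can remove in agreement. Both function bodies continue outside the hunks.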
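Review bot: In admin_remove_user_mfa the legacy fallback `credentials = [webauthn_method.provider_data]` makes the record itself the only list entry, so dropping it from `new_credentials` does not remove the top-level `credential_id` and key fields from `provider_data`. The write-back is outside this hunk, but if it only stores `new_credentials` under `"credentials"`, the removed authenticator probably stays on the row, may still be accepted at sign-in, and would match the fallback again on the next admin lookup. For the single-credential shape the removal path should revoke the method itself, for example by setting `deleted_at` on `webauthn_method` or clearing the top-level credential fields. A regression test should check that the credential is gone from the admin listing after removal.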