
feat: remove platform attachment requirement on registration #331

Conversation

lfleischmann
Member

@lfleischmann lfleischmann commented Oct 25, 2022

Description

Remove platform attachment requirement on registration and change isUserVerifyingPlatformAuthenticatorAvailable calls to the general Webauthn availability check.

Implementation

Safari currently (v. 16.2) does not provide a UI in case of a (registration) ceremony being performed with an authenticator NOT protected by e.g. a PIN. While Chromium based browsers do offer a UI guiding through the setup of a PIN, Safari simply performs the ceremony without then setting the UV flag even if it is required. On finalization in the backend, this ultimately leads to an error in the webauthn library which is then "swallowed" by being mapped to a generic error response ("Failed to validate attestation"). In order to provide an appropriate error message to the frontend/user, I had to return an error response distinguishable from other error cases, so the webauthn handler now returns an HTTP error with a dedicated/separate HTTP status code (i.e. NOT "Bad request") because it seemed a bit more robust than forcing the frontend to check on a matching (sub-)string in the error message in order to properly display the error.

Tests

The changes add e2e test runs to check whether WebAuthn credentials now allow for transports other than platform. However, the e2e tests do not test the above mentioned implemented error handling for user verification failures because:

  1. The e2e tests only use Chromium; the error handling is more or less a Safari workaround.
  2. While authenticators used in the virtual WebAuthn environment can be configured to either not have user verification capabilities at all or to simply return a false user verification flag, the WebAuthn API/browser responds with an exception/error, so the authenticator response does not even reach the backend and the above mentioned error handling implementation does not take effect.

How to test

Run the tests or/and run the quickstart.
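The backend-side check the description refers to, as an added illustration that is not Hanko's code nor the go-webauthn library's: parse the fixed prefix of the authenticator data, require the UP flag always and the UV flag only when the RP asked for user verification, and map the "UV required but not set" case to its own HTTP status instead of the generic 400 so the frontend can branch on the status code rather than on the message text. Assumptions: 422 Unprocessable Entity as the dedicated code (the PR only says it is not "Bad request"), a simplified endpoint that receives raw authenticator data as the body instead of a full attestation response, and a constructed `NewAuthData` helper whose rpIdHash is the SHA-256 of a hypothetical RP ID "example.com".

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Authenticator data flag bits (byte 32 of the authenticator data).
const (
	FlagUP = 0x01 // user present
	FlagUV = 0x04 // user verified
)

// rpIdHash (32) || flags (1) || signCount (4); attested credential data follows and is ignored here.
const authDataMinLen = 32 + 1 + 4

var (
	ErrShortAuthData   = errors.New("authenticator data too short")
	ErrUserNotPresent  = errors.New("UP flag not set")
	ErrUserNotVerified = errors.New("user verification required but UV flag not set")
)

// AuthData holds the fixed-length prefix of an authenticator data blob.
type AuthData struct {
	RPIDHash  [32]byte
	Flags     byte
	SignCount uint32
}

// ParseAuthData decodes the fixed prefix of raw authenticator data.
func ParseAuthData(raw []byte) (AuthData, error) {
	var ad AuthData
	if len(raw) < authDataMinLen {
		return ad, ErrShortAuthData
	}
	copy(ad.RPIDHash[:], raw[:32])
	ad.Flags = raw[32]
	ad.SignCount = binary.BigEndian.Uint32(raw[33:37])
	return ad, nil
}

// CheckFlags always demands UP; UV only when the RP required it.
func CheckFlags(ad AuthData, requireUV bool) error {
	if ad.Flags&FlagUP == 0 {
		return ErrUserNotPresent
	}
	if requireUV && ad.Flags&FlagUV == 0 {
		return ErrUserNotVerified
	}
	return nil
}

// StatusForError gives the UV failure its own status code (422 is an assumption
// for this example) so the frontend never has to match on the message string.
func StatusForError(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrUserNotVerified):
		return http.StatusUnprocessableEntity
	default:
		return http.StatusBadRequest
	}
}

// FinalizeHandler stands in for a finalize-registration endpoint (simplified:
// the body is raw authenticator data, not a full attestation response).
func FinalizeHandler(requireUV bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		raw, err := io.ReadAll(io.LimitReader(r.Body, 4096))
		if err != nil {
			http.Error(w, "cannot read body", http.StatusBadRequest)
			return
		}
		ad, err := ParseAuthData(raw)
		if err == nil {
			err = CheckFlags(ad, requireUV)
		}
		if err != nil {
			http.Error(w, err.Error(), StatusForError(err))
			return
		}
		fmt.Fprintf(w, "registered, signCount=%d\n", ad.SignCount)
	}
}

// NewAuthData builds constructed authenticator data for testing; the rpIdHash
// is SHA-256 of a hypothetical RP ID and is not checked by this example.
func NewAuthData(flags byte, signCount uint32) []byte {
	buf := make([]byte, authDataMinLen)
	h := sha256.Sum256([]byte("example.com"))
	copy(buf, h[:])
	buf[32] = flags
	binary.BigEndian.PutUint32(buf[33:], signCount)
	return buf
}

func main() {
	// Safari-style response: UP set, UV missing, while UV was required.
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/finalize", bytes.NewReader(NewAuthData(FlagUP, 1)))
	FinalizeHandler(true)(rec, req)
	fmt.Printf("status %d: %s", rec.Code, rec.Body.String())
}
```

With user verification required, a response carrying UP but not UV yields the dedicated 422; the same response with `requireUV=false` passes, and malformed input still gets the generic 400. This mirrors the point of the PR: the distinguishing signal lives in the status code, so a frontend can show the "set up a PIN" hint without parsing error strings.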

@lfleischmann lfleischmann marked this pull request as ready for review November 17, 2022 11:50
Contributor

@FreddyDevelop FreddyDevelop left a comment


LGTM

@lfleischmann lfleischmann merged commit 1f6edcf into main Nov 23, 2022
@lfleischmann lfleischmann deleted the feat-remove-platform-requirement-and-availability-check-on-registration branch November 23, 2022 13:57

3 participants