Ensure BackupEligible and BackupState flag consistency during login v…

…alidation
go-webauthn · May 25, 2024 · e5f2d81 · e5f2d81
1 parent 0254b23
commit e5f2d81
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/webauthn/login.go b/webauthn/login.go
@@ -288,6 +288,11 @@ func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedRe
  return nil, protocol.ErrBadRequest.WithDetails("BackupEligible flag inconsistency detected during login validation")
  }
 
+ // Check for the invalid combination BE=0 and BS=1.
+ if !parsedResponse.Response.AuthenticatorData.Flags.HasBackupEligible() && parsedResponse.Response.AuthenticatorData.Flags.HasBackupState() {
+ return nil, protocol.ErrBadRequest.WithDetails("Invalid flag combination: BE=0 and BS=1")
+ }
+
  // Update flags from response data.
  loginCredential.Flags.UserPresent = parsedResponse.Response.AuthenticatorData.Flags.HasUserPresent()
  loginCredential.Flags.UserVerified = parsedResponse.Response.AuthenticatorData.Flags.HasUserVerified()