Handle is nil when allowCredentials is non-empty during discoverable login #171
Comments
I think unless I'm mistaken this is purely a naming and documentation issue. If you knew the allowed credential IDs you'd know the identity of the user, thus could use the standard ValidateLogin. ValidateDiscoverableLogin would be more aptly named "ValidateUsernamelessLogin" maybe?
You are absolutely correct. BeginLogin == BeginDiscoverableLogin (with allowed credentials and userid). Not sure how I missed that. I think it's probably best to leave the name as is. That said, is there a particular reason why there are two distinct sets of functions for this? But, perhaps doing this is just trying to make it too "generic" or introduce more confusion.
Those are very good points. The main reason was there was no clear way to perform a login without a user, and to validate the credential you need the hook-like function to call to load their credential(s) from the storage location, and this specific element is unique to usernameless logins. I think we'd need two funcs to cater for this:
Version
0.8.6
Description
Using phone as a passkey / credential seems to give a response without a handle during a discoverable login with allowedCredentials set.
Currently there are checks that invalidate the response if the handle is empty.
Reading about user handles in w3c github;
This doesn't specifically say anything about what must and mustn't be provided when starting authentication ceremonies with provided allowedCredentials, however, I take it that responses with empty handle are valid if the ceremony was started with given allowedCredentials?
Reproduction
Register a phone as a discoverable credential, then try login with the credential id listed in allowedCredentials.
Expectations
No response
Documentation
w3c github about user handles
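A self-contained sketch of the rule this thread converges on, added here as an illustration and not taken from go-webauthn: a user handle is required only when the relying party did not already know the user, and a missing handle is acceptable when the user (and so allowCredentials) was known up front, provided the credential ID still belongs to that user. The names `Assertion`, `User`, `ResolveUser` and the `lookup` hook are hypothetical.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Assertion carries the two response fields this issue is about.
type Assertion struct {
	CredentialID []byte
	UserHandle   []byte // nil when the authenticator omits it
}

// User is a hypothetical account record.
type User struct {
	Handle        []byte
	CredentialIDs [][]byte
}

var (
	ErrNoHandle    = errors.New("user handle missing in usernameless login")
	ErrUnknownUser = errors.New("no user for handle")
	ErrNotOwned    = errors.New("credential does not belong to user")
	ErrMismatch    = errors.New("user handle does not match known user")
)

// ResolveUser picks the account; known is nil for a usernameless login.
func ResolveUser(a Assertion, known *User, lookup func([]byte) *User) (*User, error) {
	if known == nil { // empty allowCredentials: the handle is the only key
		if len(a.UserHandle) == 0 {
			return nil, ErrNoHandle
		}
		if known = lookup(a.UserHandle); known == nil {
			return nil, ErrUnknownUser
		}
	} else if len(a.UserHandle) > 0 && !bytes.Equal(a.UserHandle, known.Handle) {
		return nil, ErrMismatch // handle is optional here, but must match if sent
	}
	for _, id := range known.CredentialIDs {
		if bytes.Equal(id, a.CredentialID) {
			return known, nil
		}
	}
	return nil, ErrNotOwned
}

func main() {
	alice := &User{Handle: []byte("h-alice"), CredentialIDs: [][]byte{[]byte("cred-1")}} // constructed sample
	fmt.Println(ResolveUser(Assertion{CredentialID: []byte("cred-1")}, alice, nil))
}
```

In both branches the credential ID is checked against the resolved account, so accepting an empty handle never skips the ownership check.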