fix(webauthn): validate discoverable login with handle = nil #164
I ran into an issue while trying to use the credentials over the phone where the signed response does not contain a user handle.
Digging into this, I found https://w3c.github.io/webauthn/#user-handle
and
I suppose this means that the user handle can be absent in case the ceremony is started with specific allowed credentials?
Seems like there has been some relevant discussions here and here
The implementation should then, at least
Or perhaps save the intended user handle in session with the help of another LoginOption and in ValidateDiscoverableLogin just use the handle from the session (if present), as the whole issue seems to be about indexing?
In any case, to me, it looks like it's valid with a UserHandle == nil response.
To add, apparently, I could not use the phone to do login with no AllowedCredentials specified for some reason which I don't fully understand yet (Yubikey works fine though).
Edit:
The credentials for the RP just weren't listed by default having AllowedCredentials = nil. There was another button, "more options -> this device", that listed the usable credentials.
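The resolution rule the PR description sketches (use the response's user handle when present, otherwise fall back to the handle the RP recorded when it started the ceremony, and reject a discoverable login that has neither), written out as an added, self-contained example. This is not go-webauthn's code and does not use its API: `loginSession`, `assertionResponse` and `resolveUserHandle` are hypothetical names standing in for the library's session data and `ValidateDiscoverableLogin`, and the credential ids and handles are constructed sample values.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// loginSession is a hypothetical stand-in for the state a relying party keeps
// between the two halves of a login ceremony. The UserHandle field mirrors the
// idea in the PR of saving the intended user handle when the ceremony starts.
type loginSession struct {
	AllowedCredentialIDs [][]byte // non-empty when the RP restricted the ceremony to known credentials
	UserHandle           []byte   // intended user handle, nil when the user was not identified up front
}

// assertionResponse holds the two fields of the authenticator's answer that
// matter here. UserHandle is nil when the authenticator omitted it, which the
// spec allows when the ceremony was started with specific allowed credentials.
type assertionResponse struct {
	CredentialID []byte
	UserHandle   []byte
}

var (
	errCredentialNotAllowed = errors.New("credential id is not in the allowed list")
	errHandleMismatch       = errors.New("user handle in response does not match the session")
	errNoUserHandle         = errors.New("user handle absent and no intended user recorded in the session")
)

// resolveUserHandle decides which user handle the login is for. A handle in the
// response wins but must agree with the session if the session has one; an
// absent handle is acceptable only when the session already identifies the user.
func resolveUserHandle(sess loginSession, resp assertionResponse) ([]byte, error) {
	// When the ceremony limited allowed credentials, the response must come
	// from one of them, regardless of whether a user handle is present.
	if len(sess.AllowedCredentialIDs) > 0 {
		allowed := false
		for _, id := range sess.AllowedCredentialIDs {
			if bytes.Equal(id, resp.CredentialID) {
				allowed = true
				break
			}
		}
		if !allowed {
			return nil, errCredentialNotAllowed
		}
	}

	switch {
	case len(resp.UserHandle) > 0 && len(sess.UserHandle) > 0:
		// Both sides identify a user: they must agree.
		if !bytes.Equal(resp.UserHandle, sess.UserHandle) {
			return nil, errHandleMismatch
		}
		return resp.UserHandle, nil
	case len(resp.UserHandle) > 0:
		// Discoverable login: the authenticator tells us who the user is.
		return resp.UserHandle, nil
	case len(sess.UserHandle) > 0:
		// Handle omitted by the authenticator (the case in the PR); the RP
		// already knows the intended user from when it started the ceremony.
		return sess.UserHandle, nil
	default:
		// Neither side identifies a user: nothing to look the credential up by.
		return nil, errNoUserHandle
	}
}

func main() {
	// Constructed sample: ceremony started for a known user with one allowed credential.
	sess := loginSession{AllowedCredentialIDs: [][]byte{[]byte("cred-1")}, UserHandle: []byte("user-42")}
	handle, err := resolveUserHandle(sess, assertionResponse{CredentialID: []byte("cred-1")})
	fmt.Printf("handle=%q err=%v\n", handle, err)

	// Discoverable login with no handle anywhere is rejected.
	_, err = resolveUserHandle(loginSession{}, assertionResponse{CredentialID: []byte("cred-1")})
	fmt.Println("discoverable login without handle:", err)
}
```

The allowed-credential check runs before the handle logic so that a response with a nil handle can only be accepted for a credential the RP itself put on the allow list; that is what makes falling back to the session's handle safe.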