go-webauthn · james-d-elliott · May 28, 2024 · May 25, 2024 · May 25, 2024 · May 25, 2024
@@ -307,8 +307,16 @@ func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedRe
 
  // Handle step 17.
  loginCredential.Authenticator.UpdateCounter(parsedResponse.Response.AuthenticatorData.Counter)
+ // Check if the BackupEligible flag has changed.
+ if loginCredential.Flags.BackupEligible != parsedResponse.Response.AuthenticatorData.Flags.HasBackupEligible() {
+ return nil, protocol.ErrBadRequest.WithDetails("BackupEligible flag inconsistency detected during login validation")
+ }
+
+ // Check for the invalid combination BE=0 and BS=1.
+ if !parsedResponse.Response.AuthenticatorData.Flags.HasBackupEligible() && parsedResponse.Response.AuthenticatorData.Flags.HasBackupState() {
+ return nil, protocol.ErrBadRequest.WithDetails("Invalid flag combination: BE=0 and BS=1")
+ }
 
- // TODO: The backup eligible flag shouldn't change. Should decide if we want to error if it does.
  // Update flags from response data.
  loginCredential.Flags.UserPresent = parsedResponse.Response.AuthenticatorData.Flags.HasUserPresent()
  loginCredential.Flags.UserVerified = parsedResponse.Response.AuthenticatorData.Flags.HasUserVerified()