You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Here are some key observations to aid the review process:
⏱️ Estimated effort to review: 4 🔵🔵🔵🔵⚪
🧪 PR contains tests
🔒 Security concerns
Sensitive information exposure: The new implementation includes client-side handling of WebAuthn credentials in the index.html file. While the code appears to use appropriate methods for encoding and decoding credentials, it's crucial to ensure that sensitive information such as private keys or user identifiers are not inadvertently exposed or stored insecurely on the client side. A thorough review of the credential handling process, especially in the arrayBufferToBase64URL and base64URLToArrayBuffer functions, is recommended to prevent any potential leakage of sensitive data.
The new implementation for discoverable credentials might introduce security risks if not properly validated. Ensure that the user authentication process is still secure when using discoverable credentials.
func (ctrl*Controller) PostSigninWebauthnVerifyUserHandle(
ctx context.Context,
response*protocol.ParsedCredentialAssertionData,
logger*slog.Logger,
) webauthn.DiscoverableUserHandler {
returnfunc(_, userHandle []byte) (webauthn.User, error) {
// we need to encoide it back because the client treats it as a string including the hyphensb, err:=json.Marshal(protocol.URLEncodedBase64(userHandle))
iferr!=nil {
returnnil, fmt.Errorf("failed to marshal user handle: %w", err)
}
userID, err:=uuid.Parse(string(b))
iferr!=nil {
returnnil, fmt.Errorf("failed to parse user ID: %w", err)
}
keys, apiErr:=ctrl.wf.GetUserSecurityKeys(ctx, userID, logger)
ifapiErr!=nil {
returnnil, apiErr
}
creds, apiErr:=webauthnCredentials(keys, logger)
ifapiErr!=nil {
returnnil, apiErr
}
// we don't track the flags so we just copy themfori, userCreds:=rangecreds {
ifbytes.Equal(response.RawID, userCreds.ID) {
userCreds.Flags= webauthn.CredentialFlags{
UserPresent: response.Response.AuthenticatorData.Flags.UserPresent(),
UserVerified: response.Response.AuthenticatorData.Flags.UserVerified(),
BackupEligible: response.Response.AuthenticatorData.Flags.HasBackupEligible(),
BackupState: response.Response.AuthenticatorData.Flags.HasBackupState(),
}
creds[i] =userCreds
}
}
response.Response.UserHandle= []byte(userID.String())
returnWebauthnUser{
ID: userID,
Name: "",
Email: "",
Credentials: creds,
Discoverable: true,
}, nil
}
}
The changes in the FinishLogin and FinishDiscoverableLogin functions may lead to unexpected behavior. Verify that the logic for handling different types of logins (discoverable and non-discoverable) is correct and doesn't introduce any regressions.
func (w*Webauthn) FinishLogin(
response*protocol.ParsedCredentialAssertionData,
userHandler webauthn.DiscoverableUserHandler,
logger*slog.Logger,
) (*webauthn.Credential, WebauthnUser, *APIError) {
challenge, ok:=w.Storage[response.Response.CollectedClientData.Challenge]
if!ok {
logger.Info("webauthn challenge not found")
returnnil, WebauthnUser{}, ErrInvalidRequest
}
ifchallenge.User.Discoverable {
returnw.FinishDiscoverableLogin(response, userHandler, logger)
}
// we don't track the flags so we just copy themfori, userCreds:=rangechallenge.User.Credentials {
ifbytes.Equal(response.RawID, userCreds.ID) {
userCreds.Flags= webauthn.CredentialFlags{
UserPresent: response.Response.AuthenticatorData.Flags.UserPresent(),
UserVerified: response.Response.AuthenticatorData.Flags.UserVerified(),
BackupEligible: response.Response.AuthenticatorData.Flags.HasBackupEligible(),
BackupState: response.Response.AuthenticatorData.Flags.HasBackupState(),
}
challenge.User.Credentials[i] =userCreds
}
}
// we do this in case the userHandle hasn't been urlencoded by the libraryb, err:=json.Marshal(protocol.URLEncodedBase64(response.Response.UserHandle))
iferr==nil {
potentialUUID, err:=uuid.Parse(string(b))
iferr==nil&&bytes.Equal(potentialUUID[:], challenge.User.ID[:]) {
response.Response.UserHandle=challenge.User.WebAuthnID()
}
}
cred, err:=w.wa.ValidateLogin(challenge.User, challenge.Session, response)
iferr!=nil {
logger.Info("failed to validate webauthn login", logError(err))
returnnil, WebauthnUser{}, ErrInvalidRequest
}
w.cleanCache()
returncred, challenge.User, nil
}
func (w*Webauthn) BeginDiscoverableLogin(
logger*slog.Logger,
) (*protocol.CredentialAssertion, *APIError) {
w.cleanCache()
challenge, sessionData, err:=w.wa.BeginDiscoverableLogin()
iferr!=nil {
logger.Error("failed to begin discoverable webauthn login", logError(err))
returnnil, ErrInternalServerError
}
w.Storage[challenge.Response.Challenge.String()] =WebauthnChallenge{
Session: *sessionData,
User: WebauthnUser{
ID: uuid.Nil,
Name: "",
Email: "",
Credentials: []webauthn.Credential{},
Discoverable: true,
},
Options: nil,
}
returnchallenge, nil
}
func (w*Webauthn) FinishDiscoverableLogin(
response*protocol.ParsedCredentialAssertionData,
userHandler webauthn.DiscoverableUserHandler,
logger*slog.Logger,
) (*webauthn.Credential, WebauthnUser, *APIError) {
challenge, ok:=w.Storage[response.Response.CollectedClientData.Challenge]
if!ok {
logger.Info("webauthn challenge not found")
returnnil, WebauthnUser{}, ErrInvalidRequest
}
cred, err:=w.wa.ValidateDiscoverableLogin(userHandler, challenge.Session, response)
iferr!=nil {
logger.Info("failed to validate webauthn discoverable login", logError(err))
returnnil, WebauthnUser{}, ErrInvalidRequest
}
The new client-side implementation for WebAuthn signin and signup should be reviewed for adherence to security best practices, especially in handling of credentials and error scenarios.
<!-
python3 -m http.server 3000
open http://localhost:3000/index.html
-><!DOCTYPE html><html><head><title>WebAuthn Signin</title></head><body><h1>WebAuthn Signin</h1><buttononclick="startSignin()">Start Signin</button><divid="emailForm" style="display: none; margin-top: 20px;"><p>No credentials found. Please enter your email to register:</p><inputtype="email" id="emailInput" placeholder="Enter your email"><buttononclick="startSignup()">Register</button></div><script>asyncfunctionstartSignin(){try{// First POST request to /signin/webauthnconstinitialResponse=awaitfetch('http://localhost:4000/signin/webauthn',{method: 'POST',headers: {'Content-Type': 'application/json'},body: '{}'});if(!initialResponse.ok){thrownewError('Initial request failed');}// Get the options from the responseletoptions=awaitinitialResponse.json();// Convert base64 strings to ArrayBuffer where neededif(options.challenge){options.challenge=base64URLToArrayBuffer(options.challenge);}if(options.allowCredentials){options.allowCredentials=options.allowCredentials.map(credential=>({
...credential,id: base64URLToArrayBuffer(credential.id)}));}// Call navigator.credentials.get with the optionsconstcredential=awaitnavigator.credentials.get({publicKey: options});console.log(arrayBufferToBase64URL(credential.response.userHandle))// Prepare the credential data for sending to serverconstverifyData={id: credential.id,rawId: arrayBufferToBase64URL(credential.rawId),response: {authenticatorData: arrayBufferToBase64URL(credential.response.authenticatorData),clientDataJSON: arrayBufferToBase64URL(credential.response.clientDataJSON),signature: arrayBufferToBase64URL(credential.response.signature),userHandle: credential.response.userHandle ? arrayBufferToBase64URL(credential.response.userHandle) : null},type: credential.type};// Second POST request to /signin/webauthn/verifyconstverifyResponse=awaitfetch('http://localhost:4000/signin/webauthn/verify',{method: 'POST',headers: {'Content-Type': 'application/json'},body: JSON.stringify({credential: verifyData})});if(!verifyResponse.ok){thrownewError('Verification failed');}constresult=awaitverifyResponse.json();console.log('Signin successful:',result);document.getElementById('emailForm').style.display='none';}catch(error){console.error('Error during signin:',error);// Show email form for registrationdocument.getElementById('emailForm').style.display='block';}}asyncfunctionstartSignup(){constemail=document.getElementById('emailInput').value;if(!email){alert('Please enter an email address');return;}try{// First POST request to /signup/webauthnconstinitialResponse=awaitfetch('http://localhost:4000/signup/webauthn',{method: 'POST',headers: {'Content-Type': 'application/json'},body: JSON.stringify({ email })});if(!initialResponse.ok){thrownewError('Initial signup request failed');}// Get the options from the responseletoptions=awaitinitialResponse.json();// Convert base64 strings to ArrayBuffer where neededif(options.challenge){options.challenge=base64URLToArrayBuffer(options.challenge);}if(options.user&&options.user.id){options.user.id=base64URLToArrayBuffer(options.user.id);}// Call navigator.credentials.create with the optionsconstcredential=awaitnavigator.credentials.create({publicKey: options});// Prepare the credential data for sending to serverconstverifyData={id: credential.id,rawId: arrayBufferToBase64URL(credential.rawId),response: {attestationObject: arrayBufferToBase64URL(credential.response.attestationObject),clientDataJSON: arrayBufferToBase64URL(credential.response.clientDataJSON)},type: credential.type};// Second POST request to /signup/webauthn/verifyconstverifyResponse=awaitfetch('http://localhost:4000/signup/webauthn/verify',{method: 'POST',headers: {'Content-Type': 'application/json'},body: JSON.stringify({credential: verifyData})});if(!verifyResponse.ok){thrownewError('Signup verification failed');}constresult=awaitverifyResponse.json();console.log('Signup successful:',result);document.getElementById('emailForm').style.display='none';}catch(error){console.error('Error during signup:',error);alert('Registration failed. Please try again.');}}// Helper function to convert base64URL to ArrayBufferfunctionbase64URLToArrayBuffer(base64URL){constpadding='='.repeat((4-base64URL.length%4)%4);constbase64=base64URL.replace(/-/g,'+').replace(/_/g,'/')+padding;constbinaryString=window.atob(base64);constbytes=newUint8Array(binaryString.length);for(leti=0;i<binaryString.length;i++){bytes[i]=binaryString.charCodeAt(i);}returnbytes.buffer;}// Helper function to convert ArrayBuffer to base64URLfunctionarrayBufferToBase64URL(buffer){constbytes=newUint8Array(buffer);letbinary='';for(leti=0;i<bytes.byteLength;i++){binary+=String.fromCharCode(bytes[i]);}constbase64=window.btoa(binary);returnbase64.replace(/\+/g,'-').replace(/\//g,'_').replace(/=/g,'');}</script></body></html>
if request.Body.Email == nil {
+ if !ctrl.config.WebauthnEnabled {+ return ctrl.sendError(ErrWebauthnDisabled), nil+ }
return ctrl.postSigninWebauthnDiscoverableLogin(logger)
}
Suggestion importance[1-10]: 9
Why: This suggestion enhances security by ensuring WebAuthn is enabled before proceeding with the login process, preventing unauthorized access attempts when the feature is disabled.
9
Enhance error handling and logging in WebAuthn login validation
Add proper error handling and logging for the WebAuthn login validation process. This will help in debugging and improving the security of the authentication flow.
Why: This suggestion adds crucial error logging for the WebAuthn login validation process, which is critical for security and debugging. It's a high-impact improvement for a security-sensitive area.
8
Possible issue
Add specific error handling for disabled or non-existent users during WebAuthn verification
Consider adding error handling for the case where the user is not found or disabled. This will provide more specific feedback to the client.
Why: This suggestion adds important error handling for disabled or non-existent users, which improves security and user experience by providing more specific feedback.
8
Improve error handling and logging for user handle parsing in WebAuthn login process
Handle potential errors when parsing the user handle as a UUID. Consider using a more robust error handling approach or a different method to validate the user handle.
b, err := json.Marshal(protocol.URLEncodedBase64(response.Response.UserHandle))
-if err == nil {+if err != nil {+ logger.Warn("Failed to marshal user handle", "error", err)+} else {
potentialUUID, err := uuid.Parse(string(b))
- if err == nil && bytes.Equal(potentialUUID[:], challenge.User.ID[:]) {+ if err != nil {+ logger.Warn("Failed to parse user handle as UUID", "error", err)+ } else if bytes.Equal(potentialUUID[:], challenge.User.ID[:]) {
response.Response.UserHandle = challenge.User.WebAuthnID()
}
}
Suggestion importance[1-10]: 7
Why: The suggestion improves error handling and adds logging, which enhances debugging capabilities and robustness of the code. This is important for security-related features like WebAuthn.
Add proper error handling for JSON marshaling operation to prevent potential issues with unhandled errors
Consider adding error handling for the json.Marshal operation in the FinishLogin function. If the marshaling fails, the current code continues execution without addressing the error, which could lead to unexpected behavior.
Why: The suggestion addresses a potential issue with error handling, which could lead to unexpected behavior. Proper error handling is crucial for robust and reliable code, especially in security-sensitive operations like WebAuthn.
8
Add validation to handle cases where both Email and UserHandle are nil in the request body
Consider adding error handling for the case when both Email and UserHandle are nil in the request body. This would prevent potential nil pointer dereferences and improve the robustness of the function.
Why: This suggestion improves error handling by explicitly checking for invalid input where both Email and UserHandle are nil. It prevents potential issues and improves the function's robustness.
7
Add a check for empty userHandle to prevent potential errors when parsing invalid user handles
Consider adding a check for empty userHandle before attempting to parse it as a UUID. This would prevent potential panics or errors when dealing with invalid user handles.
+if len(userHandle) == 0 {+ return nil, fmt.Errorf("empty user handle")+}
userID, err := uuid.Parse(string(b))
if err != nil {
return nil, fmt.Errorf("failed to parse user ID: %w", err)
}
Suggestion importance[1-10]: 6
Why: This suggestion adds a safety check for empty userHandle before parsing it as a UUID. It helps prevent potential panics or errors when dealing with invalid user handles, improving the function's reliability.
6
General
Check for WebAuthn support in the browser before attempting to use it to prevent errors in unsupported environments
In the startSignin function, consider adding a check for browser support of WebAuthn before attempting to use it. This can prevent potential errors in unsupported browsers and provide a better user experience.
async function startSignin() {
+ if (!window.PublicKeyCredential) {+ console.error('WebAuthn is not supported in this browser');+ alert('Your browser does not support WebAuthn. Please use a modern browser.');+ return;+ }
try {
// First POST request to /signin/webauthn
const initialResponse = await fetch('http://localhost:4000/signin/webauthn', {
method: 'POST',
headers: {
'Content-Type': 'application/json'
},
body: '{}'
});
Suggestion importance[1-10]: 7
Why: This suggestion improves user experience by checking for WebAuthn support before attempting to use it. It prevents potential errors in unsupported browsers and provides clear feedback to users, enhancing the overall reliability of the application.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
github-actions
bot
added
Review effort [1-5]: 4
and removed
Review effort [1-5]: 3
labels
PR Type
Enhancement
Description
Implement discoverable credentials for WebAuthn
Remove userHandle from signin request
Update WebAuthn login flow
Add discoverable login support
Changes walkthrough 📝
7 files
Update generated API server codeRemove userHandle from SignInWebauthnRequestImplement discoverable login for WebAuthnAdd support for discoverable credentials verificationAdd discoverable flag to WebauthnUserImplement discoverable login functionalityRemove userHandle from SignInWebauthnRequest3 files
Update tests for discoverable WebAuthn loginAdd test for discoverable WebAuthn loginUpdate tests with discoverable flag1 files
Add WebAuthn signin and signup demo