Comments (7)
Inside the crate we can just use challenge.0 though can't we?
from webauthn-rs.
Yes, internally nothing has changed, but Challenge is a type that is exposed publicly, and for whatever reason a user might want to make use of the inner data in the Challenge in a different context (ex: serializing). Currently, the change I've made is a regression, as before the inner byte vector was just pub.
from webauthn-rs.
I think that people shouldn't be tampering with the challenges that we generate though, so I'm happy that this is "hidden". There are actually some issues under discussion in the webauthn group about this, and people "mis-using" the challenge field to sign arbitrary data, but it actually weakens the system.
from webauthn-rs.
Interesting. I think that is reasonable.
I would think that having a public new(bytes: Vec<u8>) function would be problematic if we wish to prevent users from placing arbitrary data in the challenge. Perhaps that should be made pub(crate) instead?
from webauthn-rs.
Yes, I think so :)
from webauthn-rs.
Thanks!
from webauthn-rs.
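The design the thread converges on (inner bytes hidden, constructor restricted to the crate, read access kept for serialization), sketched as an added example. This is not webauthn-rs source: `generate`, `to_hex`, `CHALLENGE_LEN`, the module-private field and the use of `/dev/urandom` are assumptions made so the block runs with only the standard library.

```rust
// Added illustration, not webauthn-rs source. Everything except the name
// `Challenge`, its tuple field and `new` is a hypothetical stand-in.
mod challenge {
    use std::fs::File;
    use std::io::{self, Read};

    pub const CHALLENGE_LEN: usize = 32; // assumed length for this sketch

    /// Private field: outside this module neither `.0` nor `Challenge(..)` compiles.
    #[derive(Debug, Clone, PartialEq, Eq)]
    pub struct Challenge(Vec<u8>);

    impl Challenge {
        /// Crate-internal only, e.g. to rebuild a challenge from stored state.
        pub(crate) fn new(bytes: Vec<u8>) -> Self {
            Challenge(bytes)
        }

        /// The public way to obtain a challenge: fresh random bytes.
        pub fn generate() -> io::Result<Self> {
            let mut buf = vec![0u8; CHALLENGE_LEN];
            // Assumption: the OS random device stands in for a CSPRNG crate.
            File::open("/dev/urandom")?.read_exact(&mut buf)?;
            Ok(Challenge(buf))
        }
    }

    /// Read-only view, so callers can still serialize the bytes.
    impl AsRef<[u8]> for Challenge {
        fn as_ref(&self) -> &[u8] {
            &self.0
        }
    }
}

use challenge::Challenge;

/// Serialization outside the module needs only the read-only view.
fn to_hex(c: &Challenge) -> String {
    c.as_ref().iter().map(|b| format!("{:02x}", b)).collect()
}

fn main() -> std::io::Result<()> {
    let c = Challenge::generate()?;
    let restored = Challenge::new(c.as_ref().to_vec()); // allowed: same crate
    assert_eq!(restored, c);
    println!("challenge = {}", to_hex(&c));
    Ok(())
}
```

From a dependent crate, `Challenge::new(..)` is rejected at compile time, so downstream code can read and serialize a challenge but cannot place chosen bytes in one.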