
webauthn-helper's People

Contributors

claudiodekker, dependabot[bot], euregan, philetaylor, spomky


webauthn-helper's Issues

Invalid Base 64 Url Safe character.

On login recently I'm getting errors about Invalid Base 64 Url Safe character.

Note the issue is intermittent because not every string encoded by this lib will result in a string with banned chars in it. The example below is a good example where each string ends in a = which is invalid for a base64url

This was all working well, until a few days ago when one of the web-auth libs upgraded.

On inspecting the signed request I note that the values are base64 encoded and not base64url encoded... (evidenced by appended equals signs which are invalid for base64url encoded)

    {
        "id": "QRX-uGMoPEsiIY_OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW-BDTEBigv5d-LpQ",
        "rawId": "QRX+uGMoPEsiIY/OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW+BDTEBigv5d+LpQ==",
        "response": {
            "authenticatorData": "d2m7v2nZjBFAnawAPbcoXuOsb/WObPUBvBxuOGBMcocFAAACVQ==",
            "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoidklvOEt5N01QVlg1TkUwTmlQakVMbUhYT0doeTh0eW1JSVcxN2JZSWFWQSIsIm9yaWdpbiI6Imh0dHBzOi8vbWFuYWdlLm15c2l0ZXMuZ3VydSIsImNyb3NzT3JpZ2luIjpmYWxzZX0=",
            "signature": "MEUCIQCnmDWCDjxYP+O5VtFfREj0A0rA6ALmWJwtPq6MTiX/TgIgfbhYLU/VYGJmSannRdfsfj2DPkhkeDvbcXHYphchPZM=",
            "userHandle": ""
        },
        "type": "public-key"
    }

If I manually convert those from base64 to base64url then the exception is resolved and I can login again.

I think the problem might be this comment being incorrect:

// Converts an array of bytes into a Base64Url string

https://github.com/web-auth/webauthn-helper/blob/e30930982857d9b57f188878cb1a53e3e771e099/src/common.js#L36-37

According to https://developer.mozilla.org/en-US/docs/Web/API/btoa

The btoa() method creates a [Base64](https://developer.mozilla.org/en-US/docs/Glossary/Base64)-encoded ASCII string from a binary string

That to me sounds like a base64 and not a base64url, despite the comment telling me that it should return a base64url.

My stack is Symfony 6.1 with

    web-auth/cose-lib: v4.0.6
    web-auth/metadata-service: 4.1.2
    web-auth/webauthn-lib: 4.1.2
    web-auth/webauthn-symfony-bundle: 4.1.2
    web-token/jwt-core: 3.1.1
    web-token/jwt-signature: 3.1.1

Sentry.io Stack Trace for reference https://sentry.io/share/issue/e173edee1abc4c6693ef24ee8a68644e/ (click FULL once page loaded)
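The difference the issue above describes, as an added example (not code from the issue or from webauthn-helper): `btoa()` output only becomes base64url once `+` and `/` are swapped for `-` and `_` and the `=` padding is dropped. The function names are hypothetical, and the strict decoder is an assumption about how a base64url-only server decoder behaves; the `issueId` and `issueRawId` values are copied from the request shown in the issue.

```javascript
// Added example. btoa()/atob() are browser globals (also global in Node 16+).

// Encode raw bytes as base64url: standard base64 from btoa(), then replace
// the two characters that differ between the alphabets and strip padding.
function bytesToBase64Url(bytes) {
  let binary = '';
  for (const b of new Uint8Array(bytes)) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Convert an already-encoded standard base64 string to base64url.
function base64ToBase64Url(s) {
  return s.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Strict validation (assumed server behaviour): URL-safe alphabet only,
// no '=' padding, and a length that can actually encode whole bytes.
function isStrictBase64Url(s) {
  return /^[A-Za-z0-9_-]*$/.test(s) && s.length % 4 !== 1;
}

// Strict decoder: rejects standard base64 instead of silently accepting it.
function base64UrlToBytes(s) {
  if (!isStrictBase64Url(s)) {
    throw new Error('Invalid Base 64 Url Safe character');
  }
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Values taken from the request in the issue.
const issueId =
  'QRX-uGMoPEsiIY_OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW-BDTEBigv5d-LpQ';
const issueRawId =
  'QRX+uGMoPEsiIY/OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW+BDTEBigv5d+LpQ==';

console.log(isStrictBase64Url(issueRawId));               // rawId as sent
console.log(base64ToBase64Url(issueRawId) === issueId);   // after conversion
```

The bytes `0xfb 0xff` make the intermittency visible: they encode to `+/8=` in base64 and `-_8` in base64url, while inputs whose encoding happens to contain none of `+`, `/` or `=` pass a strict decoder unchanged.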

That's not an issue, but I need to ask

Hi

How can I debug the optionsUrl result? I want to get the rp object data to make some indication on the site when that is ready.

.then(result) does not show the optionsUrl data.

Add error reporting on useRegistration

There is currently error reporting on actionResponse but not on optionsResponse.

Please add code like below.

    if (!optionsResponse.ok) {
        throw json;
    }

    const useRegistration = ({actionUrl = '/register', actionHeader = {}, optionsUrl = '/register/options'}, optionsHeader = {}) => {
        return async (data) => {
            const optionsResponse = await fetchEndpoint(data, optionsUrl, optionsHeader);
            const json = await optionsResponse.json();
            // Proposed addition: surface the server's error body when the options request fails
            if (!optionsResponse.ok) {
                throw json;
            }
            const publicKey = preparePublicKeyOptions(json);
            const credentials = await navigator.credentials.create({publicKey});
            const publicKeyCredential = preparePublicKeyCredentials(credentials);
            const actionResponse = await fetchEndpoint(publicKeyCredential, actionUrl, actionHeader);
            // Existing check on the registration (action) request
            if (!actionResponse.ok) {
                throw actionResponse;
            }
            const responseBody = await actionResponse.text();

            return responseBody !== '' ? JSON.parse(responseBody) : responseBody;
        };
    };

[Bug] Empty responses throw error

If a response with no content is returned (like a 204), the script throws an error.

This is mainly due to parsing the JSON data of the response which is non-existent, I believe.

Adding a build

Hello,
Is there any plan to add a build to this lib? This would allow easier usage of it, since it's bad practice to build external dependencies. I can submit a PR if you want
