webauthn_components
webauthn_components copied to clipboard
liveshowy
[BUG] - Value of form input for email is over-trusted
Description
The handle_info of :registration_successful trusts the assigned form value of the email. The email could be changed during the WebAuthn flow.
Steps To Reproduce
Steps to reproduce the behavior:
- Visit http://localhost:4000/sign-in
- Enter
[email protected]into the email input. - In console, run this JS:
function changeEmail() {
var emailInput = document.getElementById("email")
emailInput.value = "[email protected]";
emailInput.dispatchEvent(new Event("input", {bubbles: true}))
}
setTimeout(changeEmail, 10000);
- Click "Sign Up".
- Wait at most 10 seconds for the email input to change (because of JS from step 3).
- Complete the sign up flow successfully.
Expected behavior
The difference in the form email and the email of the created passkey should cause user creation to fail.
Suggestion
Pass the email back as part of the :registration_successful payload and check that the form email matches exactly.
I do not think this is a realistic attack vector for any serious system. Email confirmation should be done after creating the passkey.
I see what's happening here. The email field from the form is being read when :registration_successful is received, where it should be taking the value from the @webauthn_user assign or possibly a separate assign.
It may also be preferable to remove the email form field when the registration starts so it can't be modified. That may lead to a bit of rethinking the design of the authentication_live.ex template used by the code generator. 🤔
Good catch! I will consider breaking up the form into a multistep process, which will probably affect the way the component works as well.