Invalid `user.id` length for passkeys handlers
Environment
SaaS (https://sentry.io/)
Steps to Reproduce
- Having a passkeys manager running (e.g. a password manager)
- Being authenticated on Sentry
- Go to the U2F page https://sentry.io/settings/account/security/mfa/u2f/enroll/
Expected Result
The whole enrollment to run without issues and the key challenge to be accepted.
The user.id standard to be respected
- https://w3c.github.io/webauthn/#dom-publickeycredentialuserentity-id
- https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/create#id_5
Actual Result
The interface shows an error.
The passkeys manager receives an incorrect user.id length.
The password manager logs an error.
[Fido2Client] Invalid 'user.id' length: oWlwdWJsaWNLZXmmYnJwomJpZGlzZW50c[truncated] (589)
Ref: https://github.com/bitwarden/clients/issues/8756
I tried to dig in where the wrong length was created, but it seems to be generated the correct way:
https://github.com/getsentry/sentry/blob/9d2044811ebac0d3412a57cb755c79d650fd8668/src/sentry/auth/authenticators/u2f.py#L111
Some ideas:
- Fido2 Server is re-processing the user.id
- There is a mismatch in the encoding/decoding somewhere, possibly while the data transited on the frontend React page.
Product Area
Settings - Auth
Link
https://sentry.io/settings/account/security/mfa/u2f/enroll/
DSN
No response
Version
No response
Assigning to @getsentry/support for routing ⏲️
Routing to @getsentry/product-owners-settings-auth for triage ⏲️
We're looking into this. Thanks for the detailed bug report!
@LeoColomb
I'm able to recreate this using the Bitwarden Browser Extension 2024.4.2 and Chrome 124.0.6367.156. I don't receive a prompt from Bitwarden to set up a passkey. Is this what you're experiencing? Could you share your extension and browser versions?
Interestingly, I cannot recreate this using 1Password. It successfully prompts to create a new passkey and registers it fine.
@mdtro Good to know! I don't think the version numbers are going to explain anything: I've tried with 3 different browsers (Chrome, Firefox, Brave), with different versions (I'm facing this issue for half a year at least). Same for Bitwarden. In any case, the latest versions are affected.
The prompt is not shown because of the error reported by Bitwarden's background script.
@mdtro After further investigation, it appears that the user.id provided is actually the challenge data encoded with CBOR+base64.
The user.id inside that data is the valid one.
@LeoColomb Good catch! Our backend API returns this in a JSON response to a GET on /api/0/users/me/authenticators/u2f/enroll/.
{
    ...
    "challenge": {
        "webAuthnRegisterData": "<encoded data>"
    }
}
@leedongwei I'm not great with the frontend code. Is it possible we are decoding this incorrectly and putting the wrong values in user.id? Or is this an issue with the BitWarden client/extension?
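To make the decoding step discussed in the two comments above concrete, here is an added Python example (not Sentry's or Bitwarden's code) that parses a constructed webAuthnRegisterData value of the described shape (base64 over CBOR, with the real user.id nested under publicKey.user.id) and applies the WebAuthn 1..64-byte bound on user.id that the password manager enforced; the CBOR key layout, the sample relying party and the sample user values are assumptions.

```python
import base64
MAX_USER_ID_BYTES = 64  # WebAuthn: PublicKeyCredentialUserEntity.id is 1..64 bytes

def cbor_decode(data: bytes, pos: int = 0):
    # Minimal CBOR decoder (uints, byte/text strings, arrays, maps) -> (value, next_pos)
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        n = info
    elif info in (24, 25, 26):
        width = {24: 1, 25: 2, 26: 4}[info]
        n = int.from_bytes(data[pos:pos + width], "big")
        pos += width
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0:
        return n, pos
    if major in (2, 3):
        chunk = data[pos:pos + n]
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + n
    if major in (4, 5):
        out = [] if major == 4 else {}
        for _ in range(n):
            k, pos = cbor_decode(data, pos)
            if major == 4:
                out.append(k)
            else:
                v, pos = cbor_decode(data, pos)
                out[k] = v
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def check_user_id(user_id: bytes) -> str:
    # The same bound the reporter's password manager enforced before refusing the enrollment
    if not user_id:
        return "empty"
    if len(user_id) > MAX_USER_ID_BYTES:
        return "too long (%d bytes)" % len(user_id)
    return "ok"

def user_id_from_register_data(b64: str) -> bytes:
    # Decode webAuthnRegisterData (base64 over CBOR) and return the user.id nested inside
    options, _ = cbor_decode(base64.b64decode(b64 + "=" * (-len(b64) % 4)))
    return options["publicKey"]["user"]["id"]

# Constructed sample (assumed layout, not Sentry's real payload): CBOR for
# {"publicKey": {"rp": {"id": "sentry.io"}, "user": {"id": <16 bytes>, "name": "alice"}}}
SAMPLE_OPTIONS = (b"\xa1\x69publicKey" b"\xa2\x62rp\xa1\x62id\x69sentry.io"
                  b"\x64user\xa2\x62id\x50" + bytes(range(16)) + b"\x64name\x65alice")
SAMPLE_REGISTER_DATA = base64.b64encode(SAMPLE_OPTIONS).decode()
```

Passing the whole base64 string as user.id (what the report's error line shows) fails the length check, while the nested value extracted from the decoded options passes it.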
@mdtro @leedongwei If I may, is there any other data/info I can provide to help?
We need to schedule the work but there are competing priorities. I'll try my best to get someone to address it this month.
Closing as an issue on Bitwarden side.