
decodeNoPadding() doesn't tolerate padding

Open Nevercold opened this issue 2 years ago • 4 comments

Hey,

After upgrading from 4.0.5 to 4.2.0, I get the following error during password read login

decodeNoPadding() doesn't tolerate padding

what can I do about it?

Full Error: https://gist.github.com/Nevercold/fcb84bde9203ca85adfaf3f402337790

Nevercold avatar Sep 18 '22 09:09 Nevercold

Code: https://gist.github.com/Nevercold/86e951e63f3932790ef8f461f3b49de5

Nevercold avatar Sep 18 '22 09:09 Nevercold

Hi,

Starting with v4.1.0, this framework is fully in line with the WebAuthn specification. If it does not tolerate the padding, this is because the specification and the compliance test tool provided by the FIDO Alliance do not tolerate it either. See https://www.w3.org/TR/webauthn-2/#sctn-dependencies:

The term Base64url Encoding refers to the base64 encoding using the URL- and filename-safe character set defined in Section 5 of [RFC4648], with all trailing '=' characters omitted (as permitted by Section 3.2) and without the inclusion of any line breaks, whitespace, or other additional characters.

I am sorry if sticking to the specification requirements induces breaks for clients, but it seems complicated to go back. What I suggest for the moment is to

  • prevent the installation of the v4.1+
  • start fixing base64 encoding on client/server side
  • update to the newer versions

Note that as per the security policy, the version 4.0.x will also receive patches if any.

Spomky avatar Sep 18 '22 15:09 Spomky
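
The strict no-padding rule quoted above, as an added JavaScript example that is not part of the original thread or of webauthn-framework: an encoder that emits unpadded base64url, a decoder that rejects padded input instead of repairing it, and a helper for normalising values produced by an older client. The function names and the sample credential ID are assumptions made for illustration.

```javascript
// Added example: all names below are hypothetical, not webauthn-framework APIs.
const B64URL_NOPAD = /^[A-Za-z0-9_-]*$/;

// Encode bytes as base64url with all trailing '=' omitted (WebAuthn's definition).
function toBase64UrlNoPad(bytes) {
  let bin = '';
  for (const b of new Uint8Array(bytes)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Strict decode: reject padding, standard-alphabet characters, whitespace and
// impossible lengths instead of silently repairing them.
function decodeBase64UrlNoPad(text) {
  if (typeof text !== 'string') throw new TypeError('expected a string');
  if (text.includes('=')) throw new Error('padding is not tolerated');
  if (!B64URL_NOPAD.test(text)) throw new Error('invalid base64url character');
  if (text.length % 4 === 1) throw new Error('invalid base64url length');
  const b64 = text.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
  const out = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  // Reject non-canonical input whose unused trailing bits are not zero.
  if (toBase64UrlNoPad(out) !== text) throw new Error('non-canonical encoding');
  return out;
}

// Migration helper for values stored or sent by an older client: convert padded
// standard base64 or padded base64url into the unpadded base64url form.
function normalizeLegacy(text) {
  return text.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample: a 16-byte credential ID (not taken from the issue).
const sampleId = Uint8Array.from({ length: 16 }, (_, i) => 0xf0 + i);
```

Normalising on the client before sending keeps the server-side decoder strict, so two different strings can never decode to the same credential ID.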

Hey,

I have looked a bit, and do not quite understand where I have the error. Is it possible that you tell me where the error might lie?

Code: https://gist.github.com/Nevercold/86e951e63f3932790ef8f461f3b49de5

Nevercold avatar Oct 06 '22 13:10 Nevercold

Okay, never mind.

I fixed the padding thing. I am now on 4.3.0 and it works. However, I still have one problem: When I use the PublicKeyCredentialRequestOptions ->allowCredentials(...$allowedCredentials), I get the error: "The credential ID is not allowed." Although when debugging it outputs exactly the same ID as saved, and without this it works.

Nevercold avatar Oct 07 '22 19:10 Nevercold

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Nov 13 '22 14:11 stale[bot]

Reopen

Nevercold avatar Nov 13 '22 14:11 Nevercold

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jan 08 '23 01:01 stale[bot]

Were you able to fix this? I'm getting the same error.

Using https://github.com/web-auth/webauthn-helper

rochamarcelo avatar Jan 18 '23 19:01 rochamarcelo

Hi,

There is nothing to fix here. The problems are from the web-auth/webauthn-helper, which is now deprecated. I highly recommend the use of @simplewebauthn/browser, which is maintained and fully compliant with the specification. Also, it provides lots of nice features and is easy to use.

Spomky avatar Jan 22 '23 19:01 Spomky

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions[bot] avatar Sep 09 '23 00:09 github-actions[bot]