
[Bug] | Passkey Creation - Unable to register

Open upstreamsea opened this issue 1 year ago • 6 comments

Are you using the latest release?

  • [X] Yes, I am using the latest release.

Have you checked a bug report doesn't already exist?

  • [X] Yes, I have checked the existing bug reports.

What happened?

Whenever trying to add a passkey, 2 errors are returned:

  • Unexpected RP ID hash
  • InvalidRegistrationResponse

This issue happens on all devices, and occurs on the latest versions of Chrome, Edge, and Safari.

Virtualisation

Docker

What operating system are you seeing the problem on?

Linux

What browsers are you seeing the problem on?

Chrome, Safari, Microsoft Edge

Project Location

Local

Bug Description

Unable to create Passkey, results in error.

Steps to Reproduce

No response

Relevant Log Output

"GET /api/mfa/registration HTTP/1.1" 200 461 "https://join.tl8.org/admin/settings/mfa"
20:29:58 INFO 127.0.0.1 - - [2024-03-23 20:29:58] "GET /api/mfa/registration HTTP/1.0" 200 704 0.072868
[2024-03-23 20:30:00,296] ERROR in app: Exception on /api/mfa/registration [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_restx/api.py", line 404, in wrapper
    resp = resource(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_restx/resource.py", line 46, in dispatch_request
    resp = meth(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_jwt_extended/view_decorators.py", line 170, in decorator
    return current_app.ensure_sync(fn)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/wizarr/backend/api/routes/mfa_api.py", line 258, in post
    verified_credential = verify_registration_response(
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/webauthn/registration/verify_registration_response.py", line 163, in verify_registration_response
    raise InvalidRegistrationResponse("Unexpected RP ID hash")
webauthn.helpers.exceptions.InvalidRegistrationResponse: Unexpected RP ID hash
20:30:00 ERROR Exception on /api/mfa/registration [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_restx/api.py", line 404, in wrapper
    resp = resource(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_restx/resource.py", line 46, in dispatch_request
    resp = meth(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_jwt_extended/view_decorators.py", line 170, in decorator
    return current_app.ensure_sync(fn)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/wizarr/backend/api/routes/mfa_api.py", line 258, in post
    verified_credential = verify_registration_response(
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/webauthn/registration/verify_registration_response.py", line 163, in verify_registration_response
    raise InvalidRegistrationResponse("Unexpected RP ID hash")
webauthn.helpers.exceptions.InvalidRegistrationResponse: Unexpected RP ID hash
"POST /api/mfa/registration HTTP/1.1" 500 124 "https://join.tl8.org/admin/settings/mfa"
20:30:00 INFO 127.0.0.1 - - [2024-03-23 20:30:00] "POST /api/mfa/registration HTTP/1.0" 500 386 0.032193

upstreamsea commented Mar 24 '24 01:03

Just confirming if this issue is fixed or still exists? I am having the same issue and my setup/errors match yours.

WeetbixNMilk commented May 21 '24 11:05

Same issue.

ecapuano commented Sep 27 '24 16:09

I modified the API at "/wizarr/backend/api/routes/mfa_api.py" to fix the RP_ID error.

I am not a Python expert; I relied quite a bit on ChatGPT, but this could already be a lead for a future correction:

Definition of the RP_ID and RP_ORIGIN constants:

RP_ID = "wizarr.domaine.tld"
RP_ORIGIN = "https://wizarr.domaine.tld"

Using Constants in MFARegisterAPI.get

Using RP ID and RP ORIGIN Constants

rp_id = RP_ID
rp_name = "Wizarr"
user_id = str(current_user["id"])
user_name = str(current_user["username"])

Instead of deriving rp_id dynamically from the headers, it is now fixed to RP_ID.

Verifying the Registration Response with Constants

verified_credential = verify_registration_response(
    credential=RegistrationCredential.parse_raw(credential),
    expected_challenge=registration_options.challenge,
    expected_rp_id=RP_ID,  # Use the defined RP ID
    expected_origin=RP_ORIGIN  # Use the defined origin
)

This ensures that the verification always uses the correct RP ID and origin.

Using Constants in MFAAuthenticateAPI

Using RP ID and RP ORIGIN Constants

rp_id = RP_ID

Similarly, during authentication, the RP ID and origin are set to constant values.

Exception Handling with Logs

except InvalidRegistrationResponse as e:
    info(f"Error during MFA registration: {str(e)}")
    return {"message": "Invalid registration response"}, 400

Code:

https://memos.cous.re/m/WyAN2h2eiiKBA6wSJw5zUg

There is also a flaw in the connection; you need to enter the login to use the passkey. Ideally, it should be possible to use the passkey without having to enter the login, and even better, to disable the login in favor of the passkey.


And it works when I enter the login:


Cousclou commented Oct 04 '24 21:10
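The check behind "Unexpected RP ID hash" and the RP_ID / RP_ORIGIN pinning described in the comment above, as an added example that is not wizarr's or the commenter's code: it splits the fixed prefix of authenticatorData (rpIdHash, flags, signCount) and mirrors the SHA-256 comparison the webauthn library in the traceback performs, which shows why an RP ID derived from the request host behind a Docker proxy (127.0.0.1, localhost) can never match the RP ID the browser used. The domain names and hosts are constructed samples, and origin_is_valid_for_rp_id is an assumed simplification of the WebAuthn registrable-suffix rule.

```python
import hashlib
import struct
from urllib.parse import urlsplit

# authenticatorData prefix: rpIdHash[32] | flags[1] | signCount[4] (big-endian)
RP_ID_HASH_LEN = 32
AUTH_DATA_MIN_LEN = 37


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed-size prefix of authenticatorData into its fields."""
    if len(auth_data) < AUTH_DATA_MIN_LEN:
        raise ValueError("authenticatorData too short")
    flags = auth_data[RP_ID_HASH_LEN]
    (sign_count,) = struct.unpack(">I", auth_data[RP_ID_HASH_LEN + 1:AUTH_DATA_MIN_LEN])
    return {
        "rp_id_hash": auth_data[:RP_ID_HASH_LEN],
        "user_present": bool(flags & 0x01),   # UP bit
        "user_verified": bool(flags & 0x04),  # UV bit
        "sign_count": sign_count,
    }


def rp_id_hash_matches(auth_data: bytes, expected_rp_id: str) -> bool:
    """The server's expected RP ID, hashed, must equal the hash the authenticator
    baked into auth_data; a mismatch is what raises 'Unexpected RP ID hash'."""
    expected = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    return parse_authenticator_data(auth_data)["rp_id_hash"] == expected


def origin_is_valid_for_rp_id(origin: str, rp_id: str) -> bool:
    """Assumed simplification: an https origin may use an RP ID equal to its
    host or a suffix of it, so RP_ORIGIN and RP_ID must be pinned consistently."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return host == rp_id.lower() or host.endswith("." + rp_id.lower())


def make_auth_data(rp_id: str, flags: int = 0x45, sign_count: int = 0) -> bytes:
    """Constructed sample authenticatorData, as a browser produces for rp.id=rp_id."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    # Browser registered against the public name; the server behind the proxy
    # derived rp_id from the request host instead (constructed values).
    auth_data = make_auth_data("wizarr.domaine.tld")
    for derived in ("127.0.0.1", "localhost", "wizarr.domaine.tld"):
        print(f"expected_rp_id={derived!r}: match={rp_id_hash_matches(auth_data, derived)}")
```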

I'm not even able to register for a passkey; it seems to think Safari and Edge don't support them despite being able to.

salty2011 commented Nov 19 '24 10:11

Just wanted to comment that this is still an issue. I have tried both Firefox and Chrome and received the same errors as OP.

mcreekmore commented Jan 24 '25 18:01

I am experiencing this issue as the OP has stated. The logs are exactly the same in my logs as what is posted inside the bug. Any update on this?

lordvon01 commented Mar 01 '25 02:03