From cfab865c1d448541cf8b3c69f4f18ce53e3e3f6d Mon Sep 17 00:00:00 2001
From: Gregory Letellier
Date: Fri, 2 Feb 2024 09:43:38 +0100
Subject: [PATCH] Fix userHandle null, and force using security key when windows hello is activated in windows

---
 resources/js/webauthn.js | 2 +-
 src/Assertion/Creator/Pipes/AddConfiguration.php | 2 +-
 src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php | 5 +++++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/resources/js/webauthn.js b/resources/js/webauthn.js
index 74c4e02..c8adaab 100644
--- a/resources/js/webauthn.js
+++ b/resources/js/webauthn.js
@@ -269,7 +269,7 @@ class WebAuthn {
 ]
 .filter(key => key in credentials.response)
 .forEach(key => parseCredentials.response[key] = WebAuthn.#arrayToBase64String(credentials.response[key]));
-
+parseCredentials.response['userId'] = credentials.id;
 return parseCredentials;
 }
 
diff --git a/src/Assertion/Creator/Pipes/AddConfiguration.php b/src/Assertion/Creator/Pipes/AddConfiguration.php
index 77d819c..2dff4f8 100644
--- a/src/Assertion/Creator/Pipes/AddConfiguration.php
+++ b/src/Assertion/Creator/Pipes/AddConfiguration.php
@@ -28,7 +28,7 @@ class AddConfiguration
 public function handle(AssertionCreation $assertion, Closure $next): mixed
 {
 $assertion->json->set('timeout', $this->config->get('webauthn.challenge.timeout') * 1000);
-
+$assertion->json->set('hints', ['security-key']); // Force security proposal for windows 10 and prevent Windows Hello
 return $next($assertion);
 }
 }
diff --git a/src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php b/src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php
index cd56e32..2603a88 100644
--- a/src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php
+++ b/src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php
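Review bot: `parseCredentials.response['userId'] = credentials.id` stores the credential ID under a name that reads as a user identifier, and it is a value this page script computes rather than anything the authenticator returned inside `response`; the server side in CheckCredentialIsForUser (third hunk) then treats its presence as a reason to skip a check, so the name actively misleads. If the server only needs to know that no `userHandle` came back, that is already visible from `response.userHandle` being absent, since the `.filter(key => key in credentials.response)` above drops keys the authenticator did not return, and the credential ID is presumably already sent as the top-level `id`/`rawId` (not visible in this hunk). I would drop the added line; if a marker is really wanted, name it for what it is and say so: `parseCredentials.response['credentialId'] = credentials.id; // same as id above; not a user identifier and not authenticator-signed`. The enclosing method starts before the hunk.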
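Review bot: `$assertion->json->set('hints', ['security-key'])` hard-codes a client hint for every assertion, which steers all browsers away from platform authenticators (Windows Hello, Touch ID, phone passkeys) for every deployment, not only Windows 10, and `hints` is advisory (user agents may ignore it), so the comment's claim that it "prevents" Windows Hello overstates what it does and it must not be relied on as a control. Read it from configuration like the timeout on the previous line so deployments opt in, e.g. `$assertion->json->set('hints', $this->config->get('webauthn.hints', []));` (`webauthn.hints` being a new config entry, name is a suggestion), and reword the comment to `// Optional WebAuthn hints such as 'security-key'; browsers may ignore them.`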
@@ -71,6 +71,11 @@ class CheckCredentialIsForUser
 protected function validateId(AssertionValidation $validation): void
 {
 $handle = $validation->request->json('response.userHandle');
+$userId = $validation->request->json('response.userId');
+
+if(! $handle && $userId) {
+return;
+}
 
 if (! $handle || ! hash_equals(Uuid::fromString($validation->credential->user_id)->getHex()->toString(), $handle)) {
 throw AssertionException::make('User ID is not owner of the stored credential.');
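Review bot: The new early `return` in validateId skips the ownership check whenever `response.userHandle` is empty and `response.userId` is non-empty, but `response.userId` is written by the client script in this same commit (it is the credential ID) and is never signed by the authenticator, so a caller can omit `userHandle`, send any non-empty `userId`, and bypass the `hash_equals` comparison against the stored credential's `user_id` that the old code always enforced. A missing userHandle is legitimate for non-resident credentials, but the condition for accepting it has to come from the server, e.g. that the user was already identified when the assertion was created and the stored credential belongs to that user (whether `$validation` carries that identified user is not visible in this hunk, so confirm before relying on it), not from a client-supplied field. With such a server-side ownership check in place the early return reduces to `if ($handle === null) { return; }` and the `$userId` lookup goes away; separately, `if(! $handle` should be `if (! $handle` to match the following line.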