Fix null userHandle, and force use of a security key when Windows Hello is enabled on Windows

This commit is contained in:
Gregory Letellier
2024-02-02 09:43:38 +01:00
parent b421096758
commit cfab865c1d
3 changed files with 7 additions and 2 deletions


@@ -269,7 +269,7 @@ class WebAuthn {
] ]
.filter(key => key in credentials.response) .filter(key => key in credentials.response)
.forEach(key => parseCredentials.response[key] = WebAuthn.#arrayToBase64String(credentials.response[key])); .forEach(key => parseCredentials.response[key] = WebAuthn.#arrayToBase64String(credentials.response[key]));
parseCredentials.response['userId'] = credentials.id;
return parseCredentials; return parseCredentials;
} }
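Review bot: The value written to `parseCredentials.response['userId']` on the added line is `credentials.id`, i.e. the credential ID (the same value the object already carries as its own `id`), not an identifier of the user, so the key name is misleading and the field is wholly client-controlled. The server-side `CheckCredentialIsForUser` hunk on this page reads `response.userId` and returns early from the ownership check when `userHandle` is absent, which means any caller can omit `userHandle` and send this field to skip the check; the server should instead resolve the user from the already-loaded credential record and never treat this field as proof of ownership. If the field must be sent, rename it and say what it is: `// Windows Hello may return no userHandle; surface the credential id so the server can resolve the user from the stored credential` with `parseCredentials.response['credentialId'] = credentials.id;`. The enclosing method begins outside this hunk.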


@@ -28,7 +28,7 @@ class AddConfiguration
public function handle(AssertionCreation $assertion, Closure $next): mixed public function handle(AssertionCreation $assertion, Closure $next): mixed
{ {
$assertion->json->set('timeout', $this->config->get('webauthn.challenge.timeout') * 1000); $assertion->json->set('timeout', $this->config->get('webauthn.challenge.timeout') * 1000);
$assertion->json->set('hints', ['security-key']); // Force security proposal for windows 10 and prevent Windows Hello
return $next($assertion); return $next($assertion);
} }
} }
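Review bot: The added `$assertion->json->set('hints', ['security-key'])` applies unconditionally, so every browser on every platform is steered away from platform authenticators (Windows Hello, Touch ID, Android passkeys), not only the Windows 10 case named in the comment, and because `hints` is advisory under WebAuthn Level 3 a browser may ignore it, so it cannot be relied on to prevent a Windows Hello assertion. Make it opt-in from configuration rather than hard-coded: `$hints = $this->config->get('webauthn.hints', []);` followed by `if ($hints !== []) { $assertion->json->set('hints', $hints); }`. The comment should also say that this is a preference the user agent may disregard, so the server must still validate whatever authenticator responds.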


@@ -71,6 +71,11 @@ class CheckCredentialIsForUser
protected function validateId(AssertionValidation $validation): void protected function validateId(AssertionValidation $validation): void
{ {
$handle = $validation->request->json('response.userHandle'); $handle = $validation->request->json('response.userHandle');
$userId = $validation->request->json('response.userId');
if(! $handle && $userId) {
return;
}
if (! $handle || ! hash_equals(Uuid::fromString($validation->credential->user_id)->getHex()->toString(), $handle)) { if (! $handle || ! hash_equals(Uuid::fromString($validation->credential->user_id)->getHex()->toString(), $handle)) {
throw AssertionException::make('User ID is not owner of the stored credential.'); throw AssertionException::make('User ID is not owner of the stored credential.');