Fix userHandle null, and force using security key when windows hello is activated in windows

rename package
2024-02-02 09:43:38 +01:00 · 2024-02-01 19:00:44 +01:00
4 changed files with 13 additions and 3 deletions
--- a/composer.json
+++ b/composer.json
@@ -1,5 +1,5 @@
 {
-    "name": "laragear/webauthn",
+    "name": "kletellier/webauthn",
    "description": "Authenticate users with Passkeys: fingerprints, patterns and biometric data.",
    "type": "library",
    "license": "MIT",
@@ -25,6 +25,11 @@
            "email": "DarkGhostHunter@Gmail.com",
            "role": "Developer",
            "homepage": "https://github.com/sponsors/DarkGhostHunter"
+        },
+        {
+            "name": "Gregory Letellier",
+            "email": "register@gletellier.com",
+            "role": "Developer"
        }
    ],
    "support": {
--- a/resources/js/webauthn.js
+++ b/resources/js/webauthn.js
@@ -269,7 +269,7 @@ class WebAuthn {
        ]
            .filter(key => key in credentials.response)
            .forEach(key => parseCredentials.response[key] = WebAuthn.#arrayToBase64String(credentials.response[key]));
-
+        parseCredentials.response['userId'] = credentials.id;
        return parseCredentials;
    }

--- a/src/Assertion/Creator/Pipes/AddConfiguration.php
+++ b/src/Assertion/Creator/Pipes/AddConfiguration.php
@@ -28,7 +28,7 @@ class AddConfiguration
    public function handle(AssertionCreation $assertion, Closure $next): mixed
    {
        $assertion->json->set('timeout', $this->config->get('webauthn.challenge.timeout') * 1000);
-
+        $assertion->json->set('hints', ['security-key']); // Force security proposal for windows 10 and prevent Windows Hello
        return $next($assertion);
    }
 }
--- a/src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php
+++ b/src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php
@@ -71,6 +71,11 @@ class CheckCredentialIsForUser
    protected function validateId(AssertionValidation $validation): void
    {
        $handle = $validation->request->json('response.userHandle');
+        $userId = $validation->request->json('response.userId');
+
+        if(! $handle && $userId) {
+            return;
+        }

        if (! $handle || ! hash_equals(Uuid::fromString($validation->credential->user_id)->getHex()->toString(), $handle)) {
            throw AssertionException::make('User ID is not owner of the stored credential.');
Author	SHA1	Message	Date
Gregory Letellier	cfab865c1d	Fix userHandle null, and force using security key when windows hello is activated in windows	2024-02-02 09:43:38 +01:00
Kregs	b421096758	rename package	2024-02-01 19:00:44 +01:00