Closed mscansian closed 1 year ago
It looks like this is caused by a change in fido2 where the return value from Fido2Server.register_begin changed with version 1.1.0 from a Dict to a Dataclass.
You can probably verify by making sure that the underlying fido2 version is 1.0.0.
And this probably should be fixed by converting the dataclass to dictionary before encoding it.
This should be fixed once #182 is done.
Hello,
I'm getting an error when accessing the endpoint authentication/request/. I'm not sure if it's something in my code, but from the error and the code it seems that it's an issue with django-fido.
What is the error and why it's related to django-fido?
So the error I'm hitting when accessing the endpoint is this:
This error is caused by the django-fido calling JsonResponse and passing a non-dict to be encoded without the safe=True flag.
https://github.com/CZ-NIC/django-fido/blob/master/django_fido/views.py#L164
If we look at Django code, it seems that if we pass anything other than a dict without the flag we will get this exception.
https://github.com/django/django/blob/004f985b918d5ea36fbed9b050459dd22edaf396/django/http/response.py#L678
When it started happening?
This error started in version 1.0.0 and does not occur in version 0.42. It's easy to see why, since these lines were modified during the update and we started using a Django JSON encoder.
https://github.com/CZ-NIC/django-fido/compare/0.42...1.0.0#diff-918f1e7fc0ca9225c78224e07e38006adf5fedfa0cf3781ef9b5376dd7570239L166
What's the proposed solution?
I think the django-fido lib is misusing the Django JSON encoder. I would say we set safe=True but I'm not 100% confident we have not a single byte of user input in that variable that could cause a security issue. If you guys would help me understand this, I can gladly open a PR.
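The failure described in this issue and the fix suggested in the reply (convert the dataclass to a dictionary before encoding), as an added example that is not code from django-fido, fido2 or either poster. It uses only the standard library: `RegistrationOptions`, `render_json`, `to_payload` and the sample values are names and data constructed for illustration, and `render_json` only imitates the top-level dict check in the Django code linked above.

```python
import base64
import json
from dataclasses import asdict, dataclass, is_dataclass

@dataclass
class RegistrationOptions:
    """Constructed stand-in for a dataclass-style return value (hypothetical fields)."""
    challenge: bytes
    rp_id: str
    timeout_ms: int

class BytesEncoder(json.JSONEncoder):
    """Encode bytes as unpadded base64url text (an assumption made for this example)."""
    def default(self, o):
        if isinstance(o, (bytes, bytearray)):
            return base64.urlsafe_b64encode(bytes(o)).rstrip(b"=").decode("ascii")
        return super().default(o)

def render_json(data, safe=True):
    """Hypothetical stand-in for a JSON response: refuse non-dict top-level data while safe."""
    if safe and not isinstance(data, dict):
        raise TypeError("non-dict object passed while safe=True")
    return json.dumps(data, cls=BytesEncoder)

def to_payload(options):
    """Convert a dataclass instance to a dict; pass older dict-style values through."""
    if is_dataclass(options) and not isinstance(options, type):
        return asdict(options)
    return options

# Constructed sample value, not real WebAuthn data.
SAMPLE = RegistrationOptions(challenge=b"\x00\x01\x02\xff",
                             rp_id="example.test", timeout_ms=60000)

def broken_view():
    # The dataclass instance reaches the encoder unchanged: TypeError.
    return render_json(SAMPLE)

def fixed_view():
    # The top-level value is a dict again, so the check stays enabled.
    return render_json(to_payload(SAMPLE))

if __name__ == "__main__":
    try:
        broken_view()
    except TypeError as exc:
        print("before the conversion:", exc)
    print("after the conversion:", fixed_view())
```

With the conversion in place the response body is a JSON object at the top level, so the dict check does not have to be relaxed for this endpoint.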