Flask-Middleware / flask-security

Quick and simple security for Flask applications
MIT License

Discrepancy in webauthn.py Between GitHub Code and PyPI Package Causes Error with WebAuthn 2.0 #933

Closed level09 closed 4 months ago

level09 commented 4 months ago

Hello,

I've identified a specific code discrepancy in the webauthn.py file of the Flask-Security package between the version available on GitHub and the one published on PyPI. This discrepancy leads to compatibility issues with WebAuthn 2.0.

In the version installed via PyPI, the code segment within webauthn.py looks as follows:

ro = dict(
    challenge=challenge.encode(),
    rp_name=cv("WAN_RP_NAME"),
    rp_id=request.host.split(":")[0],
    user_id=current_user.fs_webauthn_user_handle,
    user_name=current_user.calc_username(),
    timeout=cv("WAN_REGISTER_TIMEOUT"),
    exclude_credentials=create_credential_list(
        current_user, ["first", "secondary"]
    ),
)

However, to ensure compatibility with WebAuthn 2.0, the user_id needs to be encoded, as shown below:

user_id=current_user.fs_webauthn_user_handle.encode(),

Without this modification, the following error is thrown when interacting with WebAuthn 2.0:

ValueError: user_id must be bytes

The issue can be fixed if you synchronize the GitHub code with PyPI.
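The following is an added illustration of the type requirement described in this issue; it is not code from Flask-Security or from the WebAuthn library. The `_check_user_id` function only stands in for the library-side check that produced the quoted error, `coerce_user_handle`, `rp_id_from_host` and `build_registration_options` are hypothetical helpers, and all sample values are constructed.

```python
"""Why the user_id handed to WebAuthn 2.0 registration options must be bytes,
and a defensive helper that normalises a stored user handle before the call.
Self-contained: the _check_user_id stand-in mimics the type check described
in the issue and is NOT the WebAuthn library's own code."""
from __future__ import annotations


def _check_user_id(user_id: object) -> None:
    # Stand-in for the library-side validation quoted in the issue
    # ("ValueError: user_id must be bytes"); not the library's code.
    if not isinstance(user_id, bytes):
        raise ValueError("user_id must be bytes")


def coerce_user_handle(handle: str | bytes) -> bytes:
    """Return the WebAuthn user handle as bytes.

    A text-typed user handle (as stored on the user model) must be encoded
    before it reaches the WebAuthn 2.0 API; accepting either form keeps the
    caller correct whichever type the model hands back. Hypothetical helper.
    """
    if isinstance(handle, bytes):
        return handle
    if isinstance(handle, str):
        return handle.encode("utf-8")
    raise TypeError(f"unsupported user handle type: {type(handle).__name__}")


def rp_id_from_host(host: str) -> str:
    """Strip an optional port from a Host header value, as the issue's
    snippet does with request.host.split(":")[0]. Hypothetical helper."""
    return host.split(":")[0]


def build_registration_options(user_handle: str | bytes, username: str,
                               host: str, rp_name: str, challenge: str) -> dict:
    """Assemble the keyword arguments in the shape of the issue's dict:
    challenge and user_id are bytes, the rest stay str. Hypothetical helper."""
    ro = dict(
        challenge=challenge.encode(),
        rp_name=rp_name,
        rp_id=rp_id_from_host(host),
        user_id=coerce_user_handle(user_handle),
        user_name=username,
    )
    _check_user_id(ro["user_id"])  # would raise if user_id were still str
    return ro


def reproduce_unencoded_error(user_handle: str) -> str:
    """Show the unpatched code path: passing the str handle straight through
    trips the bytes check. Returns the error message text."""
    try:
        _check_user_id(user_handle)
    except ValueError as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or hosts.
    opts = build_registration_options("user-handle-abc123", "alice",
                                      host="example.test:5000",
                                      rp_name="Example RP",
                                      challenge="constructed-challenge")
    print(opts["rp_id"], opts["user_id"])
    print(reproduce_unencoded_error("user-handle-abc123"))
```

The practical point is the `coerce_user_handle` step: encoding at the boundary makes the registration call indifferent to whether the stored handle comes back as `str` or `bytes`, so the `ValueError` cannot recur if the column type changes again.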

jwag956 commented 4 months ago

Release 5.4.0 has been published.