Laragear / WebAuthn

Authenticate users with Passkeys: fingerprints, patterns and biometric data.
MIT License

[1.0] WebAuthn().register() throw 403 error. #46

Closed tobz-nz closed 1 year ago

tobz-nz commented 1 year ago

PHP & Platform

8.2.2

Database

No response

Laravel version

10.13.5

Expectation

When calling new WebAuthn().register() the request to /webauthn/register/options should succeed.

Description

But it does not:

[screenshot: the request to /webauthn/register/options returns a 403]

Reproduction

On a Fresh install,

update vite.config.js

-input: ['resources/css/app.css', 'resources/js/app.js'],
+input: ['resources/css/app.css', 'resources/js/app.js', 'resources/js/webauthn/webauthn.js'],
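Review bot: the entry added to `input` here is `resources/js/webauthn/webauthn.js`, but the page's `<script>` tag below references `resources/js/vendor/webauthn/webauthn.js`; Vite only emits manifest entries for the paths listed in `input`, so `Vite::asset()` cannot resolve the second path from this build, and the two need to agree before the 403 on the options request can be isolated as a server-side problem.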

add WebAuthn::routes(); to routes/web.php,

then create a page like:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title></title>
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <link rel="preconnect" href="https://fonts.bunny.net">
    @vite('resources/js/app.js')
    <script src="{{ Vite::asset('/resources/js/vendor/webauthn/webauthn.js') }}"></script>
</head>
<body>
    <main>
        <form id="register-form">
            <button type="submit" value="Register authenticator">Register authenticator</button>
        </form>

<script>
// WebAuthn is the class exported by the package's webauthn.js loaded in <head>.
if (WebAuthn.doesntSupportWebAuthn()) {
    alert('Your device is not secure enough to use this site!');
}

const register = event => {
    event.preventDefault();

    // register() first POSTs to /webauthn/register/options; the 403 surfaces
    // in the catch handler, so log `error` there to see the actual response.
    new WebAuthn().register()
      .then(response => alert('Registration successful!'))
      .catch(error => alert('Something went wrong, try again!'));
};

document.getElementById('register-form').addEventListener('submit', register);
</script>

    </main>
</body>
</html>

load the page and click the button. 💥

Stack trace & logs

No response

tobz-nz commented 1 year ago

oh... is register() for existing logged-in users and login() for new users? That's ... confusing.

or have I got it wrong?

DarkGhostHunter commented 1 year ago

It's only for existing users. You can register them beforehand or even using the same data being sent as part of the Registration, using the provided tools.

Otherwise, the Attestation (registration of device) won't work because there is no User to link the public key.

tobz-nz commented 1 year ago

@DarkGhostHunter Sorry - really struggling to understand how this works - how would I create the user at the same time as registration?

DarkGhostHunter commented 1 year ago

Fetch the registration info in a separate form. Once it is created, albeit not confirmed, fetch the device registration.

This is an issue tracker btw, if you need help on that you're on the wrong track.
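The two-step flow the maintainer describes (create the User row first so there is something to link the public key to, authenticate that session, and only then let the browser call `new WebAuthn().register()`), as an added example that is not the package's or the reporter's own code. It assumes a stock Laravel 10 `App\Models\User` that already implements Laragear's `WebAuthnAuthenticatable` contract with the `WebAuthnAuthentication` trait, that `WebAuthn::routes()` is registered in `routes/web.php` as on the page, and that the `webAuthnCredentials()` relation the trait provides is available; the controller, route paths and field names are hypothetical.

```php
<?php
// app/Http/Controllers/SignupController.php (hypothetical name; added example)
//
// routes/web.php additions assumed by this example:
//   Route::post('/signup',         [SignupController::class, 'store'])->middleware(['guest', 'throttle:6,1']);
//   Route::post('/signup/confirm', [SignupController::class, 'confirm'])->middleware('auth');
// WebAuthn::routes() stays as on the page; its /webauthn/register/* endpoints
// act on the currently authenticated user, which is why step 1 must run first.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;

class SignupController extends Controller
{
    /**
     * Step 1: create the (unconfirmed) user from the plain signup form and
     * log the session in. After this returns 201 the browser runs the page's
     * `new WebAuthn().register()` call, which now has a user to attach to.
     */
    public function store(Request $request): JsonResponse
    {
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255', 'unique:users,email'],
        ]);

        $user = User::create([
            'name'  => $data['name'],
            'email' => $data['email'],
            // Passkey-only account: fill the NOT NULL password column with a
            // random value nobody knows, so password login is never possible.
            'password' => Hash::make(Str::random(64)),
            // email_verified_at stays null: the account is "not confirmed"
            // until a credential has actually been registered (step 2).
        ]);

        Auth::login($user);
        // Rotate the session id on privilege change to defeat session fixation.
        $request->session()->regenerate();

        return response()->json(['ok' => true], 201);
    }

    /**
     * Step 2: called by the client after register() resolved. Only mark the
     * account usable if the package really stored a credential for this user;
     * trust the database, not the client's claim of success.
     */
    public function confirm(Request $request): JsonResponse
    {
        $user = $request->user();

        // Assumed: relation provided by Laragear's WebAuthnAuthentication trait.
        if (! $user->webAuthnCredentials()->exists()) {
            return response()->json(['ok' => false, 'error' => 'no passkey registered'], 422);
        }

        // markEmailAsVerified() comes from Laravel's MustVerifyEmail trait,
        // which the default User base class already uses.
        if (! $user->hasVerifiedEmail()) {
            $user->markEmailAsVerified();
        }

        return response()->json(['ok' => true]);
    }
}
```

On the client, POST the signup form with `fetch()` and call `new WebAuthn().register()` exactly as in the page's snippet only inside that request's success handler, then POST to `/signup/confirm`. Users who abandon the flow between steps 1 and 2 are left as unconfirmed rows with no credential; a scheduled job that deletes users with `email_verified_at IS NULL` and no `webAuthnCredentials` older than a few minutes keeps the table clean and stops the guest-reachable `/signup` endpoint from being used to reserve email addresses.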