Laragear / WebAuthn

Authenticate users with Passkeys: fingerprints, patterns and biometric data.
MIT License

[3.x] FIX: userHandle compatibility between webauthn.js and Webpass #94

Closed Tugzrida closed 4 weeks ago

Tugzrida commented 4 weeks ago

Description

This fixes two bugs with compatibility of the userHandle parameter between the now-deprecated webauthn.js library and Webpass that I encountered when trying to upgrade my app from webauthn.js to Webpass. May be related to Laragear/webpass#16.

In order to clear the pathway for migration to Webpass, Webpass must also be updated to use SimpleWebAuthn/browser v10. I believe this should be a drop-in upgrade as the only change in that version is the handling of userHandle.

This update is now in https://github.com/Laragear/webpass/pull/18 and passes tests with no other changes as expected.

Details

The first fix is to normalise the user_id retrieved from the DB when a user creates additional credentials. Since #90 this is not strictly required; however, not normalising this value does cause an issue with the old webpass.js, and more than that, it's nice to be consistent.

The second fix will retain compatibility with credentials created with current versions of Webpass after it is updated to use SimpleWebAuthn v10. The old webauthn.js and SWA v10 use base64url on the userHandle and so are compatible, whereas SWA v9 uses TextEncoder, which just requires an additional base64 decode on the server side to obtain the original userHandle.
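The encoding mismatch described in the comment above, modelled as an added example that is not part of the pull request or of either library: it simulates what each client stores for `user.id` and what a base64url-encoding client later returns as `userHandle`, then normalises it on the server. The names `storedAtRegistration`, `sentAtLogin` and `normaliseUserHandle`, the 16-byte sample handle, and the compare-against-the-stored-handle strategy are assumptions made for illustration.

```javascript
// Constructed model of the client behaviour the PR describes, built on Node's
// Buffer. This is not code from webauthn.js, SimpleWebAuthn or Laragear.
const b64u = (buf) => Buffer.from(buf).toString('base64url');
const fromB64u = (str) => Buffer.from(str, 'base64url');

// Bytes the authenticator stores at registration, given the user.id string
// the server placed in the creation options.
const storedAtRegistration = {
  'webauthn.js': (userId) => fromB64u(userId),        // base64url-decodes
  'swa-v9': (userId) => Buffer.from(userId, 'utf8'),  // TextEncoder
  'swa-v10': (userId) => fromB64u(userId),            // base64url-decodes
};

// What a base64url-encoding client (webauthn.js, SWA v10) returns at login.
const sentAtLogin = (storedBytes) => b64u(storedBytes);

// Hypothetical server-side normaliser: decode once; if that does not match
// the handle on record, try one more base64url decode (the SWA v9 case).
// Anything that matches neither way is rejected rather than guessed at.
function normaliseUserHandle(received, expected) {
  const once = fromB64u(received);
  if (once.equals(expected)) return { handle: once, decodes: 1 };
  const twice = fromB64u(once.toString('utf8'));
  if (twice.equals(expected)) return { handle: twice, decodes: 2 };
  return null;
}

// Constructed sample: a 16-byte user handle and the string sent to clients.
const original = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
const userId = b64u(original);

// For each registering library, how many decodes recover the original handle.
function demo() {
  const out = {};
  for (const [lib, register] of Object.entries(storedAtRegistration)) {
    const result = normaliseUserHandle(sentAtLogin(register(userId)), original);
    out[lib] = result ? result.decodes : 0;
  }
  return out;
}

console.log(demo());
```

Only the credential registered through the TextEncoder path needs the second decode; the other two round-trip with one.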

sonarcloud[bot] commented 4 weeks ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code