MasterKale / SimpleWebAuthn

WebAuthn, Simplified. A collection of TypeScript-first libraries for simpler WebAuthn integration. Supports modern browsers, Node, Deno, and more.
https://simplewebauthn.dev
MIT License

"list" argument must be an Array of Buffers #110

Closed GagnDeep closed 3 years ago

GagnDeep commented 3 years ago

I was trying to use @simplewebauthn/server in Cloudflare Workers, but I am getting this error when verifying attestation:

TypeError: "list" argument must be an Array of Buffers
    at Function.a.concat (index.js:376)
    at Object.convertCOSEtoPKCS [as default] (convertCOSEtoPKCS.js:19)
    at Object.verifyAttestationPacked [as default] (verifyPacked.js:50)
    at verifyAttestationResponse (verifyAttestationResponse.js:166)

Cloudflare Workers provide access to most browser APIs, including the crypto API. Is it possible to run this package in Cloudflare Workers with browserifying?

MasterKale commented 3 years ago

@GagnDeep Can you provide an example of how you're calling verifyAttestationResponse, including the arguments you're feeding it?

GagnDeep commented 3 years ago

async function handleVerifyAttestation({attestationRes, user, rpID, expectedOrigin}) {
  const expectedChallenge = user.currentChallenge;
  try {
    const opts = {
      credential: attestationRes,
      expectedChallenge: `${expectedChallenge}`,
      expectedOrigin,
      expectedRPID: rpID
    };

    return await verifyAttestationResponse(opts);
  } catch (error) {
    throw error;
  }
}

Here attestationRes will be the response from calling startAttestation in the browser, similar to the example.

Here's a CodeSandbox link. The Worker I cannot share easily, but running it here provides an environment similar to what I have in the Worker. And here it also throws the same error: "list" argument must be an Array of Buffers

When running this example, just don't use the embedded browser. Click on "open in new tab" and open the console to see that error.

MasterKale commented 3 years ago

Thank you for providing the CodeSandbox. It appears this is an issue with attestation statement verification. The following direct attestations generate that error:

FIDO-U2F: SimpleWebAuthn debugger link

Packed: SimpleWebAuthn debugger link

I'll dig into this and report back :)

MasterKale commented 3 years ago

@GagnDeep I ran those two attestation responses through unit testing and they verified fine for me. Upon close examination of that CodeSandbox example, it appears to me that it's polyfilling enough of Node's APIs to mostly enable execution of @simplewebauthn/server in the browser. I hope you'll understand when I say that that's not a supported use case of that package - it's Node or nothing 😂

As for your Cloudflare Worker issue, I imagine your problem there is that Cloudflare Workers execute JavaScript in an environment that is more similar to browsers than Node. CF Workers and Node are both V8-powered, but offer separate collections of APIs and so are not equivalent runtime environments. The issue with "list" argument must be an Array of Buffers is probably somehow related to the fact that Buffer values, which @simplewebauthn/server makes extensive use of, are a NodeJS data type that browser-like runtime environments lack native support for.

Browser polyfills to support NodeJS Buffers exist, so there's a chance you could get something to work, but at this time this is not a supported use case of @simplewebauthn/server.
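
The stack trace in this thread fails at a `concat` call inside `convertCOSEtoPKCS`, the step that turns a COSE public key into a raw uncompressed EC point (`0x04 || x || y`). As an added example (not code from @simplewebauthn/server or from anyone in this thread), the same conversion can be written against `Uint8Array` only, so it does not depend on which Buffer implementation the runtime or a polyfill provides; the function names and the P-256-only restriction are assumptions made for illustration.

```javascript
// Added example: a runtime-agnostic COSE EC2 key -> raw point conversion.
// Hypothetical helper names; not the library's implementation.

// COSE key parameter labels and values for EC2 keys (RFC 8152 / RFC 9053).
const COSE_KTY = 1, COSE_CRV = -1, COSE_X = -2, COSE_Y = -3;
const KTY_EC2 = 2, CRV_P256 = 1;

// Accept any byte container a CBOR decoder might hand back (Uint8Array, Node
// Buffer, a polyfilled Buffer, ArrayBuffer, DataView) and return a Uint8Array.
function toBytes(value, label) {
  if (value instanceof ArrayBuffer) return new Uint8Array(value);
  if (ArrayBuffer.isView(value)) {
    return new Uint8Array(value.buffer, value.byteOffset, value.byteLength);
  }
  throw new TypeError(`${label} is not a byte array (got ${typeof value})`);
}

// Concatenate with typed arrays only, with no dependency on Buffer.concat.
function concatBytes(chunks) {
  const out = new Uint8Array(chunks.reduce((n, c) => n + c.length, 0));
  let offset = 0;
  for (const c of chunks) {
    out.set(c, offset);
    offset += c.length;
  }
  return out;
}

// coseKey: a Map produced by CBOR-decoding the credential public key.
function coseEC2ToRawPoint(coseKey) {
  if (coseKey.get(COSE_KTY) !== KTY_EC2 || coseKey.get(COSE_CRV) !== CRV_P256) {
    throw new Error('only EC2 keys on P-256 are handled in this example');
  }
  const x = toBytes(coseKey.get(COSE_X), 'x');
  const y = toBytes(coseKey.get(COSE_Y), 'y');
  // Reject malformed coordinates instead of emitting a point of the wrong size.
  if (x.length !== 32 || y.length !== 32) {
    throw new Error('P-256 coordinates must be 32 bytes each');
  }
  return concatBytes([Uint8Array.of(0x04), x, y]);
}
```

Normalizing at the boundary means a Node `Buffer`, a polyfilled Buffer and a plain `Uint8Array` are all treated the same, while anything that is not bytes fails with a clear error.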