search

MasterKale / SimpleWebAuthn

WebAuthn, Simplified. A collection of TypeScript-first libraries for simpler WebAuthn integration. Supports modern browsers, Node, Deno, and more.
https://simplewebauthn.dev
MIT License
1.62k stars 137 forks source link

Got errors from `startRegistration` with 1Password #438

Closed unix closed 1 year ago

unix commented 1 year ago

Describe the issue

With the latest version of 1Password, we are able to register and auth on passkey-enabled websites, here is an online example from google that works well with 1Password. (source code)

Icreated a simple example using SimpleWebAuthn, but ran into a different error:

HTTP

We can eventually complete startRegistration using a browser or other device, but it will throw an error (from 1Password).

https://github.com/MasterKale/SimpleWebAuthn/assets/11304944/18f19209-531b-4ed9-b853-0acb5c8b44c1

HTTPS

With HTTPS, we get an Illegal invocation error and the process is blocked.

https://github.com/MasterKale/SimpleWebAuthn/assets/11304944/3d5b1544-ec43-4abf-9615-6dcbc3564bbd

Reproduction Steps

I've provided an online sample project that replicates this issue: SimpleWebAuthn-1PD.

  1. Download 1Password & 1Password browser extension;
  2. Clone example: git clone https://github.com/unix/SimpleWebAuthn-1PD;
  3. Install deps: pnpm install;
  4. Run server: pnpm serve;
  5. Run web: pnpm dev.

We can switch HTTP or HTTPS in the vite.config.ts file to view the issue.

Expected behavior

Code Samples + WebAuthn Options and Responses

Dependencies

SimpleWebAuthn Libraries

├── @simplewebauthn/browser@8.0.2 -> ./node_modules/.pnpm/@simplewebauthn+browser@8.0.2/node_modules/@simplewebauthn/browser
├── @simplewebauthn/server@8.1.1 -> ./node_modules/.pnpm/@simplewebauthn+server@8.1.1/node_modules/@simplewebauthn/server

Additional context

According to my debugging results, the following lines of code are able to work if commented out, but I'm not sure if these methods are useful on different platforms, and for my project, commenting out these will make the example work correctly:

If the user doesn't need to choose the public key and algorithm, then adding a parameter as an escape route (ignoring these methods) is a good way to go? SimpleWebAuthn is terrific repository and I hope to use it in my own projects.

MasterKale commented 1 year ago

I took your repro repo out for a quick localhost test drive and once I updated the RP ID from "example.site" to "localhost" I was able to at least complete registration with both Chrome and iCloud Keychain passkeys both within Chrome Beta 118. As you can see at the start of this video, though, 1Password doesn't seem to like localhost...

https://github.com/MasterKale/SimpleWebAuthn/assets/5166470/a66ba74b-0b38-4784-a74d-a22f4829ebe6

Screenshot 2023-09-17 at 3 21 45 PM Screenshot 2023-09-17 at 3 21 36 PM

I'm having this same issue with the SimpleWebAuthn example site served at http://localhost:8000 - the example site works fine for the typical WebAuthn modal experience in Chrome with both Chrome's internal authenticator and its new-gained access to iCloud Keychain passkeys coming in Chrome 118.

The fact that 1Password cannot handle the same code is making me want to say it's something wrong with the 1Password extension.

I can test with a non-localhost domain over a proper https:// connection (using Let's Encrypt instead of your demo's use of mkcert) in the next couple of days to confirm my hunch.

unix commented 1 year ago

@MasterKale

I can test with a non-localhost domain over a proper https:// connection (using Let's Encrypt instead of your demo's use of mkcert) in the next couple of days to confirm my hunch.

I tried the test with a Cloudflare-generated certificate, and still have the same result in the demo

The fact that 1Password cannot handle the same code is making me want to say it's something wrong with the 1Password extension.

The 1Password may not be handling localhost as expected, and I have yet to find a working solution, this seems unrelated to this repo. For HTTPS, I create a pull-request (#439) to solve this issue and everything seems to work fine.

neoplastic commented 1 year ago

So I've experienced the same issue on localhost but I've also got a testing app running on a domain name, it comes up with a different error.

Screenshot 2023-09-22 at 1 08 39 pm
unix commented 1 year ago

@neoplastic If you need it urgently, you can refer to the PR I created, and then use the pnpm patch to patch the library.

MasterKale commented 1 year ago

This should be fixed in the newly published @simplewebauthn/browser@8.2.0 ✌️