aws-samples / amazon-cognito-passwordless-auth

Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn, support for Passkeys), Magic Link, SMS OTP Step Up
Apache License 2.0

Type error in Verifying FIDO2 Challenge Response #158

Closed ivixvi closed 3 months ago

ivixvi commented 3 months ago

When attempting to sign in using a passkey stored in the AuthenticatorsTable in the following format, with algorithm RS256, a TypeError occurs.

  "jwk": {
    "M": {
      "alg": {
        "S": "RS256"
      },
      "e": {
        "B": "AQAB"
      },
      "kty": {
        "S": "RSA"
      },
      "n": {
        "B": "{omission}"
      }
    }
  },

Library version used: v0.13.1 (P.S. this credential was created with library version v0.10.0), and we confirm that this issue is observed on the following device:

The traceback is as follows:

TypeError [ERR_INVALID_ARG_TYPE]: The "key.n" property must be of type string. Received an instance of Uint8Array
    at new NodeError (node:internal/errors:405:5)
    at validateString (node:internal/validators:162:11)
    at getKeyObjectHandleFromJwk (node:internal/crypto/keys:497:3)
    at prepareAsymmetricKey (node:internal/crypto/keys:549:22)
    at createPublicKey (node:internal/crypto/keys:613:5)
    at verifyChallenge (file:///var/task/index.mjs:177:96)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async addChallengeVerificationResultToEvent (file:///var/task/index.mjs:114:5)
    at async Runtime.handler (file:///var/task/index.mjs:1713:7) {
  code: 'ERR_INVALID_ARG_TYPE'
}
ivixvi commented 3 months ago

We specified only RS256 as the allowed algorithm at this line, but it seems that there are terminals where it is successfully saved as a base64url string on DynamoDB.

https://github.com/aws-samples/amazon-cognito-passwordless-auth/blob/main/cdk/custom-auth/fido2-credentials-api.ts#L67

Device: laptop PC manufactured by VAIO
OS: Windows 11 Home (23H2)
Passkey Store: Windows Hello

P.S. Use Library Version: v0.13.1

ivixvi commented 3 months ago

If it's acceptable to directly address the point of error, you may want to insert the following code to rectify the issue.

https://github.com/aws-samples/amazon-cognito-passwordless-auth/blob/main/cdk/custom-auth/fido2.ts#L356:L358

  // Records written by older library versions hold n and e as DynamoDB Binary
  // attributes (unmarshalled as Uint8Array); Node's createPublicKey requires
  // base64url strings for JWK members, so convert before verifying.
  if (storedCredential.jwk.n instanceof Uint8Array) {
    storedCredential.jwk.n = Buffer.from(storedCredential.jwk.n).toString('base64url');
  }
  if (storedCredential.jwk.e instanceof Uint8Array) {
    storedCredential.jwk.e = Buffer.from(storedCredential.jwk.e).toString('base64url');
  }
ottokruse commented 3 months ago

Hi mate!

This should have been fixed in https://github.com/aws-samples/amazon-cognito-passwordless-auth/pull/148/files

So that is since https://github.com/aws-samples/amazon-cognito-passwordless-auth/releases/tag/v0.12.2

What version are you on?

But you're right that that fix stops new cases from arising, but for existing records in the DB you'd need code similar to yours or do a one time DB fix: update records when n and e are stored as binary and base64url them

ivixvi commented 3 months ago

Thank you for answering!

> but for existing records in the DB you'd need code similar to yours or do a one time DB fix: update records when n and e are stored as binary and base64url them

Certainly, the credentials mentioned in the issue may have been created at the time of v0.10.0. I also reviewed that PR, but I overlooked the impact on existing records... X(

Given the responsibilities of this repository, we believe there is no need to be overly sensitive to backward compatibility. Or should I create a PR?

If it's not necessary, I will close this issue after confirming its operation.

ottokruse commented 3 months ago

Ok thanks for the confirmation

Agreed, don't think a PR is necessary.

Thanks for reporting anyway!

ivixvi commented 3 months ago

I have confirmed the operation, so I will close this issue. Thank you again!