cedarcode / webauthn-rails-demo-app

Rails app demonstrating a WebAuthn password-less login
https://webauthn.cedarcode.com
Apache License 2.0

Same credential registered for 2 different user names #118

Closed pouya314 closed 2 years ago

pouya314 commented 4 years ago

Hi,

I know there is another merged PR that had addressed this issue, but I just jumped on https://webauthn.cedarcode.com/ and was still able to register two different users (with different usernames) with the same credential. I used my Macbook's built-in fingerprint sensor to produce this issue.

Usernames:

And Credential/Security Key nickname for both is 'abc'.

I am on a 2018 MacBook Pro running macOS Catalina.

I was able to reproduce this issue on a local setup as well.

I understand in PR #108 this line was added to Credential model:

validates :external_id, uniqueness: true

Looking at my local database I have noticed the external_ids for these two different usernames are different for some reason I do not understand!!! (Even though the same built-in sensor was used during registration.) Would you be able to have a look at the DB behind 'https://webauthn.cedarcode.com' and check if it's the same problem?

Appreciate your help in looking into this issue.

Thanks, Pouya

brauliomartinezlm commented 3 years ago

Hi @pouya314 ,

Sorry it took me so long to get back to you on this. Yeah, what you are describing makes sense to me. However, I don't think this is unexpected behavior.

Let me explain myself:

By performing the flow you describe, you're actually not using the same credential for those 2 users. You get 2 different users with one credential each.

The first time you register, the process performed in the app creates a user with such username and with a webauthn_id we send to the authenticator device (in this case your MacBook keychain that authenticates you with the built-in sensor).

After that, you do a second registration and the same thing happens again, but for another user with a different webauthn_id, hence creating a new credential in your keychain.

The key point is, although you are using the same authenticator device, you're registering 2 different credentials for 2 different users in it. Thus, you're seeing 2 different external_ids in the database from our app.

Do I make sense? Hope it helps!
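To illustrate the explanation above, here is an added Ruby simulation (not code from this repo or the webauthn gem): one constructed stand-in for the platform authenticator, one for the relying party, and two constructed usernames both registering with the nickname 'abc'. Each registration hands the authenticator a per-user webauthn_id and gets back a freshly minted credential ID, which is what ends up as a distinct external_id per user.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for the platform authenticator (the keychain behind
# the fingerprint sensor). One device can hold many credentials.
class SimulatedAuthenticator
  def initialize
    @keychain = {} # credential_id => { rp_id:, user_handle:, key: }
  end

  # Every registration mints a new key pair and credential ID, even when the
  # same device is used again for a different user handle.
  def make_credential(rp_id:, user_handle:)
    credential_id = SecureRandom.random_bytes(16)
    key = OpenSSL::PKey::EC.generate("prime256v1")
    @keychain[credential_id] = { rp_id: rp_id, user_handle: user_handle, key: key }
    { id: credential_id, public_key: key.public_key.to_bn.to_s(16) }
  end

  def credential_count
    @keychain.size
  end
end

# Constructed stand-in for the relying party: each user gets a webauthn_id
# (the user handle sent to the authenticator); credentials are keyed by
# external_id, mirroring `validates :external_id, uniqueness: true`.
class RelyingParty
  RP_ID = "webauthn.cedarcode.com" # assumed, taken from the demo URL

  def initialize
    @users = {}       # username => webauthn_id
    @credentials = {} # external_id => { username:, nickname:, public_key: }
  end

  def register(username, nickname, authenticator)
    webauthn_id = (@users[username] ||= SecureRandom.random_bytes(64))
    cred = authenticator.make_credential(rp_id: RP_ID, user_handle: webauthn_id)
    external_id = cred[:id].unpack1("H*")
    raise ArgumentError, "external_id already taken" if @credentials.key?(external_id)
    @credentials[external_id] = { username: username, nickname: nickname, public_key: cred[:public_key] }
    external_id
  end

  def credentials_for(username)
    @credentials.select { |_, c| c[:username] == username }.keys
  end
end

# The flow from the issue: one device, two users, same nickname.
def demo(device = SimulatedAuthenticator.new, rp = RelyingParty.new)
  ids = %w[user_one user_two].map { |u| rp.register(u, "abc", device) } # constructed usernames
  { distinct: ids.uniq.size == 2, device_credentials: device.credential_count }
end
```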