davidearl / webauthn

An implementation of webauthn in PHP on the server side (e.g. Yubico 2 and Google Titan keys)
https://webauthn.davidearl.uk
MIT License
132 stars 24 forks

excludeCredentials implementation #14

Closed mrvanes closed 5 years ago

mrvanes commented 5 years ago

I'm trying to implement excludeCredentials in prepare_challenge_for_registration by supplying a list of the PublicKeyCredentialDescriptors I have registered, just like the code in prepare_for_login, using the same key objects I pull from the DB:

    $denies = array();
    if (! empty($exclude)) {
      $deny = (object)array();
      $deny->type = 'public-key';
      $deny->transports = array('usb','nfc','ble');
      foreach(json_decode($exclude) as $key) {
        $deny->id = $key->id;
        $denies[] = clone $deny;
      }
    }

    $result->excludeCredentials = $denies;

but my client (Google Chrome) keeps crashing on creating the CredentialsContainer:

    TypeError: Failed to execute 'create' on 'CredentialsContainer': The provided value is not of type '(ArrayBuffer or ArrayBufferView)'

If I log the respective challenges, the allowCredentials and excludeCredentials objects are frighteningly similar, but registration keeps failing and validation succeeds?

    [excludeCredentials] => Array
        (
            [0] => stdClass Object
                (
                    [type] => public-key
                    [transports] => Array
                        (
                            [0] => usb
                            [1] => nfc
                            [2] => ble
                        )

                    [id] => Array
                        (
                            [0] => 188
                            [1] => 242
    [allowCredentials] => Array
        (
            [0] => stdClass Object
                (
                    [type] => public-key
                    [transports] => Array
                        (
                            [0] => usb
                            [1] => nfc
                            [2] => ble
                        )

                    [id] => Array
                        (
                            [0] => 188
                            [1] => 242

Does anybody have any clue what might be going wrong here?

mrvanes commented 5 years ago

Found it, the

    key.publicKey.excludeCredentials.forEach(function(k, idx){
        key.publicKey.excludeCredentials[idx].id = new Uint8Array(k.id);
    });

was missing from webauthnRegister
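
Added example, not part of the thread or of the davidearl/webauthn code: one way to convert every binary field of the registration options, including each `excludeCredentials[].id`, before calling `navigator.credentials.create()`, while rejecting malformed ids instead of letting `new Uint8Array()` silently wrap or empty them. The function names and the sample object are hypothetical, and it assumes the server sends `challenge`, `user.id` and credential ids as JSON arrays of byte values, as in the dumps above.

```javascript
// Assumption: binary values arrive from the server as arrays of integers 0..255.
// new Uint8Array([300]) would silently wrap to 44 and new Uint8Array(undefined)
// would be empty, so validate first: a garbled id no longer excludes the key.
function toBytes(value, field) {
  if (value instanceof Uint8Array) return value;
  if (!Array.isArray(value) || value.length === 0) {
    throw new TypeError(field + " must be a non-empty array of byte values");
  }
  for (const b of value) {
    if (!Number.isInteger(b) || b < 0 || b > 255) {
      throw new RangeError(field + " contains a non-byte value: " + b);
    }
  }
  return new Uint8Array(value);
}

// Returns a copy of the server options with every BufferSource field converted;
// the input object is left untouched so it can still be logged as received.
function prepareCreationOptions(serverOptions) {
  const pk = Object.assign({}, serverOptions.publicKey);
  pk.challenge = toBytes(pk.challenge, "challenge");
  pk.user = Object.assign({}, pk.user, { id: toBytes(pk.user.id, "user.id") });
  // A missing list is treated as "nothing to exclude".
  pk.excludeCredentials = (pk.excludeCredentials || []).map((cred, idx) =>
    Object.assign({}, cred, {
      id: toBytes(cred.id, "excludeCredentials[" + idx + "].id"),
    })
  );
  return { publicKey: pk };
}

// Constructed sample (not a real challenge or credential id).
const sampleFromServer = {
  publicKey: {
    challenge: [1, 2, 3, 4],
    user: { id: [9, 9], name: "alice", displayName: "Alice" },
    excludeCredentials: [
      { type: "public-key", transports: ["usb", "nfc", "ble"], id: [188, 242, 7, 19] },
    ],
  },
};

// In the browser:
//   navigator.credentials.create(prepareCreationOptions(sampleFromServer))
```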