search

getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io
Other
37.51k stars 4.04k forks source link

Invalid `user.id` length for passkeys handlers #70412

Open LeoColomb opened 1 month ago

LeoColomb commented 1 month ago

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

  1. Having a passkeys manager running (e.g: a password manager)
  2. Being authenticated on Sentry
  3. Go to the U2F page https://sentry.io/settings/account/security/mfa/u2f/enroll/

Expected Result

All the enrollment to run without issues and the key challenge to be accepted. The user.id standard to be respected

Actual Result

The interface shows an error. image

The passkeys manager receives an incorrect user.id length.

image

The password manager logs an error.

[Fido2Client] Invalid 'user.id' length: oWlwdWJsaWNLZXmmYnJwomJpZGlzZW50c[truncated] (589)

Ref: https://github.com/bitwarden/clients/issues/8756

I tried to dig in where the wrong length was created, but it seems to be generated to correct way:

https://github.com/getsentry/sentry/blob/9d2044811ebac0d3412a57cb755c79d650fd8668/src/sentry/auth/authenticators/u2f.py#L111

Some ideas:

Product Area

Settings - Auth

Link

https://sentry.io/settings/account/security/mfa/u2f/enroll/

DSN

No response

Version

No response

getsantry[bot] commented 1 month ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 1 month ago

Routing to @getsentry/product-owners-settings-auth for triage ⏲️

leedongwei commented 1 month ago

We're looking into this. Thanks for the detailed bug report!

mdtro commented 1 month ago

@LeoColomb

I'm able to recreate this using the Bitwarden Browser Extension 2024.4.2 and Chrome 124.0.6367.156. I don't receive a prompt from Bitwarden to setup a passkey. Is this what you're experiencing? Could you share your extension and browser versions?

Interestingly, I cannot recreate this using 1Password. It successfully prompts to create a new passkey and registers it fine.

LeoColomb commented 1 month ago

@mdtro Good to know! I don't think the version numbers are going to explain anything: I've tried with 3 different browsers (Chrome, Firefox, Brave), with different versions (I'm facing this issue for half a year at least). Same for Bitwarden. In any case, the latest versions are affected.

The prompt is not shown because of the error reported by Bitwarden's background script.

LeoColomb commented 1 month ago

@mdtro After further investigation, it appears that the user.id provided is actually the challenge data encoded with CBOR+base64. The user.id inside that data is the valid one.

image

mdtro commented 1 month ago

@LeoColomb Good catch! Our backend API returns this in a JSON response to a GET on /api/0/users/me/authenticators/u2f/enroll/.

{
    ...
    "challenge": {
        "webAuthnRegisterData": "<encoded data>"
    }
}

@leedongwei I'm not great with the frontend code. Is it possible we are decoding this incorrectly and putting the wrong values in user.id? Or is this an issue with the BitWarden client/extension?