google / webauthndemo

An example Node.js Relying Party implementation of the WebAuthn specification
https://try-webauthn.appspot.com
Apache License 2.0

Bug: credentials are stored when key decoding failed resulting in continuous fails on main page #62

Closed ckahlo closed 5 years ago

ckahlo commented 5 years ago

When trying to register a credential containing a public key with its parameters encoded as strings instead of integers, the credential is stored with an empty key. When refreshing the page, the URL https://webauthndemo.appspot.com/RegisteredKeys is called to display already registered credentials. The code throws NullPointerExceptions when trying to encode the public key x and y coordinates with EccKey getX(), getY() or encode(). This renders the demo application unusable.

cpiper commented 5 years ago

Thanks for the report. In https://github.com/google/webauthndemo/commit/b16354e7440b4f2e66157837d76f5a56d31f619a I am now rejecting such invalid entries. Invalid entries should be cleared from the database, but let me know if you still run into issues.
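
The failure mode in this issue, reduced to a validate-before-store check. This is an added example, not code from the thread or from the webauthndemo repository. It assumes the CBOR decoder returns a `Map` (so integer and string labels stay distinct); `parseEc2Key`, `registerCredential` and the sample keys are hypothetical names and constructed inputs.

```javascript
// COSE_Key labels and values for an ES256 / P-256 key (RFC 8152).
const LABEL = { kty: 1, alg: 3, crv: -1, x: -2, y: -3 };
const KTY_EC2 = 2, ALG_ES256 = -7, CRV_P256 = 1, COORD_LEN = 32;

function requireInt(key, name, expected) {
  const v = key.get(LABEL[name]);          // a string label such as "1" never matches 1
  if (!Number.isInteger(v)) throw new TypeError(`${name}: missing or not an integer`);
  if (v !== expected) throw new RangeError(`${name}: unsupported value ${v}`);
}

function requireCoord(key, name) {
  const v = key.get(LABEL[name]);
  if (!(v instanceof Uint8Array) || v.length !== COORD_LEN) {
    throw new TypeError(`${name}: missing or not a ${COORD_LEN}-byte string`);
  }
  return Buffer.from(v);
}

// Returns {x, y} or throws. Type and shape checks only; it does not verify
// that the point lies on the curve.
function parseEc2Key(coseKey) {
  if (!(coseKey instanceof Map)) throw new TypeError('COSE key is not a CBOR map');
  requireInt(coseKey, 'kty', KTY_EC2);
  requireInt(coseKey, 'alg', ALG_ES256);
  requireInt(coseKey, 'crv', CRV_P256);
  return { x: requireCoord(coseKey, 'x'), y: requireCoord(coseKey, 'y') };
}

// Nothing is written to the store unless the key parsed completely, so a later
// listing of registered keys never meets a credential with an empty key.
function registerCredential(store, credentialId, coseKey) {
  let publicKey;
  try {
    publicKey = parseEc2Key(coseKey);
  } catch (err) {
    return { ok: false, error: err.message };
  }
  store.set(credentialId, publicKey);
  return { ok: true };
}

// Constructed sample inputs (not real authenticator output).
const X = Buffer.alloc(COORD_LEN, 1), Y = Buffer.alloc(COORD_LEN, 2);
const GOOD_KEY = new Map([[1, 2], [3, -7], [-1, 1], [-2, X], [-3, Y]]);
const STRING_LABELS = new Map([['1', 2], ['3', -7], ['-1', 1], ['-2', X], ['-3', Y]]);
const STRING_VALUES = new Map([[1, '2'], [3, '-7'], [-1, '1'], [-2, X], [-3, Y]]);
```
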