Closed alexhauser closed 3 years ago
Hi @alexhauser
I'm open to a discussion in any form you like around this issue. It seems pretty damming for this library. When I looked into this and created the first implementation of SQRL Login, there were no other libraries available. Perhaps we should do another take on the landscape.
I can see at least 3 different solutions:
Best regards Daniel
Right, @kalaspuffar.
I would suggest to merge this fix for now as a mitigation for #481 and then think about how to approach a general solution for this topic.
So, if you or maybe @JamesonNetworks could test this first as well, that would be great!
Closing this in favor of #489.
This proposes a temporary mitigation for issue #481 and should form the base for a discussion on the topic.
Description:
It turns out that our method of reading and concatinating the
SCAN_RESULT_BYTE_SEGMENTS_{x}
withinUtils.readSQRLQRCode(...)
would sometimes leave us with chunks of the SQRL login URL missing, as layed out in issue #481. It seems as those chunks are simply not present in the byte segments contained in the intent that gets passed in toonActivityResult(...)
. To me, this looks like a bug in either thezxing-android-embedded
library that we're using, or even in the underlyingzxing:core
library.That being said, using
IntentIntegrator.parseActivityResult(...).getContents()
, which returns the decoded QR code as a string, seems to be delivering correct results for non-binary inputs (which all login URLs should be).This however does not work for identity QR codes, since they consist of binary data. This seems to be a problem in its own right, given the discussion found here. So not only do we have the uncertainty of missing byte segements, but also that binary data doesn't seem to be supported anyway. So after all, we might have only gotten lucky with our limited testing of importing identity QR codes up to now.
@kalaspuffar, I'd appreciate a short discussion on the topic before we jump to any conclusions.
What this PR proposes (as a temporary mitigation):
This now uses
IntentIntegrator.parseActivityResult(...).getContents()
for login QR codes and only falls back to reading the binarySCAN_RESULT_BYTE_SEGMENTS_{x}
when dealing with identity QR codes. This should at least make the decoding of login QR codes much more robust.