SessionLayer::with_secure(false)

kanidm / webauthn-rs

An implementation of webauthn components for Rustlang servers

Mozilla Public License 2.0

483 stars 80 forks source link

SessionLayer::with_secure(false) #336

Closed paeifbnaeufbpae closed 1 year ago

paeifbnaeufbpae commented 1 year ago

Enables the tutorial to be runnable locally by default. Without this, finish_register returns Err(WebauthnError::CorruptSession) when running locally.

[x] cargo test has been run and passes
[x] documentation has been updated with relevant examples (if relevant)

yaleman commented 1 year ago

This should realistically always be run on a HTTPS endpoint, and a secure default is in line with our design standards.

Firstyear commented 1 year ago

I think the reason I had this as false was for http testing between a laptop and a nearby ipadh for passkey dev, but now I'm okay to change it since we have other options for testing.

EDIT: Opps, the patch/pr is doing the opposite. I think localhost is always a secure context, so is https, but if you did mydemo.example.com to ::1 then this would fail because that wouldn't be a secure context which would cause the failure here.

Given it's a demo I'm okay to flip it to insecure, but also I'd like to think as a demo we should model best practice?

Firstyear commented 1 year ago

@paeifbnaeufbpae Can you elaborate on the reason or error you hit with this in your testing?

paeifbnaeufbpae commented 1 year ago

On my setup (macOS 13.4.1, Safari 16.5.2), the session KV store isn't persisted between the different stages without this change. It's empty at the start of fn start_register, making the retrieval of key "reg_state" fail.

Trying to access the the server via https://localhost:8080 instead of http://localhost:8080 isn't possible, at least not out of the box.

Firstyear commented 1 year ago

http://localhost should be considered a secure origin. So there is something else going on. Does it work on chrome / firefox? I wonder if safari is breaking local storage or cookies here somehow.

yaleman commented 1 year ago

@paeifbnaeufbpae is this still an issue?

muxcmux commented 1 year ago

Works on Chrome, but Safari does not store the cookie and doesn't send it back with the register_finish request unless SessionLayer::with_secure is set to false. I'm on macos 13.5.1 and Safari 16.6 (18615.3.12.11.2)

Firstyear commented 1 year ago

My guess is that safari does not consider localhost a secure origin, where chrome and ff does.

I don't see an issue adding this then.