Closed paeifbnaeufbpae closed 1 year ago
This should realistically always be run on a HTTPS endpoint, and a secure default is in line with our design standards.
I think the reason I had this as false was for http testing between a laptop and a nearby ipadh for passkey dev, but now I'm okay to change it since we have other options for testing.
EDIT: Opps, the patch/pr is doing the opposite. I think localhost is always a secure context, so is https, but if you did mydemo.example.com to ::1
then this would fail because that wouldn't be a secure context which would cause the failure here.
Given it's a demo I'm okay to flip it to insecure, but also I'd like to think as a demo we should model best practice?
@paeifbnaeufbpae Can you elaborate on the reason or error you hit with this in your testing?
On my setup (macOS 13.4.1, Safari 16.5.2), the session KV store isn't persisted between the different stages without this change. It's empty at the start of fn start_register
, making the retrieval of key "reg_state"
fail.
Trying to access the the server via https://localhost:8080
instead of http://localhost:8080
isn't possible, at least not out of the box.
http://localhost should be considered a secure origin. So there is something else going on. Does it work on chrome / firefox? I wonder if safari is breaking local storage or cookies here somehow.
@paeifbnaeufbpae is this still an issue?
Works on Chrome, but Safari does not store the cookie and doesn't send it back with the register_finish
request unless SessionLayer::with_secure
is set to false. I'm on macos 13.5.1 and Safari 16.6 (18615.3.12.11.2)
My guess is that safari does not consider localhost a secure origin, where chrome and ff does.
I don't see an issue adding this then.
Enables the tutorial to be runnable locally by default. Without this,
finish_register
returnsErr(WebauthnError::CorruptSession)
when running locally.