Open FroMage opened 9 months ago
Missing authenticator option
I believe this one is due to the vert.x webauthn transports not supporting the `hybrid` transport. I see another one is missing: `smart-card`.
Why this passes registration, I'm not sure, but it means I can't log back in because this transport is not enabled.
No username on login
Well, I'm not sure if this is a bug or not, but I've a question related to https://github.com/vert-x3/vertx-web/commit/b6c97e2c8287019b65306a5cd8e074ae9b0130b0 which allows not having a username for login requests, which I think is only valid if `requireResidentKey` is true. This appears to be for PassKeys support. On registration, a username is still required, so it's probably still saved somewhere in the DB. But if we authenticate using no username, this appears to rely on `credID` to find the credentials, and then Vert.x produces a `User`, and I wonder how it saves this user into the session, if not by username? I don't see anywhere in the code where we extract the username back from the credentials to put it into the `User`, or the session. Or, perhaps, Vert.x doesn't store the username in the session, but the entire `User` object?

Also, does this mean that in order to support PassKeys, we must set that option?
Missing authenticator option
On my Linux laptop, using Google Chrome, when I hit a `register` endpoint, it asks me if I want to authenticate using my security key (yubikey) or my Android phone. When I use the yubikey, the rest works. But when I use my Android phone, I can register, but when I logout and try to login again, my browser only proposes the security key, and not the Android phone anymore.

I suspect that is info that is stored in the credentials, perhaps, that is missing from the login challenge that would otherwise enable the proper authentication method?
Where should I start looking?
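The symptom described above follows from how the `transports` hint flows from registration into the login challenge. The following is an added example, not code from this issue or from vertx-web: it stores whatever transports the authenticator reported, flags the ones a server-side enum without `hybrid` and `smart-card` would drop, and echoes the stored transports back into `allowCredentials`. The function names and the `SERVER_TRANSPORTS` set are assumptions constructed for the example.

```javascript
// Transport identifiers defined by WebAuthn Level 3 (AuthenticatorTransport).
const SPEC_TRANSPORTS = new Set(["usb", "nfc", "ble", "smart-card", "hybrid", "internal"]);

// Hypothetical server enum that mirrors the gap described in the issue:
// it knows neither "hybrid" nor "smart-card".
const SERVER_TRANSPORTS = new Set(["usb", "nfc", "ble", "internal"]);

// Registration side: persist the transports exactly as reported by
// AuthenticatorAttestationResponse.getTransports(). Values the RP does not
// recognise are kept verbatim rather than filtered through a fixed enum.
function credentialRecordFromRegistration(username, credIdB64url, transports) {
  const unknown = transports.filter((t) => !SPEC_TRANSPORTS.has(t));
  return { username, credID: credIdB64url, transports: [...transports], unknown };
}

// Diagnostic: which stored transports would be lost if the login challenge
// only emitted values the server enum understands? A non-empty result means
// the browser gets no hint that this credential lives on, e.g., a phone.
function droppedTransports(record, serverTransports = SERVER_TRANSPORTS) {
  return record.transports.filter((t) => !serverTransports.has(t));
}

// Login side: build allowCredentials for navigator.credentials.get() from the
// stored records, passing every stored transport through unchanged.
// `id` is base64url here (as sent in JSON); decode it to an ArrayBuffer, or
// use PublicKeyCredential.parseRequestOptionsFromJSON(), before calling the API.
function buildAllowCredentials(records) {
  return records.map((r) => ({
    type: "public-key",
    id: r.credID,
    transports: [...r.transports],
  }));
}

// Constructed sample data: a security key registered over USB/NFC and a phone
// registered over the hybrid (caBLE) transport, both for the same user.
const sampleRecords = [
  credentialRecordFromRegistration("alice", "Y3JlZC1rZXk", ["usb", "nfc"]),
  credentialRecordFromRegistration("alice", "Y3JlZC1waG9uZQ", ["hybrid"]),
];

for (const rec of sampleRecords) {
  const dropped = droppedTransports(rec);
  if (dropped.length) {
    console.log(`credential ${rec.credID}: transports ${dropped.join(",")} would be dropped`);
  }
}
console.log(JSON.stringify(buildAllowCredentials(sampleRecords), null, 2));
```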
Upon login, 500 on missing user
If I try to get a login challenge with a username that has no credentials, Vert.x will return a 500 status (https://github.com/vert-x3/vertx-web/blob/master/vertx-web/src/main/java/io/vertx/ext/web/handler/impl/WebAuthnHandlerImpl.java#L253). Is it by design, or should it be a 4xx status?