web-auth / webauthn-framework

FIDO-U2F / FIDO2 / Webauthn Framework
MIT License

Authenticate Users check does not work: Invalid user handle #608

Closed dizard closed 4 months ago

dizard commented 4 months ago

Version(s) affected

4.8

Description

```php
<?php
// Laravel controller excerpt: Illuminate's ValidationException and an Eloquent `Authenticator` model.
use Illuminate\Validation\ValidationException;
use Webauthn\AuthenticatorAssertionResponse;
use Webauthn\PublicKeyCredential;
use Webauthn\PublicKeyCredentialSource;

/** @var PublicKeyCredential $publicKeyCredential */
$publicKeyCredential = $serializer->deserialize(
    $request->getContent(),
    PublicKeyCredential::class,
    'json'
);
$authenticatorAssertionResponse = $publicKeyCredential->response;

if (! $authenticatorAssertionResponse instanceof AuthenticatorAssertionResponse) {
    throw ValidationException::withMessages([
        'username' => 'Invalid response type',
    ]);
}

// Look up the stored credential by the assertion's raw credential ID.
$res = Authenticator::where('credential_id', base64_encode($publicKeyCredential->rawId))->first();
if (! $res) {
    throw ValidationException::withMessages([
        'username' => 'Unknown credential',
    ]);
}

// The stored source is deserialized with the generic Symfony serializer here.
/** @var PublicKeyCredentialSource $publicKeyCredentialSource */
$publicKeyCredentialSource = $serializer->deserialize($res->public_key, PublicKeyCredentialSource::class, 'json');

// Debug dump (halts the request; remove it to reach the check() call below):
dd($publicKeyCredentialSource->userHandle, $publicKeyCredential->response->userHandle);
// $publicKeyCredentialSource->userHandle - binary
// $publicKeyCredential->response->userHandle - string

// $publicKeyCredentialRequestOptions are the PublicKeyCredentialRequestOptions issued for this ceremony
// (the stack trace below confirms a PublicKeyCredentialRequestOptions object reaches the check).
$publicKeyCredentialSource = $responseValidator->check(
    $publicKeyCredentialSource,
    $authenticatorAssertionResponse,
    $publicKeyCredentialRequestOptions,
    $request->getHost(),
    $authenticatorAssertionResponse->userHandle,
);
```

Then this exception is thrown:

```text
Webauthn\Exception\InvalidUserHandleException: Invalid user handle in file /application/vendor/web-auth/webauthn-lib/src/Exception/InvalidUserHandleException.php on line 13
#0 /application/vendor/web-auth/webauthn-lib/src/CeremonyStep/CheckUserHandle.php(29): Webauthn\Exception\InvalidUserHandleException::create()
#1 /application/vendor/web-auth/webauthn-lib/src/CeremonyStep/CeremonyStepManager.php(31): Webauthn\CeremonyStep\CheckUserHandle->process(Object(Webauthn\PublicKeyCredentialSource), Object(Webauthn\AuthenticatorAssertionResponse), Object(Webauthn\PublicKeyCredentialRequestOptions), 'maykl', 'localhost')
```

How to reproduce

Yes, it’s very easy to do: follow the documentation and you’ll get this crap: https://webauthn-doc.spomky-labs.com/v/v4.8/pure-php/authenticate-your-users

Possible Solution

No response

Additional Context

No response

dizard commented 4 months ago

Problem: different strings

```php
// $publicKeyCredentialSource->userHandle - binary
// $publicKeyCredential->response->userHandle - string
```

Spomky commented 4 months ago

Hi @dizard,

Can you show me the part where the pk source is stored?

Many thanks. Regards.

dizard commented 4 months ago

During experiments there was a problem with the Symfony serializer. If you just do json_encode, put it in the database and then use createFromArray, everything is OK.

dizard commented 4 months ago

Moreover, if you use serialize from CORE PHP and then deserialize it in order to use the object, there will be the same problem.

Spomky commented 4 months ago

> During experiments there was a problem with the Symfony serializer.

You are not supposed to use the Symfony serializer to convert the pk source into a JSON object. This is not supported at the moment.

> If you just do json_encode, put it in the database and then use createFromArray, everything is OK.

Yes, it works. This is mentioned in the documentation (last hint at the bottom of the page). Note that createFromArray is deprecated and a dedicated serializer is available (not the one from Symfony).

> Moreover, if you use serialize from CORE PHP and then deserialize it in order to use the object, there will be the same problem.

I am not sure I understand what CORE PHP is compared to json_encode.
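Persisting and reloading the credential source the way the maintainer confirms works on 4.8 (json_encode of the source, then createFromArray), as an added example that is not code from the issue or the webauthn-framework project. It assumes the reporter's Laravel `Authenticator` Eloquent model with `credential_id` and `public_key` columns (namespace `App\Models` is assumed) and that `PublicKeyCredentialSource` exposes `publicKeyCredentialId` as a public property, as `userHandle` is in the snippet above.

```php
<?php
// Added example (not from the issue or the project). Stores a PublicKeyCredentialSource
// using the library's own JSON representation instead of the generic Symfony serializer,
// which the maintainer says is not supported for the source in 4.8.
declare(strict_types=1);

use App\Models\Authenticator; // assumed model name and namespace
use Webauthn\PublicKeyCredentialSource;

final class AuthenticatorStore
{
    /** Persist the source produced by a successful registration ceremony. */
    public function save(PublicKeyCredentialSource $source): void
    {
        Authenticator::updateOrCreate(
            // Same lookup key the reporter uses on the assertion side: base64 of the raw credential ID.
            ['credential_id' => base64_encode($source->publicKeyCredentialId)],
            // json_encode() goes through the source's own jsonSerialize(), so binary fields such as
            // userHandle are encoded in the form createFromArray() knows how to decode again.
            ['public_key' => json_encode($source, JSON_THROW_ON_ERROR)]
        );
    }

    /** Load the source matching an assertion's rawId; null when the credential is unknown. */
    public function findByRawId(string $rawId): ?PublicKeyCredentialSource
    {
        $row = Authenticator::where('credential_id', base64_encode($rawId))->first();
        if ($row === null) {
            return null;
        }
        $data = json_decode($row->public_key, true, 512, JSON_THROW_ON_ERROR);
        // createFromArray() is deprecated but works on 4.8; the maintainer points to the library's
        // dedicated serializer as the replacement. Either way the userHandle comes back as the raw
        // bytes the user-handle check compares against, which the Symfony round trip did not preserve.
        return PublicKeyCredentialSource::createFromArray($data);
    }
}
```

In the reporter's controller, `findByRawId($publicKeyCredential->rawId)` replaces the lookup plus the `$serializer->deserialize(..., PublicKeyCredentialSource::class, 'json')` line, and the returned source is passed to `check()` unchanged.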

Spomky commented 4 months ago

This is now possible with the release 4.9.0. Let me know if you have any questions. Regards.

github-actions[bot] commented 3 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.