web-auth / webauthn-framework

FIDO-U2F / FIDO2 / Webauthn Framework
MIT License

json_encode() of PublicKeyCredentialRequestOptions fails #655

Open ptmkenny opened 4 weeks ago

ptmkenny commented 4 weeks ago

Version(s) affected

5.0

Description

Works in 4.9 but not 5.0: json_encode(\Webauthn\PublicKeyCredentialRequestOptions::create(random_bytes(32), allowCredentials: []))

I need to json_encode() it to submit the request to my site via a JSON-RPC endpoint.

The docs still say:

The PublicKeyCredentialRequestOptions object is designed to be easily serialized into a JSON object. This will ease the integration into an HTML page or through an API endpoint.

How to reproduce

With 4.9, I was using this code:

      $public_key_credential_request_options = PublicKeyCredentialRequestOptions::create(
        $this->webauthn->createChallenge(),
        allowCredentials: $allowed_credentials,
      );
      $this->tempstore->set(self::TEMP_STORE_REQUEST_OPTIONS, $public_key_credential_request_options);

      $stringified_json = json_encode($public_key_credential_request_options);
      if (is_string($stringified_json)) {
      }

After upgrading to 5.0, this fails because the value of json_encode() is false.

Possible Solution

No response

Additional Context

No response

albanx commented 3 weeks ago

I had the same issue today; the only way to make it work is to serialize it and send it as a JSON string:

This is the example in the docs:

use Symfony\Component\Serializer\Encoder\JsonEncode;
use Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer;

// The serializer is the same as the one created in the previous pages
$jsonObject = $serializer->serialize(
    $publicKeyCredentialCreationOptions,
    'json',
    [ // Optional
        AbstractObjectNormalizer::SKIP_NULL_VALUES => true,
        JsonEncode::OPTIONS => JSON_THROW_ON_ERROR,
    ]
);

Spomky commented 3 weeks ago

> After upgrading to 5.0, this fails because the value of json_encode() is false.

Indeed, json_encode should not be used as in 5.0.+ the objects do not implement the JsonSerializable interface. Please use the Serializer instead.

ptmkenny commented 3 weeks ago

Thank you for the updates. Also, Webauthn\PublicKeyCredentialSource::jsonSerialize() was removed, but this isn't listed in the migration docs.
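
Added example (not code from this thread or from webauthn-framework): a stand-in class shows why json_encode() can return false without any error being raised, and how JSON_THROW_ON_ERROR surfaces the failure. It assumes the 5.0 object exposes the raw challenge bytes as a public property and does not implement JsonSerializable; `RequestOptionsStandIn` and `base64UrlEncode()` are hypothetical names.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a 5.0-style options object: plain public
// properties, no JsonSerializable. This is NOT the library's class.
final class RequestOptionsStandIn
{
    public function __construct(
        public string $challenge,          // raw bytes, as from random_bytes(32)
        public array $allowCredentials = [],
    ) {
    }
}

// WebAuthn's JSON form carries binary fields as unpadded base64url text.
function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Constructed sample: a fixed 32-byte challenge that is not valid UTF-8.
$options = new RequestOptionsStandIn(str_repeat("\xff\xfe", 16));

// 1. Plain json_encode() walks the public properties, reaches the raw
//    bytes, and returns false; nothing is thrown or logged.
$json = json_encode($options);
var_dump($json);
echo json_last_error_msg(), "\n";

// 2. JSON_THROW_ON_ERROR turns the silent false into a JsonException,
//    so a failed encode cannot be passed on as if it were a payload.
try {
    json_encode($options, JSON_THROW_ON_ERROR);
} catch (JsonException $e) {
    echo 'JsonException: ', $e->getMessage(), "\n";
}

// 3. Once the binary field is text-encoded, the same data encodes cleanly.
echo json_encode(
    [
        'challenge' => base64UrlEncode($options->challenge),
        'allowCredentials' => $options->allowCredentials,
    ],
    JSON_THROW_ON_ERROR
), "\n";
```

Step 3 only illustrates the encoding problem; in an application, the library's Serializer shown earlier in the thread is the supported way to produce the JSON.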