web-auth / webauthn-helper

JS functions to ease the use of the library or the Symfony bundle
MIT License

Invalid Base 64 Url Safe character. #28

Open PhilETaylor opened 2 years ago

PhilETaylor commented 2 years ago

On login recently I'm getting errors about Invalid Base 64 Url Safe character.

Note the issue is intermittent because not every string encoded by this lib will result in a string with banned chars in it. The example below is a good example where each string ends in a `=`, which is invalid for a base64url.

This was all working well, until a few days ago when one of the web-auth libs upgraded.

On inspecting the signed request I note that the values are base64 encoded and not base64url encoded... (evidenced by appended equals signs which are invalid for base64url encoded)

    {
        "id": "QRX-uGMoPEsiIY_OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW-BDTEBigv5d-LpQ",
        "rawId": "QRX+uGMoPEsiIY/OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW+BDTEBigv5d+LpQ==",
        "response": {
            "authenticatorData": "d2m7v2nZjBFAnawAPbcoXuOsb/WObPUBvBxuOGBMcocFAAACVQ==",
            "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoidklvOEt5N01QVlg1TkUwTmlQakVMbUhYT0doeTh0eW1JSVcxN2JZSWFWQSIsIm9yaWdpbiI6Imh0dHBzOi8vbWFuYWdlLm15c2l0ZXMuZ3VydSIsImNyb3NzT3JpZ2luIjpmYWxzZX0=",
            "signature": "MEUCIQCnmDWCDjxYP+O5VtFfREj0A0rA6ALmWJwtPq6MTiX/TgIgfbhYLU/VYGJmSannRdfsfj2DPkhkeDvbcXHYphchPZM=",
            "userHandle": ""
        },
        "type": "public-key"
    }

If I manually convert those from base64 to base64url then the exception is resolved and I can login again.

I think the problem might be this comment being incorrect:

    // Converts an array of bytes into a Base64Url string

https://github.com/web-auth/webauthn-helper/blob/e30930982857d9b57f188878cb1a53e3e771e099/src/common.js#L36-37

According to https://developer.mozilla.org/en-US/docs/Web/API/btoa

> The btoa() method creates a [Base64](https://developer.mozilla.org/en-US/docs/Glossary/Base64)-encoded ASCII string from a binary string

That to me sounds like a base64 and not a base64url, despite the comment telling me that it should return a base64url.

My stack is Symfony 6.1 with

    web-auth/cose-lib: v4.0.6
    web-auth/metadata-service: 4.1.2
    web-auth/webauthn-lib: 4.1.2
    web-auth/webauthn-symfony-bundle: 4.1.2
    web-token/jwt-core: 3.1.1
    web-token/jwt-signature: 3.1.1

Sentry.io Stack Trace for reference https://sentry.io/share/issue/e173edee1abc4c6693ef24ee8a68644e/ (click FULL once page loaded)

Spomky commented 2 years ago

Hi,

Thank you for reporting this issue. More and more servers become fully compliant with the Webauthn specification. This frontend library is not. For the moment, I would suggest you use https://github.com/MasterKale/SimpleWebAuthn, which is really great. I will certainly update this library, but I cannot say when.

PhilETaylor commented 2 years ago

Absolutely no worries :-) I just converted the incoming request back to base64url myself and my app is up and running again and working :) but wanted to ensure that it was logged - as others will probably get the same issue eventually.

Certainly zero pressure from me for a fix here :) Thanks for your work, saved me hours not having to reinvent the wheel.

stayallive commented 2 years ago

@Spomky maybe it's an idea to link to this other library in the docs of the PHP library, since I just ran into this while following the instructions: https://webauthn-doc.spomky-labs.com/prerequisites/javascript.
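The encoding mismatch reported at the top of this thread, and the conversion workaround mentioned in the follow-up, as an added example that is not part of the issue or of the webauthn-helper code base. All function names are hypothetical; `id`, `rawId` and `authenticatorData` are copied from the request above, and the two-byte `signature` is constructed.

```javascript
// Added example: illustrative names, not webauthn-helper's API.
// btoa() exists in browsers and recent Node; fall back to Buffer elsewhere.
const b64 = typeof btoa === 'function'
  ? btoa
  : (s) => Buffer.from(s, 'binary').toString('base64');

// What a btoa()-based helper emits: standard base64 ('+', '/', '=' padding).
function bytesToBase64(bytes) {
  let binary = '';
  for (const b of new Uint8Array(bytes)) binary += String.fromCharCode(b);
  return b64(binary);
}

// RFC 4648 section 5 alphabet ('-' and '_'), with the padding dropped.
function base64ToBase64Url(s) {
  return s.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function bytesToBase64Url(bytes) {
  return base64ToBase64Url(bytesToBase64(bytes));
}

// Strict validator: URL-safe alphabet only, no padding, no impossible length.
function isBase64Url(s) {
  return typeof s === 'string' && /^[A-Za-z0-9_-]*$/.test(s) && s.length % 4 !== 1;
}

// Re-encode the binary fields of an assertion without mutating the input.
const BINARY_FIELDS = ['authenticatorData', 'clientDataJSON', 'signature', 'userHandle'];
function normalizeAssertion(cred) {
  const response = { ...cred.response };
  for (const key of BINARY_FIELDS) {
    if (typeof response[key] === 'string') response[key] = base64ToBase64Url(response[key]);
  }
  return { ...cred, rawId: base64ToBase64Url(cred.rawId), response };
}

const sample = {
  id: 'QRX-uGMoPEsiIY_OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW-BDTEBigv5d-LpQ',
  rawId: 'QRX+uGMoPEsiIY/OZJIR7tD9o3jB4eYAmXZ1Ikpt3KFWK8JNBHMBggwMMC8ynXtDonp5nmW+BDTEBigv5d+LpQ==',
  response: {
    authenticatorData: 'd2m7v2nZjBFAnawAPbcoXuOsb/WObPUBvBxuOGBMcocFAAACVQ==',
    signature: bytesToBase64([0xfb, 0xff]), // constructed: encodes to "+/8="
    userHandle: '',
  },
  type: 'public-key',
};
```

After normalization `rawId` equals `id`, which is a cheap consistency check a strict server can keep in place rather than loosening its decoder.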