
Opt-out of backup eligible checking for a given credential #351

Open
erincandescent opened this issue Dec 15, 2024 · 4 comments
Labels
status/needs-triage Issues that need to be triaged. type/feature-request Feature Requests

Comments

@erincandescent

Description

I have a service which used an older version of this library to implement WebAuthn. Users enrolled credentials for which the Backup Eligible flag wasn't stored. I would like a way to flag to the library that this information is unknown and should not be validated.

The obvious solution would be to make the BackupEligible flag a three-valued type (true, false, unknown), but that obviously poses compatibility challenges.

Use Case

Users who enrolled to my service for which the Backup Eligible flag wasn't stored should be able to log in.

Documentation

No response

@erincandescent erincandescent added status/needs-triage Issues that need to be triaged. type/feature-request Feature Requests labels Dec 15, 2024
@erincandescent (Author)

N.B. currently I'm pinning 0.10.2, but this isn't a long-term sustainable option.

@james-d-elliott (Member) commented Dec 15, 2024

Why not handle this via determining if the value was ever stored in your storage solution (i.e. nullable column) and on login update the credential in that instance to the attested value?

@erincandescent (Author)

That's what I want to do, but I haven't spotted any way to do this other than opting out of the checking for the user's first login after upgrading?

@james-d-elliott (Member) commented Dec 24, 2024

You should be able during the parsing phase to detect the current flags from the credential following this path:

  1. Use protocol.ParseCredentialRequestResponse to parse the response from the authenticator.
  2. Load credentials with a null-like value which match the requested credential and update them if returned using the following structure path from the result from 1 i.e. .Response.AuthenticatorData.Flags:
    1. https://pkg.go.dev/github.com/go-webauthn/webauthn/protocol#ParsedAssertionResponse
    2. https://pkg.go.dev/github.com/go-webauthn/webauthn/protocol#AuthenticatorData
    3. https://pkg.go.dev/github.com/go-webauthn/webauthn/protocol#AuthenticatorFlags
  3. Use webauthn WebAuthn.ValidateLogin or webauthn WebAuthn.ValidateDiscoverableLogin to validate the updated credential (if you're using the discoverable one you'll have to update it as part of the user lookup func).
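The reconciliation step in the middle of that path (step 2), as an added standalone example that is not part of the issue or of the go-webauthn code base: it models the nullable column as a `*bool`, reads the BE/BS bits from raw authenticator data (the same bits `protocol.AuthenticatorFlags` exposes), adopts the attested value when it was never stored, and otherwise enforces that BE does not change. `StoredCredential` and `ReconcileBackupEligible` are assumed names; the authenticator data in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Bits of the flags byte in WebAuthn authenticator data (byte 32, right after
// the 32-byte rpIdHash); protocol.AuthenticatorFlags exposes the same bits.
const flagBackupEligible, flagBackupState byte = 0x08, 0x10 // BE bit 3, BS bit 4

// StoredCredential mirrors a row whose backup-eligible column is nullable:
// nil means the value was never recorded (enrolled with the older version).
type StoredCredential struct {
	BackupEligible *bool
}

// ReconcileBackupEligible runs between parsing the assertion and calling
// ValidateLogin: an unknown stored value adopts the attested BE flag so the
// library's consistency check then passes; a known value must not change
// (the spec fixes BE for a credential's lifetime). BS=1 with BE=0 is rejected.
func ReconcileBackupEligible(cred *StoredCredential, authData []byte) (updated bool, err error) {
	if len(authData) < 37 { // rpIdHash(32) + flags(1) + signCount(4)
		return false, errors.New("authenticator data too short")
	}
	flags := authData[32]
	be := flags&flagBackupEligible != 0
	bs := flags&flagBackupState != 0
	if bs && !be {
		return false, errors.New("backup state set but credential not backup eligible")
	}
	if cred.BackupEligible == nil {
		cred.BackupEligible = &be // first login after the upgrade: record it
		return true, nil
	}
	if *cred.BackupEligible != be {
		return false, fmt.Errorf("backup eligible flag changed: stored %t, attested %t", *cred.BackupEligible, be)
	}
	return false, nil
}

func main() {
	authData := make([]byte, 37) // constructed: UP|UV|BE|BS set, zero signCount
	authData[32] = 0x01 | 0x04 | flagBackupEligible | flagBackupState
	cred := &StoredCredential{} // BE never recorded for this credential
	updated, err := ReconcileBackupEligible(cred, authData)
	fmt.Println(updated, err, *cred.BackupEligible) // true <nil> true
}
```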
