[WebAuthn] CTAP2_ERR_USER_ACTION_TIMEOUT isn't handled properly

https://bugs.webkit.org/show_bug.cgi?id=241565 rdar://95040155 Reviewed by Brent Fulgham. Authenticators will time out operations after so many seconds of waiting for user interaction, returning an error of CTAP2_ERR_USER_ACTION_TIMEOUT. This patch handles that error by reissuing the request, instead of letting it go to U2F fallback and failing there with "no credentials found." Tested with a Yubikey 5c. * Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp: (fido::isCtapDeviceResponseCode): * Source/WebCore/Modules/webauthn/fido/FidoConstants.h: * Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp: (WebKit::CtapAuthenticator::continueMakeCredentialAfterResponseReceived): (WebKit::CtapAuthenticator::continueGetAssertionAfterResponseReceived): Canonical link: https://commits.webkit.org/251511@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@295506 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jun 14, 2022 · 6610edac17911517f82bc4daa30bf5cab3b52ffb · 6610eda
1 parent eabf693
commit 6610edac17911517f82bc4daa30bf5cab3b52ffb
Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp b/Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp
@@ -82,6 +82,7 @@ bool isCtapDeviceResponseCode(CtapDeviceResponseCode code)
     case CtapDeviceResponseCode::kCtap2ErrPinPolicyViolation:
     case CtapDeviceResponseCode::kCtap2ErrPinTokenExpired:
     case CtapDeviceResponseCode::kCtap2ErrRequestTooLarge:
+    case CtapDeviceResponseCode::kCtap2ErrActionTimeout:
     case CtapDeviceResponseCode::kCtap2ErrOther:
     case CtapDeviceResponseCode::kCtap2ErrSpecLast:
     case CtapDeviceResponseCode::kCtap2ErrExtensionFirst:

diff --git a/Source/WebCore/Modules/webauthn/fido/FidoConstants.h b/Source/WebCore/Modules/webauthn/fido/FidoConstants.h
@@ -98,6 +98,7 @@ enum class CtapDeviceResponseCode : uint8_t {
     kCtap2ErrPinPolicyViolation = 0x37,
     kCtap2ErrPinTokenExpired = 0x38,
     kCtap2ErrRequestTooLarge = 0x39,
+    kCtap2ErrActionTimeout = 0x3A,
     kCtap2ErrOther = 0x7F,
     kCtap2ErrSpecLast = 0xDF,
     kCtap2ErrExtensionFirst = 0xE0,

diff --git a/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp b/Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp
@@ -119,6 +119,11 @@ void CtapAuthenticator::continueMakeCredentialAfterResponseReceived(Vector<uint8
     if (!response) {
         auto error = getResponseCode(data);
 
+        if (error == CtapDeviceResponseCode::kCtap2ErrActionTimeout) {
+            makeCredential();
+            return;
+        }
+
         if (error == CtapDeviceResponseCode::kCtap2ErrCredentialExcluded) {
             receiveRespond(ExceptionData { InvalidStateError, "At least one credential matches an entry of the excludeCredentials list in the authenticator."_s });
             return;
@@ -173,6 +178,11 @@ void CtapAuthenticator::continueGetAssertionAfterResponseReceived(Vector<uint8_t
     if (!response) {
         auto error = getResponseCode(data);
 
+        if (error == CtapDeviceResponseCode::kCtap2ErrActionTimeout) {
+            getAssertion();
+            return;
+        }
+
         if (!isPinError(error) && tryDowngrade())
             return;