[WebAuthn] CTAP2_ERR_USER_ACTION_TIMEOUT isn't handled properly
https://bugs.webkit.org/show_bug.cgi?id=241565
rdar://95040155

Reviewed by Brent Fulgham.

Authenticators will time out operations after so many seconds of
waiting for user interaction, returning an error of
CTAP2_ERR_USER_ACTION_TIMEOUT. This patch handles that error
by reissuing the request, instead of letting it go to U2F fallback
and failing there with "no credentials found."

Tested with a Yubikey 5c.

* Source/WebCore/Modules/webauthn/fido/FidoConstants.cpp:
(fido::isCtapDeviceResponseCode):
* Source/WebCore/Modules/webauthn/fido/FidoConstants.h:
* Source/WebKit/UIProcess/WebAuthentication/fido/CtapAuthenticator.cpp:
(WebKit::CtapAuthenticator::continueMakeCredentialAfterResponseReceived):
(WebKit::CtapAuthenticator::continueGetAssertionAfterResponseReceived):

Canonical link: https://commits.webkit.org/251511@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@295506 268f45cc-cd09-0410-ab3c-d52691b4dbfc
pascoej committed Jun 14, 2022
1 parent eabf693 commit 6610edac17911517f82bc4daa30bf5cab3b52ffb
Showing 3 changed files with 12 additions and 0 deletions.
@@ -82,6 +82,7 @@ bool isCtapDeviceResponseCode(CtapDeviceResponseCode code)
case CtapDeviceResponseCode::kCtap2ErrPinPolicyViolation:
case CtapDeviceResponseCode::kCtap2ErrPinTokenExpired:
case CtapDeviceResponseCode::kCtap2ErrRequestTooLarge:
case CtapDeviceResponseCode::kCtap2ErrActionTimeout:
case CtapDeviceResponseCode::kCtap2ErrOther:
case CtapDeviceResponseCode::kCtap2ErrSpecLast:
case CtapDeviceResponseCode::kCtap2ErrExtensionFirst:
@@ -98,6 +98,7 @@ enum class CtapDeviceResponseCode : uint8_t {
kCtap2ErrPinPolicyViolation = 0x37,
kCtap2ErrPinTokenExpired = 0x38,
kCtap2ErrRequestTooLarge = 0x39,
kCtap2ErrActionTimeout = 0x3A,
kCtap2ErrOther = 0x7F,
kCtap2ErrSpecLast = 0xDF,
kCtap2ErrExtensionFirst = 0xE0,
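Review bot: the name and value added here do not match the error the commit title says it is handling. The title refers to CTAP2_ERR_USER_ACTION_TIMEOUT, but the enumerator is `kCtap2ErrActionTimeout = 0x3A`; in the CTAP 2.0 status-code table 0x3A is CTAP2_ERR_ACTION_TIMEOUT, and CTAP2_ERR_USER_ACTION_TIMEOUT is a different code (0x2A). Please confirm against the spec which code the YubiKey actually returned during testing, and either rename the enumerator to match its value or add the 0x2A code as well and handle both; otherwise a device that returns the user-action timeout will still fall through to the U2F downgrade path this patch is meant to avoid.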
@@ -119,6 +119,11 @@ void CtapAuthenticator::continueMakeCredentialAfterResponseReceived(Vector<uint8
if (!response) {
auto error = getResponseCode(data);

if (error == CtapDeviceResponseCode::kCtap2ErrActionTimeout) {
makeCredential();
return;
}

if (error == CtapDeviceResponseCode::kCtap2ErrCredentialExcluded) {
receiveRespond(ExceptionData { InvalidStateError, "At least one credential matches an entry of the excludeCredentials list in the authenticator."_s });
return;
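Review bot: the retry at `if (error == CtapDeviceResponseCode::kCtap2ErrActionTimeout) { makeCredential(); return; }` is unbounded. Every timeout reissues the request, so an authenticator that keeps timing out because the user never touches it will be polled indefinitely with no retry cap and no check that the ceremony has since been cancelled or has exceeded the relying party's timeout. Consider a small retry counter on CtapAuthenticator (or a check of the request's cancellation state) before calling makeCredential() again, and fail the request with a timeout error once it is exhausted rather than looping.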
@@ -173,6 +178,11 @@ void CtapAuthenticator::continueGetAssertionAfterResponseReceived(Vector<uint8_t
if (!response) {
auto error = getResponseCode(data);

if (error == CtapDeviceResponseCode::kCtap2ErrActionTimeout) {
getAssertion();
return;
}

if (!isPinError(error) && tryDowngrade())
return;
