Invalid user.id length for passkeys handlers #70412

Open
LeoColomb opened this issue May 7, 2024 · 7 comments
LeoColomb commented May 7, 2024

Environment

SaaS (https://sentry.io/)

Steps to Reproduce

  1. Having a passkeys manager running (e.g: a password manager)
  2. Being authenticated on Sentry
  3. Go to the U2F page https://sentry.io/settings/account/security/mfa/u2f/enroll/

Expected Result

The whole enrollment to run without issues and the key challenge to be accepted.
The user.id standard to be respected

Actual Result

The interface shows an error.
(screenshot)

The passkeys manager receives an incorrect user.id length.

(screenshot)

The password manager logs an error.

[Fido2Client] Invalid 'user.id' length: oWlwdWJsaWNLZXmmYnJwomJpZGlzZW50c[truncated] (589)

Ref: bitwarden/clients#8756

I tried to dig into where the wrong length was created, but it seems to be generated the correct way:

"id": user.id.to_bytes(64, byteorder="big"),

Some ideas:

  • Fido2 Server is re-processing the user.id
  • There is a mismatch in the encoding/decoding somewhere, possibly while the data transited on the frontend React page.

Product Area

Settings - Auth

Link

https://sentry.io/settings/account/security/mfa/u2f/enroll/

DSN

No response

Version

No response

getsantry bot (Contributor) commented May 7, 2024

Assigning to @getsentry/support for routing ⏲️

getsantry bot (Contributor) commented May 8, 2024

Routing to @getsentry/product-owners-settings-auth for triage ⏲️

leedongwei (Member) commented

We're looking into this. Thanks for the detailed bug report!

mdtro (Member) commented May 9, 2024

@LeoColomb

I'm able to recreate this using the Bitwarden Browser Extension 2024.4.2 and Chrome 124.0.6367.156. I don't receive a prompt from Bitwarden to setup a passkey. Is this what you're experiencing? Could you share your extension and browser versions?

Interestingly, I cannot recreate this using 1Password. It successfully prompts to create a new passkey and registers it fine.

LeoColomb (Author) commented May 10, 2024

@mdtro Good to know!
I don't think the version numbers are going to explain anything: I've tried with 3 different browsers (Chrome, Firefox, Brave), with different versions (I've been facing this issue for at least half a year).
Same for Bitwarden.
In any case, the latest versions are affected.

The prompt is not shown because of the error reported by Bitwarden's background script.

LeoColomb (Author) commented

@mdtro After further investigation, it appears that the user.id provided is actually the challenge data encoded with CBOR+base64.
The user.id inside that data is the valid one.

(screenshot)

mdtro (Member) commented May 13, 2024

@LeoColomb Good catch! Our backend API returns this in a JSON response to a GET on /api/0/users/me/authenticators/u2f/enroll/.

{
    ...
    "challenge": {
        "webAuthnRegisterData": "<encoded data>"
    }
}

@leedongwei I'm not great with the frontend code. Is it possible we are decoding this incorrectly and putting the wrong values in user.id? Or is this an issue with the Bitwarden client/extension?
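A worked check of what the two comments above describe, added here as an example; it is not Sentry's or Bitwarden's code. The truncated value in the Bitwarden log (`oWlwdWJsaWNLZXmmYnJwomJpZGlz...`) base64-decodes to CBOR `{"publicKey": {"rp": {"id": "sent…"` (a map with a 9-character RP id), i.e. the whole registration-options document rather than a user handle, which is consistent with the `webAuthnRegisterData` field in the API response. WebAuthn bounds the user handle (`user.id`) to 1 to 64 bytes, so the backend's `user.id.to_bytes(64, byteorder="big")` sits exactly at the limit and is valid, while the encoded blob is far longer. The script below uses a minimal self-contained CBOR encoder/decoder (no third-party library), builds a constructed sample in the assumed shape (RP id `sentry.io`, the field names, the challenge and the user id value `12345` are all assumptions), extracts the real `user.id`, and contrasts it with the failure mode in the report, where the entire blob is handed to the authenticator as the handle.

```python
import base64

# WebAuthn: the user handle (user.id) is an opaque byte string of 1..64 bytes.
USER_ID_MIN, USER_ID_MAX = 1, 64


# --- minimal CBOR (RFC 8949) for the types a registration-options map needs:
#     unsigned/negative ints, byte strings, text strings, arrays, maps ---

def _head(major, n):
    """Encode a CBOR initial byte plus argument for major type `major`."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")


def cbor_encode(obj):
    if isinstance(obj, int) and not isinstance(obj, bool):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type {type(obj).__name__}")


def _decode(buf, pos):
    """Decode one CBOR item at `pos`; return (value, position after it)."""
    ib = buf[pos]
    major, ai = ib >> 5, ib & 0x1F
    pos += 1
    if ai < 24:
        n = ai
    elif ai in (24, 25, 26, 27):
        size = 1 << (ai - 24)
        n = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError(f"unsupported additional info {ai}")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major in (2, 3):
        if pos + n > len(buf):
            raise ValueError("truncated string")
        chunk = bytes(buf[pos:pos + n])
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = _decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(n):
            key, pos = _decode(buf, pos)
            result[key], pos = _decode(buf, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def cbor_decode(buf):
    obj, end = _decode(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return obj


def build_register_data(user_id: int, challenge: bytes) -> str:
    """Assumed shape of `webAuthnRegisterData`: CBOR {"publicKey": options}, base64'd.
    The 64-byte big-endian user.id is the line quoted in the report; the RP id,
    user name and the other fields are illustrative assumptions."""
    options = {
        "publicKey": {
            "rp": {"id": "sentry.io", "name": "Sentry"},
            "user": {
                "id": user_id.to_bytes(64, byteorder="big"),
                "name": "alice@example.com",
                "displayName": "alice",
            },
            "challenge": challenge,
            "pubKeyCredParams": [{"type": "public-key", "alg": -7}],
            "timeout": 60000,
            "attestation": "none",
        }
    }
    return base64.b64encode(cbor_encode(options)).decode("ascii")


def user_id_from_register_data(blob: str) -> bytes:
    """What a client must do: base64-decode, CBOR-decode, take publicKey.user.id."""
    return cbor_decode(base64.b64decode(blob))["publicKey"]["user"]["id"]


def user_id_length_ok(user_id: bytes) -> bool:
    return USER_ID_MIN <= len(user_id) <= USER_ID_MAX


def diagnose(blob: str) -> dict:
    """Correct handle vs. the reported failure mode (whole blob used as user.id)."""
    correct = user_id_from_register_data(blob)
    wrong = blob.encode("ascii")  # assumption: the undecoded transport blob as the handle
    return {
        "decoded_len": len(correct), "decoded_ok": user_id_length_ok(correct),
        "blob_len": len(wrong), "blob_ok": user_id_length_ok(wrong),
    }


if __name__ == "__main__":
    blob = build_register_data(12345, bytes(range(32)))  # constructed sample
    print(blob[:40])  # same "oWlwdWJsaWNLZXmmYnJwomJp..." prefix as the report's blob
    print(diagnose(blob))
```

The constructed blob shares its leading bytes with the value in the Bitwarden log because both start with the same CBOR structure, which is the strongest evidence on the page that the extension is being handed the options document itself. Whatever the fix turns out to be, the invariant a frontend or extension should assert before calling `navigator.credentials.create()` is the one in `user_id_length_ok`: the handle is the decoded `publicKey.user.id` bytes and is at most 64 bytes long.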
