Be resilient to open errors

gravitational · Feb 2, 2024 · c6d03be · c6d03be
1 parent 37d3e68
commit c6d03be
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/lib/auth/webauthncli/fido2.go b/lib/auth/webauthncli/fido2.go
@@ -680,8 +680,15 @@ func startDevices(
 
 		dev, err := fidoNewDevice(path)
 		if err != nil {
-			closeAll()
-			return nil, nil, trace.Wrap(err, "device open")
+			// Be resilient to open errors.
+			// This can happen to devices that failed to cancel (and thus are still
+			// asserting) when we run sequential operations. For example: registration
+			// immediately followed by assertion (in a single process).
+			// This is largely safe to ignore, as opening is fairly consistent in
+			// other situations and failures are likely from a non-chosen device in
+			// multi-device scenarios.
+			log.Debugf("FIDO2: Device %v failed to open, skipping: %v", path, err)
+			continue
 		}
 
 		fidoDevs = append(fidoDevs, dev)
@@ -690,6 +697,9 @@ func startDevices(
 			dev:  dev,
 		})
 	}
+	if len(fidoDevs) == 0 {
+		return nil, nil, errors.New("failed to open security keys")
+	}
 
 	// Prompt touch, it's about to begin.
 	ackTouch, err := prompt.PromptTouch()