From c6d03be3786edb76268d3d7a6056aa29242f47e2 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Fri, 2 Feb 2024 12:22:20 -0300
Subject: [PATCH] Be resilient to open errors
---
 lib/auth/webauthncli/fido2.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/lib/auth/webauthncli/fido2.go b/lib/auth/webauthncli/fido2.go
index 61c42a4f0ad83..db3595aa456d4 100644
--- a/lib/auth/webauthncli/fido2.go
+++ b/lib/auth/webauthncli/fido2.go
@@ -680,8 +680,15 @@ func startDevices(
 dev, err := fidoNewDevice(path)
 if err != nil {
- closeAll()
- return nil, nil, trace.Wrap(err, "device open")
+ // Be resilient to open errors.
+ // This can happen to devices that failed to cancel (and thus are still
+ // asserting) when we run sequential operations. For example: registration
+ // immediately followed by assertion (in a single process).
+ // This is largely safe to ignore, as opening is fairly consistent in
+ // other situations and failures are likely from a non-chosen device in
+ // multi-device scenarios.
+ log.Debugf("FIDO2: Device %v failed to open, skipping: %v", path, err)
+ continue
 }
 fidoDevs = append(fidoDevs, dev)
@@ -690,6 +697,9 @@ func startDevices(
 dev: dev,
 })
 }
+ if len(fidoDevs) == 0 {
+ return nil, nil, errors.New("failed to open security keys")
+ }
 // Prompt touch, it's about to begin.
 ackTouch, err := prompt.PromptTouch()
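Review bot: In the `if err != nil` branch after `fidoNewDevice(path)`, the open error is now recorded only through `log.Debugf`, so when some keys open and one does not, neither the user nor the caller learns that a key was skipped. If the skipped key is the one the user means to touch, the flow presumably carries on with the remaining devices and waits for a touch that cannot arrive; this is inferred, since the selection code is outside the hunk. Consider keeping the failure for later reporting, e.g. `openErrs = append(openErrs, trace.Wrap(err, "device open"))`, and logging at a level visible by default whenever at least one device was skipped. A short comment stating that the remaining devices are still usable after a skip would also help the next reader. The loop header and the rest of startDevices lie outside the hunk.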
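Review bot: The new `len(fidoDevs) == 0` guard returns `errors.New("failed to open security keys")`, which discards every per-device open error and, unlike the `trace.Wrap(err, "device open")` this commit removes, carries no cause. A permissions problem or a busy device then looks the same to the caller as any other failure unless debug logging is enabled. Keep the last or aggregated open error from the loop and wrap it, e.g. `return nil, nil, trace.Wrap(lastOpenErr, "failed to open security keys")`. The guard would also fire with this message if the device list was empty to begin with, unless earlier code outside the hunk already rejects that case. Whether `errors` is imported in fido2.go is not visible here.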