Have you done this?
I have checked my logs and I'm sure this is a bug in this package.
I can reproduce this bug in isolation (vanilla Laravel install)
I can suggest a workaround as a Pull Request
Expectation
When I use 1Password / my MacBook's Touch ID, as long as I have registered it in the system, I should be able to log in.
Description
When using 1Password as a passkey, 1Password seems to be sending the userHandle in the format that this package expects, which is without dashes, e.g.: 6943324022c046d395de29ceda194b63
Which will be validated in \Laragear\WebAuthn\Assertion\Validator\Pipes\CheckCredentialIsForUser@validateId like so:
    hash_equals(Uuid::fromString($validation->credential->user_id)->getHex()->toString(), $handle);
    // using the userHandle 1Password provided, the line above becomes:
    '6943324022c046d395de29ceda194b63' === '6943324022c046d395de29ceda194b63';
But my MBP's Touch ID seems to send the userHandle with dashes, i.e.: 69433240-22c0-46d3-95de-29ceda194b63
The hash_equals above effectively becomes:
This makes logging in using my Touch ID impossible; I reckon other people also cannot log in.
Right now this issue is not a problem in my projects, as I am using this workaround in my WebAuthnLoginController.php:
But someone might want to address this issue.
Reproduction
    // sorry, don't have the time to make a repro, feel free to just close this issue :)
    // the issue itself is easily fixable on userland, with a little hack.
Stack trace & logs
PHP & Platform
8.3.6 - macOS 14.4.1 aarch64
Database
PostgreSQL 14.11
Laravel version
11.5.0
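A handle check that accepts both encodings described in this issue, as an added example that is not code from the issue or from Laragear/WebAuthn. The function names are hypothetical, and it assumes the stored user id is a UUID string.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of Laragear/WebAuthn): reduce a UUID-shaped
// user handle to 32 lowercase hex characters, or return null if it is neither
// the dashed 8-4-4-4-12 form nor the plain 32-character hex form.
function normalizeUserHandle(string $handle): ?string
{
    $pattern = '/\A(?:[0-9a-f]{32}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\z/i';

    if (preg_match($pattern, $handle) !== 1) {
        return null; // reject anything else instead of stripping characters blindly
    }

    return strtolower(str_replace('-', '', $handle));
}

// Hypothetical check: true only when both values normalize to the same id.
function userHandleMatches(string $storedUserId, string $handle): bool
{
    $stored = normalizeUserHandle($storedUserId);
    $given  = normalizeUserHandle($handle);

    if ($stored === null || $given === null) {
        return false;
    }

    // Constant-time comparison, the same primitive the package's check uses.
    return hash_equals($stored, $given);
}

// Constructed sample data, using the handle values quoted in the issue.
$storedUserId = '69433240-22c0-46d3-95de-29ceda194b63';

$cases = [
    'no dashes (1Password form)'   => '6943324022c046d395de29ceda194b63',
    'dashed (Touch ID form)'       => '69433240-22c0-46d3-95de-29ceda194b63',
    'different user (constructed)' => '00000000-0000-4000-8000-000000000001',
    'misplaced dashes'             => '6943-324022c046d395de29ceda194b63',
    'empty handle'                 => '',
];

foreach ($cases as $label => $handle) {
    printf("%-30s %s\n", $label, userHandleMatches($storedUserId, $handle) ? 'match' : 'reject');
}
```

Matching the handle against a strict pattern before removing dashes keeps the check from accepting arbitrary strings that merely contain the right hex digits.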