
webauthn: ensure allowCredentials[].id is an ArrayBuffer

closes gh-16439

Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
Daniel Garnier-Moiroux 7 ay önce
ebeveyn
işleme
5bf42bb7a8

+ 8 - 0
javascript/lib/webauthn-core.js

@@ -41,8 +41,16 @@ async function authenticate(headers, contextPath, useConditionalMediation) {
   }
 
   // FIXME: Use https://www.w3.org/TR/webauthn-3/#sctn-parseRequestOptionsFromJSON
+  const decodedAllowCredentials = !options.allowCredentials
+    ? []
+    : options.allowCredentials.map((cred) => ({
+        ...cred,
+        id: base64url.decode(cred.id),
+      }));
+
   const decodedOptions = {
     ...options,
+    allowCredentials: decodedAllowCredentials,
     challenge: base64url.decode(options.challenge),
   };
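Review bot: The `!options.allowCredentials` guard only handles a missing or falsy value, so a truthy non-array value would throw from `.map`, and an entry without a string `id` reaches `base64url.decode` unchecked. Since `options` is parsed from the server response, an explicit shape check such as `const decodedAllowCredentials = Array.isArray(options.allowCredentials) ? options.allowCredentials.map(...) : [];` makes the failure mode deliberate rather than an incidental TypeError. It would also help to add a comment above the block, e.g. `// WebAuthn requires allowCredentials[].id as a BufferSource; the server sends it base64url-encoded`, so the conversion is not mistaken for redundant once the FIXME is addressed. The body of `authenticate` starts and continues outside this hunk, so how a decode error is surfaced to the caller cannot be confirmed from here.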
 

+ 14 - 2
javascript/test/webauthn-core.test.js

@@ -85,7 +85,13 @@ describe("webauthn-core", () => {
       challenge: "nRbOrtNKTfJ1JaxfUDKs8j3B-JFqyGQw8DO4u6eV3JA",
       timeout: 300000,
       rpId: "localhost",
-      allowCredentials: [],
+      allowCredentials: [
+        {
+          id: "nOsjw8eaaqSwVdTBBYE1FqfGdHs",
+          type: "public-key",
+          transports: [],
+        },
+      ],
       userVerification: "preferred",
       extensions: {},
     };
@@ -172,7 +178,13 @@ describe("webauthn-core", () => {
           challenge: base64url.decode("nRbOrtNKTfJ1JaxfUDKs8j3B-JFqyGQw8DO4u6eV3JA"),
           timeout: 300000,
           rpId: "localhost",
-          allowCredentials: [],
+          allowCredentials: [
+            {
+              id: base64url.decode("nOsjw8eaaqSwVdTBBYE1FqfGdHs"),
+              type: "public-key",
+              transports: [],
+            },
+          ],
           userVerification: "preferred",
           extensions: {},
         },
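Review bot: Both fixtures now carry a populated `allowCredentials`, so in the visible hunks nothing exercises the `? []` fallback added in webauthn-core.js for a response that omits the field. I would keep one case where the server options have no `allowCredentials` (or an empty array) and assert that the decoded options contain `allowCredentials: []`. A second case with a credential entry whose `id` is missing or not valid base64url would pin down how `authenticate` is expected to fail. The surrounding `describe` block extends outside these hunks, so such a case may already exist elsewhere in the file.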