webauthn: ensure allowCredentials[].id is an ArrayBuffer

closes gh-16439 Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
2025-01-17 15:07:24 +01:00 · 2025-01-17 15:07:24 +01:00 · 5bf42bb7a8
parent 60dbeba985
commit 5bf42bb7a8
2 changed files with 22 additions and 2 deletions
--- a/javascript/lib/webauthn-core.js
+++ b/javascript/lib/webauthn-core.js
@ -41,8 +41,16 @@ async function authenticate(headers, contextPath, useConditionalMediation) {
  }

  // FIXME: Use https://www.w3.org/TR/webauthn-3/#sctn-parseRequestOptionsFromJSON
+  const decodedAllowCredentials = !options.allowCredentials
+    ? []
+    : options.allowCredentials.map((cred) => ({
+        ...cred,
+        id: base64url.decode(cred.id),
+      }));
+
  const decodedOptions = {
    ...options,
+    allowCredentials: decodedAllowCredentials,
    challenge: base64url.decode(options.challenge),
  };

--- a/javascript/test/webauthn-core.test.js
+++ b/javascript/test/webauthn-core.test.js
@ -85,7 +85,13 @@ describe("webauthn-core", () => {
      challenge: "nRbOrtNKTfJ1JaxfUDKs8j3B-JFqyGQw8DO4u6eV3JA",
      timeout: 300000,
      rpId: "localhost",
-      allowCredentials: [],
+      allowCredentials: [
+        {
+          id: "nOsjw8eaaqSwVdTBBYE1FqfGdHs",
+          type: "public-key",
+          transports: [],
+        },
+      ],
      userVerification: "preferred",
      extensions: {},
    };
@ -172,7 +178,13 @@ describe("webauthn-core", () => {
          challenge: base64url.decode("nRbOrtNKTfJ1JaxfUDKs8j3B-JFqyGQw8DO4u6eV3JA"),
          timeout: 300000,
          rpId: "localhost",
-          allowCredentials: [],
+          allowCredentials: [
+            {
+              id: base64url.decode("nOsjw8eaaqSwVdTBBYE1FqfGdHs"),
+              type: "public-key",
+              transports: [],
+            },
+          ],
          userVerification: "preferred",
          extensions: {},
        },