Skip to content

fix(protocol): conditional create fail #434

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix(protocol): conditional create fail #434

wants to merge 1 commit into from

Conversation

dseg
Copy link

@dseg dseg commented Jun 19, 2025

This fixes conditional create would fail.
In this case, UP and UV flags will always false.
According to WebAuthn L3 spec, UP flag will be verified when options.mediation is not set to "conditional".
Step 15:
https://www.w3.org/TR/webauthn-3/#sctn-registering-a-new-credential

Related to #361

@dseg
fix(protocol): conditional create fail
aca8350 
This fixes conditional create would fail.
In this case, UP and UV flags will always false.
According to WebAuthn L3 spec, UP flag will be verified when options.mediation is not set to "conditional".
Step 15: https://www.w3.org/TR/webauthn-3/#sctn-registering-a-new-credential

Related to go-webauthn#361
@dseg dseg requested a review from a team as a code owner June 19, 2025 09:45
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Jun 19, 2025
edited
Loading

Walkthrough

The changes introduce a new boolean parameter to several Verify methods across protocol and webauthn packages to control user presence verification independently from user verification. Related test cases and method invocations are updated accordingly. The SessionData struct is extended with a Mediation field, and mediation logic is used to conditionally set user presence verification during registration.

Changes

File(s) Change Summary
protocol/assertion.go, protocol/attestation.go, protocol/authenticator.go, protocol/credential.go Added a userPresenceRequired/verifyUserPresence boolean parameter to Verify methods; updated calls to pass this flag.
protocol/assertion_test.go, protocol/attestation_test.go, protocol/authenticator_test.go, protocol/credential_test.go Updated test cases to include the new boolean parameter in Verify method calls.
webauthn/login.go, webauthn/registration.go Added logic to set and pass the user presence verification flag when calling Verify.
webauthn/types.go Added Mediation field to SessionData struct.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant WebAuthnServer
    participant Protocol

    Client->>WebAuthnServer: Submit credential (login/register)
    WebAuthnServer->>SessionData: Check Mediation (registration only)
    WebAuthnServer->>WebAuthnServer: Set shouldVerifyUserPresence flag
    WebAuthnServer->>Protocol: Call Verify(..., verifyUser, verifyUserPresence, ...)
    Protocol->>Protocol: Verify user presence if verifyUserPresence is true
    Protocol-->>WebAuthnServer: Return verification result
    WebAuthnServer-->>Client: Respond with outcome
Loading

Suggested reviewers

  • james-d-elliott

Poem

A hop and a skip, a presence to check,
The rabbits ensure your login’s not a wreck.
Mediation in tow, with a flag set true,
Verification’s now smarter, for me and for you!
🐇✨

— CodeRabbit

✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

coderabbitai[bot]
coderabbitai bot reviewed Jun 19, 2025
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 98b9f20 and aca8350.

📒 Files selected for processing (11)
  • protocol/assertion.go (2 hunks)
  • protocol/assertion_test.go (1 hunks)
  • protocol/attestation.go (1 hunks)
  • protocol/attestation_test.go (1 hunks)
  • protocol/authenticator.go (2 hunks)
  • protocol/authenticator_test.go (4 hunks)
  • protocol/credential.go (2 hunks)
  • protocol/credential_test.go (1 hunks)
  • webauthn/login.go (2 hunks)
  • webauthn/registration.go (2 hunks)
  • webauthn/types.go (1 hunks)
🔇 Additional comments (19)
webauthn/login.go (1)

371-371: Verify the Verify method signature update.

The addition of the shouldVerifyUserPresence parameter to the Verify method call looks correct and aligns with the protocol-level changes.

However, ensure this change is coordinated with the fix for line 360 to properly implement conditional user presence verification.

webauthn/types.go (1)

215-215: Good addition for conditional verification support.

The Mediation field addition to SessionData properly supports the conditional user presence verification feature. The field type and JSON tag are appropriate.

protocol/attestation_test.go (1)

32-32: Test method signature update looks correct.

The addition of the false parameter for verifyUserPresence correctly matches the updated Verify method signature from the protocol changes.

protocol/assertion_test.go (1)

183-183: Test method signature update is correct.

The addition of the false parameter for verifyUserPresence correctly aligns with the updated Verify method signature in the protocol layer.

webauthn/registration.go (3)

104-104: Proper mediation tracking in session data.

Setting Mediation: creation.Mediation correctly stores the mediation requirement in the session for later use during verification.

235-235: Correct implementation of conditional user presence logic.

The logic session.Mediation != protocol.MediationConditional properly implements the WebAuthn Level 3 specification requirement that user presence should only be verified when mediation is not "conditional".

239-239: Verify method call updated correctly.

The addition of the shouldVerifyUserPresence parameter to the parsedResponse.Verify() call correctly integrates with the protocol-level changes.

protocol/credential_test.go (1)

246-246: LGTM: Test updated correctly for new method signature.

The test call properly includes the new verifyUserPresence parameter set to false, which is appropriate for this general verification test case.

protocol/authenticator_test.go (3)

434-434: LGTM: Test structure properly extended for user presence requirements.

The addition of userPresenceRequired parameter to the test args struct correctly supports testing the new conditional user presence verification logic.

477-483: LGTM: Test case correctly validates conditional user presence checking.

The test properly sets userPresenceRequired: true and validates the improved error message when the User Present flag is not set but required.

512-512: LGTM: Method call correctly passes the new parameter.

The call to a.Verify() properly includes the userPresenceRequired parameter from the test arguments.

protocol/attestation.go (2)

131-131: LGTM: Method signature correctly updated for conditional user presence verification.

The addition of the userPresenceRequired parameter to the Verify method signature is consistent with the broader changes to support conditional user presence checking.

135-135: LGTM: Parameter properly propagated to AuthData verification.

The userPresenceRequired parameter is correctly passed to the underlying AuthData.Verify() method, maintaining the verification flow integrity.

protocol/authenticator.go (3)

388-388: LGTM: Method signature correctly updated for conditional user presence verification.

The addition of the userPresenceRequired parameter enables conditional enforcement of the User Present flag check, which is the core fix for this PR.

397-401: LGTM: Conditional user presence verification correctly implemented.

The logic if userPresenceRequired && !a.Flags.UserPresent() properly implements conditional UP flag checking per WebAuthn Level 3 specification. The error message improvement removes unnecessary fmt.Sprintf for a static string.

407-407: LGTM: Error message simplified appropriately.

Removing fmt.Sprintf for the static error message is a good improvement for readability and performance.

protocol/assertion.go (2)

142-142: LGTM: Method signature consistently updated for conditional user presence verification.

The addition of the verifyUserPresence parameter maintains consistency with the conditional user presence verification functionality across the assertion verification flow.

163-163: LGTM: Parameter correctly propagated to authenticator data verification.

The verifyUserPresence parameter is properly passed to the AuthenticatorData.Verify() method, ensuring the conditional user presence logic is applied during assertion verification.

protocol/credential.go (1)

164-164: Verify the parameter order matches the updated AttestationObject.Verify signature.

The verifyUserPresence parameter is correctly passed to the AttestationObject.Verify method. Ensure that the parameter order in this call matches the expected signature of the AttestationObject.Verify method.

#!/bin/bash
# Description: Verify the AttestationObject.Verify method signature to ensure parameter order matches

# Search for the AttestationObject.Verify method definition
ast-grep --pattern $'func ($$$) Verify($$$) $$$'

webauthn/login.go
@@ -357,6 +357,7 @@ func (webauthn *WebAuthn) validateLogin(user User, session SessionData, parsedRe
}

shouldVerifyUser := session.UserVerification == protocol.VerificationRequired
shouldVerifyUserPresence := true
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Implement conditional user presence verification logic.

The hardcoded shouldVerifyUserPresence := true doesn't align with the WebAuthn Level 3 specification and the fix described in the PR objectives. According to the spec, user presence should only be verified when mediation is not "conditional".

Apply this diff to implement proper conditional logic:

-	shouldVerifyUserPresence := true
+	shouldVerifyUserPresence := session.Mediation != protocol.MediationConditional

This matches the implementation in webauthn/registration.go line 235 and ensures consistency across login and registration flows.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
shouldVerifyUserPresence := true
- shouldVerifyUserPresence := true
+ shouldVerifyUserPresence := session.Mediation != protocol.MediationConditional
🤖 Prompt for AI Agents 
In webauthn/login.go at line 360, replace the hardcoded assignment of
shouldVerifyUserPresence to true with conditional logic that sets it to true
only when the mediation value is not "conditional". This aligns with the
WebAuthn Level 3 specification and matches the approach used in
webauthn/registration.go at line 235, ensuring consistent user presence
verification behavior between login and registration flows.

protocol/credential.go
@@ -145,7 +145,7 @@ func (ccr CredentialCreationResponse) Parse() (pcc *ParsedCredentialCreationData
// Verify the Client and Attestation data.
//
// Specification: §7.1. Registering a New Credential (https://www.w3.org/TR/webauthn/#sctn-registering-a-new-credential)
func (pcc *ParsedCredentialCreationData) Verify(storedChallenge string, verifyUser bool, relyingPartyID string, rpOrigins, rpTopOrigins []string, rpTopOriginsVerify TopOriginVerificationMode, mds metadata.Provider, credParams []CredentialParameter) (clientDataHash []byte, err error) {
func (pcc *ParsedCredentialCreationData) Verify(storedChallenge string, verifyUser bool, verifyUserPresence bool, relyingPartyID string, rpOrigins, rpTopOrigins []string, rpTopOriginsVerify TopOriginVerificationMode, mds metadata.Provider, credParams []CredentialParameter) (clientDataHash []byte, err error) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Consider parameter placement for less disruptive API changes.

Adding the new verifyUserPresence parameter in the middle of the parameter list creates a more disruptive breaking change than necessary. Consider placing new parameters at the end of the parameter list in future API changes to minimize disruption.

Additionally, the method documentation should be updated to explain the new parameter's purpose and its relationship to the WebAuthn Level 3 conditional mediation behavior.

-func (pcc *ParsedCredentialCreationData) Verify(storedChallenge string, verifyUser bool, verifyUserPresence bool, relyingPartyID string, rpOrigins, rpTopOrigins []string, rpTopOriginsVerify TopOriginVerificationMode, mds metadata.Provider, credParams []CredentialParameter) (clientDataHash []byte, err error) {
+func (pcc *ParsedCredentialCreationData) Verify(storedChallenge string, verifyUser bool, relyingPartyID string, rpOrigins, rpTopOrigins []string, rpTopOriginsVerify TopOriginVerificationMode, mds metadata.Provider, credParams []CredentialParameter, verifyUserPresence bool) (clientDataHash []byte, err error) {

Update the method documentation:

 // Verify the Client and Attestation data.
+// The verifyUserPresence parameter controls whether the User Present (UP) flag is verified,
+// allowing conditional mediation behavior as per WebAuthn Level 3 specification.
 //
 // Specification: §7.1. Registering a New Credential (https://www.w3.org/TR/webauthn/#sctn-registering-a-new-credential)
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
func (pcc *ParsedCredentialCreationData) Verify(storedChallenge string, verifyUser bool, verifyUserPresence bool, relyingPartyID string, rpOrigins, rpTopOrigins []string, rpTopOriginsVerify TopOriginVerificationMode, mds metadata.Provider, credParams []CredentialParameter) (clientDataHash []byte, err error) {
// Verify the Client and Attestation data.
// The verifyUserPresence parameter controls whether the User Present (UP) flag is verified,
// allowing conditional mediation behavior as per WebAuthn Level 3 specification.
//
// Specification: §7.1. Registering a New Credential (https://www.w3.org/TR/webauthn/#sctn-registering-a-new-credential)
func (pcc *ParsedCredentialCreationData) Verify(storedChallenge string, verifyUser bool, relyingPartyID string, rpOrigins, rpTopOrigins []string, rpTopOriginsVerify TopOriginVerificationMode, mds metadata.Provider, credParams []CredentialParameter, verifyUserPresence bool) (clientDataHash []byte, err error) {
// existing implementation...
}
🤖 Prompt for AI Agents 
In protocol/credential.go at line 148, the new parameter verifyUserPresence is
inserted in the middle of the Verify method's parameter list, causing a
disruptive API change. To fix this, move verifyUserPresence to the end of the
parameter list to minimize breaking changes. Also, update the method's
documentation to describe the purpose of verifyUserPresence and how it relates
to WebAuthn Level 3 conditional mediation behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@dseg