This repository has been archived by the owner on May 10, 2024. It is now read-only.

excludeCredentials should return InvalidStateError #1413

Closed
jumde opened this issue Aug 20, 2019 · 1 comment · Fixed by #1423


jumde commented Aug 20, 2019

Brave Version:
1.11.1 (19.08.13.17)

Device details:
iPhone Xr (12.3.1)

I noticed that if I set excludeCredentials and list a credentialId that is already created while creating another credential, a NotAllowedError is returned now.

In this same scenario, Chrome, Edge and FF all return an InvalidStateError. I didn't confirm with the spec which is the correct behavior.

Steps to reproduce:

Go to the site below to submit a WebAuthn request:
https://eparkko-lab.github.io/webauthn-playground/?requestType=create&webauthnRequest=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%3D%3D&submitRequest=true

In the same browser, then submit another request which uses excludeCredentials:
https://eparkko-lab.github.io/webauthn-playground/?requestType=create&webauthnRequest=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&submitRequest=true

Notice the NotAllowedError returned by Brave vs InvalidStateError that is returned by other browsers. This could potentially have an impact on RPs.
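
Why the error name matters to an RP, as an added example that is not part of the original issue and is not Brave's or the playground's code: a registration helper that branches on the DOMException name, run against a constructed stub authenticator. `registerAuthenticator`, `stubContainer` and the outcome strings are hypothetical names, and `container` stands in for `navigator.credentials`.

```javascript
// Added example: RP-side handling of create() failures by error name.
// `container` is assumed to expose create() like navigator.credentials.
async function registerAuthenticator(publicKey, knownCredentialIds, container) {
  const options = {
    publicKey: {
      ...publicKey,
      // Ask the authenticator to refuse if it already holds one of these IDs.
      excludeCredentials: knownCredentialIds.map((id) => ({ type: "public-key", id })),
    },
  };
  try {
    const credential = await container.create(options);
    return { outcome: "registered", credential };
  } catch (err) {
    switch (err && err.name) {
      case "InvalidStateError":
        // The authenticator matched an excludeCredentials entry.
        return { outcome: "already-registered" };
      case "NotAllowedError":
        // Also raised for user cancel and timeout, so a duplicate reported
        // under this name cannot be told apart from those cases.
        return { outcome: "cancelled-or-timeout" };
      default:
        throw err;
    }
  }
}

// Constructed stub: an authenticator that already holds `heldId` and reports
// the duplicate with whatever error name the caller chooses.
function stubContainer(heldId, duplicateErrorName) {
  const same = (a, b) => a.length === b.length && a.every((v, i) => v === b[i]);
  return {
    async create({ publicKey }) {
      const hit = (publicKey.excludeCredentials || []).some((c) => same(c.id, heldId));
      if (hit) {
        const e = new Error("excluded credential present on authenticator");
        e.name = duplicateErrorName;
        throw e;
      }
      return { id: "constructed-new-credential", type: "public-key" };
    },
  };
}
```

With the stub set to raise `NotAllowedError` for the duplicate, the helper reports `cancelled-or-timeout`, so an RP would prompt the user to retry instead of telling them the authenticator is already registered.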


srirambv commented Sep 10, 2019

Verification passed on iPhone XR with iOS 12.1 running 1.12(19.09.07.08)
Webauthn_1413.zip

Verification PASSED on iPad Air 3rd Generation with iOS 13.1 running 1.12 (19.09.10.13)

Verification passed on iPhone 7+ with iOS 12.4.1 running 1.12(19.09.13.06)
