Prevent overwriting passkeys when using registering with the same Use…

…r ID (#1) * check to prevent creating new credential when if one already exists on authenticator * add user-friendly error message * add check to make sure credential IDs in excludeCredentials are binary * store credentials as array to prevent overwriting credentials * refactor
mylofi · Mar 13, 2024 · a306697 · a306697
1 parent af84b23
commit a306697
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 5 deletions.
diff --git a/src/index.js b/src/index.js
@@ -127,6 +127,20 @@ export default publicAPI;
 async function register(regOptions = regDefaults()) {
  try {
  if (supportsWebAuthn) {
+ // ensure credential IDs are binary (not base64 string)
+ if (Array.isArray(regOptions[regOptions[credentialTypeKey]].excludeCredentials)) {
+ regOptions[regOptions[credentialTypeKey]].excludeCredentials = (
+ regOptions[regOptions[credentialTypeKey]].excludeCredentials.map(entry => ({
+ ...entry,
+ id: (
+ typeof entry.id == "string" ?
+ sodium.from_base64(entry.id,sodium.base64_variants.ORIGINAL) :
+ entry.id
+ ),
+ }))
+ );
+ }
+
  let regResult = await navigator.credentials.create(regOptions);
 
  let regClientDataRaw = new Uint8Array(regResult.response.clientDataJSON);

diff --git a/test/test.js b/test/test.js
@@ -143,6 +143,10 @@ async function registerNewCredential(name,userIDStr) {
  displayName: name,
  id: userID,
  },
+ excludeCredentials: credentialsByID[userIDStr]?.map(({ credentialID }) => ({ 
+ type: "public-key", 
+ id: credentialID, 
+ })) ?? [],
  });
  try {
  let regResult = await register(regOptions);
@@ -166,16 +170,38 @@ async function registerNewCredential(name,userIDStr) {
 
  // keep registered credential info in memory only
  // (no persistence)
- credentialsByID[userIDStr] = {
- credentialID: regResult.response.credentialID,
- publicKey: regResult.response.publicKey,
- };
+ if (userIDStr in credentialsByID) {
+ credentialsByID[userIDStr] = [
+ ...credentialsByID[userIDStr],
+ {
+ credentialID: regResult.response.credentialID,
+ publicKey: regResult.response.publicKey,
+ }
+ ];
+ } else {
+ credentialsByID[userIDStr] = [{
+ credentialID: regResult.response.credentialID,
+ publicKey: regResult.response.publicKey,
+ }]
+ }
 
  console.log("regResult:",regResult);
  }
  }
  catch (err) {
  logError(err);
+
+ if (err.cause instanceof Error) {
+ var errorString = err.cause.toString();
+ if (errorString.includes("credentials already registered with the relying party")) {
+ showError(`
+ A credential already exists for this User ID.
+ Please try a different User ID or pick a different authenticator.
+ `);
+ return
+ }
+ } 
+
  showError("Registering credential failed. Please try again.");
  }
 }
@@ -278,7 +304,10 @@ async function promptProvideAuth() {
 
  cancelToken = new AbortController();
  var authOptions = authDefaults({
- allowCredentials: [ { type: "public-key", id: credentialsByID[userID].credentialID, }, ],
+ allowCredentials: credentialsByID[userID].map(({ credentialID }) => ({ 
+ type: "public-key", 
+ id: credentialID, 
+ })),
  signal: cancelToken.signal,
  });
  try {