This repository has been archived by the owner on Nov 8, 2024. It is now read-only.
Consider validating server responses on the JS side #64
Comments
|
I consider this lower priority, as the default UI is intended to be used with our default filter implementations. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
The JS code expects server responses to adhere to a certain format ; e.g. the call to
/webauthn/register/optionsshould return certain fields. The Spring Security implementation is expected to respond with the correct format, but user implementations may be incorrect, missing a field, having an incorrect type, etc.Currently the JS throws an error, and the message might be surprising, e.g.
can't access property "replace", base64url is undefinedinstead of something akin tothe /webauthn/register/options call should have a "user.id" property.Following the stack trace, a user may be able to find what the problem is, but it is not trivial, as it might be the second or third line in the stack trace that shows the incriminating call site.
Responses to validate:
/webauthn/register/options/webauthn/register/webauthn/authenticate/options/login/webauthnThe text was updated successfully, but these errors were encountered: