config/tfa: webauthn: disallow registering a token twice

by adding the existing credential id to the 'excludeCredentials' list this prevents the browser from registering a token twice, which lets authentication fail on some browser/token combinations (e.g. onlykey/solokey+chromium) while is seems this is currently a bug in chromium, in a future spec update the underlying behaviour should be better defined, making this an authenticator bug also explicitly catch registering errors and show appropriate error messages 0: https://bugs.chromium.org/p/chromium/issues/detail?id=1087642 Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2021-02-25 10:01:21 +01:00
parent b452e2df74
commit 831c43c91b
2 changed files with 39 additions and 3 deletions
--- a/src/config/tfa.rs
+++ b/src/config/tfa.rs
@ -803,9 +803,20 @@ impl TfaUserData {
        userid: &Userid,
        description: String,
    ) -> Result<String, Error> {
+        let cred_ids: Vec<_> = self
+            .enabled_webauthn_entries()
+            .map(|cred| cred.cred_id.clone())
+            .collect();
+
        let userid_str = userid.to_string();
-        let (challenge, state) = webauthn
-            .generate_challenge_register(&userid_str, Some(UserVerificationPolicy::Discouraged))?;
+        let (challenge, state) = webauthn.generate_challenge_register_options(
+            userid_str.as_bytes().to_vec(),
+            userid_str.clone(),
+            userid_str.clone(),
+            Some(cred_ids),
+            Some(UserVerificationPolicy::Discouraged),
+        )?;
+
        let challenge_string = challenge.public_key.challenge.to_string();
        let challenge = serde_json::to_string(&challenge)?;