mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-03 08:18:42 +08:00
**Currently, passkey registration has two bugs:**

1. Registration fails with an HTTP 500 for authenticators that include extension data (i.e. `hmac-secret` in their attestation response) because we slice all bytes after the credential ID as the public key.
2. Registration fails with `NotAllowedError` on some hardware keys (i.e. Solo 2) because `pubKeyCredParams` includes invalid HMAC symmetric algorithms from the `COSE` gem, which strict authenticator firmware rejects.

**This fix:**

1. Uses `CBOR::Unpacker` streaming decode to read exactly one `CBOR` object from the byte stream, stopping before any trailing extension data. Also adds `COSE::MalformedKeyError` to the rescue block so future failures return a proper error response.
2. Replaces the blanket `COSE::Algorithm.registered_algorithm_ids` with an explicit list of asymmetric signature algorithms valid for `WebAuthn`.

Meta bug report: https://meta.discourse.org/t/cant-set-up-passkey-on-any-discourse/397642/

| Name |
|---|
| .. |
| authentication_service_spec.rb |
| challenge_generator_spec.rb |
| discourse_webauthn_spec.rb |
| registration_service_spec.rb |
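
The first bug in the commit message above, as an added example that is not Discourse's code: a stdlib-only scanner stands in for the `CBOR::Unpacker` streaming decode, finding where the single COSE key item ends so the trailing extension map is not treated as key bytes. The function names and the sample authenticator data are constructed for illustration.

```ruby
# Added example (not Discourse's code); stdlib only, definite-length CBOR only.
# Returns the offset just past the single CBOR item starting at `pos`.
def cbor_item_end(bytes, pos)
  initial = bytes.getbyte(pos)
  raise ArgumentError, "truncated CBOR" if initial.nil?
  major, info = initial >> 5, initial & 0x1f
  pos += 1
  raise ArgumentError, "indefinite or reserved length" if info > 27
  arg = info
  if info >= 24
    width = 1 << (info - 24) # argument is 1, 2, 4 or 8 big-endian bytes
    raise ArgumentError, "truncated CBOR" if pos + width > bytes.bytesize
    arg = bytes.byteslice(pos, width).bytes.inject(0) { |n, b| (n << 8) | b }
    pos += width
  end
  case major
  when 2, 3 # byte or text string: skip the payload
    raise ArgumentError, "truncated CBOR" if pos + arg > bytes.bytesize
    pos += arg
  when 4 then arg.times { pos = cbor_item_end(bytes, pos) }       # array
  when 5 then (arg * 2).times { pos = cbor_item_end(bytes, pos) } # map
  when 6 then pos = cbor_item_end(bytes, pos)                     # tag
  end
  pos # majors 0, 1 and 7 carry nothing beyond the argument
end

# authData: rpIdHash(32) flags(1) signCount(4) aaguid(16) credIdLen(2) credId,
# then the COSE key and, when the ED flag is set, an extensions map.
def split_attested_credential(auth_data)
  flags = auth_data.getbyte(32)
  raise ArgumentError, "no attested credential data" if auth_data.bytesize < 55 || (flags & 0x40).zero?
  cred_len = auth_data.byteslice(53, 2).unpack1("n")
  key_start = 55 + cred_len
  key_end = cbor_item_end(auth_data, key_start)
  { credential_id: auth_data.byteslice(55, cred_len),
    public_key: auth_data.byteslice(key_start, key_end - key_start),
    extensions: auth_data.byteslice(key_end..),
    naive_public_key: auth_data.byteslice(key_start..) } # the slice the bug took
end

# Constructed sample: ES256 COSE key followed by {"hmac-secret": true}.
def sample_auth_data
  cose_key = [0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20,
              *Array.new(32, 0x11), 0x22, 0x58, 0x20, *Array.new(32, 0x22)].pack("C*")
  extensions = [0xa1, 0x6b].pack("C*") + "hmac-secret".b + [0xf5].pack("C")
  ("\x00".b * 32) + [0xc1].pack("C") + [0].pack("N") + ("\x00".b * 16) +
    [4].pack("n") + "cred".b + cose_key + extensions
end
```

On the sample, `public_key` is the 77-byte COSE map alone, while `naive_public_key` also carries the 14-byte extension map, which is the input a strict key parser rejects.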