[Bug] | Passkey Creation - Unable to register #338

Open
2 tasks done
upstreamsea opened this issue Mar 24, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@upstreamsea

Are you using the latest release?

  • Yes, I am using the latest release.

Have you checked a bug report doesn't already exist?

  • Yes, I have checked the existing bug reports.

What happened?

Whenever trying to add a passkey, 2 errors are returned:

  • Unexpected RP ID hash
  • InvalidRegistrationResponse

This issue happens on all devices, and has had issues on the latest versions of Chrome, Edge, and Safari.

Virtualisation

Docker

What operating system are you seeing the problem on?

Linux

What browsers are you seeing the problem on?

Chrome, Safari, Microsoft Edge

Project Location

Local

Bug Description

Unable to create Passkey, results in error.

Steps to Reproduce

No response

Relevant Log Output

"GET /api/mfa/registration HTTP/1.1" 200 461 "https://join.tl8.org/admin/settings/mfa"
20:29:58 INFO 127.0.0.1 - - [2024-03-23 20:29:58] "GET /api/mfa/registration HTTP/1.0" 200 704 0.072868
[2024-03-23 20:30:00,296] ERROR in app: Exception on /api/mfa/registration [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_restx/api.py", line 404, in wrapper
    resp = resource(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_restx/resource.py", line 46, in dispatch_request
    resp = meth(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_jwt_extended/view_decorators.py", line 170, in decorator
    return current_app.ensure_sync(fn)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/wizarr/backend/api/routes/mfa_api.py", line 258, in post
    verified_credential = verify_registration_response(
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/webauthn/registration/verify_registration_response.py", line 163, in verify_registration_response
    raise InvalidRegistrationResponse("Unexpected RP ID hash")
webauthn.helpers.exceptions.InvalidRegistrationResponse: Unexpected RP ID hash
20:30:00 ERROR Exception on /api/mfa/registration [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_restx/api.py", line 404, in wrapper
    resp = resource(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask/views.py", line 109, in view
    return current_app.ensure_sync(self.dispatch_request)(**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_restx/resource.py", line 46, in dispatch_request
    resp = meth(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/flask_jwt_extended/view_decorators.py", line 170, in decorator
    return current_app.ensure_sync(fn)(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/wizarr/backend/api/routes/mfa_api.py", line 258, in post
    verified_credential = verify_registration_response(
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/webauthn/registration/verify_registration_response.py", line 163, in verify_registration_response
    raise InvalidRegistrationResponse("Unexpected RP ID hash")
webauthn.helpers.exceptions.InvalidRegistrationResponse: Unexpected RP ID hash
"POST /api/mfa/registration HTTP/1.1" 500 124 "https://join.tl8.org/admin/settings/mfa"
20:30:00 INFO 127.0.0.1 - - [2024-03-23 20:30:00] "POST /api/mfa/registration HTTP/1.0" 500 386 0.032193
@upstreamsea upstreamsea added the bug Something isn't working label Mar 24, 2024
@WeetbixNMilk

Just confirming if this issue is fixed or still exists?
I am having the same issue and my setup/errors match yours.

@ecapuano

Same issue.

@Cousclou

Cousclou commented Oct 4, 2024

I modified the API at "/wizarr/backend/api/routes/mfa_api.py" to fix the RP_ID error.

I am not a Python expert; I relied quite a bit on ChatGPT, but this could already be a lead for a future correction:

Definition of the RP_ID and RP_ORIGIN constants:

RP_ID = "wizarr.domaine.tld"
RP_ORIGIN = "https://wizarr.domaine.tld"

Using Constants in MFARegisterAPI.get

Using RP ID and RP ORIGIN Constants

rp_id = RP_ID
rp_name = "Wizarr"
user_id = str(current_user["id"])
user_name = str(current_user["username"])

Instead of deriving rp_id dynamically from the headers, it is now fixed to RP_ID.

Verifying the Registration Response with Constants

verified_credential = verify_registration_response(
    credential=RegistrationCredential.parse_raw(credential),
    expected_challenge=registration_options.challenge,
    expected_rp_id=RP_ID,  # Use the defined RP ID
    expected_origin=RP_ORIGIN  # Use the defined origin
)

This ensures that the verification always uses the correct RP ID and origin.

Using Constants in MFAAuthenticateAPI

Using RP ID and RP ORIGIN Constants

rp_id = RP_ID

Similarly, during authentication, the RP ID and origin are set to constant values.

Exception Handling with Logs

except InvalidRegistrationResponse as e:
    info(f"Error during MFA registration: {str(e)}")
    return {"message": "Invalid registration response"}, 400

Code:

https://memos.cous.re/m/WyAN2h2eiiKBA6wSJw5zUg

There is also a flaw in the connection; you need to enter the login to use the passkey. Ideally, it should be possible to use the passkey without having to enter the login, and even better, to disable the login in favor of the passkey.


And it works when I enter the login:

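An added example, not part of the comment above or of the Wizarr code base: it reproduces the check behind "Unexpected RP ID hash" (the first 32 bytes of the authenticator data are the SHA-256 of the RP ID the browser used) and shows why an RP ID taken from request headers fails while a configured one matches. The setting names `WEBAUTHN_RP_ID` and `WEBAUTHN_RP_ORIGIN`, the helper names and the proxied `Host` value are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the RP ID, as carried in the first 32 bytes of authenticator data."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


def rp_id_matches(authenticator_data: bytes, expected_rp_id: str) -> bool:
    """The comparison whose failure surfaces as 'Unexpected RP ID hash'."""
    if len(authenticator_data) < 37:  # 32-byte hash + 1 flags byte + 4-byte counter
        raise ValueError("authenticator data too short")
    return hmac.compare_digest(authenticator_data[:32], rp_id_hash(expected_rp_id))


def rp_id_from_host_header(host: str) -> str:
    """Header-derived RP ID (the pattern the comment replaces): Host minus port."""
    return urlsplit("//" + host).hostname or ""


def load_rp_config(env: dict) -> tuple[str, str]:
    """Read RP ID and origin from settings and reject an inconsistent pair."""
    rp_id = env["WEBAUTHN_RP_ID"].lower()   # hypothetical setting name
    origin = env["WEBAUTHN_RP_ORIGIN"]      # hypothetical setting name
    host = urlsplit(origin).hostname or ""
    # The origin's host must be the RP ID itself or a subdomain of it.
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError(f"origin host {host!r} is not within RP ID {rp_id!r}")
    return rp_id, origin


# Constructed sample: the fixed 37-byte header of authenticator data as a browser
# visiting https://wizarr.domaine.tld would produce it (hash, flags, counter).
SAMPLE_AUTH_DATA = rp_id_hash("wizarr.domaine.tld") + bytes([0x45]) + (0).to_bytes(4, "big")
# Constructed Host value a backend might receive behind a reverse proxy.
PROXIED_HOST = "127.0.0.1:8080"

if __name__ == "__main__":
    configured_rp_id, _ = load_rp_config({
        "WEBAUTHN_RP_ID": "wizarr.domaine.tld",
        "WEBAUTHN_RP_ORIGIN": "https://wizarr.domaine.tld",
    })
    derived_rp_id = rp_id_from_host_header(PROXIED_HOST)
    print("header-derived RP ID matches:", rp_id_matches(SAMPLE_AUTH_DATA, derived_rp_id))
    print("configured RP ID matches:    ", rp_id_matches(SAMPLE_AUTH_DATA, configured_rp_id))
```

Reading the two values from deployment settings keeps the fixed-RP-ID behaviour described above without editing `mfa_api.py` per install, and it keeps the relying-party identity out of client-influenced headers.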

@salty2011

I'm not even able to register for a passkey, seems to think Safari, Edge don't support them despite being able to.
