feat/530-remove-user-id-footgun #552

Merged
merged 12 commits into from
Apr 12, 2024

MasterKale (Owner) commented Apr 12, 2024

This PR updates @simplewebauthn/server and @simplewebauthn/browser to always base64url-encode the now optional userID bytes. In addition, a 32-byte-long random user identifier will now be generated when calling generateRegistrationOptions() without specifying a value for userID.

Going forward SimpleWebAuthn will encourage new library users to not specify a value for userID! The docs will be updated accordingly once this all goes live.

However, existing users that upgrade to v10 of @simplewebauthn/browser (containing these changes) and wish to continue specifying their own UTF-8 user IDs can continue to do so by accounting for this when generating registration options and parsing userHandle after authentication.

Fixes #530.

Breaking Changes

String values for userID are no longer allowed.

The library will throw an error with a link to https://simplewebauthn.dev/docs/advanced/server/custom-user-ids for refactor guidance. The guidance will boil down to wrapping existing string identifiers in a call to isoUint8Array.fromUTF8String() to get them to Uint8Arrays, and then using isoBase64URL.toString() on userHandle after auth to get back the UTF-8 user identifier.

Before:

```ts
// @simplewebauthn/server
const opts = generateRegistrationOptions({
  // ...
  userID: 'randomUserID',
});
```

```ts
// @simplewebauthn/browser
const credential = await startAuthentication(...);
sendToServer(credential);
```

```ts
// @simplewebauthn/server
const credential = await receiveFromBrowser();
console.log(
  credential.response.userHandle,  // 'randomUserID'
);
```

After:

```ts
// @simplewebauthn/server
import { isoUint8Array } from '@simplewebauthn/server/helpers';

const opts = generateRegistrationOptions({
  // ...
  // Convert the existing string identifier to UTF-8 bytes
  userID: isoUint8Array.fromUTF8String('randomUserID'),
});
```

```ts
// @simplewebauthn/browser
const credential = await startAuthentication(...);
sendToServer(credential);
```

```ts
// @simplewebauthn/server
import { isoBase64URL } from '@simplewebauthn/server/helpers';

const credential = await receiveFromBrowser();
console.log(
  // userHandle is now base64url; decode it back to the UTF-8 identifier
  isoBase64URL.toUTF8String(credential.response.userHandle),  // 'randomUserID'
);
```

isoBase64URL.toString() and isoBase64URL.fromString() have been renamed

The method names have been updated to reflect the use of UTF-8 string encoding.

Before:

```ts
const foo = isoBase64URL.toString('...');
const bar = isoBase64URL.fromString('...');
```

After:

```ts
const foo = isoBase64URL.toUTF8String('...');
const bar = isoBase64URL.fromUTF8String('...');
```

@MasterKale MasterKale added this to the v10.0.0 milestone Apr 12, 2024
@MasterKale MasterKale added package:browser @simplewebauthn/browser package:server @simplewebauthn/server package:types @simplewebauthn/typescript-types labels Apr 12, 2024
@MasterKale MasterKale removed this from the v10.0.0 milestone Apr 12, 2024
@MasterKale MasterKale merged commit b2a6e96 into master Apr 12, 2024
1 check passed
@MasterKale MasterKale deleted the feat/530-remove-user-id-footgun branch April 12, 2024 20:34
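
Added example (not code from this PR or from SimpleWebAuthn): the round trip that the custom user ID migration in the PR description relies on, plus the case it does not cover, a 32-byte generated ID whose bytes are not valid UTF-8. The helper names are hypothetical stand-ins built on Node's `Buffer`, `TextEncoder` and `TextDecoder`, and the sample IDs are constructed.

```javascript
// Added example. Helper names are hypothetical stand-ins built on Node
// globals; they are not the @simplewebauthn/server API.
const utf8Encoder = new TextEncoder();
// fatal: true makes invalid UTF-8 throw instead of decoding to U+FFFD.
const strictUtf8Decoder = new TextDecoder('utf-8', { fatal: true });

// Registration: custom string ID -> UTF-8 bytes -> base64url, the form
// in which the user ID travels to the browser and back as userHandle.
function encodeCustomUserID(id) {
  return Buffer.from(utf8Encoder.encode(id)).toString('base64url');
}

// Authentication: base64url userHandle -> UTF-8 string, or null when the
// bytes are not valid UTF-8 (expected for a randomly generated ID).
function decodeUserHandle(userHandle) {
  try {
    return strictUtf8Decoder.decode(Buffer.from(userHandle, 'base64url'));
  } catch {
    return null;
  }
}

// Keying the account store on the base64url handle works for both kinds
// of ID, so the lookup never has to guess whether a handle is text.
function findAccount(accounts, userHandle) {
  return accounts.get(userHandle) ?? null;
}

// Constructed sample of a generated ID: 32 bytes (0xe0..0xff) that can
// never form valid UTF-8.
const generatedHandle = Buffer.from(
  Uint8Array.from({ length: 32 }, (_, i) => 0xe0 + i),
).toString('base64url');

// Constructed account store: one migrated custom ID, one generated ID.
const accounts = new Map([
  [encodeCustomUserID('randomUserID'), { name: 'legacy-user' }],
  [generatedHandle, { name: 'new-user' }],
]);

console.log(encodeCustomUserID('randomUserID'));
console.log(decodeUserHandle(encodeCustomUserID('randomUserID')));
console.log(decodeUserHandle(generatedHandle));
console.log(findAccount(accounts, generatedHandle).name);
```
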
Successfully merging this pull request may close these issues.

Remove footgun related to random user IDs