[3.x] FIX: userHandle compatibility between webauthn.js and Webpass (#94

)

src/Assertion/Validator/Pipes/CheckCredentialIsForUser.php

@@ -4,6 +4,7 @@
 
 use Closure;
 use Laragear\WebAuthn\Assertion\Validator\AssertionValidation;
+use Laragear\WebAuthn\ByteBuffer;
 use Laragear\WebAuthn\Exceptions\AssertionException;
 use Ramsey\Uuid\Exception\InvalidUuidStringException;
 use Ramsey\Uuid\Uuid;
@@ -67,12 +68,18 @@ protected function validateId(AssertionValidation $validation): void
         // of the authenticator, which is pushed from the application to be saved. If
         // the userHandle cannot be decoded and normalized, then surely is invalid.
         try {
-            $handle = Uuid::fromString($validation->json->get('response.userHandle'))->getHex()->toString();
+            $handle = Uuid::fromString($validation->json->get('response.userHandle'));
         } catch (InvalidUuidStringException) {
-            throw AssertionException::make('The userHandle is not a valid hexadecimal UUID (32/36 characters).');
+            try {
+                // This is required for compatibility with credentials created by versions
+                // of Webpass that used SimpleWebAuthn/browser < v10.0.0
+                $handle = Uuid::fromString(ByteBuffer::decodeBase64Url($validation->json->get('response.userHandle')));
+            } catch (InvalidUuidStringException) {
+                throw AssertionException::make('The userHandle is not a valid hexadecimal UUID (32/36 characters).');
+            }
         }
 
-        if (! hash_equals(Uuid::fromString($validation->credential->user_id)->getHex()->toString(), $handle)) {
+        if (! hash_equals(Uuid::fromString($validation->credential->user_id)->getHex()->toString(), $handle->getHex()->toString())) {
             throw AssertionException::make('User ID is not owner of the stored credential.');
         }
     }

src/Attestation/Creator/Pipes/AddUserDescriptor.php

@@ -4,6 +4,7 @@
 
 use Closure;
 use Laragear\WebAuthn\Attestation\Creator\AttestationCreation;
+use Ramsey\Uuid\Uuid;
 
 /**
  * @internal
@@ -19,7 +20,7 @@ public function handle(AttestationCreation $attestable, Closure $next): mixed
         $existingId = $attestable->user->webAuthnCredentials()->getQuery()->value('user_id');
 
         $attestable->json->set('user', [
-            'id' => $existingId ?: $attestable->user->webAuthnId()->getHex()->toString(),
+            'id' => ($existingId ? Uuid::fromString($existingId) : $attestable->user->webAuthnId())->getHex()->toString(),
             ...$attestable->user->webAuthnData(),
         ]);
 

tests/Assertion/ValidationTest.php

@@ -277,6 +277,19 @@ public function test_credential_check_is_malformed_user_handle(): void
         $this->validator->send($this->validation)->thenReturn();
     }
 
+    public function test_credential_check_base64_user_handle(): void
+    {
+        $assertionResponse = FakeAuthenticator::assertionResponse();
+
+        $assertionResponse['response']['userHandle'] = base64_encode($assertionResponse['response']['userHandle']);
+
+        $this->validation->json = new JsonTransport($assertionResponse);
+
+        $this->validation->user = WebAuthnAuthenticatableUser::query()->first();
+
+        static::assertInstanceOf(AssertionValidation::class, $this->validator->send($this->validation)->thenReturn());
+    }
+
     public function test_credential_check_is_not_for_user_id(): void
     {
         DB::table('webauthn_credentials')->where('id', FakeAuthenticator::CREDENTIAL_ID)->update([

tests/Attestation/CreatorTest.php

@@ -170,7 +170,7 @@ public function test_user_reuses_uuid_from_other_credential(): void
         ])->save();
 
         $this->response()
-            ->assertJsonPath('user.id', $uuid->toString());
+            ->assertJsonPath('user.id', $uuid->getHex()->toString());
     }
 
     public function test_adds_existing_credentials_if_unique_by_default(): void