laragear / webauthn Goto Github PK

PHP & Platform

8.3.3 - Linux aarch64

Database

MariaDB 11.3.2

Laravel version

10.48.3

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

Migrate create_webauthn_credentials

Description

Table index names have a maximum length of 64 characters. The relevant generated index name is 66 characters long:

webauthn_credentials_authenticatable_type_authenticatable_id_index

Maybe this is more of an issue for laragear/meta-model

A possible workaround is to shorten the table name in AppServiceProvider before run the migration:

<?php

namespace App\Providers;

use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function register(): void
    {
        \Laragear\WebAuthn\Models\WebAuthnCredential::$useTable = 'webauthn';

    }
}

However, this is not so elegant. The max length also applies to MySQL or PostgreSQL.

Reproduction

php artisan webauthn:install;
php artisan migrate;

Stack trace & logs

2024_03_15_173020_create_webauthn_credentials  6ms FAIL

Illuminate\Database\QueryException 

SQLSTATE[42000]: Syntax error or access violation: 1059 Identifier name 'webauthn_credentials_authenticatable_type_authenticatable_id_index' is too long (Connection: mariadb, SQL: alter table `webauthn_credentials` add index `webauthn_credentials_authenticatable_type_authenticatable_id_index`(`authenticatable_type`, `authenticatable_id`))

  at vendor/laravel/framework/src/Illuminate/Database/Connection.php:829
    825▕                     $this->getName(), $query, $this->prepareBindings($bindings), $e
    826▕                 );
    827▕             }
    828▕ 
  ➜ 829▕             throw new QueryException(
    830▕                 $this->getName(), $query, $this->prepareBindings($bindings), $e
    831▕             );
    832▕         }
    833▕     }

      +45 vendor frames 

  46  artisan:35
      Illuminate\Foundation\Console\Kernel::handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))

PHP & Platform

Laravel version

Authenticator type

No response

OS and Browser versions

No response

Have you done this?

• I am willing to share my stack trace and logs
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

All imports of php attributes should be provided in composer.

Description

When using vscode attributes are not being recognised:

    #[ArrayShape(['binaryData' => "string"])]
    public function __serialize(): array
    {
        return ['binaryData' => static::encodeBase64Url($this->binaryData)];
    }

Those require

use JetBrains\PhpStorm\ArrayShape;

Reproduction

Open ByteBuffer.php in vscode.

Stack trace & logs

No response

Attestation / Assertion objects

No response

Are you a Patreon supporter?

No, don't give priority to this

PHP & Platform

8.2.1 & MacOs

Database

No response

Laravel version

10

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

PhpStorm doesn't throw a warning

Description

When I add: // WebAuthn Routes WebAuthn::routes(); to my routes file, I get a warning: Class WebAuthn is marked as @internal

Reproduction

Import the routes in your routes files in Phpstorm

Stack trace & logs

No response

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

Please i am trying to use webauthn in my app i had to upgrade to laravel 9 to user Laragear/WebAuthn because i was unable to set up Larapass and i can't create any issue there.

Wel Successfull Set WebAuthn but having Issue registering Device...
I get 422 Error Code

And when I tried publishing the config file.

php artisan vendor:publish --provider="Laragear\WebAuthn\WebAuthnServiceProvider" --tag="config"

It doesn't work.

Please I need guidelines on how to successfully set it up

Code sample

public function register(AttestedRequest $request): Response
    {
        $request->save();

        return response()->noContent();
    }

PHP & Platform

8.1.6 - Windows 11

Database

MySQL 8.0.27

Laravel version

9.33.0

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

On new install, have in my /routes/web

use Laragear\WebAuthn\WebAuthn;
WebAuthn::routes();

When I try to use the register/options route, I get a 500 error

Description

In the log, I get this:

[2022-10-04 01:07:58] local.ERROR: Target class [App\Http\Controllers\App\Http\Controllers\WebAuthn\WebAuthnRegisterController] does not exist. {"exception":"[object] (Illuminate\\Contracts\\Container\\BindingResolutionException(code: 0): Target class [App\\Http\\Controllers\\App\\Http\\Controllers\\WebAuthn\\WebAuthnRegisterController] does not exist. at C:\\wamp\\www\\station\\vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php:877)
[stacktrace]

It appears that there is a namespacing issue because App\Http\Controllers is repeated.

For example, when I put the following in my web.php file, it works:

Route::controller(WebAuthnRegisterController::class)->middleware('web')->prefix('webauthn')->group(function () {
  Route::post('register/options', 'options')->name('webauthn.register.options');
  Route::post('register', 'register')->name('webauthn.register');
});
Route::controller(WebAuthnLoginController::class)->middleware('web')->prefix('webauthn')->group(function () {
  Route::post('login/options', 'options')->name('webauthn.login.options');
  Route::post('login', 'login')->name('webauthn.login');
});

Reproduction

As above

Stack trace & logs

as above

PHP & Platform

8.2.2

Database

No response

Laravel version

10.13.5

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When calling new WebAuthn().register() the request to /webauthn/register/options should succeed.

Description

But is does not:

Reproduction

On a Fresh install,

update vite.config.js

-input: ['resources/css/app.css', 'resources/js/app.js'],
+input: ['resources/css/app.css', 'resources/js/app.js', 'resources/js/webauthn/webauthn.js'],

add WebAuthn::routes(); to routes/web.php,

then create a page like:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title></title>
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <link rel="preconnect" href="https://fonts.bunny.net">
    @vite('resources/js/app.js')
    <script src="{{ Vite::asset('/resources/js/vendor/webauthn/webauthn.js') }}"></script>
</head>
<body>
    <main>
        <form id="register-form">
            <button type="submit" value="Register authenticator">Register authenticator</button>
        </form>

<script defer>
if (WebAuthn.doesntSupportWebAuthn()) {
    alert('Your device is not secure enough to use this site!');
}

const register = event => {
    event.preventDefault()

    new WebAuthn().register()
      .then(response => alert('Registration successful!'))
      .catch(error => alert('Something went wrong, try again!'))
}

document.getElementById('register-form').addEventListener('submit', register)
</script>

    </main>
</body>
</html>

load the page page and click the button. 💥

Stack trace & logs

No response

PHP & Platform

8.1.23 - Ubuntu 22.04.3 LTS WSL

Database

MySQL 8.0.33-0ubuntu0.22.04.4

Laravel version

10.10

Have you done this?

• I have checked my logs and I'm sure is a bug in this package. - [X] I can reproduce this bug in isolation (vanilla Laravel install) - [ ] I can suggest a workaround as a Pull Request

Expectation

Just installed this package did not change anything, following the documentation, attestation does not work and I need help . Thanks :)

Description

[2023-09-24 08:12:33] local.ERROR: SQLSTATE[01000]: Warning: 1265 Data truncated for column 'authenticatable_id' at row 1 (Connection: mysql, SQL: insert into webauthn_credentials (authenticatable_id, authenticatable_type, id, user_id, alias, counter, rp_id, origin, transports, aaguid, public_key, attestation_format, updated_at, created_at) value (detail in the stack logs).

I used ulid instead of id in the users table.

Reproduction

async function func_registerkey () { new WebAuthn().register().then(response => { alert('Registration successful!') }).catch(error => { console.log(error); alert('Something went wrong, try again!') }); }

Stack trace & logs

shell [2023-09-24 08:12:33] local.ERROR: SQLSTATE[01000]: Warning: 1265 Data truncated for column 'authenticatable_id' at row 1 (Connection: mysql, SQL: insert into `webauthn_credentials` (`authenticatable_id`, `authenticatable_type`, `id`, `user_id`, `alias`, `counter`, `rp_id`, `origin`, `transports`, `aaguid`, `public_key`, `attestation_format`, `updated_at`, `created_at`) values (01hanwjtzrrn2mf7wfpa9ns6jb, App\Models\User, Ki0iUkN3NYMdIQnQxRgyGQ, c9b23794b1fa48cdb9f6b31440c28958, ?, 0, https://dev.test, https://dev.test, ?, 531126d6-e717-415c-9320-3d9aa6981239, eyJpdiI6InlaS2ZPdmxuL1cxajdPdWRYcHk2OVE9PSIsInZhbHVlIjoiU3owM3RuNy9nZCtHRi80dDlUMVFPZ0FCUFAvamZUYlJDL0ZXY0cyS0ZZS3dLdTdWTUVNUVU2dURTbXJrRlZ2Skw5RFQ5dUltanBoV1ZkWllMSUJIYXBmQTlHS2w0b3dLWCt3T1RsUXp0UXhrc0xXQkpqamZPZ3kvcFVVY0hWVVRwZTkrVU1VSjlnUzNXQ2dBR1lVT0F5ZHRLOUVMZWdoM0NJWGYwY1U5OEtWellLNkt1Yk5sRVV6WmdFM3RZVTg0MDhMVGNpR29kSUZmUk90dy94TkJNV3VNVUJWTDdPYjdTaTV5SG9mRzh2aFdXWW83S2Q5YVpDUlh3VlU2VWpyTiIsIm1hYyI6ImQ2NTcxZWY1YzQxYzA3NTIzNDY3ZWY1NmQ1ZWQ1MDUyZDQyYzZjYzg4ZDI5YjE1OWQyZTI5ODE3YjY4ZWRkM2YiLCJ0YWciOiIifQ==, none, 2023-09-24 08:12:33, 2023-09-24 08:12:33)) {"userId":"01hanwjtzrrn2mf7wfpa9ns6jb","exception":"[object] (Illuminate\\Database\\QueryException(code: 01000): SQLSTATE[01000]: Warning: 1265 Data truncated for column 'authenticatable_id' at row 1 (Connection: mysql, SQL: insert into `webauthn_credentials` (`authenticatable_id`, `authenticatable_type`, `id`, `user_id`, `alias`, `counter`, `rp_id`, `origin`, `transports`, `aaguid`, `public_key`, `attestation_format`, `updated_at`, `created_at`) values (01hanwjtzrrn2mf7wfpa9ns6jb, App\\Models\\User, Ki0iUkN3NYMdIQnQxRgyGQ, c9b23794b1fa48cdb9f6b31440c28958, ?, 0, https://dev.test, https://dev.test, ?, 531126d6-e717-415c-9320-3d9aa6981239, eyJpdiI6InlaS2ZPdmxuL1cxajdPdWRYcHk2OVE9PSIsInZhbHVlIjoiU3owM3RuNy9nZCtHRi80dDlUMVFPZ0FCUFAvamZUYlJDL0ZXY0cyS0ZZS3dLdTdWTUVNUVU2dURTbXJrRlZ2Skw5RFQ5dUltanBoV1ZkWllMSUJIYXBmQTlHS2w0b3dLWCt3T1RsUXp0UXhrc0xXQkpqamZPZ3kvcFVVY0hWVVRwZTkrVU1VSjlnUzNXQ2dBR1lVT0F5ZHRLOUVMZWdoM0NJWGYwY1U5OEtWellLNkt1Yk5sRVV6WmdFM3RZVTg0MDhMVGNpR29kSUZmUk90dy94TkJNV3VNVUJWTDdPYjdTaTV5SG9mRzh2aFdXWW83S2Q5YVpDUlh3VlU2VWpyTiIsIm1hYyI6ImQ2NTcxZWY1YzQxYzA3NTIzNDY3ZWY1NmQ1ZWQ1MDUyZDQyYzZjYzg4ZDI5YjE1OWQyZTI5ODE3YjY4ZWRkM2YiLCJ0YWciOiIifQ==, none, 2023-09-24 08:12:33, 2023-09-24 08:12:33)) at /var/www/projects/evangeline/vendor/laravel/framework/src/Illuminate/Database/Connection.php:801) [stacktrace] #0 /var/www/projects/evangeline/vendor/laravel/framework/src/Illuminate/Database/Connection.php(755): Illuminate\\Database\\Connection->runQueryCallback() #1 /var/www/projects/evangeline/vendor/laravel/framework/src/Illuminate/Database/Connection.php(581): Illuminate\\Database\\Connection->run() #2 /var/www/projects/evangeline/vendor/laravel/framework/src/Illuminate/Database/Connection.php(533): Illuminate\\Database\\Connection->statement() #3 /var/www/projects/evangeline/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(3338): Illuminate\\Database\\Connection->insert() #4 /var/www/projects/evangeline/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php(1968): Illuminate\\Database\\Query\\Builder->insert() #5 /var/www/projects/evangeline/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Model.php(1309): Illuminate\\Database\\Eloquent\\Builder->__call() #6 /var/www/projects/evangeline/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Model.php(1137): Illuminate\\Database\\Eloquent\\Model->performInsert() #7 /var/www/projects/evangeline/vendor/laragear/webauthn/src/Http/Requests/AttestedRequest.php(83): Illuminate\\Database\\Eloquent\\Model->sav

PHP & Platform

8.2.1 & MacOs

Database

No response

Laravel version

10

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

My understanding is that if there is no associated credential to the user, the challenge should be empty.

Description

I created a new user and on the first login, I want the user to login via the password as no passkey as been saved to the device yet. But, when I hit the /login/options route, I get a challenge instead of the null value.

Reproduction

1- Create a new user
2- Send the email as the credential to the `/login/options` route

Stack trace & logs

No response

PHP & Platform

8.2.2

Database

No response

Laravel version

10.13.5

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

On a login/register options request, if validation fails, errors should be availabe in the catch(resposne => {}) method.

Description

On a login/register options request, if validation fails, there is no way to display the specific errors to the user.

Reproduction

new WebAuthn().login({
    email: 'not a valid email',
}, {
    remember: 'on',
}).then(response => {
    // 
})
    .catch(response => {

    if (reponse.status === 422) {

        // response.errors should be an array of errors, and response.message should be the main validation message

        let errors = response.errors;
        for (let key in errors) {
            document.getElementById(key).setCustomValidity(errors[key][0]);
            document.getElementById(key).reportValidity();
        }

        return;
    }

})

Stack trace & logs

No response

PHP & Platform

8.1.2 & Ubuntu

Database

No response

Laravel version

9

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

Description

Hey Guys,

The README file talks about an AttestationController file. This is not created during installation.

1. How do I create these?
2. How does Laravel know to speak to this controller?

Reproduction

-

Stack trace & logs

No response

PHP & Platform

8.3.7 MacOS

Database

MariaDB 11.3.2

Laravel version

11.7.0

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

I've gone through the README steps in a brand new Laravel install.

I've configured the user provider to eloquent-webauthn as described in the readme:

    'providers' => [
        'users' => [
            'driver' => 'eloquent-webauthn',
            'model' => App\Models\User::class,
            'password_fallback' => false,
        ],
    ],

I ran the install and migrate scripts

php artisan webauthn:install
php artisan migrate

Description

When attempting to log in, I get a database error:

Column not found: 1054 Unknown column 'rawId' in 'where clause'

Looking at my database, I don't see that column on the users table either.

Reproduction

await Webpass.assert("/webauthn/login/options", "/webauthn/login")

### Stack trace & logs

```shell
[2024-05-18 17:50:12] local.ERROR: SQLSTATE[42S22]: Column not found: 1054 Unknown column 'rawId' in 'where clause' (Connection: mysql, SQL: select * from `users` where `id` = QnWxGTtsch2q8KZef5SOl7Z2yYHSVdvhQ_JP7vLH9tk and `rawId` = QnWxGTtsch2q8KZef5SOl7Z2yYHSVdvhQ_JP7vLH9tk and `response` in (SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MFAAAAAA, eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoib3JMd21VTVA1VjFQdWo4cXBsVjVDQSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMCIsImNyb3NzT3JpZ2luIjpmYWxzZX0, MEUCIQDjh1bTeARNmaNiWSmv4jp7EtRsPVfCHala0-PXkYEJNgIgIXsv10E1GwTp410zovTsXxOMVgu9rZXrOQwhu7Co0i4, ��]�G����=�\�Oz{��ۭu) and `type` = public-key limit 1) {"exception":"[object] (Illuminate\\Database\\QueryException(code: 42S22): SQLSTATE[42S22]: Column not found: 1054 Unknown column 'rawId' in 'where clause' (Connection: mysql, SQL: select * from `users` where `id` = QnWxGTtsch2q8KZef5SOl7Z2yYHSVdvhQ_JP7vLH9tk and `rawId` = QnWxGTtsch2q8KZef5SOl7Z2yYHSVdvhQ_JP7vLH9tk and `response` in (SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MFAAAAAA, eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoib3JMd21VTVA1VjFQdWo4cXBsVjVDQSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMCIsImNyb3NzT3JpZ2luIjpmYWxzZX0, MEUCIQDjh1bTeARNmaNiWSmv4jp7EtRsPVfCHala0-PXkYEJNgIgIXsv10E1GwTp410zovTsXxOMVgu9rZXrOQwhu7Co0i4, ��]�G\u001b׍���=�\\�Oz{��ۭu) and `type` = public-key limit 1) at /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Database/Connection.php:813)
[stacktrace]
#0 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Database/Connection.php(767): Illuminate\\Database\\Connection->runQueryCallback('select * from `...', Array, Object(Closure))
#1 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Database/Connection.php(398): Illuminate\\Database\\Connection->run('select * from `...', Array, Object(Closure))
#2 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(2993): Illuminate\\Database\\Connection->select('select * from `...', Array, true)
#3 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(2978): Illuminate\\Database\\Query\\Builder->runSelect()
#4 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(3566): Illuminate\\Database\\Query\\Builder->Illuminate\\Database\\Query\\{closure}()
#5 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(2977): Illuminate\\Database\\Query\\Builder->onceWithColumns(Array, Object(Closure))
#6 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php(749): Illuminate\\Database\\Query\\Builder->get(Array)
#7 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php(731): Illuminate\\Database\\Eloquent\\Builder->getModels(Array)
#8 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Database/Concerns/BuildsQueries.php(335): Illuminate\\Database\\Eloquent\\Builder->get(Array)
#9 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Auth/EloquentUserProvider.php(139): Illuminate\\Database\\Eloquent\\Builder->first()
#10 /Users/aaronpk/Code/Laravel/vendor/laragear/webauthn/src/Auth/WebAuthnUserProvider.php(59): Illuminate\\Auth\\EloquentUserProvider->retrieveByCredentials(Array)
#11 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php(393): Laragear\\WebAuthn\\Auth\\WebAuthnUserProvider->retrieveByCredentials(Array)
#12 /Users/aaronpk/Code/Laravel/vendor/laragear/webauthn/src/Http/Requests/AssertedRequest.php(57): Illuminate\\Auth\\SessionGuard->attempt(Array, false)
#13 /Users/aaronpk/Code/Laravel/app/Http/Controllers/WebAuthn/WebAuthnLoginController.php(33): Laragear\\WebAuthn\\Http\\Requests\\AssertedRequest->login()
#14 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(46): App\\Http\\Controllers\\WebAuthn\\WebAuthnLoginController->login(Object(Laragear\\WebAuthn\\Http\\Requests\\AssertedRequest))
#15 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Routing/Route.php(260): Illuminate\\Routing\\ControllerDispatcher->dispatch(Object(Illuminate\\Routing\\Route), Object(App\\Http\\Controllers\\WebAuthn\\WebAuthnLoginController), 'login')
#16 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Routing/Route.php(206): Illuminate\\Routing\\Route->runController()
#17 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Routing/Router.php(806): Illuminate\\Routing\\Route->run()
#18 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(144): Illuminate\\Routing\\Router->Illuminate\\Routing\\{closure}(Object(Illuminate\\Http\\Request))
#19 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Routing/Middleware/SubstituteBindings.php(50): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#20 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Routing\\Middleware\\SubstituteBindings->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#21 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php(88): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#22 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Foundation\\Http\\Middleware\\VerifyCsrfToken->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#23 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php(49): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#24 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\View\\Middleware\\ShareErrorsFromSession->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#25 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(121): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#26 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(64): Illuminate\\Session\\Middleware\\StartSession->handleStatefulRequest(Object(Illuminate\\Http\\Request), Object(Illuminate\\Session\\Store), Object(Closure))
#27 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Session\\Middleware\\StartSession->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#28 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php(37): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#29 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Cookie\\Middleware\\AddQueuedCookiesToResponse->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#30 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php(75): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#31 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Cookie\\Middleware\\EncryptCookies->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#32 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(119): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#33 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Routing/Router.php(805): Illuminate\\Pipeline\\Pipeline->then(Object(Closure))
#34 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Routing/Router.php(784): Illuminate\\Routing\\Router->runRouteWithinStack(Object(Illuminate\\Routing\\Route), Object(Illuminate\\Http\\Request))
#35 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Routing/Router.php(748): Illuminate\\Routing\\Router->runRoute(Object(Illuminate\\Http\\Request), Object(Illuminate\\Routing\\Route))
#36 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Routing/Router.php(737): Illuminate\\Routing\\Router->dispatchToRoute(Object(Illuminate\\Http\\Request))
#37 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(200): Illuminate\\Routing\\Router->dispatch(Object(Illuminate\\Http\\Request))
#38 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(144): Illuminate\\Foundation\\Http\\Kernel->Illuminate\\Foundation\\Http\\{closure}(Object(Illuminate\\Http\\Request))
#39 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#40 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ConvertEmptyStringsToNull.php(31): Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#41 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Foundation\\Http\\Middleware\\ConvertEmptyStringsToNull->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#42 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#43 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php(51): Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#44 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Foundation\\Http\\Middleware\\TrimStrings->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#45 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Http/Middleware/ValidatePostSize.php(27): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#46 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Http\\Middleware\\ValidatePostSize->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#47 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(110): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#48 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Foundation\\Http\\Middleware\\PreventRequestsDuringMaintenance->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#49 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Http/Middleware/HandleCors.php(49): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#50 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Http\\Middleware\\HandleCors->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#51 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php(57): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#52 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(183): Illuminate\\Http\\Middleware\\TrustProxies->handle(Object(Illuminate\\Http\\Request), Object(Closure))
#53 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(119): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}(Object(Illuminate\\Http\\Request))
#54 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(175): Illuminate\\Pipeline\\Pipeline->then(Object(Closure))
#55 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(144): Illuminate\\Foundation\\Http\\Kernel->sendRequestThroughRouter(Object(Illuminate\\Http\\Request))
#56 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/Application.php(1172): Illuminate\\Foundation\\Http\\Kernel->handle(Object(Illuminate\\Http\\Request))
#57 /Users/aaronpk/Code/Laravel/public/index.php(17): Illuminate\\Foundation\\Application->handleRequest(Object(Illuminate\\Http\\Request))
#58 /Users/aaronpk/Code/Laravel/vendor/laravel/framework/src/Illuminate/Foundation/resources/server.php(16): require_once('/Users/aaronpk/...')
#59 {main}```

PHP & Platform

8.2.2

Database

No response

Laravel version

10.13.5

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When I click the "register" or "login" buttons the WebAuthn class is initialised and run.

Description

The ReferenceError: WebAuthn is not defined error is thrown.

I suspect this is due to Vite loading the script as type="module" and so the WebAuthn class is in a different scope.

Reproduction

after adding the code from the documentation:


<html>
<head>
@vite(['resources/js/app.js', 'resources/js/vendor/webauthn/webauthn.js'])
</head>
<body>
<form id="register-form">
    <button type="submit">Register authenticator</button>
</form>

<!-- Registering credentials -->
<script>
    const register = event => {
        event.preventDefault()

        new WebAuthn().register()
          .then(response => alert('Registration successful!'))
          .catch(error => alert('Something went wrong, try again!'))
    }

    document.getElementById('register-form').addEventListener('submit', register)
</script>
</body>
</html>


click the `Register authenticator` button.

Stack trace & logs

No response

PHP & Platform

8.2.8 - MacOS

Database

MySQL 8.0.27

Laravel version

10

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

when i try to login. but it prompt the error below.

Description

Prompt my user table missing column. i just migrate the default db souce from package

Reproduction

i was used the default function from package
public function login(AssertedRequest $request): Response
 {
     return response()->noContent($request->login('admin') ? 204 : 422);
 }

Stack trace & logs

Column not found: 1054 Unknown column 'rawId' in 'where clause' (Connection: mysql, SQL: select * from table where id = IUFjLK-rfAh7U3oV_zP_uJ6YW3umWXo3fipCY3HE6Ho and rawId = IUFjLK+rfAh7U3oV/zP/uJ6YW3umWXo3fipCY3HE6Ho= and response in (u2ghoRLl52c6KTnfJU/7W3nVPzrVuUA/98mAWWV0hw8FAAAAAA==, eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiX2QtNC1tVjJfUEVueUFTZkJHNnBRdyIsIm9yaWdpbiI6Imh0dHBzOi8vYmFzZS10ZW1wbGF0ZS50ZXN0IiwiY3Jvc3NPcmlnaW4iOmZhbHNlfQ==, MEYCIQDhaC21Gjmin6oB9tyvrQJSsrukRNcscvd8s36HRxrT+AIhAL3RS6G4idm6mgfoWeak8SIgtJla++A4saiAznGWV6ih, a07bc26051d04b909c9dfce9f9068255) and type = public-key limit 1)

PHP & Platform

8.1.3 & MacOs

Database

MYSQL 5

Laravel version

Laravel 9

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When you login with credentials, it should log the user in

Description

I get a 422 error on login

Reproduction

Setup back and frontend and try to login.

Stack trace & logs

I was able to pinpoint the issue. In the webauthn file, in the login method:


async login(request = {}, response = {}) {
        const optionsResponse = await this.#fetch(
            request,
            this.routes.loginOptions
        );
        const json = await optionsResponse.json();
        const publicKey = this.#parseIncomingServerOptions(json);
        const credentials = await navigator.credentials.get({ publicKey });
        console.log(credentials);
        const publicKeyCredential = this.#parseOutgoingCredentials(credentials);

        Object.assign(publicKeyCredential, response);

        return await this.#fetch(
            publicKeyCredential,
            this.routes.login,
            response
        ).then(WebAuthn.#handleResponse);
    }

THe credentials has a userHandle of null, so it fails the check in the backend eventually.

Edit:
I checked that during creation, the userHandle is not even set by the navigator.

In the documentation, it does say it maybe be null:

For [navigator.credentials.create()](https://developer.mozilla.org/en-US/docs/Web/API/CredentialsContainer/create) calls made with a non-empty allowCredentials properties, the returned userHandle may be null.

https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAssertionResponse/userHandle

PHP & Platform

8.1.2 - Ubuntu 22.04 WSL

Database

MySQL 8.0.28

Laravel version

10.10

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

How to change the webauthn_credentials.authenticatable_id data type?

I can change it manually after the migration is done but how can I change it in the migration file instead? Is it possible?

$table->morphs('authenticatable', 'webauthn_user_index');

Thanks.

Description

I use ULID as ID (primary key) in the users table and everytime I tried to attest it is failed because the authenticatable_id column in the webauthn_credentials table does not match with the data type of my users table's ID column, how can I change the authenticatable_id to match the users.id data type which is CHAR(26)?

Thanks.

Reproduction

.

Stack trace & logs

No response

PHP & Platform

8.2.7 Ubuntu 22.04.2

Database

MariaDB 10.10.5

Laravel version

10.14.1

Browser

Google Chrome 114.0.5735.198

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

Not sure

Description

When logging in the response from the browser publicKeyCredential.response contains userHandle: ''

not sure why its empty but it ise (I checked on a few other site using webauthn, and it's empty there also).

However in the database the user_id field is populated,
In Laragear\WebAuthn\Assertion\Validator\Pipes\CheckCredentialIsForUser::validateId there is a check againest user_id on the credentials model, this throws an exception when handle is empty.

Reproduction

public function registerOpts(AttestationRequest $request): Responsable
{
    return $request
        ->secureRegistration()
        //->fastRegistration()
        //->userless()
        //->allowDuplicates()
        ->toCreate();
}

public function register(AttestedRequest $request): Response
{
    $request->save($request->only(['alias']));

    return response()->noContent();
}


public function loginOpts(AssertionRequest $request): Responsable
{
    /** @var User $user */
    $user = Auth::guard('web')->user();

    return $request
        ->secureLogin()
        ->toVerify($user->only(['email']));
}

public function login(Request $request, AssertionValidator $assertion): Response
{
    $credential = $assertion
        ->send(new AssertionValidation($request))
        ->thenReturn()
        ->credential;

    if (!$credential) return \response()->noContent(422);

    session(['webauthn' => true]);

    return response()->noContent();
}

Stack trace & logs

not applicable

PHP & Platform

8.1.5

Laravel version

9.16.0

Authenticator type

No response

OS and Browser versions

No response

Have you done this?

• I am willing to share my stack trace and logs
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

For my main site, I have a default database connection that goes to "DifferentSchema".
For my auth, I have another database connection that goes to "AuthSchema"

I can't seem to figure out how to make webauthn use my "AuthSchema" connection. I added the "AuthSchema" database connection in App\User::class, and that fixed one of the errors, but there's more further down the "webauthn process" that I'm not sure how to fix.

Is there a way to specify what connection WebAuthn uses?

Thanks

Description

https://pastebin.com/raw/yrbc05V3 - Shows the default database connection being used and not the "AuthSchema" database connection I set in App\User::class

Reproduction

N/A

Stack trace & logs

https://pastebin.com/raw/yrbc05V3

Attestation / Assertion objects

No response

Are you a Patreon supporter?

No, don't give priority to this

PHP & Platform

8.1 (Debian - Bookworm)

Database

PostgreSQL 15

Laravel version

10.40.0

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When I am trying to register a yubikey, I expect it to be registered with my account.

Description

Impossible to register my yubikey (or any platform authenticator, in my case Touch ID).

I guess that the javascript used in @simplewebauthn/browser is a bit different which causes this issue.

Reproduction

I've used the following example https://github.com/MasterKale/SimpleWebAuthn/blob/master/example/public/index.html

Adjusted the urls and tried to register a yubikey and tried to register Touch ID.

Stack trace & logs

When trying to register I get the following validation error:

ByteBuffer: Invalid offset or length.

PHP & Platform

8.3.6 - macOS 14.4.1 aarch64

Database

PostgreSQL 14.11

Laravel version

11.5.0

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When I use 1Password / my macbook's TouchId, as long as I have registered it in the system, I should be able to login.

Description

When using 1Password as a Passkey, 1Password seems to be sending the userHandle in the format that this package expects, which is without dash, e.g.:
6943324022c046d395de29ceda194b63

Which will be validated in \Laragear\WebAuthn\Assertion\Validator\Pipes\CheckCredentialIsForUser@validateId like so:

hash_equals(Uuid::fromString($validation->credential->user_id)->getHex()->toString(), $handle);
// using the userHandle 1Password provided, the line above becomes:
'6943324022c046d395de29ceda194b63' === '6943324022c046d395de29ceda194b63';

But my MBP's TouchID seems to sent userHandle with dash, i.e.: 69433240-22c0-46d3-95de-29ceda194b63
the hash_equals above effectively becomes:

'6943324022c046d395de29ceda194b63' === '69433240-22c0-46d3-95de-29ceda194b63';

This makes logging-in using my TouchID to be impossible, I reckon other people also can not login.

Right now this issue is not a problem in my projects, as I am using this workaround in my WebAuthnLoginController.php:

    public function login(AssertedRequest $request)
        : \Symfony\Component\HttpFoundation\Response
    {
        // hacky workaround =>
        $userHandle = $request->json()->get('response.userHandle');

        $request->json()->set('response',
            [
                'userHandle' => Str::replace(
                    '-', '', $userHandle ?? ''
                )
            ]
            + $request->json('response')
        );

        $user = $request->login();

        // ...
    }

But someone might want to address this issue

Reproduction

// sorry, don't have the time to make a repro, feel free to just close this issue :)
// the issue itself is easily fixable on userland, with a little hack.

Stack trace & logs

// This is the TouchID
[2024-05-03 09:50:12] local.DEBUG: array (
  'request' => 
  array (
    'remember' => NULL,
    'id' => 'ZDariNmfR72XYzZEG-QMubXC9Mc',
    'rawId' => 'ZDariNmfR72XYzZEG-QMubXC9Mc',
    'response' => 
    array (
      'authenticatorData' => 'REDACTED',
      'clientDataJSON' => 'REDACTED',
      'signature' => 'REDACTED',
      'userHandle' => '69433240-22c0-46d3-95de-29ceda194b63',
    ),
    'type' => 'public-key',
    'clientExtensionResults' => 
    array (
    ),
    'authenticatorAttachment' => 'platform',
  ),
  'handle' => '69433240-22c0-46d3-95de-29ceda194b63',
  'Uuid::fromString()->getHex()->toString()' => '6943324022c046d395de29ceda194b63',
)  
[2024-05-03 09:50:12] local.DEBUG: Assertion Error: User ID is not owner of the stored credential.  

// This is 1Password
[2024-05-03 09:50:35] local.DEBUG: array (
  'request' => 
  array (
    'remember' => NULL,
    'id' => 'auDdo3Qn2MZ47Fp0bg0hIg',
    'rawId' => 'auDdo3Qn2MZ47Fp0bg0hIg',
    'response' => 
    array (
      'authenticatorData' => 'REDACTED',
      'clientDataJSON' => 'REDACTED',
      'signature' => 'REDACTED',
      'userHandle' => '6943324022c046d395de29ceda194b63',
    ),
    'type' => 'public-key',
    'clientExtensionResults' => 
    array (
    ),
    'authenticatorAttachment' => 'platform',
  ),
  'handle' => '6943324022c046d395de29ceda194b63',
  'Uuid::fromString()->getHex()->toString()' => '6943324022c046d395de29ceda194b63',
)

PHP & Platform

PHP 8.3 - Ubuntu 22.04

Database

Mysql 8

Laravel version

11

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

Attestation Error: Challenge does not exist.

Description

I did everything exactly as you described in the installation steps. In Laravel 10 I installed version 1.x of this package without any problems, but in Laravel 11 and Webauthn 2.x I get the following error.

Attestation Error: Challenge does not exist.

Reproduction

//

Stack trace & logs

No response

PHP & Platform

8.1.22

Database

No response

Laravel version

10.16.1

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

Setting a custom Relying Party Id in the .env file should allow to register new webauthn devices.

Description

Following the Laragear/webauthn documentation:

If I set WEBAUTHN_ID=https://my.domain.com the registration ceremony fails because the RP-ID is not valid. Indeed, regarding the Webauthn W3C recommandation, the RP ID should be a domain, not an URL. Using such an URL makes the webauthn API throwing a SecurityError (see https://www.w3.org/TR/webauthn-2/#CreateCred-DetermineRpId)

But if I set WEBAUTHN_ID=my.domain.com, the registration ceremony also fails but this time because the CheckRelyingPartyIdContained does not pass because of the way $current is defined:

Using parse_url() with the PHP_URL_HOST flag will return nothing, causing the next evaluation to fail:

Reproduction

// Set WEBAUTHN_ID=my.domain.com and try to register a new device

Stack trace & logs

No response

HELP

Please i am trying to use webauthn in my app i had to upgrade to laravel 9 to user Laragear/WebAuthn because i was unable to set up Larapass and i can't create any issue there.

Wel Successfull Set WebAuthn but having Issue registering Device...
I get 422 Error Code

Actually need Help is not a bug

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

It would be great if the fields used in the WebAuthn data were configurable instead of being hardcoded to the email and name properties of the user.

https://github.com/Laragear/WebAuthn/blob/1.x/src/WebAuthnAuthentication.php#L28

For example, I might want to use the user's username instead of email as the visible name of the WebAuthn credential.

It should be straightforward to add a configuration option to set these properties.

Code sample

`config/webauthn.php`


...
  'webauthn_data_properties' => [
    'name' => env('WEBAUTHN_NAME_PROP', 'email'),
    'displayName' => env('WEBAUTHN_DISPLAYNAME_PROP', 'name'),
  ]
...

As you can see, there are a lot of small bugs here and there.

Currently I'm under contract and hands full. I've not abandoned this package, or any under the Laragear.

I will retake it as soon as I'm able to, hopefully before this year ends.

PHP & Platform

8.2

Database

No response

Laravel version

10 [Latest]

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

I want to login.

Description

When I attempted to log in using my Android device with a QR code, an error message appeared is Laravel Log files:

"Assertion Error: User ID is not the owner of the stored credential."

The userHandle is null. I tried the codes in the PRs and the Android null repository.

Reproduction

...

Stack trace & logs

No response

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

Hi @DarkGhostHunter ,

I've been using your Larapass package, since it's abandoned now I tried to use this one.
I'm using Laravel-doctrine/orm package which means that I'm not relaying on Eloquent.

With previous package I was able to easily implement contracts, etc. but since current contracts are forcing return types to strictly Eloquent related, I'm not able to implement contracts without Model usage.

I think it's mostly about WebAuthnAuthenticatable contract and it's webAuthnCredentials returning MorphMany which I'm not able to use in doctrine world :)

Are there any plans to make this package more open ?

Thanks

Code sample

interface WebAuthnAuthenticatable
{
    /**
     * Returns displayable data to be used to create WebAuthn Credentials.
     *
     * @return array{name: string, displayName: string}
     */
    public function webAuthnData(): array;

    /**
     * Removes all credentials previously registered.
     *
     * @param  string  ...$except
     * @return void
     */
    public function flushCredentials(string ...$except): void;

    /**
     * Disables all credentials for the user.
     *
     * @param  string  ...$except
     * @return void
     */
    public function disableAllCredentials(string ...$except): void;

    /**
     * Makes an instance of a WebAuthn Credential attached to this user.
     *
     * @param  array  $properties
     * @return \Laragear\WebAuthn\Models\WebAuthnCredential
     */
    public function makeWebAuthnCredential(array $properties): WebAuthnCredential;

    /**
     * Returns a queryable relationship for its WebAuthn Credentials.
     *
     * @phpstan-ignore-next-line
     * @return \Illuminate\Database\Eloquent\Relations\MorphMany|\Laragear\WebAuthn\Models\WebAuthnCredential
     */
    public function webAuthnCredentials(): MorphMany;
}

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

Hi dev team, i have been using the old package Larapass i guess, it was working perfectly.

What about implementing it in this also?

Code sample

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use DarkGhostHunter\Larapass\Http\SendsWebAuthnRecoveryEmail;

class WebAuthnDeviceLostController extends Controller


and 

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Providers\RouteServiceProvider;
use DarkGhostHunter\Larapass\Http\RecoversWebAuthn;

class WebAuthnRecoveryController extends Controller
{
    use RecoversWebAuthn;

PHP & Platform

8.1.20 - Cent OS (Plesk)

Database

No response

Laravel version

9.0

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

No Error Message

Description

Sorry, I'm not sure wether this is an issue, but searching for help.
I'm using Nuxt.js Frontend and Laravel Backend, authenticated with Laravel Sanctum Cookie Based.
Frontend URL: example.com Backend URL: api.example.com, so Cookie Based Auth works fine here, but not Webauthn I get the Error "Attestation Error: Relying Party ID not scoped to current"

On localhost:3000 for frontend and 8010 for backend everything is working fine. I think the problem comes from difference in URL, but I don't know how to configure, for not getting this error. Is this possible?
Thanks!

Reproduction

Install Frontend and Backend on different URLs

Stack trace & logs

No response

PHP & Platform

PHP 8.1.7 (in Valet) (MAC OS dev)

Laravel version

9.17.0

Authenticator type

not applicable

OS and Browser versions

MAC OS Monterrey, FireFox (current)

Have you done this?

• I am willing to share my stack trace and logs
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

For the database migration to complete without error. I just ginned up a totally new clean install, installed breeze, created one user, then tried, same issue. MySQL: 10.7.3-MariaDB - Homebrew

Description

I get this error:

Illuminate\Database\QueryException

SQLSTATE[42000]: Syntax error or access violation: 1059 Identifier name 'webauthn_credentials_authenticatable_type_authenticatable_id_index' is too long (SQL: alter table webauthn_credentials add index webauthn_credentials_authenticatable_type_authenticatable_id_index(authenticatable_type, authenticatable_id))

at vendor/laravel/framework/src/Illuminate/Database/Connection.php:742
738▕ // If an exception occurs when attempting to run a query, we'll format the error
739▕ // message to include the bindings with SQL, which will make this exception a
740▕ // lot more helpful to the developer instead of just the database's errors.
741▕ catch (Exception $e) {
➜ 742▕ throw new QueryException(
743▕ $query, $this->prepareBindings($bindings), $e
744▕ );
745▕ }
746▕ }

  +9 vendor frames 

10 database/migrations/2022_06_17_161949_create_webauthn_credentials.php:25
Illuminate\Support\Facades\Facade::__callStatic("create")

  +22 vendor frames 

33 artisan:35
Illuminate\Foundation\Console\Kernel::handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))

Reproduction

not applicable

Stack trace & logs

Illuminate\Database\QueryException 

  SQLSTATE[42000]: Syntax error or access violation: 1059 Identifier name 'webauthn_credentials_authenticatable_type_authenticatable_id_index' is too long (SQL: alter table `webauthn_credentials` add index `webauthn_credentials_authenticatable_type_authenticatable_id_index`(`authenticatable_type`, `authenticatable_id`))

  at vendor/laravel/framework/src/Illuminate/Database/Connection.php:742
    738▕         // If an exception occurs when attempting to run a query, we'll format the error
    739▕         // message to include the bindings with SQL, which will make this exception a
    740▕         // lot more helpful to the developer instead of just the database's errors.
    741▕         catch (Exception $e) {
  ➜ 742▕             throw new QueryException(
    743▕                 $query, $this->prepareBindings($bindings), $e
    744▕             );
    745▕         }
    746▕     }

      +9 vendor frames 
  10  database/migrations/2022_06_17_161949_create_webauthn_credentials.php:25
      Illuminate\Support\Facades\Facade::__callStatic("create")

      +22 vendor frames 
  33  artisan:35
      Illuminate\Foundation\Console\Kernel::handle(Object(Symfony\Component\Console\Input\ArgvInput), Object(Symfony\Component\Console\Output\ConsoleOutput))

Attestation / Assertion objects

No response

Are you a Patreon supporter?

No, don't give priority to this

PHP & Platform

Laravel version

Authenticator type

No response

OS and Browser versions

No response

Have you done this?

• I am willing to share my stack trace and logs
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

Code being used with respect to manual ? 😅

Description

https://github.com/Laragear/WebAuthn/blob/1.x/src/Auth/WebAuthnUserProvider.php#L49

class_implements($this->model, WebAuthnAuthenticatable::class)

https://www.php.net/manual/en/function.class-implements.php

class_implements(object|string $object_or_class, bool $autoload = true): array|false
This function returns an array with the names of the interfaces that the given object_or_class and its parents implement.

Reproduction

See above.

Stack trace & logs

No response

Attestation / Assertion objects

No response

Are you a Patreon supporter?

No, don't give priority to this

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

Hi, first of all thanks for super power 🚀 package,

I think it can be very useful and important to give the ability of using a stateless mode (e.g. for token based communications like rest/grapqhl/..).

In this sense I identify two areas for improvement:

• ability to use the cache as an alternative driver to the session
• pipelines, ability of receiving an alternative contract to the request as input from which to obtain the exchange data

I'll try to clarify this last point for a moment: at several points pipes expect precise data present in the input of incoming request but this is quite limiting if the communication where the payload of the data exchanged is different (e.g. graphql/rest/..) and this cause complications in use of manual management, (as a work around I currently use request()->merge([]) but I think we can find a better strategy.

What do you think about this? Did I miss something, maybe some security-related steps?

Thanks.

Code sample

// I'm trying to see if I can produce a draft PR on this.

PHP & Platform

8.1.11 - Mac OS Ventura 13.2

Database

latest (docker)

Laravel version

9.19

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request
  I added the workaround/solution to this bug to #30 by mistake 😞

Expectation

alias should be reflected in the database but it is not.

Description

sadly the parameter seems to be dropped.

Reproduction

const register = event => {
    event.preventDefault()
    new WebAuthn().register({
        alias: 'some alias'
    }).then(response => alert('Registration successful!'));
};


alias is sent to the options request but dropped on the way to the register request.
stored credentials do not include the given alias.

vanilla backend as described in docs `WebAuthnRegisterController.php`:
```php
    public function options(AttestationRequest $request): Responsable
    {
        return $request
            ->fastRegistration()
//            ->userless()
//            ->allowDuplicates()
            ->toCreate();
    }

    public function register(AttestedRequest $request): Response
    {
        $request->save($request->input('alias'));
        return response()->noContent();
    }

### Stack trace & logs

_No response_

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

Currently the method expiresAt of class Laragear\WebAuthn\Challenge\Challenge expects the return type to be Carbon. And since it uses Date facade by default it will return Carbon only. But for projects where Date facade uses CarbonImmutable handler using Date::use(CarbonImmutable::class); this method will break as the return value from Date facade will be an instance of CarbonImmutable. We can add the return type of expiresAt as CarbonInterface to support both Carbon and CarbonImmutable.

Feel free to close this issue if it is of not that importance.

Code sample

use Carbon\CarbonInterface;

public function expiresAt(): CarbonInterface
{
    return Date::createFromTimestamp($this->expiresAt);
}

PHP & Platform

8.1.11 - Windows 10

Database

MySQL 8.0.30

Laravel version

9.36.3

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When registering a security key, the attestation is stored to db.

Description

When registering a Nitrokey, an error occurs when attestation is written to MySQL db because of a too long index (298 chars!)

This Nitrokey does not validate the assumption made here: DarkGhostHunter/Larapass#14 (comment)

Reproduction

// Using the WebAuthn repository tests.
// Change the CREDENTIAL_ID to a 255+ long string
// Then run the Tests\Http\Requests\AttestedRequestTest tests

class FakeAuthenticator
{
    public const CREDENTIAL_ID = 'owBYu_waGLhAOCg4EFzi6Lr55x51G2dR5yhJi8q2C3tgZQQL2aEi-nK3I54J6ILj70pJzR_6QxvA5XER17d7NA9EFe2QH3VoJYQGpO8G5yDoFQvsdkxNhioyMyhyQHNrAgTMGyfigIMCfhjk9te7LNYl9K5GbWRc4TGeQl1vROjBtTNm3GdpEOqp9RijWd-ShQZ95eHoc8SA_-8vzCyfmy-wI_K4ZqlQNNl85Fzg2GIBcC2zvcJhLYy1A2kw6JoBTAmz1ZCCgkTKWhzUvAJQpMpu40M67FqE0WkGZfSJ9A';    
    public const CREDENTIAL_ID_RAW = 'owBYu/waGLhAOCg4EFzi6Lr55x51G2dR5yhJi8q2C3tgZQQL2aEi+nK3I54J6ILj70pJzR/6QxvA5XER17d7NA9EFe2QH3VoJYQGpO8G5yDoFQvsdkxNhioyMyhyQHNrAgTMGyfigIMCfhjk9te7LNYl9K5GbWRc4TGeQl1vROjBtTNm3GdpEOqp9RijWd+ShQZ95eHoc8SA/+8vzCyfmy+wI/K4ZqlQNNl85Fzg2GIBcC2zvcJhLYy1A2kw6JoBTAmz1ZCCgkTKWhzUvAJQpMpu40M67FqE0WkGZfSJ9A=';

// ...
}

Stack trace & logs

// Error in VS Code during the execution of Tests\Http\Requests\AttestedRequestTest tests

node:events:504
      throw er; // Unhandled 'error' event
      ^

Error: ENOENT: no such file or directory, open 'd:\ SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'id' at row 1 in ...\WebAuthn\vendor\laravel\framework\src\Illuminate\Database\Connection.php'
Emitted 'error' event on Interface instance at:
    at ReadStream.onerror (node:readline:265:10)
    at ReadStream.emit (node:events:526:28)
    at emitErrorNT (node:internal/streams/destroy:157:8)
    at emitErrorCloseNT (node:internal/streams/destroy:122:3)
    at process.processTicksAndRejections (node:internal/process/task_queues:83:21) {
  errno: -4058,
  code: 'ENOENT',
  syscall: 'open',
  path: "d:\\ SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'id' at row 1 in ...\\WebAuthn\\vendor\\laravel\\framework\\src\\Illuminate\\Database\\Connection.php"
}

// In production stacktrace (from https://github.com/Bubka/2FAuth/issues/166#issuecomment-1460991223)
[2023-03-01 12:24:10] local.ERROR: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'id' at row 1 (SQL: insert into `web_authn_credentials` (`id`, `user_handle`, `type`, `transports`, `attestation_type`, `trust_path`, `aaguid`, `public_key`, `counter`, `user_id`, `updated_at`, `created_at`) values (owBYu_waGLhAOCg4EFzi6Lr55x51G2bhCQIYNOXkC3tgZQQL2aEi-nK3I54J6ILj70pJzR_6QxvA5XER17d7NA9EFe2QH3VoJYQGpO8G5yDoFQvsdkxNhioyMyhyQHNrAgTMGyfigIMCfhjk9te7LNYl9K5GbWRc4TGeQl1vROjBtTNm3GdpEOqp9RijWd-ShQZ95eHoc8SA_-8vzCyfmy-wI_K4ZqlQNNl85Fzg2GIBcC2zvcJhLYy1A2kw6JoBTAmz1ZCCgkTKWhzUvAJQpMpu40M67FqE0WkGZfSJ9A, c6d01c4c-95fb-4e39-ab4f-78be47568837, public-key, [], none, {"type":"Webauthn\\TrustPath\\EmptyTrustPath"}, 00000000-0000-0000-0000-000000000000, XXXXXXXXXXXXXXXXX, 25, 1, 2023-03-01 12:24:10, 2023-03-01 12:24:10)) {"userId":1,"exception":"[object] (Illuminate\\Database\\QueryException(code: 22001): SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'id' at row 1 (SQL: insert into `web_authn_credentials` (`id`, `user_handle`, `type`, `transports`, `attestation_type`, `trust_path`, `aaguid`, `public_key`, `counter`, `user_id`, `updated_at`, `created_at`) values (owBYu_waGLhAOCg4EFzi6Lr55x51G2bhCQIYNOXkC3tgZQQL2aEi-nK3I54J6ILj70pJzR_6QxvA5XER17d7NA9EFe2QH3VoJYQGpO8G5yDoFQvsdkxNhioyMyhyQHNrAgTMGyfigIMCfhjk9te7LNYl9K5GbWRc4TGeQl1vROjBtTNm3GdpEOqp9RijWd-ShQZ95eHoc8SA_-8vzCyfmy-wI_K4ZqlQNNl85Fzg2GIBcC2zvcJhLYy1A2kw6JoBTAmz1ZCCgkTKWhzUvAJQpMpu40M67FqE0WkGZfSJ9A, c6d01c4c-95fb-4e39-ab4f-78be47568837, public-key, [], none, {\"type\":\"Webauthn\\\\TrustPath\\\\EmptyTrustPath\"}, 00000000-0000-0000-0000-000000000000, XXXXXXXXXXXXXXXXXXXX, 25, 1, 2023-03-01 12:24:10, 2023-03-01 12:24:10)) at /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Database/Connection.php:712)
[stacktrace]
#0 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Database/Connection.php(672): Illuminate\\Database\\Connection->runQueryCallback()
#1 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Database/Connection.php(502): Illuminate\\Database\\Connection->run()
#2 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Database/Connection.php(454): Illuminate\\Database\\Connection->statement()
#3 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php(2980): Illuminate\\Database\\Connection->insert()
#4 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Builder.php(1657): Illuminate\\Database\\Query\\Builder->insert()
#5 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Model.php(1164): Illuminate\\Database\\Eloquent\\Builder->__call()
#6 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Model.php(994): Illuminate\\Database\\Eloquent\\Model->performInsert()
#7 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Database/Eloquent/Relations/HasOneOrMany.php(267): Illuminate\\Database\\Eloquent\\Model->save()
#8 /var/www/2fauth/vendor/darkghosthunter/larapass/src/WebAuthnAuthentication.php(93): Illuminate\\Database\\Eloquent\\Relations\\HasOneOrMany->save()
#9 /var/www/2fauth/vendor/darkghosthunter/larapass/src/Http/RegistersWebAuthn.php(47): App\\Models\\User->addCredential()
#10 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Routing/Controller.php(54): App\\Http\\Controllers\\Auth\\WebAuthnRegisterController->register()
#11 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(45): Illuminate\\Routing\\Controller->callAction()
#12 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Routing/Route.php(262): Illuminate\\Routing\\ControllerDispatcher->dispatch()
#13 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Routing/Route.php(205): Illuminate\\Routing\\Route->runController()
#14 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Routing/Router.php(721): Illuminate\\Routing\\Route->run()
#15 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\\Routing\\Router->Illuminate\\Routing\\{closure}()
#16 /var/www/2fauth/app/Http/Middleware/RejectIfReverseProxy.php(26): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#17 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\\Http\\Middleware\\RejectIfReverseProxy->handle()
#18 /var/www/2fauth/app/Http/Middleware/KickOutInactiveUser.php(53): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#19 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\\Http\\Middleware\\KickOutInactiveUser->handle()
#20 /var/www/2fauth/app/Http/Middleware/LogUserLastSeen.php(35): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#21 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\\Http\\Middleware\\LogUserLastSeen->handle()
#22 /var/www/2fauth/vendor/laravel/passport/src/Http/Middleware/CreateFreshApiToken.php(50): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#23 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Laravel\\Passport\\Http\\Middleware\\CreateFreshApiToken->handle()
#24 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Routing/Middleware/SubstituteBindings.php(50): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#25 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Routing\\Middleware\\SubstituteBindings->handle()
#26 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Auth/Middleware/Authenticate.php(44): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#27 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Auth\\Middleware\\Authenticate->handle()
#28 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php(78): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#29 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Foundation\\Http\\Middleware\\VerifyCsrfToken->handle()
#30 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(121): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#31 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(64): Illuminate\\Session\\Middleware\\StartSession->handleStatefulRequest()
#32 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Session\\Middleware\\StartSession->handle()
#33 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php(37): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#34 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Cookie\\Middleware\\AddQueuedCookiesToResponse->handle()
#35 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php(67): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#36 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Cookie\\Middleware\\EncryptCookies->handle()
#37 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#38 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Routing/Router.php(723): Illuminate\\Pipeline\\Pipeline->then()
#39 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Routing/Router.php(698): Illuminate\\Routing\\Router->runRouteWithinStack()
#40 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Routing/Router.php(662): Illuminate\\Routing\\Router->runRoute()
#41 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Routing/Router.php(651): Illuminate\\Routing\\Router->dispatchToRoute()
#42 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(167): Illuminate\\Routing\\Router->dispatch()
#43 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\\Foundation\\Http\\Kernel->Illuminate\\Foundation\\Http\\{closure}()
#44 /var/www/2fauth/app/Http/Middleware/ForceJsonResponse.php(20): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#45 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\\Http\\Middleware\\ForceJsonResponse->handle()
#46 /var/www/2fauth/app/Http/Middleware/SetLanguage.php(54): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#47 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): App\\Http\\Middleware\\SetLanguage->handle()
#48 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#49 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ConvertEmptyStringsToNull.php(31): Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest->handle()
#50 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Foundation\\Http\\Middleware\\ConvertEmptyStringsToNull->handle()
#51 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#52 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php(40): Illuminate\\Foundation\\Http\\Middleware\\TransformsRequest->handle()
#53 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Foundation\\Http\\Middleware\\TrimStrings->handle()
#54 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(27): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#55 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Foundation\\Http\\Middleware\\ValidatePostSize->handle()
#56 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(86): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#57 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Foundation\\Http\\Middleware\\PreventRequestsDuringMaintenance->handle()
#58 /var/www/2fauth/vendor/fruitcake/laravel-cors/src/HandleCors.php(38): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#59 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Fruitcake\\Cors\\HandleCors->handle()
#60 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php(39): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#61 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\\Http\\Middleware\\TrustProxies->handle()
#62 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\\Pipeline\\Pipeline->Illuminate\\Pipeline\\{closure}()
#63 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(142): Illuminate\\Pipeline\\Pipeline->then()
#64 /var/www/2fauth/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(111): Illuminate\\Foundation\\Http\\Kernel->sendRequestThroughRouter()
#65 /var/www/2fauth/public/index.php(73): Illuminate\\Foundation\\Http\\Kernel->handle()
#66 {main}

PHP & Platform

8.2.11 - Windows 21H2

Database

MariaDB 10.9.3

Laravel version

10.28

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

successful registration

Description

api returns an error response when registering through webauthn. i have an SPA with the package @simplewebauthn/browser.

i setup the default configs w/ breeze; sanctum, api

routes/auth.php

Route::prefix('webauth')
    ->middleware(['auth:sanctum'])
    ->group(function () {
        Route::get('/register/options', [WebAuthnRegisterController::class, 'options'])->name('webauthn.register.options');
        Route::post('/register', [WebAuthnRegisterController::class, 'register'])->name('webauthn.register');
    });

sample fetch:

register/options response

{
    "rp": {
        "name": "Laravel"
    },
    "authenticatorSelection": {
        "residentKey": "required",
        "requireResidentKey": true,
        "userVerification": "required"
    },
    "user": {
        "name": "[email protected]",
        "displayName": "Test User",
        "id": "671b1314af7a4ae59acb11bfe31da868"
    },
    "pubKeyCredParams": [
        {
            "type": "public-key",
            "alg": -7
        },
        {
            "type": "public-key",
            "alg": -257
        }
    ],
    "attestation": "none",
    "excludeCredentials": [],
    "timeout": 60000,
    "challenge": "B_nNl8II2S7rLFDkciHU2Q"
}

simplewebauthn startRegistration() payload to /register

{
  "id": "EBKcjOuGFLJkuKALSW4FxGGgVEKb_hQywCjx4Qa-i1E",
  "rawId": "EBKcjOuGFLJkuKALSW4FxGGgVEKb_hQywCjx4Qa-i1E",
  "response": {
    "attestationObject": "o2N ... AB",
    "clientDataJSON": "eyJ ... V9",
    "transports": [],
    "publicKeyAlgorithm": -257,
    "publicKey": "MI ... AB",
    "authenticatorData": "x8 ... AE"
  },
  "type": "public-key",
  "clientExtensionResults": {},
  "authenticatorAttachment": "platform"
}

/register response

{
    "message": [
        "Attestation Error: ByteBuffer: Invalid offset or length."
    ],
    "file": "\\vendor\\laravel\\framework\\src\\Illuminate\\Validation\\ValidationException.php",
    "line": 71,
    "trace": [
        {
            "file": "\\vendor\\laragear\\webauthn\\src\\Exceptions\\AttestationException.php",
            "line": 18,
            "function": "withMessages",
            "class": "Illuminate\\Validation\\ValidationException",
 ...

* also tested on w11, but the same error happens.

Full stack trace: https://pastebin.com/raw/9UfA1GxT

excuse my poor understanding of all these. many thanks in advance

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

When a user logs in via Assertion, a session key should be set with the ID of the credential used to login via assertion.

This would help developers to check which device the user is using, and reject disabling the current device by mistake by simple id comparison: If the Credential ID is equal to the Session Credential ID, don't allow to disable it.

Implementation should be in the guard. Assertion pipelines should be kept as-is as the feature is authentication-session-specific.

Code sample

/**
     * Validate the WebAuthn assertion.
     */
    protected function validateWebAuthn(WebAuthnAuthenticatable $user, array $credentials): bool
    {
        try {
            // When we hit this method, we already have the user for the credential, so we will
            // pass it to the Assertion Validation data, thus avoiding fetching it again.
            $this->validator
                ->send(new AssertionValidation(new JsonTransport($credentials), $user))
                ->thenReturn();
        } catch (AssertionException $e) {
            // If we're debugging, like under local development, push the error to the logger.
            if (config('app.debug')) {
                logger($e->getMessage());
            }

            return false;
        }

+        // If the dev has ID-on-session enabled, set it.
+        if (config('webauthn.auth.set_id')) {
+            $this->session->put(
+                config('webauthn.auth.session_key', '_webauthn.credential_id'),
+                $credentials['id']
+            ):
+        }

        return true;
    }

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (optional)

Description

"While WebAuthn was designed primarily for authentication, the framework can be extended to support signing with keypairs generated on authenticators without requiring custom clients for end users."

I found this functionality very interesting, the flow is described here:

"In short, the registration and authentication events consists of a cryptographic signing process with the public key returned, which is then used to sign a data set which is provided by the relying party. Replacing the randomly generated challenge with a hash of a file to be signed allows this signature flow to be applied to actual documentation, with the public key also available for verification after the fact."

Currently the related discuss and progress in this regard under webauthn / webcrypto are in a sort of "limbo" (see w3c/webauthn#1608 and related w3c/webcrypto#263) so I have the thought there would be room for use currently.

Interesting also this caveats to keep in mind.

On the implementation side, I think it would be enough to give the possibility to inject the ByteBuffer into AssertionCreation and then use it as an alternative for the creation of the Challenge (instead of random).

What do you think about it?

Code sample

$assertion = app()->make(AssertionCreator::class)
 ->send(new AssertionCreation(
  user: null,
  userVerification: UserVerification::DISCOURAGED,
  challengeData: new ByteBuffer('...hash_of_a_file...')
 ))
 ->then(static function (AssertionCreation $creation): Responsable {
  return $creation->json;
 });

PHP & Platform

8.1.5 - Debian

Laravel version

9.2

Authenticator type

No response

OS and Browser versions

No response

Have you done this?

• I am willing to share my stack trace and logs
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

CSRF are not always provided, sometimes a XCRF token is provided in the cookies headers. Those should be supported.

Description

Larapass was supporting XCRF tokens:
https://github.com/DarkGhostHunter/Larapass/blob/master/resources/js/larapass.js#L85

Reproduction

Use Laragear with any Laravel installation without using @csrf in meta or form.

Stack trace & logs

No response

Attestation / Assertion objects

No response

Are you a Patreon supporter?

No, don't give priority to this

Please check these requirements

• This feature helps everyone using this package
• It's feasible and maintainable
• It's non breaking
• I issued a PR with the implementation (#84)

Description

Studying the integration of the library on Android and iOS we found that although via WebView (both platform) or Android CustomTabs / iOS SFSafariViewController there are no difficulties, it is necessary to carry out a small server side integration to allow the native implementation of the solution on Android and iOS.

The evaluation of this analysis was done with a small poc (actors: android / ios / web / server), in essence, everything translates (in addition to the various configurations of the case for both environments which are not the responsibility of this library) in:

• allowing an array of valid strings as origin (necessary for Android, see Sign in your user with Credential Manager -> Verify origin from client data JSON)
• in our opinion, add the integration of the Relying Party (rpId) in the option assertion response (this would be useful for both Android and iOS) to allow suggestion of appropriate keys on the device side.

On the implementation side, the areas of impact that I find are:

• configuration / env: possibility to configure an array of valid "origins" (strings).
• SharedPipes/CheckOriginSecure adaptation implementation for allow valid origins integration
• SharedPipes/CheckRelyingPartyIdContained adaptation implementation for allow valid sources integration
• Create pipe for attach rpId and add to Assertion\Creator\AssertionCreator pipeline

I looked at a previous "draft" of closed pr #61 which went in that direction, although in my opinion it can be simplified with a simple in_array (match string) to be able to also be used for other possible non-Android scenarios.
For example, for Android I would value with the already calculated android:apk-key-hash (e.g. android:apk-key-hash:hlbf0LpDSuQ3UpvvmFAMc1OhrD96549OYYOkGJKxJVs) instead of calculating the relevant fingerprint (see detail on the composition), in order to make everything simpler (avoid recalculations at each request) and not differentiate per os (possibly commands could be provided for os as helpers to generate the appropriate strings).

Although at the current state of the branches it seems to me that this feat is also compatible on 2.x, perhaps it is better to keep 3.x as the basis (I don't seem to see any conflicts but I don't understand the tests part).

Let me know what you think,
thanks.

PHP & Platform

8.2.1 & MacOs

Database

No response

Laravel version

10

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When I try to register a new device, the credential should be saved in the DB.

Description

I am getting this error when I try to register a new device:
Attestation Error: ByteBuffer: Invalid offset or length.
It's coming from this class: CompileAttestationObject and the line number is 78.

Reproduction

Try to register a new device.

Stack trace & logs

No response

PHP & Platform

8.1

Database

No response

Laravel version

10

Have you done this?

• I have checked my logs and I'm sure is a bug in this package.
• I can reproduce this bug in isolation (vanilla Laravel install)
• I can suggest a workaround as a Pull Request

Expectation

When I'm logging in with wrong E-Mail Adress, the browser should not be able to find a matching Key.

Description

The browser is not able to find a matching key, but if I only have one key, the browser is choosing the one and logging in into the account where the key is for and not the account I typed the email-adress in.

So long story short: No matter which E-Mail I'm inserting in Login Form, I am always in the same account.
Tested on MacOS with Chrome.

Potentially a bug in chrome? I'm not shure? Or is this the expected behaviour?

Reproduction

Generate Webauthn Login and try to log in with different E-Mail.

Stack trace & logs

No response