Merge branch 'main' into bump-versions

dodobrands · Mar 23, 2024 · 2b6863e · 2b6863e
2 parents 65aafcf + 7624ace
commit 2b6863e
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 8 deletions.
diff --git a/demo/WebAuthn.Net.Demo.Mvc/Services/Implementation/DefaultUserService.cs b/demo/WebAuthn.Net.Demo.Mvc/Services/Implementation/DefaultUserService.cs
@@ -1,4 +1,6 @@
-using System.Text.Json;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
 using System.Text.Json.Serialization;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.WebUtilities;
@@ -106,7 +108,7 @@ private void Write(HttpContext httpContext, TypedInternalApplicationUser[] items
 
     private static TypedInternalApplicationUser Create(string userName)
     {
-        var userHandle = Guid.NewGuid().ToByteArray();
+        var userHandle = SHA256.HashData(Encoding.UTF8.GetBytes(userName));
         var createdAt = DateTimeOffset.FromUnixTimeSeconds(DateTimeOffset.UtcNow.ToUnixTimeSeconds());
         return new(userHandle, userName, createdAt);
     }

diff --git a/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js b/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
@@ -107,7 +107,9 @@ const Alerts = {
     registerSuccess: () => alert("User registered!"),
     usernameInputEmpty: () => alert("Username input is empty"),
     credentialsGetApiNull: () => alert("navigator.credentials.get returned null"),
-    credentialsCreateApiNull: () => alert("navigator.credentials.create returned null")
+    credentialsCreateApiNull: () => alert("navigator.credentials.create returned null"),
+    getAuthenticatorDataInvalid: () => alert("Invalid data from getAuthenticatorData() method. Expected arraybuffer"),
+    getPublicKeyInvalid: () => alert("Invalid data from getPublicKey() method. Expected arraybuffer")
 };
 
 // API
@@ -127,12 +129,27 @@ const API = {
             const clientExtensionResults = newCredential.getClientExtensionResults ?
                 (newCredential.getClientExtensionResults() ?? {}) : {};
 
-            const authenticatorData = newCredential.response.getAuthenticatorData ?
-                coerceToBase64Url(newCredential.response.getAuthenticatorData()) : undefined;
+            let authenticatorData;
+            if (newCredential.response.getAuthenticatorData) {
+                const authData = newCredential.response.getAuthenticatorData();
+                const isValid = authData instanceof ArrayBuffer;
+                if (!isValid) {
+                    Alerts.getAuthenticatorDataInvalid();
+                    return;
+                }
+                authenticatorData = coerceToBase64Url(authData);
+            }
 
-            const responsePublicKey = newCredential.response.getPublicKey ?
-                newCredential.response.getPublicKey() : undefined;
-            const publicKey = responsePublicKey ? coerceToBase64Url(responsePublicKey) : undefined;
+            let publicKey;
+            if (newCredential.response.getPublicKey) {
+                const responsePublicKey = newCredential.response.getPublicKey();
+                const isValid = responsePublicKey instanceof ArrayBuffer;
+                if (!isValid) {
+                    Alerts.getPublicKeyInvalid();
+                    return;
+                }
+                publicKey = coerceToBase64Url(responsePublicKey);
+            }
 
             const transports = newCredential.response.getTransports ?
                 newCredential.response.getTransports() : undefined;