diff --git a/demo/WebAuthn.Net.Demo.Mvc/Services/Implementation/DefaultUserService.cs b/demo/WebAuthn.Net.Demo.Mvc/Services/Implementation/DefaultUserService.cs
index 8235ae0..edfea67 100644
--- a/demo/WebAuthn.Net.Demo.Mvc/Services/Implementation/DefaultUserService.cs
+++ b/demo/WebAuthn.Net.Demo.Mvc/Services/Implementation/DefaultUserService.cs
@@ -1,4 +1,6 @@
-using System.Text.Json;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
 using System.Text.Json.Serialization;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.WebUtilities;
@@ -106,7 +108,7 @@ private void Write(HttpContext httpContext, TypedInternalApplicationUser[] items
 
     private static TypedInternalApplicationUser Create(string userName)
     {
-        var userHandle = Guid.NewGuid().ToByteArray();
+        var userHandle = SHA256.HashData(Encoding.UTF8.GetBytes(userName));
         var createdAt = DateTimeOffset.FromUnixTimeSeconds(DateTimeOffset.UtcNow.ToUnixTimeSeconds());
         return new(userHandle, userName, createdAt);
     }
diff --git a/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js b/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
index 970ea5c..4d2ba57 100644
--- a/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
+++ b/demo/WebAuthn.Net.Demo.Mvc/wwwroot/js/lib.js
@@ -107,7 +107,9 @@ const Alerts = {
     registerSuccess: () => alert("User registered!"),
     usernameInputEmpty: () => alert("Username input is empty"),
     credentialsGetApiNull: () => alert("navigator.credentials.get returned null"),
-    credentialsCreateApiNull: () => alert("navigator.credentials.create returned null")
+    credentialsCreateApiNull: () => alert("navigator.credentials.create returned null"),
+    getAuthenticatorDataInvalid: () => alert("Invalid data from getAuthenticatorData() method. Expected arraybuffer"),
+    getPublicKeyInvalid: () => alert("Invalid data from getPublicKey() method. Expected arraybuffer")
 };
 
 // API
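Review bot: The new `userHandle` on the `+` line in `Create` is a bare SHA-256 of the username, which makes the WebAuthn user handle a deterministic, offline-guessable function of the user's identity; the spec's "User Handle Contents" privacy consideration says the handle must not contain personally identifying information and recommends random bytes, and the `Guid.NewGuid()` it replaces was at least unpredictable. Anyone who reads the handle from a discoverable credential on a shared authenticator, or from a leaked credential table, can confirm a username by hashing candidate names and comparing. If the intent (inferred, not stated in the hunk) is a stable handle per username so that re-registration maps to the same user, persist a random handle with the user record (`RandomNumberGenerator.GetBytes(64)`) and look it up by name, or at minimum key the derivation with a server-held secret, `HMACSHA256.HashData(serverKey, Encoding.UTF8.GetBytes(userName))`, so the handle cannot be checked offline. Since this lives under `demo/`, the minimum would be a comment above the line such as `// Demo shortcut: user handle derived from the username. Production RPs must use a random, PII-free handle (see WebAuthn "User Handle Contents").` The enclosing class starts outside the hunk.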
@@ -127,12 +129,27 @@ const API = {
         const clientExtensionResults = newCredential.getClientExtensionResults ?
             (newCredential.getClientExtensionResults() ?? {}) : {};
 
-        const authenticatorData = newCredential.response.getAuthenticatorData ?
-            coerceToBase64Url(newCredential.response.getAuthenticatorData()) : undefined;
+        let authenticatorData;
+        if (newCredential.response.getAuthenticatorData) {
+            const authData = newCredential.response.getAuthenticatorData();
+            const isValid = authData instanceof ArrayBuffer;
+            if (!isValid) {
+                Alerts.getAuthenticatorDataInvalid();
+                return;
+            }
+            authenticatorData = coerceToBase64Url(authData);
+        }
 
-        const responsePublicKey = newCredential.response.getPublicKey ?
-            newCredential.response.getPublicKey() : undefined;
-        const publicKey = responsePublicKey ? coerceToBase64Url(responsePublicKey) : undefined;
+        let publicKey;
+        if (newCredential.response.getPublicKey) {
+            const responsePublicKey = newCredential.response.getPublicKey();
+            const isValid = responsePublicKey instanceof ArrayBuffer;
+            if (!isValid) {
+                Alerts.getPublicKeyInvalid();
+                return;
+            }
+            publicKey = coerceToBase64Url(responsePublicKey);
+        }
 
         const transports = newCredential.response.getTransports ?
             newCredential.response.getTransports() : undefined;
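Review bot: The `getPublicKey()` check in the second added block turns a legitimate `null` into a fatal error: the WebAuthn API specifies that `AuthenticatorAttestationResponse.getPublicKey()` returns `null` when the browser does not support the credential's public key algorithm, and the removed line handled that case (`responsePublicKey ? coerceToBase64Url(responsePublicKey) : undefined`), whereas the new `instanceof ArrayBuffer` test fires `Alerts.getPublicKeyInvalid()` and returns, so registration of such a credential is now aborted client-side even though the server can still read the COSE key from the attestation object. I would reject only a non-null, non-ArrayBuffer value: `if (responsePublicKey !== null && !(responsePublicKey instanceof ArrayBuffer)) {` for the guard, and `publicKey = responsePublicKey ? coerceToBase64Url(responsePublicKey) : undefined;` for the assignment. `getAuthenticatorData()` is specified to always return an ArrayBuffer, so the strict check in the first block is fine as written. The enclosing function starts and ends outside the hunk.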