fix(passkey): accept base64url credential ids #48

Merged: intel352 merged 1 commit into main from codex/fix-passkey-base64url-credentials on Jun 4, 2026

@intel352 intel352 commented Jun 4, 2026

Summary

  • parse passkey credential JSON through a plugin-owned decoder instead of ignoring json.Unmarshal errors
  • accept standard base64 and base64url credential byte fields, with or without padding
  • fail login begin/finish cleanly when supplied credential JSON is malformed

Root cause

The plugin emits passkey credential IDs with base64url encoding from registration, but login parsed credential JSON into []webauthn.Credential using Go's default []byte JSON decoder, which only accepts standard base64. Decode errors were ignored, so supplied credentials could become unusable and the browser ceremony would fail or hang downstream.

Verification

With URL-safe decoding temporarily removed:

$ GOWORK=off go test ./internal -run 'TestParsePasskeyCredentials_AcceptsBase64URLCredentialID'
FAIL — credential 0 id: illegal base64 data at input byte 0

With fix restored:

$ GOWORK=off go test ./internal -run 'TestParsePasskeyCredentials_AcceptsBase64URLCredentialID'
ok github.com/GoCodeAlone/workflow-plugin-auth/internal 0.741s

Full suite:

$ GOWORK=off go test -count=1 ./...
? github.com/GoCodeAlone/workflow-plugin-auth [no test files]
? github.com/GoCodeAlone/workflow-plugin-auth/cmd/workflow-plugin-auth [no test files]
ok github.com/GoCodeAlone/workflow-plugin-auth/internal 2.457s
? github.com/GoCodeAlone/workflow-plugin-auth/internal/contracts [no test files]

Copilot AI review requested due to automatic review settings June 4, 2026 02:28

Copilot AI left a comment

Pull request overview

This PR fixes passkey login failures caused by silently ignored JSON/base64 decode errors by introducing a plugin-owned credential JSON decoder that accepts both standard base64 and base64url (padded or raw) for credential byte fields, and by making begin/finish login fail cleanly on malformed credential JSON.

Changes:

  • Added parsePasskeyCredentials plus supporting JSON structs and base64/base64url decoding helpers in the passkey step implementation.
  • Updated passkey login begin/finish to use the new decoder and surface parsing failures instead of ignoring json.Unmarshal errors.
  • Added focused unit tests covering base64url IDs, standard base64 IDs, and invalid IDs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
internal/step_passkey.go | Adds a strict, base64url-aware credential JSON decoder and wires it into passkey begin/finish login paths.
internal/step_passkey_test.go | Adds unit tests validating the new decoder behavior for base64/base64url and malformed input.

@intel352 intel352 merged commit afd2b51 into main Jun 4, 2026
7 checks passed
@intel352 intel352 deleted the codex/fix-passkey-base64url-credentials branch June 4, 2026 02:34
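
The decoding mismatch this PR describes, as an added Go example that is not the plugin's code: a plain []byte JSON field rejects a base64url credential ID, while a tolerant decoder accepts all four encodings and still returns an error for malformed input. The names flexBytes, defaultCred, flexCred, parseDefault and parseFlex are hypothetical, and the credential ID is a constructed sample.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// flexBytes (hypothetical name) accepts standard base64 or base64url,
// padded or unpadded, where a plain []byte accepts standard base64 only.
type flexBytes []byte

func (b *flexBytes) UnmarshalJSON(data []byte) error {
	var s string
	if err := json.Unmarshal(data, &s); err != nil {
		return err
	}
	var lastErr error
	for _, enc := range []*base64.Encoding{base64.RawURLEncoding,
		base64.URLEncoding, base64.RawStdEncoding, base64.StdEncoding} {
		out, err := enc.DecodeString(s)
		if err == nil {
			*b = out
			return nil
		}
		lastErr = err
	}
	return fmt.Errorf("credential id: %w", lastErr)
}

type defaultCred struct{ ID []byte `json:"id"` } // encoding/json: standard base64 only
type flexCred struct{ ID flexBytes `json:"id"` }

// Both parsers return the decode error so the caller can fail the login step.
func parseDefault(doc string) (creds []defaultCred, err error) {
	err = json.Unmarshal([]byte(doc), &creds)
	return creds, err
}
func parseFlex(doc string) (creds []flexCred, err error) {
	err = json.Unmarshal([]byte(doc), &creds)
	return creds, err
}

func main() {
	doc := `[{"id":"-_--AQ"}]` // constructed: bytes fb ff be 01, unpadded base64url
	_, errDefault := parseDefault(doc)
	creds, errFlex := parseFlex(doc)
	fmt.Printf("default: %v\nflex: %x %v\n", errDefault, creds, errFlex)
}
```

Strings that mix the two alphabets fail every encoding, so the tolerant decoder does not turn malformed IDs into accepted ones.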