Incorporate Bitwarden FIDO SDK/passkey-rs changes #2190
Conversation
|
Great job! No new security vulnerabilities introduced in this pull request |
## 🎟️ Tracking [PM-17241](https://bitwarden.atlassian.net/browse/PM-17241) ## 📔 Objective This updates the SDK to point to a new version of our passkey-rs fork that has been synced with upstream. (The remaining differences between upstream and our fork are documented in the README of our fork.) If approved, we should update `passkey-rs`'s `main` branch to point to the version referenced in this PR (bitwarden/passkey-rs@2e5c0ba). ## 🚨 Breaking Changes - `is_user_verification_enabled()` is no longer asynchronous. Clients should implement any dynamic checks for UV availability in the `check_user()` implementation. - `user_handle has been added to the `find_credential()` method as an optional parameter. If the incoming request contains the user handle, then clients should pass it on. Otherwise, pass a `null` value, and the previous behavior. iOS PR: bitwarden/ios#2190 [PM-17241]: https://bitwarden.atlassian.net/browse/PM-17241?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ
| return false | ||
| case .preferred: | ||
| return await fido2UserVerificationMediator.isPreferredVerificationEnabled() | ||
| return true |
There was a problem hiding this comment.
❓ Why does this return true at all times now?
There was a problem hiding this comment.
Good question. This part of the class is in fulfillment of the PasskeyAuthenticator trait from passkey-rs. That is intended to be a static configuration for whether user verification would ever be available for an authenticator, not whether it's available for this specific call. (It essentially enables an early return from the library for processing UV.) Cf 1Password/passkey-rs#74 (comment)
This dynamic call should instead deferred to the checkUser() function, which we're still doing in checkEnforceRequiredVerification() at L234 (called from checkUser() at L144)
There was a problem hiding this comment.
Oh alright, have you tested that the flows keep working as expected for .preferred UV? Particularly with session timeout -> Never.
If so, given that's the case then in the same file this should be removed alongside with their calls as part of this change as they're not needed anymore and just were there to workaround having UV in isVerificationEnabled which was a wrong assumption:
private var userVerificationPreference: Uv? (code)
func setupCurrentUserVerificationPreference(userVerificationPreference: Uv) (code)
There was a problem hiding this comment.
On the simulator, I can confirm that the iPhone prompted with FaceID when user ID after removing the code referenced above and setting the session timeout to "Never".
(Curiously, it seems that when I set userVerification: discouraged, iOS is upgrading the request to required. preferred is still set as preferred.)
iinuwa
force-pushed
the
iinuwa/update-passkey-rs
branch
from
0607a04 to
c7e775f
Compare
| case .required: | ||
| return true | ||
| } | ||
| func isVerificationEnabled() -> Bool { |
There was a problem hiding this comment.
🤔 Is this function likely to change in the future, to have more logic in it? If not, it would make sense to me to just delete it, and cascade up the true.
There was a problem hiding this comment.
No, not on iOS, where using passkeys requires setting up at least one local OS auth method. After thinking about this, I agree, I think it would be good to push it into the SDK.
This method exists because the SDK is passing through a required method to fulfill a passkey-rs trait, so we can't remove it without changing it for all consumers of the SDK. I think there are two reasons we should push this into the SDK:
- I believe that all of our clients should have a way to do user verification, even it's just redoing whatever auth/unlock ceremony they have enabled for their vault. So this would just become a static value inside the SDK.
- We are only using this method to:
- set the
options.uvvalue inauthenticatorGetInfo, which is merely a hint for platforms, and to - set the
options.uvvalue incheckUseronauthenticatorMakeCredentialandauthenticatorGetAssertion—which is always ignored in our implementation, since we pass the WebAuthnUserVerificationRequirementenum instead.1
- set the
For those reasons, and because of the confusion having this method introduces, I think removing this method from the SDK trait and letting the SDK abstract over it would be beneficial.
But the current implementation, where isVerificationEnabled() always returns true produces the same behavior as pushing this SDK trait method, so I'd recommend following that up in a separate PR in the SDK.
I think I should clarify two other things that I am not talking about changing:
-
changing
checkUser(options: BitwardenSdk.CheckUserOptions, ...)tocheckUser(shouldVerify: bool, ...). Even though we could decide whether we should prompt the user for verification from the SDK, if we change this to a simple bool, it still loses information on how hard we should try to verify the user. For example, the current iOS implementation will prompt for UV on bothpreferredandrequired, but if set torequiredand no verification methods are available, it will start the PIN setup flow, but it will just returnuserVerified: falseif onlypreferred. -
removing
shouldThrowEnforcingRequiredVerificationparameter fromcheckUser(). I'm a little fuzzy on this one. It seems that we don't set this flag when calling this from the SDK, since the SDK will check this and return an appropriate CTAP2 error code. But we call this method from other places that don't go through the SDK FIDO methods (VaultAutofillListProcessor,AddEditItemProcessor), so this method is used there. I don't know enough about these two call sites to know whether this is useful or not.
Footnotes
-
To expand on this point, passkey-rs only sends the CTAP2
options.uvboolean, which loses context on whether the UV request can be ignored or not (e.g.preferredis not represented.) So instead, we send the original WebAuthn UV preference,discouraged,required, orpreferred(found inoptions.authenticatorSelection.userVerificationinnavigator.credential.create()anduserVerificationinnavigator.credential.get()) which gives more context. ↩
There was a problem hiding this comment.
A ticket has been created to clean up / refine ´isVerificationEnabled´ so that we can unblock this PR https://bitwarden.atlassian.net/browse/PM-30454
iinuwa
force-pushed
the
iinuwa/update-passkey-rs
branch
from
c7e775f to
57f3f0e
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2190 +/- ##
===========================================
- Coverage 85.47% 43.58% -41.89%
===========================================
Files 1746 584 -1162
Lines 147479 30505 -116974
===========================================
- Hits 126053 13295 -112758
+ Misses 21426 17210 -4216 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
🎟️ Tracking
PM-17241
Depends on bitwarden/sdk-internal#606.
📔 Objective
This addresses the breaking changes introduced by syncing our fork of passkey-rs with upstream.
⏰ Reminders before review
🦮 Reviewer guidelines
:+1:) or similar for great changes:memo:) or ℹ️ (:information_source:) for notes or general info:question:) for questions:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion:art:) for suggestions / improvements:x:) or:warning:) for more significant problems or concerns needing attention:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt:pick:) for minor or nitpick changes