Ignore user data with empty ID in get_assertion
Users with an empty ID should not be returned by getAssertion to avoid
compatibility issues.

Fixes: #32
robin-nitrokey authored and nickray committed Sep 13, 2023
1 parent 8fed081 commit 492ec63
Showing 2 changed files with 4 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -9,9 +9,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
makeCredential operations without user verification ([#26][])
- Ignore public key credential parameters with an unknown type, as required by
the Webauthn spec ([#28][])
- Ignore user data with empty ID in getAssertion ([#32][])

[#26]: https://github.com/solokeys/fido-authenticator/issues/26
[#28]: https://github.com/solokeys/fido-authenticator/issues/28
[#32]: https://github.com/solokeys/fido-authenticator/issues/32

## [0.1.1] - 2022-08-22
- Fix bug that treated U2F payloads as APDU over APDU in NFC transport @conorpp
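Review bot: The added entry "Ignore user data with empty ID in getAssertion" can be read as skipping the whole credential, while the condition changed in src/ctap2.rs only skips the block that handles `credential.user`. Consider wording it as omitting the user data from the getAssertion result when the user ID is empty, and state that this is for compatibility, as the commit message does.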
3 changes: 2 additions & 1 deletion src/ctap2.rs
Expand Up @@ -1559,7 +1559,8 @@ impl<UP: UserPresence, T: TrussedRequirements> crate::Authenticator<UP, T> {
number_of_credentials: num_credentials,
};

if is_rk {
// User with empty IDs are ignored for compatibility
if is_rk && !credential.user.id.is_empty() {
let mut user = credential.user.clone();
// User identifiable information (name, DisplayName, icon) MUST not
// be returned if user verification is not done by the authenticator.
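Review bot: The comment added above `if is_rk && !credential.user.id.is_empty()` says such users are "ignored" but not what is skipped or which compatibility problem this addresses. Something like "Omit user data for resident credentials with an empty user ID, see #32" would tell the next reader why the extra condition exists (and "Users", plural, matches "IDs"). The commit changes only CHANGELOG.md and src/ctap2.rs, so a regression test that runs getAssertion against a resident credential with an empty user ID would be worth adding with it.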