Comments (9)
PRF inputs should be BufferSource instead of ArrayBuffer
Absolutely. Thank you. (I'll fix in Chromium too.)
from webauthn.
@emlun Is this similar to the issues previously mentioned about challenge and other types where the JS will need to base64 encode/decode to actually get this into a buffer though? Should we just try to nip this one early and make it base64urlsafe instead and get the browser to decode it?
from webauthn.
No, I don't think it's very similar. Both of these types are already byte array types, just slightly different flavours of it.
And no, I think that having some parameters be BufferSource
s and some be base64 String
s would be much worse than having them all be BufferSource
s. If we should change some parameters we should change them all. But as noted in #1362 (comment), I don't think we should. In #1683 we opted for the solution in #1703 instead, so there's very little benefit in changing the types now.
from webauthn.
If we are going to aim for consistency here, then should we also add this to the to/from base64 for the related browser methods then?
from webauthn.
Yes, it's already covered in §5.1.8. Deserialize Registration ceremony options - PublicKeyCredential’s parseCreationOptionsFromJSON() Method:
[...] This conversion MUST also apply to any client extension inputs processed by the client.
from webauthn.
Thanks @agl, but 5ebc257 doesn't quite resolve the issue - the inputs should be BufferSource
, but the outputs should still be ArrayBuffer
. 🙂 At least if we're going to be consistent with the rest of the spec.
from webauthn.
I don't think it's worth splitting the IDL just for the output. That causes additional code size in browsers too because an extra object needs to be supported.
BufferSource
isn't a real type, it's just means either ArrayBuffer
or ArrayBufferView
. For inputs that has real benefits as you note, but on the output it doesn't really make any difference because the underlying object will still be an ArrayBuffer
. E.g.:
> temp1.getClientExtensionResults().prf.results.first instanceof ArrayBuffer
> true
from webauthn.
Hm, I see:
typedef (ArrayBufferView or ArrayBuffer) BufferSource;
typedef (Int8Array or Int16Array or Int32Array or
Uint8Array or Uint16Array or Uint32Array or Uint8ClampedArray or
BigInt64Array or BigUint64Array or
Float32Array or Float64Array or DataView) ArrayBufferView;
But...
the underlying object will still be an
ArrayBuffer
. E.g.:> temp1.getClientExtensionResults().prf.results.first instanceof ArrayBuffer
> true
I don't get the same results in Chrome (110.0.5481.77) or Firefox (109.0.1):
> new Uint8Array().buffer instanceof ArrayBuffer
true
> new Uint8Array() instanceof ArrayBuffer
false
and indeed, I can't find ArrayBuffer
in the prototype hierarchy of Uint8Array
either.
But on the other hand... in order to work with an ArrayBuffer
(i.e., to base64-encode it) you'll most likely convert it to Uint8Array
first, and the Uint8Array
constructor accepts both ArrayBuffer
as well as any TypedArray
. You can just new Uint8Array(prf.results.first)
and that will always work. So in that sense BufferSource
is "Liskov substitution compatible" with ArrayBuffer
, even though it's not formally a subtype.
So ok, yeah, I guess we could go either way. I do agree with not splitting the IDL just for this. It seems a bit inappropriate to use a union type for output, but I agree that BufferSource
output seems less likely to trip people up than ArrayBuffer
inputs.
So ok, this will be fixed by 5ebc257. Thanks!
from webauthn.
Will be fixed by in commit 5ebc257 in PR #1836.
from webauthn.
Related Issues (20)
- Extensions should specify partial dictionaries that modify AuthenticationExtensionsClient{Inputs, Outputs}JSON
- The bike shed build is broken with the newest version
- Provide a way for Web Extensions to hook into browser's Passkey autofill UI HOT 4
- Remove the [SameObject] attribute from PublicKeyCredential::authenticatorAttachment HOT 1
- Are notes in webauthn normative or informative? HOT 1
- Ambiguous instructions in the Android Key Attestation Statement Format verification procedure HOT 6
- Spec is not specific enough about order of conditional UI autofill tokens HOT 1
- create() and get() return an algorithm, not a credential HOT 1
- Virtual Authenticator API does not expose a way to set backup-eligible or backup-status flags HOT 9
- Deprecation warning for fido-u2f, apple, and android-safetynet? HOT 6
- > HOT 1
- Inconsistent Passkey Authentication in Google Chrome HOT 5
- rp.name, user.name and user.displayName length limit does not state binary encoding HOT 2
- How is an RP to know if a packed attestation root certificate is used for multiple authenticator models? HOT 2
- Wrong type of encrypted content specified for credentialId under "Credential Storage Modality" section HOT 1
- Cambios por abuso HOT 2
- Consider replacing "Github" with "GitHub" HOT 2
- Conditional UI support by WebAuthn WebDriver Extension HOT 2
- Refine JSON serialization to use UTF-8 encoding for `user.id` and `userHandle` HOT 10
- Clarify usage of credentialRecord.transports HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webauthn.