Always render plain text in WebauthnVerification#authenticate #3712

jenshenny · 2023-04-14T19:18:57Z

8000

What problem are you solving?

There's a couple of TODOs left from #3298. They all refer to how WebauthnVerification:authenticate should have a consistent response format.

What approach did you choose and why?

Chose to return plain text as the response from the client is plain text. Made sure that not found, and expired token return plain and errors in the authenticate action all return plain.

Since all the responses are plain text, it is simpler to display the error to the user rather than swallowing it. If the result of the verification is not successful, the message with be stored as a param and rendered in the failed verification view.

Testing

run RUBYGEMS_HOST=http://localhost:3000 gem signin as a user with a webauthn device. access the webauthn link
Wait 2+ minutes, and authenticate. The failed verification page will have the appropriate message.

Do step 1 and Control C in the terminal before authenticating. The failed verification page will have the appropriate message.

4. Do step 1 and authenticate, the success page would look the same.

app/controllers/webauthn_verifications_controller.rb

codecov · 2023-04-14T19:34:07Z

Codecov Report

Merging #3712 (56684db) into master (448fd43) will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master    #3712   +/-   ##
=======================================
  Coverage   98.75%   98.75%           
=======================================
  Files         207      207           
  Lines        5136     5143    +7     
=======================================
+ Hits         5072     5079    +7     
  Misses         64       64

Impacted Files	Coverage Δ
app/controllers/application_controller.rb	`100.00% <100.00%> (ø)`
...p/controllers/webauthn_verifications_controller.rb	`100.00% <100.00%> (ø)`

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

jenshenny · 2023-04-17T15:32:25Z

app/controllers/application_controller.rb

      format.json { render json: { error: t(:not_found) }, status: :not_found }
      format.yaml { render yaml: { error: t(:not_found) }, status: :not_found }
-      format.any(:all) { render text: t(:not_found), status: :not_found }
+      format.any(:all) { render plain: t(:not_found), status: :not_found }


render text: was removed in Rails 5.1 rails/rails@79a5ea9

jenshenny · 2023-04-17T15:34:01Z

app/controllers/webauthn_verifications_controller.rb

+    @message = params.permit(:error).fetch(:error, "")
+    Rails.logger.info("[webauthn_verification:authenticate] Verification failed: #{@message}")


Displaying and logging message as suggested:

can we add a log or something in the catch, rather than completely discarding the error?

Are you thinking of logging it our side (Rails logs) or like displaying a message to the user on why it failed (or both).

Hmmm I think both would be good? We could pass the error in the query param when redirecting to the failure page?

jenshenny · 2023-04-17T15:35:19Z

test/system/webauthn_verification_test.rb

    assert_link_is_expired
  end

+  test "when webauthn verification is expired during verification" do


Forgot this test case originally :p

jchestershopify

LGTM.

app/controllers/webauthn_verifications_controller.rb

jenshenny force-pushed the plain-text branch from ecd1011 to 560f9eb Compare April 14, 2023 19:20

segiddins reviewed Apr 14, 2023

View reviewed changes

app/controllers/webauthn_verifications_controller.rb Outdated Show resolved Hide resolved

jenshenny force-pushed the plain-text branch 2 times, most recently from 3996b66 to 949b2d9 Compare April 17, 2023 15:31

jenshenny commented Apr 17, 2023

View reviewed changes

jenshenny added 2 commits April 17, 2023 11:39

Consolidate authenticate response format to be text

da92db7

Change render not found to use render plain

a94584a

jenshenny force-pushed the plain-text branch from 949b2d9 to 63708f6 Compare April 17, 2023 15:39

jenshenny marked this pull request as ready for review April 17, 2023 15:39

jchestershopify reviewed Apr 17, 2023

View reviewed changes

jenshenny requested a review from segiddins April 17, 2023 17:25

segiddins approved these changes Apr 17, 2023

View reviewed changes

app/controllers/webauthn_verifications_controller.rb Outdated Show resolved Hide resolved

Display and log error if verification failed

56684db

jenshenny force-pushed the plain-text branch from 63708f6 to 56684db Compare April 17, 2023 20:17

jenshenny merged commit 14d7fc5 into rubygems:master Apr 17, 2023

jenshenny deleted the plain-text branch April 17, 2023 20:42

rubygems-org-shipit bot temporarily deployed to staging April 17, 2023 20:54 Inactive

rubygems-org-shipit bot temporarily deployed to production April 20, 2023 20:27 Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Always render plain text in WebauthnVerification#authenticate #3712

Always render plain text in WebauthnVerification#authenticate #3712

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

		@message = params.permit(:error).fetch(:error, "")
		Rails.logger.info("[webauthn_verification:authenticate] Verification failed: #{@message}")

Uh oh!

Always render plain text in WebauthnVerification#authenticate #3712

Always render plain text in WebauthnVerification#authenticate #3712

Uh oh!

Conversation

Uh oh!

What problem are you solving?

What approach did you choose and why?

Testing

Uh oh!

Uh oh!

Uh oh!

Codecov Report

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants